This biometric sensor knows if your finger is alive — or dead

Updated 12:22 PST with new information on Apple’s TouchID

You can fool Apple’s new TouchID fingerprint sensor simply by creating an elaborate prosthetic finger … and you can fool some fingerprint sensors by the standard old action flick standby of — ouch — viciously chopping off someone’s finger.

But neither guile nor evil will work with biometric pioneer NexID’s new technology, the company says.

“We find that most fingerprint scanners are highly vulnerable to spoofing,” NexID Biometrics chief operating officer Mark Cornett says. “In fact we have been able to spoof every device we have tested.”

In an effort to make fingerprint scanners harder to fool, the company has created a “liveness” score that helps any device determine whether an image it is checking is live — indeed, alive — or dead.

As in never-living, like plastic and latex, or the awful and almost unthinkable now-not-living alternative.

The technique hackers used to crack the iPhone 5S fingerprint sensor was “fairly straightforward” and the materials needed were “readily available,” NexID says. But the addition of its software and algorithm can take the potential error rate created by determined attackers on almost any fingerprint sensor hardware down from basically 100 percent to between two and four percent.

“The NexID software technology exploits the inherent differences between fingerprint images from both live and spoof fingerprints via real-time image processing and statistical analysis,” Cornett said. “We look at and analyze only the image that is captured by the scanner, and return to the scanner’s operating system a ‘liveness score’ which represents the probability that an image is either from a live finger or a spoof.”

In other words, your finger moves and stretches and maybe even pulses a little as your blood flows through your body, all in ways that are different from a prosthetic finger built to approximate a living digit. NexID captures that data along with the fingerprint, and analyzes it as well as the print pattern.

Only a match on the pattern coupled with a high “liveness” probability will let you in.

The problem with fingerprints, unlike most other biometric forms of identification, is that they are not secret, NexID says. We think they are, but in reality, anyone with access to almost anything we’ve touched can have our fingerprints. That’s quite different than, for instance, retina scans — although all biometric systems are vulnerable in different ways.

“With the NexID solution integrated, most of our clients’ scanners realize a “spoof resistance level” of 96 – 98%, and we continue to improve this performance as we enhance our software algorithms,” Cornett said.

Apple has incorporated technology into TouchID that checks for a live finger via an RF capacitive sensor. NexID, however, says that’s not good enough.