3D-Printed Fingerprints: The Tipping Point of Spoofed Biometrics
Veridium Author | August 4, 2016
Recently, the media has been abuzz with stories of fingerprints replicated by 3D printers.
Fusion first reported the story of researchers at Michigan State University tasked by law enforcement to create a copy of a deceased victim’s fingerprint. The police needed to recreate the print to unlock the individual’s mobile phone as part of their investigation.
“A 3D-printed finger alone often can’t unlock a phone these days,” Fusion’s Rose Eveleth reports. “Most fingerprint readers used on phones are capacitive, which means they rely on the closing of tiny electrical circuits to work. The ridges of your fingers cause some of these circuits to come in contact with each other, generating an image of the fingerprint.”
Skin is conductive, so it is able to close these circuits, but the traditional material used in 3D printing isn’t. To circumvent this, the researchers used a 2D version printed in conductive ink, which contains tiny metallic particles that allow the fingerprint scanner to read it.
3D-Printed Fingerprints are Just the Beginning
Replicating a fingerprint with a 3D printer is certainly remarkable, but this discovery is also worrisome. As biometric technology continues to grow, researchers and hackers alike will find more creative ways to spoof and bypass the system. The good news is that we have the tools to enable greater levels of assurance.
As we’ve previously discussed, liveness detection is one such option.
Liveness is accomplished through a physical gesture (wiggling fingers in a specific pattern) or reaction (nodding, winking, smiling) that only a living human can do. This could also be determined through clinical measurements, such as the temperature of a finger or blood flow and heart rate.
Verifying a user’s true identity is the primary purpose of biometric authentication. By introducing a liveness mechanism into a biometric sensor, we further ensure that users are who they say they are.
So, You’re Telling Me Biometrics Aren’t Enough?
Biometric technologies present an enormous opportunity for us to better protect sensitive data. In many everyday instances, solutions like Apple Touch ID offer much greater protection because someone has to take the time to create a highly technical fake fingerprint.
In other words – if you are a consumer, Touch ID will suffice in keeping unwanted users out of your text messages or email account, but if you are a broker at a large financial institution, a biometric sensor coupled with liveness detection will ensure no errant wire transfers are sent without your approval.
Traditional passwords or PINs? Those are most certainly not enough. Consider the fact that I can share my password with a friend to access my bank account, and as far as my bank knows, it’s me logging on. Zero authentication has occurred for the bank to think otherwise.
In the aforementioned case of the 3D-printed fingerprint, the replica did authenticate the identity of the victim and authorize access to the phone. However, had a liveness mechanism been introduced, the Michigan State University researchers would have been required to provide another level of assurance and prove they were the true owner. A fingerprint replica alone would not work.
The ultimate goal is to move beyond authorization to indisputable identification, and an added layer of liveness detection can do just that.