Biometrics – Fingerprints - CUPS

Brent Kennedy


Overview


Security Issues


Usability Issues


Bring it all together


Discussion



Sequence of ridges and valleys


No two fingerprints can be exactly the same


Even two imprints from the same finger are
different


Reliable and efficient biometric


Still are cons


Scanners work by imaging the print and using
an algorithm to compare images

http://denis.biometric
-
fingerprint.com/?cat=7

http://en.wikipedia.org/wiki/Fingerprint


Storage


How are the fingerprints stored?


Who can access them?


Privacy


Can fingerprints lead to more information?


Device


Is it susceptible to over the shoulder peeks?


Does it leave a trace?


Can it be spoofed?



>


Small experiment
done at W&J College


January 2006



Aimed to spoof
fingerprints using
common household
items



Total Cost: $12.82




Cast:


Play
-
Doh


Gummy bears


Model Magic


Silly Putty


Modeling clay


Tac

N’
Stik



Mold:


Paraffin wax


http://www.washjeff.edu/users/ahollandminkley/Biometric/index.html


Devices


Microsoft Fingerprint Reader


APC Biometric Security device



What failed…


One
-
step method of taking a print directly from
the source (no cast)


Gummy bears: Myth busted!

▪
Wouldn’t even hold a fingerprint


Tac

N’
Stik

worked too well

▪
Picked up old prints from the scanner


Silly putty stuck to the device


Play
-
Doh

was too soft to withstand pressure


Success!


Very soft piece of wax flattened against hard
surface


Press the finger to be molded for 5 minutes


Transfer wax to freezer for 10
-
15 minutes


Firmly press modeling material into cast


Press against the fingerprint reader


Replicated several times



Modified approach on the APC device


Requires less pressure so Play
-
Doh

can be used


Form the Play
-
Doh

around the scanner surface


Then place the flat surface in the cast


More patience required to get authorized



After time, the mold becomes too soft to use



Caveats


Molding material becomes firm and brittle quickly

▪
Hard to make a cast ahead of time


Very high quality mold is required

▪
Attacker may need more advanced materials


All molds were of the thumb

▪
Smaller prints may cause additional problems


The main usability factors for fingerprints:


Scanner height/angle


Training conditions


Age


Habituation


Supervision


Height/Angle


Efficiency (time) not significantly affected by
height or angle


Quality significantly affected by height but not
angle

▪
Still hard to determine optimal height


Overall satisfaction affected by height, angle, and
user height


http://zing.ncsl.nist.gov/biousa/docs/NISTIR
-
7504%20height%20angle.pdf


Age


18
-
25 age range gave consistent good prints


Prints get worse as age increases


Men overall better than women


Habituation


No trend to print quality over time


Users didn’t know how to fix bad prints

http://zing.ncsl.nist.gov/biousa/docs/WP302_Theofanos.pdf


Training/Supervision


Poster had worst success rate: 56%


Verbal vs. video instruction had equal success


Assistance significantly increased success rate

▪
78% without assistance

▪
98% with assistance



http://zing.ncsl.nist.gov/biousa/docs/NISTIR
-
7403
-
Ten
-
Print
-
Study
-
03052007.pdf


Can better usability solve the spoofing
problem?


It can help


Smaller scanning area


Slap vs. roll


Better algorithms with better feedback