Aliveness detection
La détection du vivant

Welcome to the start page related to aliveness detection.

• Introduction
• Basics
• Papers & counter-measures
• Movies
• Real world
• Standards and testing
• Conclusion

There are also the following additionnal sections and related pages :

• A page with the definitive list of (old) papers related to aliveness detection, since 1994 up to 2013 (I stopped to collect all these references). Even some web pages I kept for the records !
• I started to made a page with a list of (old) laboratories working about aliveness detection. Not really up to date, I'm afraid of.
• In 2003, I was the technical guy of the Biosec european project, proposing some aliveness detection to work with a thermal swipe fingerprint sensor.
• Myth about revocation, which looks to be impossible at first sight, unless you are making some aliveness detection.
• Myth about reusing stolen body parts.
• Myth about reconstructing a biometric feature starting from the template.
• Myth about absolute security when using biometrics.

Papers

Labs

Biosec

Alivenes detection, liveliness, cut finger, dead finger, fake finger, spoofing sensors, presentation attacks... if you are here, this is because you want to know more about all these topics.

Up to now, I've been able to break any fingerprint sensor system, likely thanks to my knowledge about physics related to sensors, and also because there is not very much aliveness detection systems in fingerprint sensors. It must be changed in the future, it has to be changed, security must be increased so that it will be extremely expensive to break a system, and so it does not worth the effort -as for every security system-.

Aliveness detection is around since the last century, the first paper I found is from 1994, and the first product, from 3M, 1996.

If you came here to get some recipes, forget it. At best, you will find links to reference papers about this topic, from people generally proposing counter-measures.

Also, for those discovering this topic, this is NOT a new topic. James Bond was already making fake fingers in 1971 (yes, 1971, Diamonds are forever). And with one of the most difficult situations to detect: there is a true finger behind the fake!

First of all, remember that proving that you are living is not enough. What is desired is to prove that:

• I’m a living person not under threat
• and I agree to make such and such action

This is impossible (up to now): you can’t read a person’s mind. Having some form of aliveness detection is not enough!

You need to place the problem inside the whole security problem, so I invite you to have a look at the security basics of a biometric system.

There is a myth about revocation or compromised biometrics: if someone steals your biometric traits (copy), then you cannot use it again. Only people with their mind stick to the password concept still believe that, and aliveness detection is the answer to this problem: if you show your biometric trait, and prove that it is still connected to your mind, then compromised biometric trait is no more a problem.

We can define some detection levels, depending on the difficulty to spoof a system. Several proposals about this exist, but well, it is always around this. I'm taking the case of fingerprint sensors because it is pretty easy to explain and to understand, but you can transpose to any biometric trait with more or less difficulties.

1. Latent print left on the sensor (zero effort)
2. Fake/copies:
   • Printed fingerprint image
   • Fake made of gelatin, latex, or other material
   • Thin layer of material glued to a real finger, including real skin cells grown in a laboratory
3. Original finger:
   • Cut out
   • Belonging to a dead person
   • Alive person under threat

Is it so easy to create a fake finger? yes and no. It's easy when you have the cooperation of the donnor -it's what you see in those youtube from hackers. You will get more info from my easy fake finger page.

I have collected old papers related to aliveness detection, and I wrote some articles in the Encyclopedia of Biometrics:

• J.F. Mainguet "Fingerprint Fake Detection" in "Encyclopedia of Biometrics" 2009
• J.F. Mainguet "Fingerprints Hashing" in "Encyclopedia of Biometrics" 2009
• J.F. Mainguet "Anti-spoofing: Fingerprint (Fake Fingers)" in "Encyclopedia of Biometrics" 2014

The oldest product tentative with some counter-measures was the 3M Biosentry ultimate /1996: a fingerprint reader with optical plethysismography AND electrocardiogram.

Some companies are proposing counter-measures against spoofing, proposals coming from laboratories, but we have to admit that it is easier to show the defects of a system than proposing something to make them better. In general, you need to add some more sensors, so it is at the cost of the overall system. At the end, very often and it is a pity, there is no aliveness detection system: people does not want to pay for that (like insurances). This is why it was so easy to spoof the Apple iPhone 5S shortly after its release -not a big deal for people used to this domain.

You will find my own proposal in 2004-2005 for the FingerChip from Atmel, done within the Biosec project.

There are many movies showing biometric recognition: let's have a look to those with cut fingers or the like.

Diamonds Are Forever (1971) (James Bond)
Les diamants sont éternels

Demolition man (1993)

Double Team (1997)

The 6th day (2000)

La Tour Montparnasse Infernale (2000)

Die Another Day (2002)
Meurt un autre jour

Doom (2005)

Shoot'Em Up (2007)

What happened to Monday (2017) Seven Sisters

The Spy Who Dumped Me (2018) L'espion qui m'a larguée

Cut fingers ? Does it really happen ? Yes, you will find here some material for your article/paper/blog :

(2005 Mar) Is this a sign of the maturity of biometrics? Well, to my best knowledge, the very first official case of the use of a body part happened in Malaysia end of March 2005, where a team of carjackers on the prowl in Subang Jaya chopped off part of the left index finger when they realised that the S-Class Mercedes Benz had a security feature which would immobilise the car without his fingerprint.

There is no limit to stupidity: even with a reliable cut finger detection, it is likely that this will happen again, just because "they don't know", at least that it possible to enroll somebody else...

Imagine if it was an iris recognition system, as proposed here !

(2006 May) (Office of the United States Attorney / District of Arizona
(www.usdoj.gov/usao/az/press_releases/2006/2006-063(George).pdf))

TUCSON, Ariz. – Marc Terrance George, 41, of Jamaica, was sentenced here today by U.S. District Judge Cindy K. Jorgenson to 13 months in prison, to be followed by deportation, after he pleaded guilty on February 27, 2006 of illegal entry after deportation.

George attempted to enter the U.S. illegally on September 24, 2005 through the Nogales, Ariz. Port of Entry during which time U.S. Customs and Border Protection officers noted that his fingerprints had been surgically replaced with skin from his feet.

George stated that this procedure had been done to “clean” his identity by a doctor in Phoenix.

"This case demonstrates what extraordinary and drastic measures people will take to enter our country illegally,” stated U.S. Attorney Paul K. Charlton. “It proves as well that our fingerprint identification systems have gained a significant reputation in the criminal world.”

Prior to deportation, George will be extradited to the State of New Jersey to face money laundering charges in state court in that jurisdiction.

The investigation in this case was conducted by U.S. Customs and Border Protection. The prosecution was handled by Danny Roetzel, Assistant U.S. Attorney, District of Arizona, Tucson, Ariz.

(2018 Mar) [Forbes]

Yes, Cops Are Now Opening iPhones With Dead People's Fingerprints

The iPhone 8 uses Apple Touch ID, a fingerprint-based security technology that cops are trying to bypass in various ways. It's legally easier to bypass when the owner is dead, Forbes has learned.

I really like this one:

Some standards are developed at the ISO/IEC JTC 1/SC37 Biometrics :

• (2016) ISO/IEC 30107-1: Information technology -- Biometric presentation attack detection -- Part 1: Framework
• (2017) ISO/IEC 30107-2: Information technology -- Biometric presentation attack detection -- Part 2: Data formats
• (2017) ISO/IEC 30107-3: Information technology -- Biometric presentation attack detection -- Part 3: Testing and reporting

And yes, you have to pay to get them.

(2020) FIDO alliance is proposing to certify your biometric device : the Biometric Component Certification done by FIDO Accredited Biometric Laboratories.

• Checking the biometric performances FAR/FRR: 1/10000
• Checking the resistance to spoof: Presentation Attack Detection

I recommend this excellent laboratory : the CEA-Leti ITSEF (CESTI CEA-Leti in french)

• brochure
• Les Défis du CEA #242, L'enjeu de la cybersécurité (Mars/Avril 2021) [local copy for the records]
• Article en ligne: Les R&D du CEA en cybersécurité [copie locale].

What Liveness Testing IS:

• A means to minimize the effectiveness of artificial or simulated biometric specimens and thus improve the security posture of the biometric system.

What Liveness Testing IS NOT:

• A guarantee that the biometric specimen belongs to the authentic live human being.