Alivenes detection, liveliness, cut finger, dead finger, fake finger, spoofing sensors, presentation attacks... if you are here, this is because you want to know more about all these topics.
Up to now, I've been able to break any fingerprint sensor system, likely thanks to my knowledge about physics related to sensors, and also because there is not very much aliveness detection systems in fingerprint sensors. It must be changed in the future, it has to be changed, security must be increased so that it will be extremely expensive to break a system, and so it does not worth the effort -as for every security system-.
Aliveness detection is around since the last century, the first paper I found is from 1994, and the first product, from 3M, 1996.
If you came here to get some recipes, forget it. At best, you will find links to reference papers about this topic, from people generally proposing counter-measures.
Also, for those discovering this topic, this is NOT a new topic. James Bond was already making fake fingers in 1971 (yes, 1971, Diamonds are forever). And with one of the most difficult situations to detect: there is a true finger behind the fake!
First of all, remember that proving that you are living is not enough. What is desired is to prove that:
This is impossible (up to now): you can’t read a person’s mind. Having some form of aliveness detection is not enough!
You need to place the problem inside the whole security problem, so I invite you to have a look at the security basics of a biometric system.
There is a myth about revocation or compromised biometrics: if someone steals your biometric traits (copy), then you cannot use it again. Only people with their mind stick to the password concept still believe that, and aliveness detection is the answer to this problem: if you show your biometric trait, and prove that it is still connected to your mind, then compromised biometric trait is no more a problem.
We can define some detection levels, depending on the difficulty to spoof a system. Several proposals about this exist, but well, it is always around this. I'm taking the case of fingerprint sensors because it is pretty easy to explain and to understand, but you can transpose to any biometric trait with more or less difficulties.
Is it so easy to create a fake finger? yes and no. It's easy when you have the cooperation of the donnor -it's what you see in those youtube from hackers. You will get more info from my easy fake finger page.
I have collected old papers related to aliveness detection, and I wrote some articles in the Encyclopedia of Biometrics:
The oldest product tentative with some counter-measures was the 3M Biosentry ultimate /1996: a fingerprint reader with optical plethysismography AND electrocardiogram.
Some companies are proposing counter-measures against spoofing, proposals coming from laboratories, but we have to admit that it is easier to show the defects of a system than proposing something to make them better. In general, you need to add some more sensors, so it is at the cost of the overall system. At the end, very often and it is a pity, there is no aliveness detection system: people does not want to pay for that (like insurances). This is why it was so easy to spoof the Apple iPhone 5S shortly after its release -not a big deal for people used to this domain.
You will find my own proposal in 2004-2005 for the FingerChip from Atmel, done within the Biosec project.
There are many movies showing biometric recognition: let's have a look to those with cut fingers or the like.
Cut fingers? Does it really happen? Yes, you will find here some material for your article/paper/blog :
(2005 Mar) Is this a sign of the maturity of biometrics? Well, to my best knowledge, the very first official case of the use of a body part happened in Malaysia end of March 2005, where a team of carjackers on the prowl in Subang Jaya chopped off part of the left index finger when they realised that the S-Class Mercedes Benz had a security feature which would immobilise the car without his fingerprint.
There is no limit to stupidity: even with a reliable cut finger detection, it is likely that this will happen again, just because "they don't know", at least that it possible to enroll somebody else...
Imagine if it was an iris recognition system, as proposed here!
(2006 May) (Office of the United States Attorney / District of Arizona
TUCSON, Ariz. – Marc Terrance George, 41, of Jamaica, was sentenced here today by U.S. District Judge Cindy K. Jorgenson to 13 months in prison, to be followed by deportation, after he pleaded guilty on February 27, 2006 of illegal entry after deportation.
George attempted to enter the U.S. illegally on September 24, 2005 through the Nogales, Ariz. Port of Entry during which time U.S. Customs and Border Protection officers noted that his fingerprints had been surgically replaced with skin from his feet.George stated that this procedure had been done to “clean” his identity by a doctor in Phoenix.
"This case demonstrates what extraordinary and drastic measures people will take to enter our country illegally,” stated U.S. Attorney Paul K. Charlton. “It proves as well that our fingerprint identification systems have gained a significant reputation in the criminal world.”
Prior to deportation, George will be extradited to the State of New Jersey to face money laundering charges in state court in that jurisdiction.
The investigation in this case was conducted by U.S. Customs and Border Protection. The prosecution was handled by Danny Roetzel, Assistant U.S. Attorney, District of Arizona, Tucson, Ariz.
(2018 Mar) [Forbes]
Yes, Cops Are Now Opening iPhones With Dead People's Fingerprints
The iPhone 8 uses Apple Touch ID, a fingerprint-based security technology that cops are trying to bypass in various ways. It's legally easier to bypass when the owner is dead, Forbes has learned.
I really like this one:
(2020 Mar) Belarusian man, 53, claims he can unlock a smartphone with his severed thumb which he kept in a freezer after cutting it off in circular saw accident. download mp4 file
Some standards are developed at the ISO/IEC JTC 1/SC37 Biometrics:
And yes, you have to pay to get them.
(2020) FIDO alliance is proposing to certify your biometric device: the Biometric Component Certification done by FIDO Accredited Biometric Laboratories.
I recommend this excellent laboratory: the CEA-Leti ITSEF (CESTI CEA-Leti in french)
What Liveness Testing IS:
What Liveness Testing IS NOT:
If man can make it, man can break it!