Tactical Information Systems
Biometric Identification Software

Tactical Information Systems Blog

Identity & Technology

Biometric Spoofing

Fake fingerprints aren't hard to make but they are hard to use.

Fake fingerprints aren't hard to make but they are hard to use.

In biometric identification terminology, "spoofing" is the process of presenting a fake biometric (e.g. gummy fingerprint) to a system in order to gain access. I don't often write about biometric spoofing because I personally find it one of the less interesting aspects of biometrics. I don't mean to discount it as a problem, because it is a real vulnerability for biometric systems. It is just that it is often used as a way to say "biometric systems are useless because of spoofing". I find this kind of argument annoying because every security system has vulnerabilities and those vulnerabilities don't make the system useless. As a simple example, the vast majority of locks used on home and office doors can be easily picked, but we still use them. Risk management is about understanding risk and controlling them, not eliminating them.  

A recent blog post hit two of my triggers - it claimed that without spoof protection biometrics are useless and one of my personal peeves about commercial blogs, namely the "without my company's X, then Y is useless"  The literal title was "Without Spoof-Proof Liveness, Biometrics Will Never Replace Passwords". I find this wrong on many levels. First, the use of the word "never" in a technology sense is never a good idea (see what I did there?). There are certainly plenty of cases where a biometric is good enough. For example, my phone. I know a super-dedicated attacker might be able to spoof a fingerprint on my phone, but I am OK with that. It is a balance of convenience and security.

The blog also talks about the company's use of ISO 30107, a standard dealing with biometric spoofing. Standards can be great to establish a common vocabulary and measurement approach. However, in the area of spoofing, a standard can (at best) only provide you with protection against well known attacks. At worst, it can give you a false sense of security.

A biometric system that is sensitive enough to need spoof protection is sensitive enough to need a second factor (e.g. PIN/password). Relying upon spoof protection is only going to protect you for a short while until new attacks are discovered. It will never be a perfect solution.

Source:  https://mobileidworld.com/guest-post-spoof-proof-liveness-facetec-007200/