Recent research and test results reveal that with only negligible-to-modest efforts, many leading biometric technologies are susceptible to sensor-level ‘spoof’ attacks. In these attacks, perpetrators present fraudulent samples to the biometric system, which processes them to generate the templates that verify enrolled individuals. Some manufacturers of biometric systems claim anti-spoofing detection capabilities, and many users believe that current biometric systems can detect fake or ‘spoofed’ biometric samples. However, research shows that artificial fingerprints can fool fingerprint systems.1,2 (In addition, printed facial images can trick face-recognition systems,3 and static iris images have been shown to fool iris-recognition systems.4,5)
It is easy to acquire a fingerprint from a person without his or her knowledge or cooperation. For instance, someone could lift latent fingerprint impressions and create fake fingers that can trick commercially available sensors. Our work introduces a new capability that detects whether the biometric sample presented to the system during enrollment and identification is from a spoofed sample. We found that it is possible to exploit blood-flow composition and patterns underneath the skin to impart powerful antispoofing capabilities to biometric devices. In particular, measuring the percentage of oxygen in the blood during the fingerprint-sensing process can lead to a system that successfully thwarts spoof attacks.
Our research team designed and developed a new fingerprint system that simultaneously collects an individual's identity, oxygenated blood measurement (the saturation of oxygen in hemoglobin), and pulse (taken from the fingertip).6Oxidized hemoglobin (HbO2) and reduced hemoglobin (Hb) have significantly different optical spectra, so the absorption of visible light by a hemoglobin solution varies with its level of oxygenation. (The oxygen saturation SpO2 is the ratio of HbO2 to the total concentration of hemoglobin present in the blood.)
Our method estimates the percentage of oxygen-saturated blood (see Figure 1) by using LEDs that operate at selected wavelengths and interact with the finger during imaging. Specifically, these LEDs are excited alternatively at high speed while the corresponding matched photo detectors detect the transmitted/reflected light. The signal corresponding to each of the received light frequencies is separated by a channel separation mechanism and used to automatically estimate the ‘liveness factor,’ which represents the proportion of oxygen-saturated blood (SpO2%) in the biometric sample.
Figure 1. Online estimation of oxygen saturation from the fingerprint samples.
Our implementation has been rigorously tested, and experimental results from several live and spoof fingerprint samples have illustrated a large difference in the percentage of SpO2, confirming the reliability of the proposed design to thwart spoof attacks on fingerprint identification devices. We also tested spoof attacks using a very thin translucent fingerprint worn over a live finger, and this approach generates a low-quality image from the optical fingerprint sensor that can be easily rejected by the quality checker in the fingerprint identification module.
One could argue that it is possible to develop a thin translucent fingerprint sample that generates a good-quality fingerprint image from the sensor. However, the fingerprint images in optical sensors are generated by the reflection of light, so the image quality from a thin translucent spoof fingerprint is bound to be low. The rejection of such spoof attacks is highly dependent on the quality checker in the fingerprint identification module (which ensures that low-quality images are rejected).
Figure 2. Standalone fingerprint identification with antispoofing using oxygen saturation in hemoglobin.
Our fully automated low-cost fingerprint identification prototype6 (see Figure 2) automatically estimates the saturated oxygen level in the hemoglobin beneath the fingertips and reliably thwarts spoof attacks. Our current research efforts are focused on further miniaturizing this system. We also plan to investigate the effectiveness of this module for sensor-level attacks on palm print-based identification systems.
Department of Computing
The Hong Kong Polytechnic University
Hung Hom, Hong Kong
Ajay Kumar is an assistant professor in the Department of Computing. He was previously with IIT Delhi where he established the biometrics research laboratory. His research focuses on biometrics and computer-vision-based industrial inspection.