Using biometrics to authenticate people to systems provides convenience. When authenticating to mobile devices such as smartphones, tablets and laptops, however, security problems may arise because this authentication typically takes place in unsupervised environments (e.g., at home). Since a mobile device can be easily stolen, an attacker with physical access to it can launch a powerful attack by manipulating the data that is acquired and transmitted by the biometric sensor. Furthermore, biometric information has a low degree of secrecy, as it can be captured by an unintended recipient, even without the user's consent. Because biometric characteristics are difficult to change and cannot be revoked, their compromise may lead to more serious consequences than, for example, the compromise of a password. Finally, regardless of all efforts to keep the user's biometrics private, the widespread use of biometric technologies is set to make biometric information essentially publicly available, with face photos being public even today.
To counter some of these security threats, we have developed a technology for authenticating fingerprint sensors, including sensors of the same type, manufacturer, and model. The technology uses unique, persistent, and unalterable characteristics of the fingerprint sensors to detect attacks on the sensors. For example, it can detect whether an image that contains the fingerprint pattern of the legitimate user and was acquired by the authentic fingerprint sensor has been replaced by another image that still contains the legitimate user's fingerprint pattern but was acquired by another, unauthentic fingerprint sensor. The technology uses the conventional authentication steps of enrolment and verification, each of which can be implemented in a mobile device, a desktop, or a remote server. The technology is extremely accurate, computationally efficient, and robust in a wide range of conditions; it does not require any hardware modifications and can be added (as a software add-on) to systems already manufactured and put into service. We have also protected the technology, implemented it in software for both area and swipe fingerprint sensors, and successfully demonstrated it at the Biometric Consortium Conference and Technology Expo in Tampa, Florida, in September 2011 and 2012.
One example application is combining biometric authentication with sensor authentication, each having its own enrolment and verification but both using the same fingerprint image, which leads to a two-part (bipartite) authentication with improved security. Because this authentication certifies both who the user is and what the user has, it also binds the user and the device. The technology can also provide a source of randomness and be used for device identification. Its possible areas of application include mobile wallets, access to health care and medical records, contextual authentication/user rights, and asset management.
For more information, please contact:
Vladimir I. Ivanov, Ph.D.
Research Associate
Institute for Systems Research
University of Maryland, College Park, USA
vladimir3456@gmail.com, +1 (301) 405 7933
http://www.isr.umd.edu/Labs/SEIL/Sensors

Prof. John S. Baras, Ph.D.
Lockheed Martin Chair in Systems Engineering
Department of Electrical and Computer Engineering, and Institute for Systems Research
University of Maryland, College Park, USA
baras@umd.edu, +1 (301) 405 6606