Blog

Chaos Computer Club Creates Fingerprint Spoof From Public Photo

As you may have noticed, this past Monday’s biometric story of the day was the claim by the Chaos Computer Club that they were able to produce a working fingerprint spoof from public photos of a subject’s finger (http://www.ccc.de/en/updates/2014/ursel). The story’s broad online propagation instigated numerous threads, once again debating the use of biometrics as a viable means of authenticating one’s identity using a mobile device.

Regardless of your impression about how easy or difficult it is to spoof a fingerprint sensor (mobile or otherwise), it is clear that such a vulnerability exists. However, there are fake finger detection and liveness detection solutions available today that can mitigate the risk associated with spoofing. Some of these solutions are hardware-based and others software-based. And as you may already know, NexID Biometrics provides a leading-edge software-based solution … http://www.nexidbiometrics.com.

Biometrics are not likely the “end all” solution to keeping your mobile device, and your identity, secure, but it’s more apparent than ever that biometric authentication will play a key role in this important function going forward. Moreover, it’s very likely that fake finger detection solutions will be making their way to market in the next generation of mobile devices. And with this, mobile device users can enjoy the convenience of fingerprint authentication, along with the confidence their device is more secure. Happy New Year everyone!

Security for Internet of Things (IoT) – A “Rubik’s Cube” of Passwords

Technology is meant to make our lives easier and, in most cases, it does. Communications and Internet access using mobile devices allow us to do everything we did 10-15 years ago in the confines of our homes and offices almost anywhere in the world. The ability to detach ourselves from wires and expensive business equipment has enriched our lives and made us more productive at work.

Now the next stage of technology upgrades is upon us, or will be soon: the Internet of Things (IoT) – or, as some refer to it, the Internet of Everything. It is the concept of interconnecting uniquely identifiable devices with the existing Internet infrastructure – seamlessly moving all kinds of data among the devices and a variety of storage platforms.

For example, devices can range from heart monitoring implants, biochip transponders on farm animals, an automobile with built-in sensors, to field operation devices that assist firefighters in search and rescue.  If you have a “connected home,” you’re already experiencing the IoT.

According to Gartner Research, there will be nearly 26 billion devices on the Internet of Things by 2020.  Another firm, ABI Research, estimates that more than 30 billion devices will be wirelessly connected.  Depending on population growth over that same period, on average, that’s about four devices for every person – but you can’t make that simple assumption.  There will be a concentration of devices by geography and population based on social and financial parameters.

The biggest area of concern for IoT pundits, and companies expected to play a large part in bringing this phenomenon to life, is security. An executive from Intel recently said the Internet of Things needs its own security model in order to fully protect user data, and to allow that data to be shared in a secure, personalized way. This is a huge stumbling block for companies making large investments in developing products and services for broad acceptance and use by consumers and business.

This is just the tip of the security iceberg.  Think about how this impacts the average person.  How many passwords do most people have for all their accounts, apps, services, etc.?  Personally, I have so many I’ve resorted to a “password keeper” app on my smartphone.  So how does someone securely manage all of their personal, financial, health and other data that is supposed to traverse the IoT?

How do you solve the Rubik’s Cube of password security?

Secure biometrics can be the solution to remembering the dozens of passwords required today to conduct our daily lives.  As fingerprint sensors are embedded into more mobile devices and fixed ID modules, the ability to use one, or several fingers, to securely identify oneself and access information is a convenient alternative to traditional passwords or PINs.

Just as IoT security is still being researched and developed, mobile biometric solutions are also evolving as we speak.   While users of the latest Apple and Samsung mobile devices enjoy the ability to use a finger to conveniently unlock the phone, the level of security is woefully inadequate to handle the kind of personal data transmitted and delivered over the IoT.  Both companies’ fingerprint-authentication features were spoofed, or hacked, within two days of being introduced.

But solutions are on the way and becoming more available on a daily basis. The FIDO Alliance, an organization NexID has recently joined, is an industry consortium revolutionizing online authentication with standards for strong authentication. And speaking for NexID, we are continually working to deliver higher accuracy “fake finger detection” technology, often referred to as “liveness detection,” onto smaller and mobile platforms. To that end, look for us to introduce new solutions for “embedded” and mobile fingerprint sensors in the coming weeks.

Liveness detection adds a required level of security that helps to ensure that authentication on a device is valid, eliminating many of the security hurdles faced by the IoT at the starting point of the interaction. Authorization for a mobile payment or healthcare application, and the information interchange over the IoT, starts and ends with the user, so placing the first level of encryption at that point helps to ensure privacy and security of the data.

When the IoT becomes easy, understandable, affordable and most of all, secure, this next stage of technology will impact our lives as much as mobility has in the past ten years.

Apple Patent Acknowledges Vulnerability to Spoofing

From reading the recent announcement of Apple’s “Doodle” innovation … http://www.biometricupdate.com/201404/uspto-publishes-apple-patent-application-addressing-biometric-spoofing, it’s great to see Apple acknowledging that biometric spoofing is a serious issue, and one that needs to be addressed with the iPhone 5S and with what they have coming.

As I’ve mentioned recently, the 5S has certainly validated the convenience aspect of fingerprint authentication on mobile devices, but its current level of security remains highly vulnerable to spoofing. Failing to address this vulnerability in the 5S and other mobile devices with integrated fingerprint sensors could potentially retard adoption of biometric authentication for mobile commerce and other mobile-centric applications’ security requirements.

While it’s possible the Doodle innovation might raise the operational challenge of readily spoofing the iPhone 5S, it appears to lack any ability to determine the presence of a spoof-derived fingerprint image. Legitimate anti-spoofing (a.k.a. liveness detection) solutions have that ability, and are easily integrated with existing fingerprint authentication technology. At NexID our live finger detection (LFD) technology has been utilized by traditional fingerprint scanning devices for over seven years, and recently became available for mobile device integration. Look forward to seeing “Mobile LFD” from NexID in future mobile devices with integrated fingerprint sensors.

Samsung Galaxy S5 Spoofed by SRLabs

Well, it’s déjà vu all over again. The fine folks at SRLabs took the opportunity to again demonstrate the vulnerability to spoofing that exists among fingerprint sensors lacking spoof mitigation (a.k.a. liveness detection) technology. This recent effort targeted the newly released Samsung Galaxy S5 … http://www.sammobile.com/2014/04/15/galaxy-s5s-fingerprint-scanner-can-be-easily-hacked/ … and yielded the same outcome as their previous exposure of this vulnerability in the Apple iPhone 5S.

Thankfully, at least one solution is coming to the rescue … Mobile LFD from NexID … and will hopefully be incorporated into future devices from several manufacturers, or existing devices that have their fingerprint sensors updated with this software-based solution. The Android version of Mobile LFD is on schedule for release in May and we will be sure to make everyone aware of the release date when known.

NexID Participates in 2014 Connect:ID Expo

NexID participated in the inaugural Connect:ID Expo this past week at the Ronald Reagan Building in Washington, D.C. NexID joined approximately 40 other vendors as booth exhibitors and our CEO, Dr. Stephanie Schuckers, was a presenter on Day 1 of the Expo, speaking on fake fingers, liveness detection and ID template protection.

We also took the opportunity to announce our latest product, Mobile LFD, a completely “re-architected” version of our live-finger-detection solution targeted at the mobile device and embedded products market.

We were pleased with all aspects of the Expo, especially the media coverage of our Mobile LFD announcement. All of our media conversations were interesting, including that with Natasha Singer of The New York Times. As for the venue, the Ronald Reagan Building is spectacular and quite ideal for such a gathering. Our hats go off to Science Media Partners and the IBIA for an outstanding inaugural event.

As evidenced by a number of seminars on the topic, along with exhibit area conversations, mobile biometrics continues to be the hot topic of the industry. Examples from the program include tracks focusing on enhancing security and convenience with mobile identity, digital identity in the era of hyper-mobility, and identity solutions for banking and healthcare. I look forward to future biometrics conferences following Connect:ID’s lead in focusing additional program space on the topic of mobile identity.

NexID Welcomes U.S. Congressman Bill Owens

NexID was pleased to welcome U.S. Congressman Bill Owens to our offices on March 10, 2014. Congressman Owens represents New York’s 21st Congressional District and has been a strong advocate for new venture creation and small business development since coming to office in 2009. His web site is located at https://owens.house.gov.

Our conversation began with a discussion of various potential threats that can occur with fingerprint spoofing, including one we hadn’t considered until Congressman Owens’ visit. According to the Congressman, firearms manufacturers are beginning to design biometric locks into their products, along with accessory providers (e.g., www.intelligun.com). Since many biometrics systems are vulnerable to being spoofed, one can quickly imagine gun owners having their biometric gun locks spoofed, thereby exposing them to being blamed for crimes committed that involved their firearms. Talk about an incentive for spoof mitigation!

Rep. Owens also took time to connect us with another company in his district that also serves the biometrics industry, specifically Fujitsu, located in Plattsburgh, N.Y. We greatly appreciate the Congressman’s interest in NexID and our liveness detection solution, and hope to welcome him to our offices again. Lastly, Scott Dosztan, News Director for WPDM Radio, captured the interview on tape, highlights of which can be listened to here.

Unleashing the Potential of Mobile Biometric Security

The trend of mobile biometric authentication gained further momentum this past week with the introduction of Samsung’s Galaxy S5. The fingerprint swipe sensor located just above the home button on the S5 allows users to enroll up to three fingerprints and then unlock the phone, or even authorize PayPal payments, with just a swipe of an enrolled finger. Additional functionality can also be authorized with a finger swipe, such as providing access to “private” data stored on the phone. Unfortunately, it does not appear that the S5’s fingerprint reader is outfitted with liveness detection technology, and is therefore likely to be vulnerable to fake finger spoofing.

That said, Apple’s Touch ID, the Galaxy S5, the HTC One Max, and other mobile handsets incorporating fingerprint biometrics are all good indicators of the future potential of mobile biometric authentication. Indeed, mobile biometrics are expected to be pervasive among handsets in the coming years. As Goode Intelligence predicts, “By 2018, 3.4 billion people will have a mobile device with a biometric sensor.” But will mobile biometric security live up to its potential?

If all that comes of mobile biometrics is a more convenient means for unlocking one’s phone, then I would suggest that potential has not been met. Most visions for mobile biometric security include utilizing this convenience factor in all aspects of a mobile device’s utility in our daily lives. From mobile commerce to remotely accessing our employer’s network to updating our health care records, our mobile devices will be integrated into the majority of our daily activities.

So how do we get from just unlocking the phone to using convenient biometric authentication throughout the days and weeks of our busy lives, all while leaving PINs and passwords far behind? I would argue that device manufacturers (and their biometric sensor partners), need to build confidence among their user communities that mobile biometrics are not only convenient, but also secure. Liveness detection has the single purpose of instilling such confidence.

Until such confidence has been achieved, not only will users be hesitant to expand the utility of mobile biometrics, but the companies providing that utility will not feel compelled to integrate biometric authentication into their applications and services either. At NexID we are busy integrating our liveness detection technology with fingerprint sensors being targeted for the mobile device market. And as these deployments work their way through product design cycles and into the market, we expect such confidence to build, thereby facilitating the full potential of mobile biometric security.

Apple iPhone 5S: The Watershed Moment for Biometric Authentication … and why Liveness Detection Matters

In his presentation to the October 2013 Biometric Consortium Conference, Dr. Joseph Atick of Identity Counsel International described the introduction of the Apple iPhone 5S as a “watershed moment” for the biometrics industry. Moreover, in reviewing a sampling of commentaries and press releases from industry observers and stakeholders like the European Association of Biometrics, the Biometrics Institute and others, it would appear numerous other people share Dr. Atick’s assessment.

We couldn’t agree more with Dr. Atick and the chorus of industry observers sharing his opinion. Personally, I would add that this moment applies equally to liveness detection – the ability for biometric authentication systems to identify and mitigate spoofing attacks.

Dr. Atick’s presentation discussed how personal identity is becoming “mobile and transactional,” and that the key element of the biometric value proposition is in securing mobile commerce transactions and managing online identity in a highly convenient manner … just “click and go.” Such convenience is tipping the balance away from PIN/password-based authentication and toward biometrics. This in turn should facilitate more pervasive development of secure mobile applications in such industries as banking, healthcare and, of course, mobile commerce. And liveness detection goes from being the “elephant in the room” to a critical element of any biometric mobile security solution.

Like others, I believe it is both the immense scale of the iPhone 5S adoption and its introduction of biometrics to the consumer market that make it a watershed / paradigm-shift moment. According to Sebastien Taveau, Chief Evangelist at Synaptics’ Biometric Product Division, the daily volume of iPhone 5S shipments approximates the monthly volume of sensor shipments of former leading sensor manufacturers Validity Sensors and Authentec combined. Accordingly, the iPhone 5S is considered one of the largest ever deployments of biometric sensors, and clearly demarcates the recent hockey stick curve in the industry’s unit volume shipments.

Literally overnight, fingerprint-sensor manufacturers have an entirely new market landscape to lay claim to. That landscape, of course, is the non-iOS field of mobile devices. With Apple’s acquisition of Authentec removing one of the top sensor manufacturers from the fray, the subsequent iPhone 5S introduction then reshuffled the remaining sensor industry leadership by vaulting mobile device compatible sensors into the highest levels of demand. Validity (now Synaptics), Fingerprint Cards AB, IDEX and others offering such sensors are now scrambling to secure as many design wins as possible to help Android and Microsoft mobile devices to catch up with the iPhone 5S. And given the aggressive valuations of these companies (relative to more traditional sensor/scanner companies), the expected consumer adoption of mobile biometric authentication appears enormous.

Accompanying the iPhone 5S are other occurrences and trends that should only leverage and magnify this moment in biometrics history. The establishment of the FIDO Alliance will facilitate standards of interoperability among biometric authentication solutions as they quickly proliferate in the market. The trend of enterprise policies toward BYOD (bring your own device) is another driver in the adoption of mobile biometric security. And in the background for some time now has been NFC (near field communication), waiting for enhancements to mobile device security so as to speed up adoption of its application to mobile commerce at retail points of sale.

At NexID, we look forward to playing our part in enabling the pervasive use of mobile biometric authentication with new liveness detection solutions targeting this space. Look for more news on these solutions later in Q1.

BYOD and Mobile Device Security

The issue of “end node security” is a difficult challenge for enterprise CIOs forced to deal with today’s BYOD trend (Bring Your Own Device). A new wrinkle to this challenge is the increasing adoption of mobile biometrics, à la the Apple iPhone 5S and other biometric-enabled handsets coming to the market. NexID’s Liveness Detection technology expects to play a significant role in BYOD security.

On one hand the inclusion of biometric authentication can A) encourage users who currently do not utilize any security measures for their device to invoke the device’s locking feature using biometric authentication, B) add additional security for users currently using PINs/passwords by using the biometric sensor as a second authentication factor, and C) facilitate personal versus professional security in a BYOD environment.

On the other hand, users choosing to rely solely on the biometric sensor for securing their devices need to be aware of its limitations, especially with regard to biometric spoofing. For fingerprint sensors, this vulnerability was sensationalized by the spoofing of the iPhone 5S within days of its release (http://www.theguardian.com/technology/2013/sep/22/apple-iphone-fingerprint-scanner-hacked). While industry experts will debate the risk level of a spoof-related attack on a mobile device, suffice it to say that it’s readily feasible should a knowledgeable perpetrator target a mobile device linked to high value resources.

I’m betting that the convenience of biometric authentication will drive its adoption by end-users, but it will take more robust and secure implementations of this feature to put CIOs at ease and encourage greater proliferation of mobile applications that involve higher levels of information or transaction risk (e.g., accessing enterprise resources or online purchases, respectively). Some of these measures are already underway, such as trusted ID platforms (think the 5S’ Secure Enclave and Samsung’s KNOX Container), which protect biometric information once it’s captured by the sensor.

For fingerprint authentication, to ensure the captured image is the end-user’s live finger (and not a fake finger spoof), these mobile biometric sensors can implement liveness detection (a.k.a. spoof mitigation) functionality. Among traditional fingerprint scanners, NexID’s software-based liveness detection technology is proven highly effective at detecting spoofs, achieving 96-98% accuracy. We aim to bring that functionality and level of performance to the mobile device market with our forthcoming Mobile LD solution. Look for more news on this forthcoming product later in Q1.

Mobile Device “Land-grab”

Household names such as Apple and Samsung suddenly see biometrics as must-have features for mobile devices, and everyone else is following suit. By next year, fingerprint sensors will be standard on most high-end smartphones and common on most mobile devices by 2018, Goode Intelligence predicts.

That demand will be worth $8.3 billion annually by 2018, which is why there’s a land grab underway among biometric sensor manufacturers. The winners will be the ones capable of delivering key features such as liveness detection on devices that have limited space, power and computing resources to spare for biometrics.

CES 2014 was a convenient opportunity to get an update on how handset manufacturers are implementing biometrics. Since the Apple 5S debuted this past October, rival vendors have responded mainly in Japan, Korea, and China. Examples include products from HTC, Fujitsu, Pantech and Konka, all sporting fingerprint readers from either Validity (now Synaptics) or Fingerprint Cards AB (FPC). In visiting the booths of other mobile device manufacturers, I learned that all will likely be offering biometric authentication in the very near future.

Leading fingerprint sensor manufacturers aggressively competing for the mobile space include FPC, IDEX, Validity and Digital Persona. But iris sensors are also in the running, with rumors that Samsung is deciding between fingerprint or iris-based authentication for its next device.

To capture this initial round of design wins, sensor manufacturers are rushing new products to market that are smaller, with less resolution, and lower cost, all to better “fit” mobile device constraints. Unfortunately, these changes will challenge image quality and therefore limit matching algorithms’ functionality. Moreover, software-based liveness detection (LD) is also challenged by these design parameters.

Longer term (1-2 years), it appears that fingerprint sensor technology will morph and integrate directly with touch screen platens. This should reverse the current trend of smaller image capture and lower image quality, thus improving both matching and LD functionality, along with the end user experience.

To meet current and future LD requirements, NexID is currently working on a new product specifically for mobile and embedded LD applications. Our goal for this “Mobile LD” application is to offer performance parameters currently available with our desktop/laptop application on a mobile and/or embedded device. Look for more news on this forthcoming product in Q1.