New biometrics software looks for sweat

If new software gets perfected, forget trying to use that severed finger to get past the security gate.

Michael Kanellos Staff Writer, CNET News.com
Michael Kanellos is editor at large at CNET News.com, where he covers hardware, research and development, start-ups and the tech industry overseas.
Sweaty hands might make you unpopular as a dance partner, but they could someday prevent hackers from getting into your bank account.

Researchers at Clarkson University have found that fingerprint readers can be spoofed by fingerprint images lifted with Play-Doh or gelatin, or by a model of a finger molded out of dental plaster. The group even assembled a collection of fingers cut from the hands of cadavers.

In a systematic test of more than 60 of the carefully crafted samples, the researchers found that 90 percent of the fakes could be passed off as the real thing.

But when researchers enhanced the reader with an algorithm that looked for evidence of perspiration, the false-verification rate dropped to 10 percent.

The idea of using perspiration is promising as a way to beat hackers because sweating follows a pattern that can be modeled. In live fingers, perspiration starts around the pore and spreads along the ridges, creating a distinct signature of the process. The algorithm, created by Stephanie Schuckers, associate professor of electrical and computer engineering at Clarkson, detects and accounts for the pattern of perspiration when reading a fingerprint image.

Dead fingers don't sweat.
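The idea above, a moisture pattern that starts at the pores and spreads along the ridge between two captures, can be sketched as follows. This is an added illustration, not the Clarkson algorithm: the one-dimensional ridge model, the "higher value means wetter" convention, the two measures, the thresholds and all function names are assumptions, and the sample signals are constructed.

```python
def ridge_signal(n, period, dry, pore, width, jitter=0):
    """Constructed gray levels sampled along one ridge (assumed: higher = wetter).
    width is how far moisture reaches from each pore, in half pore spacings."""
    sig = []
    for i in range(n):
        r = i % period
        d = min(r, period - r) / (period / 2)   # 0 at a pore, 1 midway between pores
        m = max(0.0, 1.0 - d / width)           # moisture fraction at this sample
        sig.append(dry + (pore - dry) * m + jitter * ((i * 7) % 3 - 1))
    return sig

def liveness_measures(first, second):
    """Compare two aligned captures of the same ridge taken a few seconds apart."""
    if len(first) != len(second) or not first:
        raise ValueError("captures must be aligned and non-empty")
    lo, hi = min(first), max(first)
    swing1, swing2 = hi - lo, max(second) - min(second)
    if swing1 == 0:                             # no pore pattern at all
        return {"swing_ratio": 1.0, "dry_growth": 0.0}
    # Samples that were dry in the first capture (lowest quarter of the swing).
    dry_idx = [i for i, v in enumerate(first) if v <= lo + 0.25 * swing1]
    growth = sum(second[i] - first[i] for i in dry_idx) / len(dry_idx)
    ratio = swing1 / swing2 if swing2 else float("inf")
    return {"swing_ratio": ratio, "dry_growth": growth / swing1}

def is_live(first, second, min_ratio=1.3, min_growth=0.2):
    """Live if the ridge profile flattened AND the dry stretches got wetter."""
    m = liveness_measures(first, second)
    return m["swing_ratio"] >= min_ratio and m["dry_growth"] >= min_growth

# Constructed samples: a live finger whose moisture spreads between captures,
# and a spoof whose second capture differs only by small sensor jitter.
LIVE_T0 = ridge_signal(120, 12, dry=40, pore=200, width=0.3)
LIVE_T5 = ridge_signal(120, 12, dry=40, pore=200, width=2.0)
SPOOF_T0 = ridge_signal(120, 12, dry=40, pore=200, width=0.3)
SPOOF_T5 = ridge_signal(120, 12, dry=40, pore=200, width=0.3, jitter=2)

if __name__ == "__main__":
    print("live :", is_live(LIVE_T0, LIVE_T5), liveness_measures(LIVE_T0, LIVE_T5))
    print("spoof:", is_live(SPOOF_T0, SPOOF_T5), liveness_measures(SPOOF_T0, SPOOF_T5))
```

A single still image cannot pass this check however good the copy is, because both measures depend on change between the two captures.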

"Since liveness detection is based on the recognition of physiological activities as signs of life, we hypothesized that fingerprint images from live fingers would show a specific changing moisture pattern due to perspiration, but cadaver and spoof fingerprint images would not," Schuckers said in a prereleased statement.

The research, funded by a $3.1 million grant from the National Security Agency and conducted in collaboration with other universities, is part of an ongoing effort to improve biometric authentication and identification.

Other methods are in the works as well. Fingerprint readers essentially take a picture of a fingerprint and match it to a sample in the database. To get around spoofs involving lifted fingerprints, NEC researchers have developed technology that actually takes a picture of the tissue underneath the fingertip to get a three-dimensional image that can be matched against a database sample. Fujitsu has developed an authentication technology that looks at vein patterns.

Although biometric identification technologies continue to improve, each has its own flaws. Voice authentication is fairly accurate and tough to spoof, say advocates, but it can be affected by a bad phone connection. Iris scans work well, but are commercially impracticable.

Face scanning is actually less accurate than most, but consultants for the U.S. State Department say that the technology was chosen for electronic passports because that particular identity test seems to make people feel less like criminals.