For years, biometric finger scanners have been used in ATMs and at the cash register. But there are problems with finger scanners. Researchers have demonstrated how a flat photograph or molded fingertip can easily fool these devices into giving a false approval. And while face recognition is improving, especially 3D facial mapping, these devices aren't yet in wide use today.
Fujitsu PalmSecure is another option. Already in use in hospitals and government offices, the device reads the hand's vein pattern using near-infrared light. On this week's Security Bites podcast, I spoke with Joel Hagberg, vice president of marketing and business development at Fujitsu Computer Products of America, about the technology.
Below is a transcript of part of my interview. The entire podcast can be heard here.
Hagberg: Fujitsu has worked in biometrics for many years with fingerprint sensors and scanners--both in the manufacturing and the marketing of those technologies. We work with the corporate clients and government clients of Fujitsu Limited, and there has been an interest in moving the level of security up and beyond what fingerprints were able to provide. When you look at the fingerprint sensors and fingerprint biometrics, there is a strong opportunity to utilize those for a range of handheld or low-cost devices where individual usage carries a lot of security threat. It's not a major concern as is maybe other types of computer systems or physical sites and locations where fingerprints can easily be compromised. If you look at the range of university professors looking to spoof different types of biometrics, they are able to take fingerprint records and etch a fingerprint into a piece of latex and then the sensors or touch pads, you know, read air gaps. Having someone that has built an artificial finger is able to easily compromise most fingerprint sensors in the market. Our customers are looking at ways to overcome that potential threat with a higher level of biometric authentication.
Q: What is that method that you came up with?
Hagberg: Fujitsu looked at a range of products and determined that vascular authentication--reading vein patterns and specifically in the Palm--is best. Our product is called PalmSecure, and what it does it takes a snapshot of blood moving through your vein. Looking into it from three-letter agencies and the government which are very high in security, department of defense applications, this says something. They call it Liveness Detection, which means you have a live body with biometric authentication. Many other biometric authentications can be fooled without live bodies or without live body parts. Fingerprint and iris scans are examples. You'll see in many modern-day movies or television shows like 24, where people use body parts to overcome and bypass biometric security. With our product you're looking at moving the deoxidized hemoglobin that's moving through the vein pattern. You have a near-infrared signal that comes up from a sensor; it reflects off of the hand. The blue blood that's moving without oxygen through your hand actually absorbs the light and what's emitted back is the pattern, the vein pattern. It absorbs that light that's emitted from the sensor.
Q: Ultimately, though, this is still an image, is it not?
Hagberg: Yes, that's correct, it's an image. But it's the image of moving blood, not of a static pattern. So there are many of professors in the universities in Japan who have been making a practice of trying to spoof biometrics, and they've been unsuccessful here. They've broken every other biometric except for our vascular vein PalmSecure Product.
Q: But with all biometric devices there is a variance factor. The scan that I do today isn't going to be exactly the scan that I do tomorrow, is that correct?
Hagberg: Well, I think with anything you take it from kind of a multiple snapshot scan of the pattern in your hand. Fujitsu's research into this over the last 10 years--of working with the product and in general--has shown that there is no variance in your vein pattern without catastrophic injury--meaning losing part of you hand. If you have a cut on the external surface of your hand or other damage externally, it doesn't affect the blood flow through the vein pattern. Your muscle or structure of your hand is developed from childhood and continues as you move to adulthood. Those veins have settled into place. So the vein pattern signature that you see when you register stays the same. The vein pattern from number of years ago when I registered is no different than when I walk through the facility today to get into our building.
Q: I guess what I was after--I know with certain retina scans you have to fix your eye on a certain dot and then it takes a only scan of a particular region. So you're looking at the entire hand--you're not looking at a subpart of the palm?
Hagberg: Correct. That's one of the differences. We looked at iris scan. We looked at facial recognition software and other types of voice recognition software in our thoughts about moving to a higher level modality of biometrics. We determined the iris scan--just from a peer use standpoint, as you highlighted--you're constantly concerned about the pattern or the particular area in the iris you're looking at but you have a use concern. I met with some very high-level executives within IT departments of the U.S. security agencies in the last month and I asked them how many of them were comfortable having their iris scanned everyday. Not one hand went up. So, that's what we found in research in Japan. With both government and corporate employees, they wondered what happens to your eye when it's scanned everyday for the next five years. Even though you'll say it's harmless, they don't feel comfortable about it. The other thing that we also uncovered in our focus groups and customer discussions was contact. When you look at fingerprint or you look at any other even iris you're either touching a pad with a fingerprint or you're leaning against something, a pad for an iris, to position your eye correctly. Say the person in front of you is sweating, they're leaning against this pad or touch that pad or they're leaving SARS or avian flu, you know, on that device for you to touch and your eye is one of the most sensitive areas in terms of the transmission of disease; so are your hands. Touching things with your hands or getting close to touching things with your eyes is a concern for transmission of disease. Having a contact-less product like ours where you are holding your hand above the device has satisfied that hygiene and kind of transference of potential contagious disease concerns that we uncovered in our research. We've addressed it where I think iris and fingerprints still have a long way to go to address those concerns.