FAQ Fingerprint

How do stripe and area sensors differ in practice?

With area sensors, the finger to be recognized has to be placed on the sensor statically while for merchantable stripe sensors, also known as strip, swipe, or slide sensors, the same finger area has to be moved (swiped) actively over the sensor stripe. Since semiconductor stripe sensors need significantly less sensor cells than area sensors, their chip area and hence their price can be correspondingly lower. Although state-of-the-art stripe sensors are insensitive to slow, fast, or uneven finger motion, more training is needed than for area sensor to reach familiar low false rejection rates. For that reason, stripe sensors are recommended for applications with regular sensor use. Most area sensors allow a faster authentication as stripe sensors, if the whole process is considered. Due to their functional principle, stripe sensors are unsusceptible to latent image attacks and thus don't need software countermeasures which may increase false rejection rate. Area sensors generally have a lower current consumption than stripe sensors due to their significantly lower reading speed. Together with a suitable mechanical finger guide, stripe sensors, in comparison to area sensors, require a higher spoofing effort for attacks based on mechanical fingerprint copies. Stripe sensors expect an active cooperation of the user. In certain applications this may reduce the danger of accidental authentications, e.g., by unintentionally touching the sensor. Because of their low space requirement, stripe sensors are especially suited to very small devices. Stripe sensors are self-cleaning to a higher extent than area sensors. The decision whether the properties of a sensor type are favorable or unfavorable thus mostly depends on the requirements of a dedicated application. As a result, it cannot be fixed globally. As a rule, one may assume that swipe sensors rather offer security while area sensors tend to ease of use.

What can a user do to avoid false rejections in a fingerprint authentication system?

The finger should be clean (free of sticky residue and grease), and depending on the sensor, should not be too damp or too dry (breathe on it!).  The finger should always be applied on the sensor in the same manner (same position, same direction) and with uniform pressure  (e.g., avoid pressing while twisting). The more finger area the sensor "sees", the better (i.e., don't use the finger tip!). With older stripe sensors swipe the finger even and consistently over the sensor with the correct speed (try it!) without lifting your finger. Especially stripe sensors need some practice. For that reason it may pay to repeat enrolment. If the enrolment was insufficient, normal recognition cannot be optimal!

How do wounds affect identification?

If a wound is not too deep, the finger lines will fully regenerate to their original state.  Deep cuts leave line forming scars, and should be recognized as such by good identification algorithms, thereby barely impairing the identification performance.  Most systems offer the possibility to record a "substitute finger" in enrollment, so that a fingerprint authentication can still take place during the healing process.

Can a fingerprint be copied?

Yes. Almost all biometric features can be copied at varying expense.  Fingerprints can be copied in the form of data sets, paper prints, wax molds, etc.  It is possible with criminal technical methods to observe, analyze, and copy latent fingerprints unwittingly left behind on beer glasses or door handles. One of the oldest descriptions of a high tech copy procedure has been given in a novel from R. Austin Freeman [Freeman]: Take a plate of chromate gelatin, expose this plate with the slide of the fingerprint and wash out the surface. Thereby those locations which have not been hardened by light are removed, thus leaving a fingerprint relief. Whether the copy is recognized as such or is accepted as the original depends on the fingerprint sensor and the analysis algorithm.  Ultimately, however, the specific use dictates whether copying is worth while at all and whether it can be harmful.  In most applications, it helps very little if a forger can make an exact copy of his own finger.  From optimized protection systems, one can expect that a copy will cause no damage.

How easy is it to copy a fingerprint?

It is relatively easy and inexpensive to copy the own fingerprint (may be compared with the manufacturing of a duplicate key). This may be done in the form of a rubber stamp which may be delivered by a stamp manufacturer on the basis of an electronic fingerprint template. Mechanical copies require as interim step a negative. Paper copies are made using a stamp pad. Copies from the own finger are a risk for systems for which the feint of an authentication by a complice can result in a damage (e.g., attendance system: feint of attendance by abandoning a suitable fingerprint copy to a colleague). Much more complicated is the manufacturing of a finger image copy from a non-cooperative person (feature theft). Here one has to get access to a fitting fingerprint of the foreign person. One way is to find latent fingerprints. However, latent prints often are difficult to find have a quality which in fact allow a dactyloscopic analysis, but which are inapplicable to electronic fingerprint verification systems belong to the wrong finger show the false area cannot be gathered without leaving significant traces (e.g., graphite powder) In security considerations often (but misleadingly) "cooperative victims" are supposed. To acquire the own latent print or that of a conscious contributor is relatively easy. It depends from the assurance requirement of an application whether a fingerprint authentication system must be able to distinguish between copied prints and authentic prints or if the fingerprint may be considered as a secret.

What is compromisation of a fingerprint?

Compromisation here signifies the stealing of a fingerprint's data set which is subsequently misused.  When an application is based on keeping a fingerprint secret, it can naturally have serious consequences, as every finger is one of a kind, but (unlike a password) is not changeable.  Fingers previously compromised can eventually no longer be used.

Is the possibility of fingerprint compromisation a problem?

No, provided that the system is soundly laid out.  A system's release of its own fingerprints is not a problem, when for example the application does not receive a fingerprint data set from just anywhere, instead the data can arrive exclusively via the sensor which is secure.  Appropriate measures can be added to the sensor to reject mechanical fingerprint copies from a released data set, e.g., through a liveness detection. A personal pass provides a nice example for the possibility of reliable verification even for public biometric characteristics (here the face).  It suffices if the personal pass is forgery proof, i.e. forgeries are relatively easy to recognize.

What measures can be taken against forgery?

The possibility to copy is no problem in many applications, because of high cost, long processing time, or because registered users can control access themselves (fingerprint mobile phone, gun trigger safety).  In high-security applications, extra measures have to be taken, to ensure that the authorized user's real fingerprint is used.  Here are a few examples: Addition of extra biometric features including prints of additional fingers to increase forgery expense Fake detection by checking material and structure of finger tissue Liveness detection as protection against simple copies measuring of levels of blood oxygen by determining the hemoglobin concentration based on the varying absorption of infrared light wavelengths. testing the finger reaction to sensor stimuli temperature measurements skin resistance measures pulse measures blood flow measure Limiting the size of analysis area The area of analysis is limited to a special part of the fingerprint, in order to ensure that remnants of fingerprints left behind by chance cannot be processed and misused. The probability then that the copied fingerprint matches this small part is minimal.  This technique presumes that the finger can be repeatedly accurately positioned (e.g., with a finger guide) and that the number of authentication trials is limited. Use of a fingerprint smart card If the entire fingerprint processing, including the sensor and feature storage, is combined with a unique key pair (consisting of private and public keys), one obtains a unique combination of property, secret knowledge and biometrics, which can identify a user for any application or service.  A forgery requires that the card falls into the wrong hands.  In this case, the unchangeable key on the card can be blocked in the application.  The card is then useless to the forger.  If lost, the user must obtain a new card containing a new unique key, save the fingerprint again, and re-register for all applications and services.  Of course one can avoid this process by simply having a back-up card with different keys.

Is a fake detection test necessary for all applications?

No.  In practice, forgers must overcome further hurdles beyond the biometric authentication.  The following examples should illustrate: At home, one uses fingerprint authentication for access to the internet, so remembering or writing down a password is not necessary.  A burglar will not have enough time to copy the appropriate finger.  Naturally, he could take the entire PC including the authentication setting mode, and at his leisure make copies of the collected fingerprints (although searching for passwords would be much easier).  In the meantime, however, the victim would notice the theft and change the password for internet access activated by fingerprint. Again, take the case of fingerprint authentication for internet access.  Further family members could gain access to an online account (e.g., a bank) via a finger copy.  "Unfortunately" all transactions are documented and the foul play would be discovered, rendering this type of unauthorized access not worth while.  Essentially more critical would be the stealing a password, because access to an account would be possible from computers other than the home PC, increasing the number of possible perpetrators.

How is the similarity of two fingerprints determined based on minutia?

Successively recorded fingerprints are never identical, rather are at best highly 'similar' due to differences in finger position, application pressure, finger angle, dirtiness, and the physiological constitution of the user.  The measure of similarity is given a score.  The higher this score, the more similar the fingerprint, and vice versa.  During the matching process in minutia based systems, one tries to minimize the influence of positioning and angle discrepancy, and incidentally size variations (in order to calculate out the effects of growth until around 18 years).  The actual picture is adjusted and rotated with respect to the reference picture until the distance between minutia is minimized.  The resulting similarity score, then depends on the following: Number of minutia in agreement Exactness of the positioning agreement Degree of agreement of the minutia directions Type of minutia agreement (line ending versus branching) All values will be weighted with the picture quality near a minutia Basically one can say that few, but very strongly matching minutia can receive a similar score as a case with many, but weakly matching minutia.

When was the uniqueness of fingerprints first used?

In China since at least 700 AD, fingerprints were used to officially certify contracts.  In Europe in 1858, fingerprint use in fighting crime was proposed and was implemented in Germany in 1903.  [Heindl 1922, pps. 1-108]

How does the use of multiple fingers affect a verification?

There are two extreme cases: All N (N<11) fingers must be recognized For N>1, at least 1 Finger must be recognized In Case 1, the false acceptance rate FAR improves (provided that the fingers n (0 < n < N+1) are statistically independent) according to: FAR = FAR1FAR2FAR3···FARN where FARn is the FAR of finger n =>  FAR = FAR1N if all FARn equal FAR1 while the false rejection rate gets worse: FRR = 1 - (1 - FRR1)(1 - FRR2)(1 - FRR3)···(1 - FRRN) => FRR = 1 - (1 - FRR1)N if all FRRn equal FRR1 =>  FRR ~  N·FRR1 if additionally N·FRR1 << 1 In Case 2 it is exactly the opposite: FAR = 1 - (1 - FAR1)(1 - FAR2)(1 - FAR3)···(1 - FARN) => FAR = 1 - (1 - FAR1)N if all FARn equal FAR1, n = 2,...,N =>  FAR ~  N·FAR1 if additionally N·FAR1 << 1 and for the FRR: FRR = FRR1FRR2FRR3···FRRN => FRR = FRR1N if all FRRn equal FRR1, n = 2,...,N Note that the assumption of statistic independence appears justifiable based on the hypothesis of uniqueness. Imperfections such as a dirty finger generally, however, often coincide with other fingers, so that a certain statistical dependence cannot be avoided.  For the Case 2, this means a reduced improvement of FRR.  Furthermore, in practice it is rare that the performance data FAR and FRR are the same for every finger n. Cases 1 and 2 are extreme cases.  With suitable systems, the information fusion allows 'intermediate levels' to exist.  In principle, every set recognition threshold should have a way, which by combining multiple fingerprints makes a simultaneous improvement of FAR and FRR possible.

Is there proof for the uniqueness of a fingerprint?

The uniqueness of a fingerprint is a working hypothesis which in the mathematical sense is difficult (if not impossible) to prove.  The opposite is more provable, namely finding two identical fingers.  Until now, no two fingerprints from different fingers have been found which are identical. This holds true even for identical twins, between right and left fingers and can be anticipated also for clones. In a scientific sense, the term uniqueness has to be replaced by the probability to find two identical fingerprints from different fingers. This probability may be determined empirically by comparing all fingerprints of a forensic data base against each other. For example, if such a collection contains 100 million fingerprints, a probability of nearly 10-14 should be provable (due to inter-dependencies this probability is assumed to be higher but should lie below 10-6). However, such a large trial has not yet been undertaken until today. Furthermore, the probability for misnaming fingerprints (fingerprints from the same person/finger are filed under different names) is supposed to be much higher. This experience is well known from experiments with much smaller collections. As a result, the outcome of such a trial may become quite questionable. A scientific investigation of the individuality of fingerprints has been published by [Pankant et al. 2001].

What are minutiae?

Minutiae are the endings and the branchings of the finger lines.  Because these follow a strong random pattern, they are the carriers of "uniqueness".

Fingerprint authentication is suitable for which applications?

PC access PC network access (internet, intranet, ...) Access to rooms (key replacement) Safety on weapons: no access for children and other unauthorized users Mobile phones: network access, theft protection, mobile financial transactions, ... ID: company pass, personal identification, club ID, ... Credit cards, bank cards, EC cards Automobile: Seats, mirrors, temperature, and other personal settings Automation of hotels (e.g., check-in and room access) Company vending machines (soft drinks, ...) Participation in sporting events Memberships (discotheques, tanning salons, slot machines, video stores, ...) Personal access to patient records ...

Which finger is most suitable for reaching high performance recognition?

In principle, every finger is suitable to give prints for authentication purposes.  However, there are differences between the 10 fingers, which are expressed in different performance for FAR, FRR and FTE.  These differences are based on: different finger qualities (use, moisture, ...) different sizes different ergonomics (e.g., systems ergonomically optimized for the thumb are only usable by other fingers with contortion) whereby the type of sensor also reacts in specific ways to these differences.  In most cases one can assume that the index finger obtains the best performance regarding FAR and FRR.

How does reduction of the fingerprint area affect performance?

The size of a fingerprint generally determines the cost of a fingerprint sensor, the size of the reference trait's saved data file, and last but not least, the processing time.  Therefore it can be advantageous to process only part of the fingerprint.  But how does this reduction affect performance? A rough estimation is possible, if one simply assumes that different areas of the fingerprint are statistically independent of each other with respect to the analyzed features. In this case, the same treatment as for multiple fingers applies, only that the number of fingers is replaced by a size factor.  Also here, the two same extreme cases are treated, whereby the "conjunctions" AND or OR depend on the algorithms used and thus generally lie outside of the area of influence of the system integrator.  In principle however, a reduction in the area of a fingerprint results in a reduction of overall performance.  (This treatment does not apply for different prints from different fingers.  Here, by all means, smaller fingerprints may achieve better performance than large fingerprints!)

Why is a good finger guide important?

Modern cost effective fingerprint sensors are generally smaller than a complete fingerprint, and therefore process only part of the fingerprint. Suitable mechanical finger guides nevertheless may lead to a good recognition performance. A good finger guide has the following characteristics: it will always record nearly the same part of the fingerprint it is suitable for both large and small fingers it also works with long fingernails it is comfortable it ensures that the fingers covers the entire sensor surface users can intuitively and correctly use it it allows use with all fingers from both the right and left hand it makes the application of fingerprint fakes more difficult

Against which attacks must a fingerprint system be secured?

If the fingerprint recognition is a part of a security concept, one has to expect specialized attacks. The application determines quality and quantity of the security requirement. The bandwidth extends from sole convenience applications up to high security applications with its corresponding high potential of damage. But even with the same potential of damage, not every kind of attack is evenly meaningful. Therefore, for each application scenario the expected attacks and their probability has to be determined to be able to find out which is the expense for countermeasures against each kind of attack. Another procedure may become inevitable, if a planned security concept turns out to be impracticable for a certain application. This concerns questions like "identification or verification", "local or central reference data bases", employment of chipcard with or without cryptoprocessor, or public versus non-public access to the fingerprint system. By a suitable choice of the security concept the requirements for the protection of the biometric component sometimes may be reduced considerably. In other cases, the result of the security analysis may directly lead the way to other biometric features than fingerprint!

What kind of attacks against fingerprint systems are imaginable?

The following list compiles the most important attacks to biometric security components. It depends on the actual application, against which attacks security measures are necessary. Brute force attack A brute force attack is an attack which offers a large number of different biometric features to the authentication system, anticipating a coincidence with the stored reference feature. The probability for success is given by the False Acceptance Rate (FAR). Note that the number of references in an identification system greatly influences the FAR! When specifying an FAR for fingerprint systems, it should be taken into consideration that every non-authorized person has ten fingers with completely different features. Ten trials with different fingerprints will increase the probability for a false acceptance by nearly a factor of 10! Latent print attacks In fingerprint systems, a latent print recognition is necessary, depending upon the sensor type. This is because traces from the last fingerprint remain on the sensor and may be activated, e.g., by breathing upon the sensor surface. There are several measures against latent print acceptance available. Q.v. "How dangerous are latent prints on the sensor?". Replay attacks Depending on application and mechanical realization, replay attacks between sensor and processing unit may pose problems or not. An USB sensing device, e.g., needs special USB equipment to carry out replay attacks, however most attacks may be blocked by software which is able to detect succeeding features which differ too little. In office applications, replay attacks are much more difficult to perform than via keyboard when using passwords. Trojan horse attacks Theoretically, trojan horses may serve to perform replay attacks or to change the security adjustments of the PC's registry without user perception. This has to be prevented by up-to-date virus scanners. A better method is to perform all biometric processing in a separate hardware outside the PC. Fake feature attacks In biometric systems, it might be possible to make mechanical copies of the feature to fool the sensor device (spoofing). While a liveness detection is suited to prevent attacks from dead body parts, a fake feature detection generally has to be much more sophisticated. Dead feature attacks In biometric systems, it might be possible to obtain a positive identification with cut or dead body parts. If the application is susceptible to such attacks, a liveness detection will help. Examples are optical blood oxygen measurement or measurement of the response to controlled stimulation. Hill climbing attacks To prevent hill climbing attacks, the score values must not be shown to the user (at least in too fine intervals). [Soutar 2002] Software leaks The most relevant security risk when designing security systems is that erroneous code or system faults may open security holes. This has to be prevented by extensive testing by security experts. Use of force An authorized person can forced to carry out an authentication with his own features to grant access to another person. Even the state of unconsciousness may be abused for that purpose. Other attacks All interfaces within the whole system have to be secured, if necessary. The reference archive has to be protected against manipulation. Unknown attacks It is most unlikely that all possible kind of attacks are known in advance.

How dangerous are latent prints on the sensor?

In test reports about fingerprint sensor devices occasionally is criticized that residuals of the fingerprint of an authorized person remaining on the sensor might be activated by an attacker to gain unauthorized access (e.g., by breathing on the sensor). This effect indeed can be demonstrated with a couple of sensor types (e.g., capacitive and optical surface sensors). However, this effect requires the sensor to be clean or cleansed (which is often not even notified by the testers!). Touching the sensor surface several times degrades the quality of the latent prints in such a way that a false acceptance becomes very unlikely. Since in practice a cleaning of the sensor is hardly ever necessary, latent prints on a sensor are a much smaller risk than generally supposed. The remaining risk might be further reduced by software, if fingerprints are refused whose position coincide too much with the last positively verified fingerprint. This may be attained by storing the position coordinates. Precondition for this method to work is, however, that the authorized person only touches the sensor if an authentication is requested. If the authorized person leaves a latent print on an inactive (and cleansed!) sensor, this way of latent print detection has no chance! A further software method to prevent reactivations of latent prints, is to slightly shift the finger during authentication such that a double recognition becomes possible at different sensor coordinates.

Question to come

Text