The present invention generally relates to a method for preventing improper authentication in biometric devices. More specifically, the invention relates to a method of detecting and preventing latent-image attacks that take advantage of weaknesses in many existing fingerprint verification schemes.
Security is an issue for many modem transactions. As the world becomes increasingly interconnected and electronic commerce becomes more commonplace, so too does the need for security. Secret identifiers such as passwords and secret personal identification numbers (PINs) have become the normal security mechanism for people conducting transactions at automated teller machines, over the telephone, or over computer networks. While secret identifiers certainly provide a measure of security, they are problematic in that they depend on users memorizing the phrase, code word, security number, etc., for access to sensitive information. This situation is worsened by the proliferation of electronic accounts and transactions which typically force users into having a multitude of secret identifiers to keep track of An attractive alternative to the use of secret identifiers is the use of biometric devices.
Biometric devices include devices that read, for example, fingerprints, retinas, or in some instances, detect voice characteristics. Biometric devices are advantageous for several reasons. Each of the above examples can detect traits that are unique to each individual, and which are largely impossible to forge. No memorization is required by the user to provide this “unique code”. Further this “unique code” required to access the desired information is, for the most part, inseparable from the user, and hence is always available to the user when needed.
Fingerprint scanners have become one of the more common, commercially available biometric security devices. They operate on the principle that every person has fingerprint pattern that is unique to each person. The characteristics of these patterns may be compared to a previously-stored set of characteristics and, if a correlation exists, access is granted to the user.
The optical fingerprint verification scheme calls for the user to press the desired digit against a transparent surface. A scanner on the other side of the surface takes one or more pictures of the fingerprint pattern. The pattern is processed to identify its characteristics, and the characteristic are then compared to the previously-stored set of characteristics to determine if a match exists. Systems that implement this scheme are fairly inexpensive to mass-produce, and they are fairly robust at dealing with issues such as variable placement, orientation, pressure deformation, etc. Nevertheless, they do suffer some potential weaknesses.
As with other biological characteristics, fingerprints in theory are very difficult to forge. As a practical matter, however, living people inevitably acquire a buildup of oils and residue on their skin. As objects are touched by fingers, some of this buildup is transferred from the ridges in our fingerprint patterns to the touched object, producing an image of the fingerprint pattern which is normally invisible. In the course of everyday life, people leave behind latent fingerprint images. If a person can lift one of these latent fingerprints, or recreate a valid fingerprint image from the latent image, and present it to the fingerprint recognition device, the device may recognize it and take a positive action. Just by using the systems as they were meant to be used, the user will normally leave a latent image of his fingerprint pattern on the transparent scanning surface.
One postulated method of attack on these systems involves lightly dusting the transparent surface with a fine powder. The fine powder will adhere to the oils left behind, but be easily removed from any areas where the oils are absent. When illuminated by an external light source, the latent image becomes visible to the scanner. Since the pattern was created by the original fingerprint, the identified characteristics will match those on file, and access will be granted in the absence of any countermeasures. One solution to this type of attack requires users to carry a portable fingerprint platen that is to be placed onto the fingerprint scanner before use. Users then place their fingers on this portable platen. Once access is granted, the user removes the platen and keeps it and any latent fingerprint images with them. While this solution certainly reduces the danger of latent image access, it counteracts at least one of the advantages that fingerprint authorization seeks to offer. That is, it requires users to remember to carry the portable platen at all times.
In situations where portable platens are not a viable option or are not desired, countermeasures must be included in the verification method that will detect latent fingerprint image attacks. It has been recognized that scanners can distinguish real fingerprint patterns from latent or duplicate fingerprint patterns by capturing and comparing multiple images. A typical optical fingerprint scanner consists of a charge-coupled device (CCD) camera and an internal light source. The internal light will illuminate the fingerprint and the carmera will capture the reflected image. A typical frame capture rate is on the order of about several dozen times per second. By comparing successive live images or groups of successive images, the scanner can determine if the image is changing. This countermeasure technique is effective because a live fingerprint image is constantly varying slightly due to changing pressure and motion caused by the user. On the other hand, a latent image remains constant because the latent image on the scanner surface is unchanged. Denying access for a static image thus stymies this attack.
However, it has been discovered that this countermeasure technique can be defeated if this postulated method of attack is augmented. If a strobe light is used to illuminate the static, latent fingerprint image, the scanner can be induced to perceive differences between successive images. These image differences may be sufficient for the latent fingerprint image to be perceived as a real finger, and access may be improvidently granted. It is desirable, therefore, to provide a verification method with improved resistance to latent fingerprint image attacks.