Working as security consultants, our day-to-day work consists of advising corporations on the selection, implementation and evaluation of security measures to protect their information. One of our specializations is biometrics. Ton is world famous for his research on the security of fingerprint recognition systems.
Biometrics add a new dimension to identification and authentication of persons. Besides knowledge (e.g. passwords) and possession (e.g. smart cards), biometrics provide new means of security. Biometrics are used to recognize or verify physical or behavioral characteristics of a person. But before deploying any security tool or system, one should carefully examine the sensibility and added value of it, as we do in our daily work. For that purpose it is important to know the strength and weaknesses of the security measure you are about to implement.
To assess the risk and security of the system itself, Ton started the evaluation of biometrical fingerprint recognition systems over 10 years ago. As he discovered back then, the systems have some serious security flaws. We have waited until the year 2000 before making this story known to the public, in order to enable the manufacturers to fix the problems. However, none of the fingerprint systems we have tested have been able to close the security holes in it.
The main issues with fingerprint technology are (see also Article 3 below):
- It seems to be impossible for manufacturers to implement a technology that can distinguish between the upper skin of a finger (which is almost dead material) and artificially created dummy fingers of silicon rubber, acrylic paint, etc.
- Every day, you leave numerous perfect fingerprints behind on glasses, doors, vending machines, tables, and many other places. These latent fingerprints can be lifted and used to create perfect duplicates.
- To create dummy fingers, the techniques require few skills and the materials are readily available (all materials can be bought in normal stores) and cheap (material price is around €10 - €25).
Obviously, other biometric identification or verification do not suffer from (all of) the above weaknesses, but should also be very carefully considered on their purpose, use, and added value before implementing.
- Current state of biometric systems (Dutch article), Informatiebeveiliging magazine, November 1999.
- Biometrics and security, Cards in Business magazine, April 2000.
- Biometrical Fingerprint Recognition: Don't get your fingers burned, Ton van der Putte and Jeroen Keuning. Also published as part of the proceedings of the Fourth Working Conference on Smart Card Research and Advanced Applications (CARDIS 2000) by Kluwer Academic Publishers in Smart Card Research and Advanced Applications, September 2000.
- The finger on the sore point (Dutch article), eVision magazine by Atos Origin, June 2001.
- Forging ahead, Biometric Technology Today, October 2001.
- Fingerprint scanners easily fooled (Dutch article), Telegraaf (Dutch newspaper), May 2002.
Ton van der Putte and Jeroen Keuning (www.biometrics.org)
You can contact us by email at the address biometr at keuning.com