
Faking vein scans is doable but maybe only after every single other option is exhausted


Researchers with access security player Duo Security have written about experiments they have conducted using near infrared light for authentication. They wanted some practical experience with near-IR in a biometrics role — specifically, imaging arm, hand and face veins.

Duo Security was bought by networking pioneer Cisco Systems in 2018 for $2.35 billion. Duo sells cloud-based unified access security and multi-factor authentication products.

The team’s work, laid out in a Duo post, found that a common digital single-lens reflex camera with various IR filters can be reconfigured to record veins relatively clearly in real time with an infrared light source of 940nm combined with a 950nm lens filter. The DIY vein scanner could then theoretically be used to capture images for use in spoof attacks.

But there remain serious complications to the process that in the short term likely will mean only the most determined attackers will even consider vein scanning.

In the post, Jeremy Erickson, senior R&D engineer with Duo, writes that the team was aware of “demonstrated working attacks” against near IR biometric security systems, but that no one seems to have followed up on the results.

Erickson said that it is hard to find information about general IR authentication. What they could find was specific to successful attacks. That limits useful insights.

The infrared spectrum as a whole typically is used to illuminate dark settings without using visible light. A prime example is lighting military environments. Some personal electronics use some of that spectrum, along with visible light, to authenticate a person by comparing a live face scan to stored images.

Near IR is the invisible spectrum adjacent to visible light, roughly from 700nm to 1,400nm. Veins in all of their unique branches beneath skin show up well in this range. Duo’s post spotlights multiple products, including the AccuView AV500, a med-tech system that uses the near-IR spectrum to scan veins and then display them as an overlay on a patient’s body to, for example, make phlebotomy a faster and less nauseating process.

The Duo researchers found that vein scanning is harder to accomplish than facial or fingerprint recognition. If nothing else, off-the-shelf hardware and software can image and process face and print images in their thousands. At the moment, capturing vein images takes a do-it-yourself effort, breaking down a digital camera, to get the endeavor underway.

And, finally, the security of vein-scanning is not certain. On the one hand, writes Erickson, it is not prohibitively hard to view a person’s vein structure. On the other, approximating the captured pattern in the experiment required printing it and covering the print with molded wax. As he points out, it is not unlike the tedious routine needed to fake fingerprints today, but even more strained.

Vein biometrics are forecast to be a $1 billion market by 2029.
