Protection from biometric spoof attacks requires emerging technologies and standards adherence
Advanced biometric technologies and standards are necessary to build adequate presentation attack detection (PAD) into border control systems, Norwegian Biometrics Lab (NBL) Chair Dr. Christoph Busch told an audience during day one of the eu-LISA Industry Roundtable.
Busch is also principal investigator at the German National Center for Applied Cybersecurity (ATHENE) and a co-founder of the European Association for Biometrics (EAB).
The three main points in biometric systems for targeted attacks, according to Busch, are the capture device, which is potentially vulnerable to presentation attacks, the network transmitting the data, which could be protected by cryptography and face morph detection, and the database, in which biometric templates must be protected.
The talk outlined different types of presentation attacks than can be carried out in non-supervised data capture situations, such as at kiosks, as well as face morphing enrollment attacks and face sample quality as the three main potential presentation attack vulnerabilities of the eu-LISA system.
Presentation attacks can take the form of imposter attacks for positive access, and concealment to induce a false negative match in a 1:N check against a watchlist.
For fingerprint and face biometric spoofing, there are technologies and standards in development that could help ward off both attack types.
Fingerprint capture devices with optical coherence tomography (OCT) could be used to observe live skin properties and sweat glands, while laser speckle contrast imaging (LSCI) could be used to detect blood flow. Fingerprint algorithms with singular point density analysis can pick up the noisy friction ridge areas that can indicate an altered print.
For facial recognition, short wave infrared range (SWIR) imaging holds promise for detecting skin, while makeup-based attacks present a unique challenge due to the use of makeup for non-spoofing purposes by many people. For morphing attack detection, single-image and differential attack detection methods are considered.
Questions also remain about how image quality may affect eu-LISA’s biometric systems, and face image quality was the topic of EAB Research Projects Conference Chair Javier Galbally’s keynote on day two.
Standardized testing metrics for PAD technologies were discussed, including ISO/IEC 29794-1, 29794-4 and 29794-5, which relate to image quality, ISO/IEC 24358 for face-aware capture devices, and other standards for logical data structure. Busch explained the ISO/IEC 30107-3 PAD standard, including the need to keep both attack presentation classification error rate (APCER) and bona fide presentation classification error rate (BPCER) low, and how the imposter attack presentation match rate (IAMPR) applies to full system evaluations.
The EAB and industry stakeholder are also continuing to develop fraud-prevention methods through research projects like the TReSPAsS ETN on secure and privacy preserving biometrics and the iMARS face morph attack detection initiative.
Further presenters during day one of the eu-LISA Industry Roundtable included representatives of Idemia, IN Groupe, Gatekeeper Security Inc, secunet and Vision-Box. Sessions on days two and three of the event are focusing on ensuring consistent data quality and the interoperability and accessibility of data.