The finding was incidental to their goal of testing the accuracy of a set of fingerprint scanners like those commonly used in airports, banks and police stations. Computer science professor Anil Jain and his biometrics team were studying how to test and calibrate fingerprint scanners commonly used across the globe at police departments, airport immigration counters, banks and even amusement parks. Without a standard life-like 3-D model to test the scanners with, there is no consistent and repeatable way to determine the accuracy of the scans and establish which scanner is better.
To test the scanners, they created life-size 3-D hand models complete with all five fingerprints using a high-resolution 3-D printer that can produce the same ridges and valleys as a real finger. "Like any optical device, fingerprint and hand scanners need to be calibrated, but currently there is no standard method for calibrating them," said Jain.
"This is the first time a whole hand 3-D target has been created to calibrate fingerprint scanners. As a byproduct of this research we realized a fake 3-D hand, essentially a spoof, with someone's fingerprints, could potentially allow a crook to steal the person's identity to break into a vault, contaminate a crime scene or enter the country illegally. Now, another application of this technology will be to evaluate the spoof-resistance of commercial fingerprint scanners," Jain said. "We have highlighted a security loophole and the limitations of existing fingerprint scanning technology, now it's up to the scanner manufacturers to design a scanner that is spoof-resistant.
Jain said fingerprint identification technology is not going anywhere, but that it will have to be improved to keep up with the hackers.
"The introduction of any biometric, whether it is face, fingerprint, or iris, also opens the door for imposters to take advantage of this technology," said Jain. "It's always a cat and mouse game. The manufacturers of technology will try to come out with technology that is as spoof-resistant as possible, but then the crooks also come up with better schemes to make the attacks, so the idea is to be aware of what are the potential weakness of any security technology."
"We are very pleased with this research and how it is showing the uncertainties in the process and what it can mean for the accuracy of the readers," said Nicholas Paulter, group leader for the Security Technologies Group at National Institute of Standards and Technology (NIST) and a co-author of the study.