I see a bit of irony that a great Saturday Night Live alumnus is launching a campaign to decrease spoofing. I’m talking about Senator Al Franken, who has been looking into the problem of stolen fingerprints, see article.
Senator Franken challenges Samsung and Apple with some fair concerns about the problem of stolen or spoofed biometrics. The issue is that most biometrics that could be stolen can’t be easily replaced. We only have one face, two eyes, and 10 fingers, so not a lot of chances to replace or change them if they are stolen.
The mobile phone companies, challenged on the fingerprint issue, had two responses:
- The biometric data is ON DEVICE. This is very important because when it’s stored in the clouds it becomes much more accessible to a hacker AND much more desirable because the payoff is a whole lot of user information. Cloud security is often hacked into, such as the recent break-in of the European Central Bank. In fact many banks I have spoken to insist that passwords can’t be stored in the clouds because they are just too easy to hack that way.
- The fingerprint biometric is not stored as a fingerprint image, but as some sort of mathematical representation. I’m not sure I understand this argument because if the digital representation can be copied and replicated, then the system is cracked whether or not it looks like a fingerprint.
I think Franken is right to question the utility of biometric fingerprints, because a product like Sensory’s TrulySecure (combining voice and vision authentication) offers a large number of advantages:
- The TrulySecure biometric is not easy to copy or find. Unlike a fingerprint which gets left everywhere, a voice print with a video image of a person saying a particular phrase is NOT easy to find, and even if well recorded, would fall apart with Sensory’s anti-spoofing technology that requires a live image.
- The TrulySecure biometric is readily changeable. Unlike the nine chances that a user has to replace a fingerprint, there are a virtually unlimited number of TrulySecure password phrases that can be used. If by some nearly impossible chance a TrulySecure biometric phrase is copied, it can be changed in a matter of seconds and a virtually unlimited number of times.
- TrulySecure works across conditions. Every biometric seems to have a failure mode. Fingerprint sensors seem to require a highly directionalized swipe of a very clean finger. If I cut my finger or have a little peanut butter on it, it just doesn’t work. Likewise a voiceprint by itself might fail in high noise, and a faceprint might fail in low lighting, but that magical dual biometric fusion in TrulySecure seems immune to conditions.
Here’s a more canned demo on Sensory’s home page that better showcases some of the anti-spoofing features.