FC: Biometric technologies and their problems, from German magazine c't

From: Declan McCullagh (declanat_private)
Date: Thu Nov 07 2002 - 11:45:08 PST


    I was fortunate to be invited to speak Tuesday in New York City about 
    biometrics and privacy. The two-day conference was organized by the U.S. 
    Department of Justice, the Bureau of Justice Statistics, and SEARCH (The 
    National Consortium for Justice Information and Statistics):

    When I was preparing my presentation, I came across a May 2002 article from
    the German computer magazine c't that exposed many flaws in off-the-shelf 
    biometric technologies. I highly recommend it. A summary from the UK crypto 
    mailing list is below.

    From: Markus Kuhn
    Date: Wed May 29, 2002  11:16:20 AM US/Pacific
    Subject: c't: unsupervised biometric scanners more toys than serious
    security measures

    An even more fatal blow to off-the-shelf *unsupervised* biometric
    identification products was given recently by three authors in an
    article in the well-respected German computer magazine c't:

       Lisa Thalheim, Jan Krissler, Peter-Michael Ziegler: Körperkontrolle --
       Biometrische Zugangssicherungen auf die Probe gestellt.  c't 11/2002,
       Heise Verlag, ISSN 0724-8679, p 114-, 17 May 2002.

    An online English translation is now available on

    The team tested:
       - six products involving capacitive fingerprint scanners
         (Biocentric Solutions, Cherry, Eutron, Siemens and Veridicom)
       - two optical (Cherry, Identix) fingerprint scanners
       - one thermal (IdentAlink FPS100U) fingerprint scanner (Atmel FCD4B14 
       - Authenticam by Panasonic
       - an iris scanner that is currently being marketed in the USA
         and is scheduled to enter the European market in the near future
       - FaceVACS-Logon, a technical solution for recognizing faces
         developed by the Dresdner Cognitec AG

    The authors "were able, aided by comparatively simple means, to outwit
    all the systems tested" and concluded that "the products in the versions
    made available to us were more of the nature of toys than of serious
    security measures" and that "business should not treat the security
    needs of its customers quite so thoughtlessly".

    It is worth stressing that none of the deception techniques used are
    really applicable in a *supervised* two-factor application, for example
    where a border control or social benefits officer watches someone using
    the finger or iris scanner in order to confirm the identity information
    stored in a presented smartcard. The relevance of these attacks to the
    discussion about the use of biometric features in a national identity
    infrastructure is unfortunately sometimes misrepresented. I am still
    convinced that both iris scanning and fingerprint recognition in a
    *supervised* scan can be made easily several orders of magnitude more
    reliable than human photo/face comparisons.

    What currently marketed sensors lack is a really robust detection
    technique for whether the detected signal comes from live human tissue,
    and this still looks very much like an open research problem. Parts of
    suitable solutions might be:
      - tests of various involuntary reactions that require significant
        effort to simulate, for example, is the iris pattern deforming
        correctly when the pupils contract because of illumination?
      - test whether the body part is functional, i.e. can the fingerprint
        be detected from a finger that is typing fluently on a keyboard
        or can the pupil inside the contracting iris read text at the same
      - is it possible to build low-cost spectrographic cameras/scanners that
        can distinguish materials and tissues by using hundreds instead of
         just three (red/green/blue) wavelength bands, etc.

    Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
    Email: mkuhn at acm.org,  WWW:

    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    Recent CNET News.com articles: http://news.search.com/search?q=declan

    This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 12:23:02 PST