All eleven biometric protection applications we tested are products that were presented at this year's CeBIT trade fair in the German city of Hanover, and all are freely available on the market. Even though the range of products tested was not complete, it did on the whole reflect market conditions: the great majority of currently available biometrics products rely on features of the fingers for user identification. Neck-and-neck in second and third place are face recognition and iris scanning systems. All other devices and programs, such as those that make use of language recognition, hand geometry measurement, signature recognition or keyboard touch dynamics, taken together have only a marginal share of the security biometrics industry's overall turnover.
Besides six products involving capacitive fingerprint scanners (Biocentric Solutions, Cherry, Eutron, Siemens and Veridicom), two optical (Cherry, Identix) and one thermal (IdentAlink) fingerprint reader were available to us. Our tests also took in the Authenticam by Panasonic, an iris scanner that is currently being marketed in the USA and is scheduled to enter the European market in the near future, as well as FaceVACS-Logon, a technical solution for recognizing faces developed by the Dresden-based Cognitec AG. Our test environment consisted of three PCs (1 GHz processors, 128 Mbytes of RAM, 32 Mbyte AGP graphics cards) running Windows 98 and Windows 2000, as well as a Gericom notebook with a 14" LCD screen running Linux.
Compared with other biometrically-based security access procedures the marketing opportunities for facial feature recognition devices and programs are assumed to be fairly good. The technology profits especially from the fact that some of its features are already integrated into the living conditions and habits of PC users: Many people are a good deal more familiar and comfortable with gazing into a camera than, for instance, having their eyes scanned by infrared beams or their fingerprints taken by a device, the latter procedure perhaps awkwardly evoking images of criminal investigations.
Cognitec's FaceVACS-Logon, which can be applied both as an authorization access solution and as a screen saver, uses a commercially available webcam as its sensor. Cognitec recommends Philips's ToUcam PCVC 740K. Authorization proceeds almost automatically: when a person approaches the PC's webcam, the recognition software, aided by special algorithms, first searches the pictures it takes for eyes; once these are found, it uses their coordinates to mathematically project a virtual rectangle into the picture. The subsequent pattern recognition process takes place within the boundaries thus established: so-called Support Vector Machines (SVM) capture characteristic facial features, which are then compared with stored facial patterns. In the event of a positive match the authorized person is granted access to the PC immediately.
A variety of 2D images can be used to log on.
During enrollment, i.e. the creation of an initial reference set of facial images, FaceVACS begins by storing a number of images of the new face in the .PPM format in a log file. During each subsequent authentication procedure, images are added to the collection, this time with a .fvi tag. As these image data are neither encrypted nor otherwise particularly protected, they can be read and possibly manipulated once access to the system has been acquired. Moreover, the log files allow one to ascertain which are the good data sets, in other words those that lie above the recognition threshold. We began our attempts at outfoxing the system by transmitting the freely accessible image files to the notebook. We then presented the images on the notebook's display to the ToUcam. Once we had found the appropriate distance between the webcam and the display, it took but one attempt in most cases for FaceVACS-Logon to accept the image presented and hence grant us access to the system.
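The exposure described above, unencrypted enrollment and authentication images left readable on disk, can be checked for on a deployed system. The following is an added example, not code from the article or from Cognitec: it identifies raw PPM images by parsing their header, matches `.fvi` files by extension only, and reports which files other accounts can read. The function names and the use of POSIX permission bits are assumptions.

```python
import os
import re
import stat
import sys

# Netpbm header tokens (magic, width, height, maxval) are whitespace-separated;
# '#' comment lines may sit between them.
_TOKEN = re.compile(rb"(?:\s*#[^\n]*\n)*\s*(\S+)")

def parse_ppm_header(data):
    """Return (width, height, maxval) if data starts with a PPM header, else None."""
    if data[:2] not in (b"P3", b"P6"):
        return None
    pos, fields = 2, []
    for _ in range(3):
        m = _TOKEN.match(data, pos)
        if not m or not m.group(1).isdigit():
            return None
        fields.append(int(m.group(1)))
        pos = m.end()
    width, height, maxval = fields
    if width == 0 or height == 0 or not 0 < maxval < 65536:
        return None
    return width, height, maxval

def audit_image_store(root):
    """List raw face images under root and whether other accounts can read them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                dims = parse_ppm_header(fh.read(512))
            # .fvi layout is not described in the article: match by extension only.
            if dims is None and not name.lower().endswith(".fvi"):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)  # assumes POSIX mode bits
            findings.append({
                "path": path,
                "kind": "ppm" if dims else "fvi",
                "dims": dims[:2] if dims else None,
                "exposed": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            })
    return findings

if __name__ == "__main__":
    for f in audit_image_store(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f)
```

Any entry with `exposed` set is a reference image that a local account other than the owner could copy; encrypting the store or restricting it to the logon service's account removes that path.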
In our next attempt at trickery we recreated a situation that could easily come about in the real world: an assailant without access to stored data attempts to overcome the obstacle of the facial recognition procedure. For this purpose we secretly took three pictures in all of an authorized user with a simple digital camera under different lighting conditions. We then again transferred these digital images to our notebook and showed the various images to the webcam via the notebook's display. The result was that after only two images from the digital camera we had put FaceVACS's biometric protective measures out of action. From then on the system would cede control of the PC to anyone who held the notebook's display up to the webcam's scrutiny.
Playing Video Games
To prevent deception with the aid of photographs, Cognitec has integrated a higher level of security known as Live-Check into the FaceVACS software. Indeed, once Live-Check has been activated, all attempts at deception with stills (such as those described above) are foiled. On the downside, however, user-friendliness sinks considerably and registered users are only seldom recognized right away.
Adding motion via a short video clip was sufficient to fool the algorithm that supposedly verified that the person was truly 3D.
Hence we simply shot a short .avi video clip with the webcam in which a registered user was seen to move his head slightly to the left and right. As brief movements suffice for FaceVACS to consider an object alive, and as the program engages in simple 3D calculations only, we were not particularly surprised by the success of our approach: once the appropriate display-to-ToUcam distance had been found, the program did in fact detect in the video sequence played to it a moving genuine head with a known facial metric, whereupon it granted access to the system.
In a worst-case scenario this state of affairs implies that, to log on to a protected system, a person with no professional background in movie making who had wielded a digital camera during a public meeting and there shot visual material of authorized personnel need only modify the acquired material slightly and transfer it to a portable PC.