Thwarting Attacks on Biometric Systems - Ruud Bolle, IBM Thomas J. Watson Research Center, Hawthorne, USA
Automated biometric authentication systems help to alleviate the problems associated with existing methods of user authentication. Biometrics can improve convenience or security, or ideally both. However, security weak points that the designers did not intend will exist in, or be introduced into, any biometric installation. These weak points will be discovered during operation, when the system is attacked, and attacks will succeed most readily at those weak points. Unlike password systems, which are prone to brute-force dictionary attacks, biometric systems require substantially more effort to attack successfully. Although standard encryption techniques are useful in many ways to prevent a breach of security, a biometric system exposes several new attack points. In remote, unattended applications, such as web-based e-commerce applications, attackers may have enough time to make numerous attempts, at a safe distance from the server, before being noticed, or they may be able to attack the client physically. At first glance, supervised biometric installations, such as those at airports, may not appear particularly vulnerable to brute-force attacks. But such installations can certainly fall victim to replay attacks. We develop a generic pattern recognition model that enables the study of security weak points. Such understanding is needed when designing biometric systems, while still keeping in mind the security versus convenience trade-off.