Our 'not so impossible' mission
You can't fool a fingerprint device, but you can wreak havoc with face and voice recognition systems.
It's not often that we get to play spy, detective and criminal in the course of a review. But with the variety of iris scanners, fingerprint readers and voice recognition software we received from the authentication suites, we couldn't resist putting on our spy hat and trying to break into the system with every trick in the book.
To test fingerprint recognition devices, first we lifted authorized fingerprints with tape, then tried applying them directly to the fingerprint reader. To add more realistic dimensions to the purloined fingerprint, we also affixed the authorized prints to a latex-gloved hand, then tried to get past the readers.
The verdict? We couldn't trick any of the fingerprint devices. This isn't really surprising because fingerprint recognition technology is very mature.
Testing the face recognition systems involved three different test approaches. We used life-sized photographs to try to slip past the system, first with flat color photographs taken with a 35mm film camera and blown up to life size, and then with 3-D "masks" made from photographs. Next, we tested the improbable (but really fun) "evil twin" factor by using identical twins to try to fool the systems (my neighbor was more than a little concerned at first when I asked him if I could borrow his twin 12-year-old daughters "for some testing I'm doing").
The verdict? The face systems showed their youth. They showed the least consistency of results throughout the testing. Furthermore, with the systems set at the default levels, we were able to stump Visionics FaceIT, the face recognition software used by the BioNetrix Authentication Suite and SafLink 2000, using the crude 3-D mask. However, after we bumped the sensitivity setting up to 90%, there was no sneaking past it.
FaceGuardian, the face recognition application of Keyware's Biometric NT Logon, fared somewhat better at a lower sensitivity level of around 80%. However, the identical twins were able to fool both packages every time, even with applications set at maximum sensitivity. Network managers who choose to use extremely high sensitivity should note this caveat: Enrolled users who are frequent bad hair day sufferers may have trouble at high sensitivity levels. We were also able to lock out an enrolled user whose face had been swollen by extensive dental work.
To try to crack voice recognition systems, we recorded the authentication sequence of an authorized user, then played it back to the system. We conducted each test 10 times, carefully checking the consistency of our results.
The verdict? The voice recognition systems were also difficult to sneak past, but exhibited shortcomings similar to those of the face recognition systems. We weren't able to trick a voice recognition system into allowing an unenrolled user access, even at default sensitivity levels. However, we had to spend some time fine-tuning Veritel Voice, used by the BioNetrix product, so we could get maximum security without locking out enrolled users whose voices were distorted from colds, allergies or post-dentist numbness.
We didn't have to spend so much time tweaking Keyware's Voice Guardian, which provided the easiest and most granular fine-tuning capabilities. Furthermore, while the Lernout & Hauspie voice recognition product employed by SafLink was reliable, we thought its configuration was cumbersome. And we also discovered two points that network managers should remember. First, for the most accurate recognition, voice recognition password phrases should contain a lot of strong vowel sounds. Second, beware the curse of laryngitis.
Finally, we took a walk on the wild side by testing iris scanning, a new and very cutting-edge biometric authentication method. Iris scanning works on the principle that no two irises are alike in their details, even between identical twins. The human iris is as unique as the human retina and a whole lot easier to scan. BioNetrix sent us a copy of IriScan from IriScan, Inc. We borrowed a PC Iris system (the requisite iris scanning hardware) and played with it a bit. Although installation was fairly complicated, once it was up and running IriScan worked fine. In fact, even the twins weren't able to get past it. However, they weren't able to get past the voice or fingerprint systems, either. So considering the cost in money and complexity, as well as the eerie "spook hype factor," iris scanning seems like overkill for all but the most sensitive of nuclear missile installations.
