Fingerprints, Spoofs, and AI: Pioneering Mobile Security Innovations

This Friday marks three years working at AWS and a reflection point for me. It has been a thrilling ride. One of the first questions we ask at Amazon with an interview candidate is an example writing case. For me, the question was - "What is the most inventive or innovative thing you’ve done?". I had spent over a decade in the field of fingerprint biometrics and so I wrote about my innovations in the field of anti-spoofing. My innovations, included a patented gradient-spoof detection feature that was fed into a neural net along with hundreds of other features to generate liveness score. An example where I bridged technical expertise with product management skills to drive industry-changing advancements to secure millions of devices.

DIVE DEEPAI - FEATURE ANALYSISBIOMETRICS

9/8/20246 min read

Introduction

In 2013, Apple debuted the fingerprint sensor on the iPhone 5S. In response, Samsung, which had their flagship Galaxy product in direct competition with the iPhone, approached our team at Validity (acquired by Synaptics Incorporated in Nov 2013) for a fingerprint hardware and software solution. I was at that time functioning as the product manager and algorithm/software engineer for the matching engine product at the company. The team responsible for the algorithm side of the solution consisted of a chief scientist, a junior developer in our branch office at Hyderabad, India and I in a 100 employee startup. Having been in the biometric industry and particularly the fingerprint field since 2006, I had built substantial subject matter expertise in the field. But, the field was predominantly mature in the PC and public sector space and there were challenges to be solved when the sensor footprint was decreased to fit on mobile phones.

At this time, the only viable product was our swipe sensor which was customized for Samsung to be made narrow so it fits on the Galaxy S5 phone. This project was intense and after a few intense months, we were able to productionize the fingerprint solution including hardware and software for the Galaxy S5 as the first product and scale from a few thousand units to millions of units being shipped. This success with the swipe sensor was short lived and we needed to accelerate our efforts on the touch sensor since the iPhone's fingerprint solution was a touch sensor. Our touch sensor was in the R&D stage in hardware and the matching engine software was still being white boarded. The existing matching engine would not be viable anymore since it was designed for a much larger fingerprint image and we had utilized it to its maximum for a smaller width swipe sensor. The newer hardware meant we had to rethink and innovate in all our algorithms.

While the large part of the new team (6 members now post acquisition) kept focus on innovating on the matching engine, a former team member from Validity and I focused on building the antispoof solution even though this was not a requested feature from the customer. A spoof is the presentation of a counterfeit biometric. With a fingerprint, a spoof can potentially be used to unlock the phone and gain access to the device. Fig 1. above shows sample spoofs we built during the early stages of developing the antispoof solution.

Although the current focus from customers was around ease of use, we knew the focus would quickly shift on security. Instinct and knowing the industry made me feel that this was the right thing to do. Plus, having no antispoof security opened customers to potential security fraud risk which didn’t feel right at all. It didn’t take long to convince the VP of Product and we had a quick prototype which convinced the leadership team as well. In the meantime, as earlier suspected, the prior product of the swipe sensor which had no anti-spoof technology was being tested around the world and criticized for its lack of antispoof solution [8]. This helped convince everyone else on the sidelines.

A two-member team, which included me, led this effort to innovate on the antispoof engine. What followed was a series of inventions that led to a signature product for the company which was a key differentiating factor for the product offering at that time [4][5][6]. Many of these inventions [2][3], were a collaborative team effort with one other inventor and one patent in particular, Systems and methods for a gradient-based metric for spoof detection [1], was a solo contribution and together all the inventions were tied to the Sentry Point Antispoof Engine as a product [4].

Antispoof solution

A spoof is the presentation of a counterfeit biometric, and the quality of fingerprint spoofs can vary greatly while new techniques are being introduced regularly. Because spoofs represent the underlying finger, the matching engine can be fooled into a successful authentication to enable access into the phone. We introduced an antispoof engine into our fingerprint solution as shown above to do a check on whether the presented image is a spoof or an image of a real finger.

With high resolution sensors (>1000dpi), many documented techniques existed in practice which included use of pore detection where fingerprint sweat pores are visible in the images. These pores are less likely to occur with a spoof. With Synaptics sensors, the resolution was 333dpi and with the existing hardware technology of capacity sensing, it was highly improbable to see sweat pores on the image.

But, when doing an exploratory study to determine if sweat pores were visible, I started to notice some anomalies on the raw images that were distinctly captured by our hardware. We started a small capture with spoofs that we constructed in partnership with the testing team and material experts in the team to collect a small sample of prints to analyze further. An intermediate transformation of the image into its gradient form revealed some characteristics that could be potentially exploited to determine the liveness of the image. This was the beginning of the invention.

Invention: Systems and methods for a gradient-based metric for spoof detection

The invention takes an image and computes its gradient image and divides it into blocks.Consider the fingerprint image (left) above with its corresponding gradient image divided into blocks of 8x8 (right). For each block, we compute the histogram of the gradient magnitude and compute the variance in the histogram. Figure below shows the variance in the histogram plotted as an image where a dark block represents high variance and a lighter block shows low variance in the block.

What I found was that for many of the spoofs, depending on the material of the spoof, the variance was spread out. However, this was less so with the images from real fingers. When we plotted the histogram of these variances, a clear distinction stood out. Below is an example of the histogram of variance for a real finger and a spoof for a large fingerprint image where the feature is much more distinct.

Figure below shows the variance in the histogram plotted for a full fingerprint image for a real finger and a spoof, where a dark block represents high variance and a lighter block shows low variance in the block. The real finger shows higher variance in the histogram vs the spoof image.

The variance of these histograms or some distance measure of the histogram like the Earth Mover's Distance (EMD) became a strong feature in the final antispoof engine. The final solution on the antispoof engine took several hundreds of features we computed from various intermediate representations on the image and fed into a neural network to compute a final result for liveness. The gradient feature described above [1], was one important and unique feature for which I was the sole inventor.

Conclusion

The full solution was by no means a small endeavor and it involved multiple teams from hardware, software, material experts and QA teams to try and break the antispoof engine. Geographically, we had teams in India, China and San Jose all in collaboration with us on this effort. As in any production solution, this was a team effort for the full solution and I was fortunate enough to innovate in this space.

The antispoof engine was the first of its kind on the mobile phone and was showcased at the Mobile World Congress in 2016. Competitors like Precise biometrics found alternate solutions in Feb 2017, a year later giving Synaptics a lead time of more than a year in the market with this offering [7]. This helped Synaptics offer a solution to the market for spoofs and ensure security on the device against spoofs and helped win the business with multiple tier 2 customers beyond Samsung like Alcatel, ASUS, Xaomi and many many others. As of 2016, 200 million fingerprint sensors were shipped with the full solution.

References

  1. Rohini Krishnapura, ‘Systems and methods for a gradient-based metric for spoof detection’, Issued Jan 8, 2019, US Patent number: 10176362, Assignee: Synaptics Incorporated

  2. Rohini Krishnapura, Anthony P. Russo, ‘Systems and methods for spoof detection based on local interest point locations’, Issued November 13, 2018, US Patent number: 10127429, Assignee: Synaptics Incorporated

  3. Rohini Krishnapura, Anthony P. Russo, ‘Systems and methods for improving spoof detection based on matcher alignment information’, Issued November 6, 2018, US Patent number: 10121054, Assignee: Synaptics Incorporated

  4. Synaptics Adds Proprietary Anti-Spoofing to SentryPoint Security Suite | Synaptics Incorporated, Feb 2016

  5. Area Touch and Swipe Fingerprint Sensors | Natural ID, Synaptics

  6. Protecting Against Fingerprint Spoofing in Mobile Devices, Synaptics White Paper, 2016

  7. Precise Biometrics software in Xiaomi Redmi Note 4X 16 February 2017 13:40 GMT

  8. Samsung Galaxy S5 fingerprint scanner already hacked using 'faux fingerprint'

© 2024. All rights reserved.