Philip Bontrager, lead researcher on the “DeepMasterPrint” fingerprint hack, thinks that the SureID process for high-fidelity fingerprint enrollment has multiple layers of protection against hackers.
“The NYU research into DeepMasterPrint is fascinating, but it focuses on low-fidelity, smartphone-based authentication,” says Ned Hayes. “SureID’s system is built with patent-pending technology that prevents fraudulent activity.”
Bontrager’s DeepMasterPrint uses artificial intelligence techniques to create a 3D representation of many prints, all of them derived from low-fidelity situations such as smartphone fingerprint login sensors. Bontrager agrees that the SureID solution is secured in ways that are inaccessible to the DeepMasterPrint exploit.
The NYU research – Bontrager – even draws a strong delineation between the study’s research and SureID’s fingerprinting process. “With multiple fingerprints, a higher area of print, and multiple biometrics – these elements, combined with personal assistance, makes it much harder to pull off a presentation attack in that setting,” he says.
Bontrager described the SureID system as more secure for three top reasons.
First, SureID uses a much more sophisticated fingerprint enrollment system than those Bontrager and team researched. “The DeepMasterPrint research focused on sensors commonly used with smart phones, which are low-fidelity and only scan a small portion of one or two fingers,” Bontrager tells us. In contrast, SureID’s fingerprint scanning system is fully FBI certified for higher-fidelity fingerprint capture with coverage of the complete fingertip. This additional scanning provides a much larger attack surface for any hacker and thus provides a higher level of security.
Second, SureID captures all ten fingerprints, including full flat prints of all four fingers at once. “That’s a much more secure setup than the smaller, low resolution sensors we tested,” says Bontrager. “Ten full roll fingerprints are much more unique than the small phone scans, creating a stronger and separate attack vector for each finger.”
Finally, SureID’s fingerprinting process requires a trained technician to both validate the person’s identity using ID documents and assist in the fingerprint capture – a process not tested by Bontrager’s research. “We’re not aware of DeepMasterPrints being used in the wild,” he told us. Hayes contrasted this with our process: “With a trained, certified individual present, it is harder to spoof data or biometrics. We provide a high security environment for the enrollment of multiple biometrics.”
The security and privacy protection the SureID enrollment system provides is attracting attention, since it provides greater protection for government, financial, and other corporate customers.
“In the future, high-security environments like SureID’s can power much more than fingerprint-based government reports,” says Hayes, CEO of SureID. “Due to customer demand, we are looking at new use cases, such as high-security access management, automobile and vehicle access, smart phone and device access, and emerging IOT and financial use cases.”
NYU PhD candidate Philip Bontrager is the lead researcher on the DeepMasterPrint project, presented in late 2018 at a security conference in Los Angeles. The original published paper is titled “DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution.” Contributors include Philip Bontrager, Aditi Roy, Julian Togelius, Nasir Memon of New York University and Arun Ross of Michigan State University. The published paper can be found here.