The use of fingerprints to authenticate an individual user is a familiar technology, but University of Maryland researchers have gone a step further.
With the help of their new invention, the authentication process could include not only the user’s fingerprint, but also the sensor on the mobile wireless device that obtained the fingerprint. This way, wireless devices can be kept more secure and make it harder for hackers to break into them.
“The invention helps push the security frontier to your phone,” said Professor John Baras of the Department of Electrical and Computer Engineering and the Institute for Systems Research within UMD’s A. James Clark School of Engineering.
Baras said that the new technology can not only identify the user’s fingerprints, but can identify which sensor the fingerprint was taken from, with extremely high precision. More specifically, the technology can tell whether or not the fingerprint used to get access to the mobile device was obtained from the fingerprint sensor installed on the mobile device. The attack recently demonstrated on an Apple iPhone equipped with a fingerprint sensor would be rendered impossible, using the UMD researchers’ technology.
Baras and his research group developed a smart algorithm that, when combined with fingerprinting, can ensure that iPhones, iPads and other wireless devices are strongly authenticated to the network and are protected by enhanced security gateways. This technology makes sure that the sensor from which the fingerprint is submitted is the authentic sensor installed on the wireless device.
The use of biometrics for user authentication has long been mistrusted due to potential security problems, especially in unrestricted or unsafe environments. A major concern is that wireless devices can be stolen and the biometric sensors data can then be manipulated. The Maryland researchers have addressed this concern with their invention, as access to data is authorized each time based on fresh user fingerprint data that must be authenticated as belonging to authenticated users and obtained by the sensor on the device.
This technology has two major broad applications, according to Baras: mobile wallets used for various kinds of payments, and mobile telemedicine. The technology does not require any additions to existing hardware, and can be added as ja software application for mobile wireless devices already equipped with fingerprint sensors.
“Security and trust of these devices is important because they are the gateway to the internet,” said Baras. “The stronger we make the security for these end-user devices, the better the application will be. If we start getting problems with security, trust, and privacy, people are going to have a problem using mobile wireless devices for the rapidly expanding set of applications that we are witnessing.”
It is not just the identity of the fingerprint that is unique. “We have identified that the sensor itself has a unique identification that can be found by properly processing signals that the sensor gets while obtaining the user fingerprint,” Baras said.
These techniques can be integrated with other hardware-based security techniques, such as special purpose chips, the trusted platform module (TPM), or other signal processing techniques, all within mobile wireless devices. “The TPM acts like a local policeman,” Baras said, “and with these combined and integrated techniques malware can also be identified.”
He explained that the identity of the user’s fingerprint as well as of the sensor could be extracted with a single process using his apparatus.
“Using this technology, we can attest that it is you and that the fingerprint was taken from your phone,” he said. “It’s like carrying your password and keys around on a secure hardware device. In any wireless device, iPad, or smartphone, you can add the biometric sensor to it and the sensor identifier software, and all of a sudden the device is much more secure.”
This technology is based on several inventions made by Baras and his graduate student Vladimir Ivanov from the Institute for Systems Research. Several patents have been granted to both.
Baras explained that the central theme of his research that led to these inventions is “to allocate some of the security functionality to hardware and not just to software. Hardware based security is much more difficult to attack by hackers and intruders for two reasons. First, the attacker must have the hardware and the device at hand. Second, the technology competence level required to attack hardware is much higher than attacking software. We are trying to add such methods and security schemes on smartphones and iPads to make their use in so many applications much more secure and trusted.”
Fingerprint authentication and wireless device security can be applied in banking, mobile commerce, healthcare records systems, and other industries where security is important. In fact, “as the proliferating use of smart phones world-wide demonstrates that indeed smart phones are the devices that can ‘do everything,’ it is essential that their security be substantially improved,” Baras said.
Baras and his fellow researchers are now seeking companies to license the technology. “If you have an iPhone or other smartphone or tablet with a fingerprint sensor, then all you add is the software implementation of the algorithm,” he said. “This is our first target.”
The Office of Technology Commercialization has been working with Baras to establish connections with companies to get the technology licensed. A prototype and a demo are available.
Challenges the researchers faced have included trying to get the precise signal generated by fingerprints and mapping it with the right sensor.
“When you place your finger on a sensor, a signal is generated and the challenge was how to process the signal to show that there is an identification pattern in the sensor that allows you to single a sensor out of a thousand others,” Baras explained.
Another technical challenge is integrating their software iwith other hardware-based security techniques, and within different hardware and software platforms used in mobile wireless devices, to have strong, multi-factor authentication and security.
Baras is also planning to expand into other categories of fingerprint sensors like optical, radio frequency sensors, in addition to the capacity-based fingerprint sensors he has worked with so far.
August 26, 2015