How AI is Revolutionising Biometric Verification

October 2023

Digital Identity Verification

Michael Greenwood

Senior Research Analyst

As we discuss in our latest digital identity verification research, AI is heavily used in biometric verification methods; either as the underlying mechanism of the primary verification method or as part of any additional checks that may run alongside the primary verification method.
 
There are two key examples of this:

Fingerprints

 
The most familiar form of biometric verification for many is fingerprint scans. This technology takes a scan of the user’s fingerprint and creates a digital impression of it.

This is not an exact representation of the print, but what the scanner does is record a series of distinct points, normally made up of where ridges and valleys end or meet. These points are called minutiae. When the finger is then scanned for verification, the scanner is comparing the minutiae it has on record to the minutiae of the finger on the scanner. This adds an additional layer of security, as if the data is stolen, the user’s fingerprint itself has not been taken, and currently there is no way to recreate a fingerprint from the minutiae stored for verification. This makes fingerprints an extremely secure piece of data to use for verification.
 
Fingerprint scanners have become a common feature of smartphones with even many lower-end models having fingerprint scanners integrated into the device. These were originally incorporated for easier and more secure access to the device, but are currently often incorporated into verification methods. It is now relatively common for apps that store sensitive data, such as banking apps. This is then incorporated into MFA to add additional layers of security. Many forms of digital identification use fingerprints as a form of verification, to ensure the individual trying to use the digital identity is the correct person. This incorporation into mobile devices makes verification quick and simple, with the user only needing to place their finger on the sensor.
 
This can be used to verify a user as the owner of an identity when onboarding. As part of the onboarding process a digital identity, linked to the user’s fingerprint, can be used to provide the users PII, with the user being confirmed as the owner of the identity using their fingerprint.

The security of fingerprints is predicated on the ideas that every fingerprint is unique, and the minutiae cannot be used to recreate a fingerprint. The science on whether fingerprints are truly unique is still not settled.  Two identical fingerprints have never been found but it is also the case that this has never been studied to a sufficient degree to be proven. That is not to say they are not unique, it has just never been proven that they are. If fingerprints were not unique, it could call into question the security of fingerprint verification. It is also not impossible that one day fingerprints could be reconstructed form the minutiae. If so, fingerprints would become at risk from data breaches, just as many other forms of verification are.
 
Fingerprint scanners can be vulnerable to spoofing. Older fingerprint scanners could be tricked by a high-definition picture of the finger, but this will not work on modern scanners. To spoof modern scanners, a 3D-version of the fingerprint needs to be created. If the spoofers had access to an image of the fingerprint, it could be possible to engrave the print into a material. It is also possible to 3D-print a mould of the finger, which soft materials like glue or silicon could be poured into. However, most commercially available 3D printers cannot print with the detail to create a good enough fake to trick a modern scanner.

Iris

 
Iris recognition systems take images of the eye using infrared light. As iris melanin is transparent under infrared light, its detail is revealed, regardless of the eye colour.  An algorithm uses this to build a representation of the user’s iris pattern, which future iris scans can be checked against.
 
There are two types of iris checks, close-up and iris at a distance. Close-up recognition hardware is used to illuminate the eye and capture the iris image. The hardware for this is relatively easy to implement. Iris at a distance is more difficult, with images needing to be captured at one to five meters’ distance. This can be implemented with commercially available equipment, but is less reliable.
 
Iris recognition has a very low false match rate, meaning it is good for ensuring that the right person is accessing an account. It can be difficult to get good scans of an iris from a large picture of the user’s eye, leading to higher false non-matches, which can negatively affect user experience. The scan can also struggle to recognise they iris when the user is wearing contact lenses.
 
The biggest threat to an iris scan is a presentation attack. This is an attack where an image of an individual’s iris with sufficient detail is used to spoof the iris scan. This generally requires a very high detailed image but early iris scans have been spoofed using general-purpose cameras. Patterned contact lenses can also be used to recreate an iris pattern, spoofing the scan. To protect against these forms of fraud, liveness checks can be implemented. This can include measuring the change in location of reflections of light caused by the moving of a pupil. This is an effect that a 2D image would be unable to recreate, and contact lenses can affect how light is reflected within the eye.