A Comparative Study of the Security of Facial Recognition and Fingerprint Scanners for Mobile Devices
Jose Angelo S. Geronimo¹, Alyza Beatrice D. Kim¹, Lance Heinrich S. Lim¹*, and Katrina Ysabel Solomon²
¹ De La Salle University Integrated School (Manila)
² De La Salle University, College of Computer Studies
Abstract: Biometrics are biological measurements of an individual that can be used to identify them. This is commonly used to safeguard important documents or authenticate individuals to allow them exclusive access. In this modern age, there is a variety of personal data dispersed in people’s credit cards, phones, etc. This study aims to assess biometric authentication under different conditions, identify facial and fingerprint security levels, and evaluate the architectural security and spoofability of different devices based on four metrics. The study then concludes the more secure type between facial and fingerprint recognition for the devices. Through this study, mobile device users can better understand the risks when selecting a security lock, while mobile device developers and future biometrics research can utilize this study as a basis to prevent the tested attacks. Various devices capable of facial and/or fingerprint biometrics were utilized for the study. The data were gathered through a series of experiments to test different scenarios when registering and authenticating facial and fingerprint biometrics. For facial recognition, important factors include sufficient lighting, present facial features including the eyes, nose, and mouth, and a near distance in which the face is captured. Apple devices proved to be the most secure while Samsung and Huawei devices are less secure but have more features for flexibility. For fingerprint recognition, the presence of water and strong materials used for spoofing may result in a false rejection or false acceptance, respectively. Apple devices were the most secure followed by Samsung then Huawei devices.
Keywords: authentication systems; forgery of authentication systems; fingerprint biometric systems; facial biometric systems; security evaluation of biometric systems
1. INTRODUCTION
1.1. Authentication Systems
Identity theft, spoofing, and imposter attacks have been a long-standing problem that has grown more virulent ever since the advent of the Internet and other new technology. With this, passwords and two-factor authentication are just some of the processes that try to address these issues. Considering each person can be distinguished from another based on their DNA and innate behaviors, this is likely why physiological biometrics (facial and fingerprint) and morphological biometrics (penmanship, mouse use, etc.) are some of the most reliable authentication systems. However, no system can be considered perfect if not the best. Passwords and biometrics are still susceptible to theft, spoofing, and imposter attacks. Spoofing, in biometrics, refers to possessing a recorded sample of another individual’s biometric data that can be used against them. Imposter attacks, on the other hand, refer to the impersonation or utilization of another individual’s biometric by posing as themselves or the true user.
Considering the personal preference and context in which the authentication system is applied, passwords or biometrics may be more convenient, and/or secure to use.
However, this study focuses on the security aspect of biometric authentication. For example, Cheluri (2017) explains that a facial and voice recognition system may be appropriate for databases requiring high security. However, in a practical sense, this might be inconvenient for most people despite it being secure. On the other hand, memory and theft are some of the biggest disadvantages of using passwords.
For previous research on facial recognition, Fourati (2020) and Jin (2020) discussed the problem of spoofing in facial recognition while also proposing improvements in the image quality assessment and adjustments to angles and distances to address the issue. For fingerprint recognition, these proved to be highly accurate and secure compared to facial recognition and just required modifications to non-ideal situations (e.g., wet hands). Biometrics are normally utilized in mobile phones, RFIDs, PC logs, etc.
1.2. Scope, Importance, and Objectives
The study is limited to addressing biometric authentication in the context of mobile devices, such as phones, tablets, and laptops, and prioritizes security that may or may not compromise authentication. This matter is relevant considering the amount of data that is present in mobile devices. Additionally, as technology continues to advance, modes of online theft and spoofing capabilities may also be inadvertently improved.
The main objective of this research is to provide a comparative study of the security of facial and fingerprint recognition in various devices. First, several tests were designed to compromise different scenarios when registering or authenticating in mobile devices. Second, evaluating the architectural security and spoofability of devices was done. Third, facial and fingerprint security levels in mobile devices were identified through a set of metrics. Finally, facial and fingerprint biometric authentication in devices was compared in terms of security. These data were quantified by the four metrics namely Spoofing Acceptance Rate (SAR), Imposter Acceptance Rate (IAR), False Acceptance Rate (FAR), and False Rejection Rate (FRR). The SAR or IAR were used to distinguish between the type of attacks being tested by the trial. The FAR refers to the rate at which a false attempt is mistakenly being authenticated. The FRR refers to the rate at which a true attempt is mistakenly denied authentication. The devices must have a low or zero value for these metrics to indicate having strong security against biometric attacks. The higher the value, the less secure the devices are against attacks.
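The four metrics defined above, computed from raw trial records, as an added example that is not from the paper. The device codes DEV-A and DEV-B, the attempt-kind labels, and every trial outcome are constructed for illustration. A metric with no trials is reported as None rather than 0, so an untested capability is not read as a secure one.

```python
from collections import defaultdict

# Attempt kind -> (metric it feeds, outcome that counts as an error).
# The kind labels are this example's own; the metric names are the paper's.
METRICS = {
    "genuine":  ("FRR", False),  # rightful user: error when rejected
    "false":    ("FAR", True),   # false attempt: error when accepted
    "spoof":    ("SAR", True),   # recorded sample (photo, mold): error when accepted
    "impostor": ("IAR", True),   # impersonation: error when accepted
}
ORDER = ("FRR", "FAR", "SAR", "IAR")


def score(trials):
    """trials: iterable of (device_code, attempt_kind, accepted).
    Returns {device_code: {metric: rate in [0, 1], or None if untested}}."""
    tally = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [errors, total]
    for device, kind, accepted in trials:
        if kind not in METRICS:
            raise ValueError(f"unknown attempt kind: {kind!r}")
        metric, error_outcome = METRICS[kind]
        cell = tally[device][metric]
        cell[0] += int(accepted == error_outcome)
        cell[1] += 1
    report = {}
    for device, cells in tally.items():
        report[device] = {
            m: (cells[m][0] / cells[m][1]) if m in cells else None
            for m in ORDER
        }
    return report


def batch(device, kind, outcomes):
    """Expand a string like 'AARRRRRRRR' (A=accepted, R=rejected) into trials."""
    return [(device, kind, ch == "A") for ch in outcomes]


# Constructed sample: 10 attempts per test, as in the study design.
# DEV-A and DEV-B are hypothetical devices; outcomes are not the paper's results.
SAMPLE = (
    batch("DEV-A", "genuine", "AAAAAAARRR")    # 3 of 10 rightful attempts rejected
    + batch("DEV-A", "spoof", "AARRRRRRRR")    # 2 of 10 spoofs accepted
    + batch("DEV-B", "genuine", "AAAAAAAAAR")  # 1 of 10 rightful attempts rejected
    + batch("DEV-B", "spoof", "RRRRRRRRRR")    # no spoof accepted
)

if __name__ == "__main__":
    for device, rates in score(SAMPLE).items():
        shown = ", ".join(
            f"{m}={'n/a' if r is None else format(r, '.0%')}" for m, r in rates.items()
        )
        print(f"{device}: {shown}")
```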
2. METHODOLOGY
2.1. Conceptual Bases
Considering previous research discussing the difficulties and advancements in the field, there were numerous complex methods used to study how various biometric scanners can be bypassed. After evaluating the results from the respective studies, the proponents found it feasible to focus on simple experiments on physiological biometrics for mobile devices. This is because the aim of the study is to hone in on the most prominent factors on the successful methods of attack, based on previous research, to understand what might be lacking in biometric scanners. To accomplish this, the design of simpler tests that isolate different independent variables is both convenient and effective. The rationale for using mobile phones as biometric scanners is due to their widespread use and reliance on storing data.
There were four facial recognition experiments designed to test different methods of attack and isolate and manipulate the following variables: angles and perspectives, distance, facial accessories, and digital and photograph spoofs. First, Jin et al. (2020) found that different distances and angles were among altered variables that showed relevant results in their study of database training to distinguish spoofed faces. This study then assessed the extent of the impact these variables have on the registration and authentication processes. Second, Cheluri (2017) and Tiong et al. (2020) discussed that facial accessories such as glasses, hats, beards, etc. are more than capable of invalidating an authentication from the right user and more costly methods (e.g., iris scanner) may be required to resolve this. This is why the researchers have decided to test a number of common facial accessories to understand the limitations of mobile phones for this. Third, Jin et al. (2020) further mentioned that the generation of fake faces through 2D images is one of the most common spoofing attacks for facial recognition scanners. Due to limitations, a similar experiment was conducted by using simple digital and printed photographs of the proponents to test this form of attack. This study noted the important facial features such as the eyes, nose, and mouth along with keeping other possible factors constant such as lighting, background, etc. which may affect the experiments conducted.
There were two fingerprint tests designed to measure different methods of attack, and isolate and manipulate the following variables: pruney/damp fingers and molded fingerprint spoofs. First, Yang et al. (2019) explained that not only is fingerprint recognition inaccurate in non-ideal conditions but is magnified in mobile devices which have a simpler algorithm. As such, tests with pruney and/or damp fingerprints were designed in order to identify the factors that cause inaccurate results and if modern devices are accurate in these situations. Second, Marasco & Sansone (2011) utilized an experiment with play-doh, gelatin, and silicon as materials to create molds that are tested against liveness detection capable devices. Results showed some scanners with fewer features were incapable of sensing the spoof attempt. With this, the molded fingerprint spoof tests are crucial to ensure that modern devices are not vulnerable to these attacks. It is important to note that there are three types of fingerprint scanners but mobile devices often utilize the capacitive scanner which makes use of capacitors arranged in arrays to detect spaces where the fingerprint rests and spaces that are black — which would indicate a ridge to avoid 2D attacks.
2.2. Materials and Experiment Proper
The experiment required 12 devices including eight (8) cell phones, three (3) tablets, and one (1) laptop. These devices span across different operating systems -- namely iOS, Android, and Windows -- and were tested based on their capabilities (i.e. if the device uses facial recognition, fingerprint recognition, or both). Specifically, nine (9) devices including six (6) cell phones, two (2) tablets, and one (1) laptop were capable of facial recognition. On the other hand, eight (8) devices including six (6) cell phones and two (2) tablets were capable of fingerprint recognition. Each test was done 10 times per device to ensure conciseness and the initial identification of security levels was based on the OS of the device. The following four (4) types of facial experiments and two (2) types of fingerprint tests were conducted:
Angles and Perspectives and Distance Trial: An adjustment on the facial capture angle or perspective may elongate, shorten, or block certain facial features that the device detects. The facial captures are also tested from various distances, being 50 cm, 75 cm, and 100 cm respectively. For the complete angles and perspectives experiment, it consists of 0, 15, 30, 45, and 60-degree angle trials for vertical and horizontal adjustments of the mobile device. Note that the angles and distances trials are independent of each other. The set-up for these experiments is presented in Figure 1.
Figure 1
Facial experiment setup consisting of different angles (top) and distances (bottom)
Facial Accessories Trial: Accessories such as face masks, face shields, sunglasses, and caps/hats were utilized. These accessories cover a portion of the face and may render the user unrecognizable by certain devices. The facial accessories used in this study are seen in Figure 2.
Figure 2
Facial experiment setup consisting of different accessories (left to right): cloth face mask, surgical face mask, face shield, cap/hat, and eyeglasses/shades
Presentation Spoof Attacks Trial: Digital and printed photographs were displayed to the devices to test their liveness detection capabilities. Samples of these photographs used in the study are seen in Figure 3.
Figure 3
Printed (left) and Digital (right) Photograph Spoof
Pruning/Damping/Molding: Pruning fingers cause the fingerprint to distort while the presence of water on damp fingers serves as debris both of which can hinder the biometric scanners from accurately identifying the fingerprints. Molds made from various materials, specifically silicone sealant, rubberized paints, and glue were also used to replicate fingerprints which can be used to compromise weak scanners. The setup for these experiments is presented in Figure 4.
Figure 4
Mold (top)/Pruney/Damp (bottom) finger trial setup
3. RESULTS AND DISCUSSION
The brand, names, and software systems of devices are listed in the following table (Table 1). Codes are then also assigned to each device for brevity when mentioned in the succeeding tables.
Table 1
List of 12 Devices, Types, and Codes
| Device | System Software | Facial | Fingerprint | Code |
|---|---|---|---|---|
| Huawei Mate 30 Pro | Android 10/EMUI 11.0.0 | ✓ | ✓ | HM30-P |
| Huawei P20 Pro | Android /EMUI 10.0.0 | ✓ | ✓ | HP20-P |
| Huawei P40 Pro | Android 10/EMUI 11.0.0 | ✓ | ✓ | HP40-P |
| Samsung Galaxy A51 | Android 10/One UI 3.1 | ✓ | ✓ | SA51-P |
| Samsung Galaxy A71 | Android 11/One UI 3.1 | ✓ | ✓ | SA71-P |
| iPhone XS | iOS 14.6 | ✓ | | AXS-P |
| iPhone 11 | iOS 14.6 | ✓ | | A11-P |
| iPhone 8+ | iOS 14.3 | | ✓ | A8+-P |
| iPad 5th gen | iOS 14.6 | | ✓ | A5-T |
| iPad Air 2 | iOS 14.3 | | ✓ | AA2-T |
| Huawei MatePad Pro | Android 10/EMUI 11.0.0 | ✓ | | HM-T |
| ASUS Zenbook 13 | Windows 10 | ✓ | | Z13-L |
Note. Codes are assigned based on the abbreviation of the model of the device and device type. First, A, H, and S stand for Apple, Huawei, and Samsung to identify the brand of each device. Second, abbreviations such as SA71 are used to identify the specific model of the device (Samsung Galaxy A71). Finally, P, T, and L stand for phone, tablet, and laptop to identify the type of device.
3.1. Angles and Perspectives Experiment
This experiment utilized the FRR metric to evaluate if the devices incorrectly deny access to the rightful user. The experiment resulted in findings that are able to distinguish the extent of the capabilities of each device compared to the others based on their horizontal and vertical test performances. Additionally, the data not seen in the graph below suggest that around a 30-45 degree angle and a 30-degree angle are the maximum vertical and horizontal adjustments, respectively, at which most mobile devices still recognize the user.
Figure 5
Angles and Perspectives FRR Line Graph
3.2. Facial Accessories Experiment
This experiment utilized the FRR metric to evaluate if the devices incorrectly deny access to the rightful user since the user simply obscures one’s face. The experiment resulted in ruling out unimportant facial features and finding that the eyes, nose, and mouth are especially important.
During the performance of the face masks’ trial, an unintended finding (due to the incorrect wearing of the mask) was that the eyes and nose are actually sufficient for some devices to allow authentication. The small discrepancy in the data on wearing the face shield has also led to a similar finding as in the “Angles and Perspectives” experiment that emphasized the importance of lighting.
Figure 6
Facial Accessories FRR Line Graph
3.3. Distance Experiment
The FAR metric was used due to the impracticality of scenarios utilizing long-distance authentication. The distance experiment was effective in exposing the importance of software recency and presented a controversial argument regarding the difference in capability and security of devices which also led to the use of the FAR metric.
Figure 7
Distance FAR Line Graph
3.4. Presentation Spoof Attack Experiment
The SAR/IAR metric was used as the experiment involved having a previously good recorded sample of the user’s face to be used to authenticate. The results proved that modern devices are up to date when it comes to liveness detection as neither the displayed nor printed picture was able to bypass the authentication of any device. However, while performing the experiment, some important findings on software security options were discovered.
Figure 8
Presentation Spoof Attack SAR/IAR Line Graph
Note. The “*” symbol on the trials for the SA51-P device signifies the trials when the “faster recognition” mode is turned on in the device. “Faster recognition” is a feature present in the mobile device that is optional for users to utilize in order to make recognition faster but less accurate and secure. The device also explicitly states that videos or images may bypass authentication.
3.5. Pruning and Damping Experiment
The pruning and/or damping of the finger utilized the FRR metric as the fingerprint remains to be legitimate despite disorienting the fingerprint patterns by pruning or distorting the sensors by damping. The overall results showed a significant decrease from complete success in authenticating the user’s fingerprint. Based on the results, the system software and brands of devices seemed to be important factors in the results of the experiment.
Considering the different types of fingerprint sensors the devices are equipped with, the Apple devices have a circular sensor that sinks towards the sensor to better sense the sides and tips of the thumb. Huawei devices have a flat sensor on the screen and quickly recognize even light touches. Samsung devices also have a flat sensor on the screen but require users to press heavier and longer compared to Huawei devices. These are among the factors that may have affected the registration and authentication results.
Figure 9
Pruning and Damping FRR Line Graph
3.6. Molding Experiments
Since the molds are created by hardened materials that take the shape of the fingerprint pattern of the user, the metric used is the SAR. The results of the study varied mostly depending on the material used. Certain materials and their variants, such as the type of clay for the base and the type of glue, were also crucial in creating the best and most accurate type of mold.
Figure 10
Molding SAR Line Graph
4. CONCLUSIONS
The four facial recognition experiments validated previous claims on important factors for facial recognition while also ascertaining the advancements of facial biometrics between modern mobile devices. First, the distance and angles and perspectives trials were successfully able to estimate the limitations of devices at around 45 degrees and between 75 and 100 cm for the maximum possible angle and distance for verification, respectively.
Also, the facial accessories experiment included findings that confirmed that mobile devices require at least the eyes and nose of a face to allow authentication, in addition to proper lighting. Finally, the presentation spoof attacks were all unsuccessful, proving that liveness detection is present and effective in the devices. Among the four brands tested, Apple’s iPhones were the most secure next to Samsung and Huawei which were almost equal, and ASUS’ Zenbook was the least secure. Though not the most secure, Samsung and Huawei devices were flexible in their software to provide the option to adjust between convenience and security or even register multiple facial data.
The two fingerprint recognition experiments provided insight into making a good spoof attack while also providing empirical data to ascertain the advancements of fingerprint biometrics between mobile devices and their performance in a non-ideal situation. First, the pruned/damp experiment showed that it was slightly more difficult to authenticate and register pruney fingers compared to damp fingers, but exceptionally difficult for fingers that were both pruney and damp.
Second, the molding experiments showed how a rigid and fine type of material is relevant in creating a good spoof that is also durable. Overall, the spoofing mechanism, sensors, and spoof qualities affected the results more than the software and brand of the devices. Apple devices performed best followed by Samsung and then Huawei devices. This can possibly be attributed to the type of sensor of Apple devices which is a dedicated fingerprint sensor/button at the bottom, compared to Samsung and Huawei phones which have their built-in LED screen and strictness of verification.
5. ACKNOWLEDGMENTS
We would like to first thank De La Salle University - Integrated School Manila Campus for the funding and curriculum on practical research that provided us the opportunity of writing this paper. Second, we could not have written this paper without our research adviser, Miss Katrina Ysabel Solomon, for continuously guiding us throughout our writing of the paper, conducting experiments, and providing insightful suggestions for improving the paper. Finally, we thank the volunteers who permitted their own mobile devices to be used in the experiments.
6. REFERENCES
Cheluri, T., Susanna, S., Madhavi, K., & Diana, M. (2017). Evaluation of hybrid face and voice recognition systems for biometric identification in areas requiring high security. i-Manager’s Journal on Pattern Recognition, 4(3), 9-. https://doi.org/10.26634/jpr.4.3.13885
Fourati, E., Elloumi, W., & Chetouani, A. (2020). Anti-spoofing in face recognition-based biometric authentication using Image Quality Assessment. Multimedia Tools and Applications, 79(1-2), 865–889. https://doi.org/10.1007/s11042-019-08115-w
Jin Y.B., Kun, H.S., & Eui C.L. (2020). Verifying the effectiveness of new face spoofing DB with capture angle and distance. Electronics (Basel), 9(4), 661–. https://doi.org/10.3390/electronics9040661
Marasco, E., & Sansone, C. (2011). On the robustness of fingerprint liveness detection algorithms against new materials used for spoofing. BIOSIGNALS, 553-558. DOI:10.5220/0003270505530558
Tiong, L., Kim S., & Ro, Y. (2020). Multimodal facial biometrics recognition: Dual-stream convolutional neural networks with multi-feature fusion layers. Image and Vision Computing, 102. https://doi.org/10.1016/j.imavis.2020.103977
Yang, Y., Guo, B., Wang, Z., Li, M., Yu, Z., & Zhou, X. (2019). BehaveSense: Continuous authentication for security-sensitive mobile apps using behavioral biometrics. Ad Hoc Networks, 84, 9–18. https://doi.org/10.1016/j.adhoc.2018.09.015