Vein recognition is a biometric modality around which activity has picked up substantially, in research as well as in pilots and new products. Nok Nok Labs VP of Products Rolf Lindemann tells Biometric Update in an email interview that while vein biometrics is still a relatively young field, “it’s showing a wealth of promise for the security landscape moving forward.”
Hand-based vascular biometrics have been around since the early 1980s, Lindemann writes, with the near-infrared (NIR) Veincheck system invented by Joe Rice.
“In essence, some of today’s research is focused on thermal infrared (a technology that cannot easily be used with today’s CCD chips) to depict the blood vessels and structure of veins in the human face. This thermal infrared imaging brings unique physical properties that can help identify cyberattacks like presentation attacks, spoofing and more.”
Because current mobile phones already include NIR sensors, Lindemann argues the industry should focus on leveraging that technology to achieve mass adoption.
The diameter of the average blood vessel is only 10 to 15 micrometers, he points out. Finger and palm vein biometrics can be captured without high-resolution cameras, whereas people expect image capturing to take place at a larger distance for face-based systems. Recent advances in CCD camera resolutions have made facial vein biometrics a practical option, however, according to Lindemann.
Asked about the advantages of vein recognition over facial recognition-based liveness detection systems, Lindemann answers that Face Unlock on Jelly Bean and tests showing 3D-printed heads unlocking mobile devices reveal the persistence of security concerns around that technology.
While 3D imaging makes presentation attacks more difficult, Lindemann takes the evidence of 2D photos being used to 3D-print masks that spoofed Face ID successfully, and other research, as indicating the limits of this technology. Lindemann also notes that face masks can be ordered online.
One of the two big advantages of vein recognition, Lindemann says, is the difficulty of surreptitious or involuntary capture: “There is no ‘Facebook’ for face vein images at this time,” he points out. The other is the extreme difficulty of building a spoof of someone’s veins into a face mask. Beyond these advantages, twins whom facial recognition systems cannot distinguish also have different vein patterns.
Lindemann notes that Apple’s patents on vein recognition mention the use of infrared or near-infrared light, and that the CCD sensors typically used in smartphones can detect light in the NIR range, but most smartphones also include “NIR blocking filters.”
“These ‘NIR blocking filters’ would have to be ‘switchable’ by the ‘secure’ authentication component. Most devices today already have a secure authentication component inside the Trusted Execution Environment (TEE),” Lindemann explains. “So the missing piece would be the dynamic way to switch such filters on or off. This is required to ensure that only the secure authentication component can switch it on when doing authentication.”
Beyond this, the devices would also need to run the appropriate software, which would operate within the trusted execution environment (TEE), to implement biometric face vein recognition. Some devices, like the iPhone, already have switchable NIR blocking filters for their 3D cameras, Lindemann observes.
Vein recognition could represent another layer of biometric security integrated with the face recognition systems already used in many applications.
“One of the most important considerations regarding vein recognition is its ability to combat the security challenges that come with other existing facial recognition technologies. For example, facial vein detection can improve presentation attack protection because the technology relies on infrared-light detectable veins, which are not included when printing facial images or even face masks today.”
Compliance with the FIDO protocols makes the face vein recognition system’s security even more robust, Lindemann says, and the FIDO Alliance is likely to make its specific requirements for presentation attack detection even more strict over time.
Vein recognition can also defend against other scalable and targeted physical attacks, which Lindemann says both involve their own unique challenges and concerns. Not only are billions of stolen passwords available for sale on the dark web, but millions of smartphones are lost or stolen each year, and each is vulnerable to physical attacks, he suggests.
The answer to each problem, according to Lindemann, could lie in vein biometrics.
“Through vein recognition, security protocols can be amplified to better protect against the attacks that are plaguing companies and consumers the most,” he concludes.