biometricITC / Fingerprint-Toolbox

Fingerprint PAD Toolbox

Minimum fingerprint scanner resolution #2

Closed n-kai closed 3 years ago

n-kai commented 4 years ago

[Referenced doc] Fingerprint Toolbox Overview - 2.1.1. PAD data acquisition - Scanner image, 5. Requirements for Tools; Fingerprint Toolbox Inventory - T.1 Fingerprint scanner

[Comment] Tools for basic attack potential (i.e. Standard equipment) should be easy to purchase as defined in the BIOSD (see Equipment in 9.1.2); however, I couldn't find 1000 dpi fingerprint scanners at Amazon.com and ebay.com (only 500 ppi scanners are available).

According to *1), an inexpensive 500 ppi scanner can be used to spoof mobile fingerprint recognition, so the toolbox should allow the evaluator to use a 500 ppi scanner.

*1) https://blog.talosintelligence.com/2020/04/fingerprint-research.html

[Proposed change] For example, replace “The image resolution should be 1000 dpi or higher if the scanner supports it” in Fingerprint Toolbox Overview - 2.1.1. PAD data acquisition - Scanner image with “The image resolution shall be 500 ppi or higher”. Toolbox inventory should also be updated.

gfiumara commented 4 years ago

While it pains me, @n-kai is correct. Buying a 1000 PPI scanner is not an amazon.com type of task. There's only one or two 1000 PPI palm scanners that exist and purchasing one (in my experience) has always required contacting the company, talking to a sales person, etc.

If we choose to redefine to 500 PPI, any objection to saying EBTS Appendix F certified as well? These are still readily available and come with some expectation of quality of the capture.

woodbe commented 4 years ago

I don't see a problem. If a 500PPI scanner can be used to create sufficient spoofs, that would seem to be a likely avenue for the attacker. We can always increase the requirements later if this changes.

@gfiumara As for the EBTS stuff, I have no idea, but I don't see a problem with it. Again, if it turns out that they don't work as we expect for some reason, we update the toolbox to reflect the new information.

gregott commented 4 years ago

I was able to find two fingerprint scanners that support 1000 ppi, both from well-known companies in a short amount of time on the Internet. Also, some "500 ppi" scanners have higher native resolutions that are dialed back in the driver software to 500 ppi. I used one of these scanners with the company’s free SDK to acquire images. Further, we asked the company if we could get the native resolution image out of the scanner. They provided a free driver that let us select the resolution we wanted up to 1000 ppi. This scanner is less than $100 on Amazon today.

Labs taking the time to deal with a manufacturer to get the best available equipment that is commonly available at a reasonable price is part of the cost of doing business. It is not unreasonable for a company to interface with a manufacturer to specify what they want to purchase.

My philosophy on testing is that if the labs are as good as the best adversary, then the test results will have the most useful meaning. If the PAD technology can detect PAIs based on 1000 ppi images, we can probably expect they will be able to detect PAIs based on 500 ppi images. The reverse may not be true especially if the PAD is based on texture or level 3 information.

n-kai commented 4 years ago

According to the BIOSD, the following is how the attack potential should be calculated.

• Elapsed Time for identification should be 1.
• Window of Opportunity (Access to TOE) for Exploitation should be 4.
• Window of Opportunity (Access to Biometric Characteristics) should be 2 (Non-cooperative) (or 4 (Cooperative) according to #18?)

If we categorize the 1000 ppi scanner as Specialised equipment (2) and the expertise to purchase and use such a tool as Proficient (2), the total attack potential is 11 (9 is the highest potential), which is beyond our scope. So if we can agree that 1000 ppi tool = Standard equipment or expertise required to purchase 1000 ppi scanner = layman, the fingerprint toolbox can use a 1000 ppi scanner.

Expertise

Layman (0) is the level no real expertise needed and such that any person with a regular level of education is capable of performing the attack. For example, creating an artefact in a known (published) way without specific difficulties (difficult to buy materials) is considered at this level of expertise.

Proficient (2) is the level such that some advanced knowledge in certain specific topics (biometrics) is required as well as good knowledge of the state-of-the-art of attacks. An attacker of this level is capable of adapting known attack methods to his needs. For example, adapting a known attack type (published) by the choice of specific (not published and sometimes difficult to find) materials in order to bypass a presentation attack detection mechanism and/or finding a non-evident way to present this artefact to the system can be considered at this level of expertise.

Equipment

Standard equipment (0) is an orderable, easy to obtain and simple to operate equipment (e.g., computer, video cameras, mobile phones, "do it yourself" material, and artistic leisure materials).

Specialised equipment (2) refers to fairly expensive equipment, not available in standard markets and which require of some specific formation to be used (e.g., laboratory equipment, advanced printer specific materials and inks, and advanced oscilloscopes).

gregott commented 4 years ago

There are at least two 1000 ppi commercial scanners on the market for purchase by anyone. They are no more difficult to operate than a 500 ppi scanner, although they may be more expensive. So I would not consider them specialized equipment as they are available in standard markets and do not require some specific formation to be used any more than the lower resolution scanners do. If this is indeed the case, then the Expertise and Equipment scores both go to 0 reducing the total score by 4.

woodbe commented 4 years ago

@woodbe will work on adding example columns for scanner manufacturers.

Will also need language stating that this is not endorsement or requirement to use vendor products which may be listed.

gfiumara commented 4 years ago

@woodbe: catching up, but if you haven't already found a disclaimer, you may consider adapting one we use

Certain commercial equipment, instruments, or materials are identified in this toolbox in order to specify the procedure adequately. Such identification is not intended to imply recommendation or endorsement by the BIO-iTC, nor is it intended to imply that the materials or equipment identified are necessarily the best available for the purpose.

woodbe commented 4 years ago

@gfiumara Perfect, I hadn't had a chance to work on this yet, so I'll use that.

gregott commented 4 years ago

Here are two scanners I found with native resolutions of 1000 dpi.

• HID® Crossmatch L Scan™ (hidglobal.com)
• HiScan PRO (biometrika.it)

woodbe commented 3 years ago

Closing as the minimum requirements have been updated based on this issue and have been merged.