Your Body Is Your PIN With Bodyprint

[Christian Holz, Senaka Buthpitiya, and Marius Knaust] are researchers at Yahoo that have created a biometric solution for those unlucky folks that always forget their smartphone PIN codes. Bodyprint is an authentication system that allows a variety of body parts to act as the password.  These range from ears to fists.

Bodyprint uses the phone’s touchscreen as an image scanner. In order to do so, the researchers rooted an LG Nexus 5 and modified the touchscreen module. When a user sets up Bodyprint, they hold the desired body part to the touchscreen. A series of images are taken, sorted into various intensity categories. These files are stored in a database that identifies them by body type and associates the user authentication with them. When the user wants to access their phone, they simply hold that body part on the touchscreen, and Bodyprint will do the rest. There is an interesting security option: the two person authentication process. In the example shown in the video below, two users can restrict file access on a phone. Both users must be present to unlock the files on the phone.

How does Bodyprint compare to capacitive fingerprint scanners? These scanners are available on the more expensive phone models, as they require a higher touchscreen resolution and quality sensor. Bodyprint makes do with a much lower resolution of approximately 6dpi while increasing the false rejection rate to help compensate.  In a 12 participant study using the ears to authenticate, accuracy was over 99% with a false rejection rate of 1 out of 13.

29 thoughts on “Your Body Is Your PIN With Bodyprint

  1. I can see that two person authentication being really useful for certain *ahem* images. Take them together, enjoy them together, and they can’t leak as easily.

  2. What’s to keep attackers from using a “high-res” picture of the body part in question? It’s the same weakness many iris scanners have. Biometrics as single factor authentication also open you up to amputation cryptoanalysis.

    1. No, it’s not the same thing. It’s a complete different thing altogether.

      Bodyprint will record the patterns of your body part in the capacitive screen. Unless you create a 3d replica of that body part, it won’t be fooled. It will not use the camera of the phone.

          1. Depends on the value of the data you’re going after, really. Governments regularly perform far more expensive and time-consuming activities than making rubber molds to get access to information they really want…

        1. Yes, but then you have to get a cast of their entire hand. It’s a bit like saying “oh, passwords are useless because you can just watch someone type it in.”

          1. Depending on what you’re protecting (Informants, an affair, financial information) your statement is correct. A weak password/phrase could be gleaned by shoulder surfing or a telephoto lens. That’s not to say we shouldn’t use any of these things ever, but users should be aware of the weaknesses and plan accordingly (ie; have a threat model). How you protect compromising pictures from a nosey spouse will be different than an authoritarian state.

            All too often biometrics are promoted as a silver bullet solution.

      1. Look at how cheap light field cameras have gotten, and the Intel adverts suggesting that 3d scanning cameras (possibly like the kinect?) will be the new webcam on laptops. So even if you need better sampling than what the built-in cameras support, record some video and over-sample.

  3. Too much room for errors and eventually it will be defeated because of false negatives buffer.

    Why not use voice? So much research when into voice recognition that it should be very reliable now. Show a random pass-phrase, challenge the owner to read it.

    1. Yes, I mean honestly I ‘totally’ have to agree– I mean what, really is the ‘target market’ here ? Really the true ‘need’ for TPM and all that, or just the ‘appearance’, ‘convenience’, and ease of ‘hey, don’t steal my phone’ ?

      That said, I can only think of perhaps the ‘marketability’ aspects of this approach in the sense that the oldest ‘Hollywood Trick’ to technology that never actually *existed* at that time was just to record one’s voice, not to mention on one of those sexy little Olympus pocket tapes– Further, even today, we’re ‘lifting fingerprints’ (if not actually ‘cutting off fingers’– and again, in the films). And….

      Really, I think if you have any of the above problems, you really, likely have other issues you have to more importantly handle. *Smirk*.

      I feel a lot of these devices are much more about the ‘perception’ of being secure– which actually is not inconsequential, home alarms, registered guns, guards, etc, but as a society I feel a bit like in ‘imagining’ the way things would be, we tossed the ‘baby out with the bathwater’. Thus this.

      Unless you’re Van Gogh, and then you’d have trouble….

      1. The target market isn’t people who want more security — that should be obvious. It’s for increased convenience at the expense of some security. With this system, your phone unlocks automatically when you pick it up or hold it to your ear, as opposed to having to press a specific button or enter a code.

  4. WARNING : Using attributes of a person as part of an authentication system is a dangerous because you cannot change any of them. If an attacker reverse engineers the data of for example your ear, then they can use that to authenticate against all your ear secured devices for ever.

  5. With the false negative provided I’m curious what their false positive rate was on this. How often did they test it with people who weren’t the owner and how often were they able to pass it?

  6. Three issues:
    1. Can’t have earrings or rings for half of the options. Not just because of the signature but also scratches.

    2.. Huge smearing on the phone and requirement to hold it in an odd way when using things like the palm.

    3. The ‘smart cloud’ gets info about your body parts.

    And as someone already pointed out: security on a phone or tablet is a bit half-baked since they spy on you massively. but I guess it’s more intended for people who use their phone for payment and don’t want thieves to have too much access for that reason rather than about privacy.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.