Robustness of multi-modal biometric verification systems under realistic spoofing attacks

Battista Biggio, Zahid Akthar, Giorgio Fumera, Gian Luca Marcialis, and Fabio Roli
Department of Electrical and Electronic Engineering - University of Cagliari
Piazza d’Armi, 09123 Cagliari, Italy
{battista.biggio, z.momin, fumera, marcialis, roli}@diee.unica.it

Abstract

Recent works have shown that multi-modal biometric systems are not robust against spoofing attacks [12, 15, 13]. However, this conclusion has been obtained under the hypothesis of a “worst case” attack, where the attacker is able to replicate perfectly the genuine biometric traits. The aim of this paper is to analyse the robustness of some multi-modal verification systems, combining fingerprint and face biometrics, under realistic spoofing attacks, in order to investigate the validity of the results obtained under the worst-case attack assumption.

1. Introduction

A spoofing attack consists in submitting an artificial replica of a biometric trait to the sensor [1], for instance a fake fingerprint or a photo of the targeted client [2, 3, 4]. These replicas are acquired and processed as “live” biometrics. Thus, the verification system may accept them as belonging to a genuine user, if they are very similar to the client’s template.

So far this kind of attack has been analysed especially for fingerprints [5, 6], but this security issue has also been pointed out for face, iris and other biometrics [8, 9, 10]. To address this issue, “liveness” detection methods have been proposed [7]. However, embedding a liveness detection module into a biometric verification system can increase the probability of rejection of a genuine user to an extent that is not acceptable for practical applications.

As an alternative to liveness detection, it has been claimed that multi-modal biometric systems are intrinsically more robust against spoofing attacks [11]. The motivation is that all biometrics should be spoofed to crack a multi-modal system. However, this claim has been recently rejected: it has been shown by experiments that spoofing only one biometric can be sufficient to crack the system, even when more than two biometrics are used [12, 15, 13].

Most of the results reported in [12, 15, 13] refer however to a “worst-case” scenario, obtained by simulating the fake scores under the assumption that their distribution is equal to the genuine users’ one, namely, that the attacker is able to replicate the attacked biometric perfectly. It is thus interesting to further investigate to which extent the above worst-case scenario is realistic, and thus, whether the conclusion drawn from these results (that multi-modal biometrics are not intrinsically more robust against spoofing attacks) holds in realistic scenarios. With regard to this issue, we note that in the works mentioned above only one experiment was carried out in a realistic setting [15], using a small subset of a spoofed fingerprint data set, coming from the LivDet09 Fingerprint Liveness Detection Competition [14]. The corresponding fake score distribution turned out to be significantly different from the genuine one. Quoting from [15], this “indicates that the spoofed fingerprints were not perfect counterfeits in general”. In other words, this result showed that in a realistic case the worst-case assumption may not hold. No experiment was made on realistic spoofed faces instead. In [15] it was argued that the worst-case assumption is reasonable for 2D face systems, as it is easy to show a picture of a genuine user in front of a camera. However, we point out that a scenario in which the attacker can always capture the exact client’s face used as template into the system may not be realistic.
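
The gap between the worst-case assumption and an imperfect spoof can be made concrete with a small robustness simulation, added here as an illustration and not taken from the paper. It assumes Gaussian match scores, sum-rule fusion of a face and a fingerprint matcher, and a constructed "realistic" fake-score distribution lying between the impostor and genuine ones.

```python
import random

# All score distributions below are constructed for illustration (assumed
# Gaussians); they are not measurements from the paper's data sets.
GENUINE = (0.70, 0.10)         # (mean, std) of genuine match scores
IMPOSTOR = (0.30, 0.10)        # zero-effort impostor scores
REALISTIC_FAKE = (0.50, 0.10)  # assumed imperfect spoof: between the two

def draw(dist, n, rng):
    mean, std = dist
    return [rng.gauss(mean, std) for _ in range(n)]

def fuse(face, finger):
    """Sum-rule (average) score-level fusion, an assumed fusion rule."""
    return [(a + b) / 2 for a, b in zip(face, finger)]

def threshold_at_far(impostor_fused, target_far):
    """Threshold giving approximately target_far on zero-effort impostors."""
    ranked = sorted(impostor_fused)
    return ranked[int((1 - target_far) * len(ranked))]

def accept_rate(scores, thr):
    return sum(s > thr for s in scores) / len(scores)

def evaluate(n=20000, target_far=0.01, seed=0):
    rng = random.Random(seed)
    zero_effort = fuse(draw(IMPOSTOR, n, rng), draw(IMPOSTOR, n, rng))
    thr = threshold_at_far(zero_effort, target_far)
    # Only the fingerprint is spoofed; the face score stays an impostor score.
    scenarios = {
        "zero-effort": zero_effort,
        "realistic spoof": fuse(draw(IMPOSTOR, n, rng), draw(REALISTIC_FAKE, n, rng)),
        "worst-case spoof": fuse(draw(IMPOSTOR, n, rng), draw(GENUINE, n, rng)),
    }
    far = {name: accept_rate(s, thr) for name, s in scenarios.items()}
    # False rejection rate of genuine users at the same operating point.
    frr = 1 - accept_rate(fuse(draw(GENUINE, n, rng), draw(GENUINE, n, rng)), thr)
    return thr, far, frr

if __name__ == "__main__":
    thr, far, frr = evaluate()
    print(f"threshold={thr:.3f}  FRR={frr:.4f}")
    for name, value in far.items():
        print(f"FAR under {name}: {value:.3f}")
```

With these assumed distributions the false acceptance rate at a 1% zero-effort operating point rises sharply under both spoofing scenarios, but the worst-case figure is several times larger than the one for the imperfect spoof, which is the discrepancy the paper sets out to measure on real fakes.
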

According to the above motivations, it is still necessary to test the robustness of multi-modal biometric systems under various realistic attack scenarios, besides the ones investigated in [12, 13, 15]. Such analysis should allow pointing out to what extent the drop of performance under the worst-case attack scenario is representative of the performance under real spoofing attacks.

To this aim, in this paper we analyse the robustness of multi-modal biometric systems made up of a face and a fingerprint matcher, against spoofing attacks that represent several realistic attack scenarios. To create realistic spoofs, we collected four data sets. Two data sets contain fake fingerprints fabricated with silicon and latex. Two other data