Abstract

User authentication is an important issue on the Internet and is usually solved through static and often unique passwords. Another method is to use biometrics, but biometric data are sensitive and need to be protected. Protection schemes such as cancelable biometric template generation have appeared, but they are vulnerable to replay attacks. In this paper, we propose an original method to generate one-time biometric templates for user authentication applications. The proposed scheme limits replay attacks, in which an attacker maliciously retransmits a user's intercepted identity proof. Our method is generic: any biometric modality can be used, and, to be realistic, identity verification is performed by the service/identity provider. Biometric features are extracted from captures using deep learning and then protected with biohashing, a cancelable biometric scheme. Finally, a step consisting of cryptographic hashing and symmetric encryption guarantees the generation of a one-time, non-replayable template. We have tested our scheme on two common biometric databases, from faces and fingerprints, and the results confirm its efficiency and robustness to attacks given a rigorous threat model.
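To make the biohashing step concrete, here is an added sketch of the standard biohashing construction (seeded, orthonormalised random projection followed by sign thresholding); it is not the paper's code and does not implement its one-time hashing and encryption step, whose details are not given on this page. The feature vector, the seeds, the 64-bit code length and the noise level are constructed assumptions.

```python
import random

def _orthonormal_basis(seed, n_bits, dim):
    """Seeded Gaussian vectors, orthonormalised with Gram-Schmidt."""
    rng = random.Random(seed)
    basis = []
    for _ in range(n_bits):
        v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        for b in basis:  # remove components along earlier vectors
            dot = sum(vi * bi for vi, bi in zip(v, b))
            v = [vi - dot * bi for vi, bi in zip(v, b)]
        norm = sum(vi * vi for vi in v) ** 0.5
        basis.append([vi / norm for vi in v])
    return basis

def biohash(features, seed, n_bits=64):
    """Project features onto the user's seeded basis; keep one sign bit each."""
    basis = _orthonormal_basis(seed, n_bits, len(features))
    return [1 if sum(f * b for f, b in zip(features, row)) > 0 else 0
            for row in basis]

def hamming(a, b):
    """Number of differing bits between two equal-length codes."""
    return sum(x != y for x, y in zip(a, b))

def demo():
    # Constructed stand-in for a deep-learning feature vector (128 values).
    rng = random.Random(2024)
    enrolled = [rng.gauss(0.0, 1.0) for _ in range(128)]
    # A second capture of the same person: same features plus small noise.
    probe = [f + rng.gauss(0.0, 0.05) for f in enrolled]
    template = biohash(enrolled, seed=1)                   # seed 1: user's current token
    genuine = hamming(template, biohash(probe, seed=1))    # same user, same seed
    reissued = hamming(template, biohash(enrolled, seed=2))  # template revoked, new seed
    return genuine, reissued

if __name__ == "__main__":
    g, r = demo()
    print(f"genuine distance: {g}/64, distance after re-seeding: {r}/64")
```

A fresh capture under the same seed lands within a few bits of the enrolled code, while re-seeding yields an unrelated code, which is what makes the template cancelable. The code for a given capture and seed is still fixed, so an intercepted copy matches exactly if retransmitted, which is the replay weakness the abstract refers to.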
