ProxyPrints: From Database Breach to Spoof, A Plug-and-Play Defense for Biometric Systems

TL;DR

ProxyPrints introduces a middleware layer for fingerprint systems that enhances security by enabling revocable, unlinkable aliases, preventing spoofing attacks without compromising recognition accuracy.

Contribution

It is the first practical middleware solution that adds cancellable biometrics to existing fingerprint systems without modifying proprietary matching software.

Findings

Preserves matching accuracy on benchmark datasets

Provides strong security and revocability against spoofing

Enables breach detection through alias monitoring

Abstract

Fingerprint recognition systems are widely deployed for authentication and forensic applications, but the security of stored fingerprint data remains a critical vulnerability. While many systems avoid storing raw fingerprint images in favor of minutiae-based templates, recent research shows that these templates can be reverse-engineered to reconstruct realistic fingerprint images, enabling physical spoofing attacks that compromise user identities with no means of remediation. We present ProxyPrints, the first practical defense that brings cancellable biometrics to existing fingerprint recognition systems without requiring modifications to proprietary matching software. ProxyPrints acts as a transparent middleware layer between the fingerprint scanner and the matching algorithm, transforming each scanned fingerprint into a consistent, unlinkable alias. This transformation allows biometric identities to be revoked and replaced in the event of a breach, without affecting authentication accuracy. Additionally, ProxyPrints provides organizations with breach detection capabilities by enabling the identification of out-of-band spoofing attempts involving compromised aliases. We evaluate ProxyPrints on standard benchmark datasets and commercial fingerprint recognition systems, demonstrating that it preserves matching performance while offering strong security and revocability. Our open-source implementation includes tools for alias generation and deployment in real-world pipelines, making ProxyPrints a drop-in, scalable solution for fingerprint data protection.