Poisoning Attacks to Compromise Face Templates

Adaptive biometric systems update clients' templates during operation to account for natural changes over time (e. g., aging of biometric templates). Recently, it has been shown that this update can be exploited by an attacker to compromise the clients' templates: by presenting a proper sequence of fake biometric traits to the sensor, the attacker may eventually impersonate the targeted clients without any fake trait, and even force the system to deny access to them. This attack has however been shown only for PCA-based face verification, with one template per client, under worstcase assumptions about the attacker's knowledge of the system. In this paper, we show that it can be successful even in the case of multiple templates per client, for different matchers, and under more realistic scenarios, and validate it by experiments to highlight its practical relevance.