Biometric Authentication The Myths and The Facts
Source: Business Plan 2011 - bcs.org

Mar 22, 2019

Transcript
Page 1: Biometric Authentication: The Myths and The Facts

Page 2: About Delaney Secure

Specialising in biometric authentication; founded 2003 by Trevor Swainson.

UK and Ireland distributor for fingerprint vendors such as Authentec (UPEK), Crossmatch, L1, DigitalPersona, Futrionics, M2SYS, Softex Inc, Neurotechnology & SecuGen, and for vein vendors such as M2SYS, Fujitsu-PFU & Hitachi.

Currently growing at 300% per annum.

Paul Guckian, CEO: background in IT audit & assurance (CISA, CISM, MSc, BSc); worked primarily in financial services, Big 4 and larger audit consultancies.

Page 3: Authentication as a security priority

Page 4: Business drivers for better authentication

Business Values

• IT Cost savings (ROI)

• Staff Efficiency

• Regulatory Compliance & Security

• Increased Revenue

IT Cost Reductions

• Single multi-factor authentication platform

• Self Reset & Helpdesk support for PWD reset

• User/Application administration under one management console

• Leverage current directory infrastructure

Security & Compliance

• Multi-Factor Authentication

• SSO/eSSO

• Integrated Encryption

• Integrated Management Console

Efficiency & Ease of Use

• No delays because of PWD reset

• Access anywhere via Roaming sessions

• Reduced session start-up time

Page 5: Strong Authentication

Something that you know, e.g. a password or bank PIN. Things that you know can be accidentally or deliberately passed to someone else. The potential damage of such a transfer may be limited by rendering the transferred knowledge useless, i.e. by changing the password or PIN.

Something that you have, e.g. a smart card, bank card, token or key fob. Again, it may accidentally or deliberately be transferred, and again the damage done by such a transfer can be remedied by cancelling the device or physically recovering it.

Something that you are, e.g. your fingerprints, iris or voice. This is biometric authentication. It cannot easily be transferred to someone else, so in theory it is the ideal means of authentication. It has some other problems, however.

Page 6: Biometric Authentication

Page 7: Biometric Authentication

Wide variety of applications throughout consumer, commercial and government organisations (diagram: the Enterprise, Government and Consumer sectors placed along a spectrum running from Convenience, through Convenience & Security, to Security).

… focus on the commercial applications.

Page 8: Biometric Authentication in The Movies

Page 9: Six Common Myths

1. Myth: biometrics is a new idea. Fact: there is evidence of biometric identification being used in the building of the pyramids; what is new is the huge quality improvement of the last 10 years especially.

2. Myth: iris recognition devices use lasers to scan your eyes. Fact: the first company to produce such a system called itself IrisScan (now Iridian Technologies), hence the confusion. An iris recognition camera takes a black and white picture from up to 24 inches away, using non-invasive, near-infrared illumination.

3. Myth: stolen body parts will work. Fact: most biometric devices have an element of liveness detection, which can measure many variables, from a finger pulse to a pupil response. An extracted (enucleated) eyeball quickly begins to decompose, with the cornea clouding over and obscuring the iris; a severed finger also dies rapidly, typically becoming useless after around 10 minutes.

4. Myth: inability to enrol or verify children or Asian women. Fact: recent advances in imaging have led to greater resolutions being achieved by fingerprint sensors; at least 1,300 primary schools in the UK are using fingerprint technology to replace old-fashioned password-based systems in their libraries.

5. Myth: a commercial fingerprint system could be used by the police. Fact: this stems from a misunderstanding of how a biometric system typically works in a commercial environment. Such systems store a limited template rather than the fingerprint image; the template is typically encrypted and is not designed to be reverse engineered back into an image. Feeding identical template data to a fingerprint system's matching engine will normally fail, because identical data is almost a sure indication that the data has been stolen and that a replay attack is under way (a live finger never produces exactly the same template twice).

6. Myth: biometrics are the silver bullet that will rid the world of terrorism/evil. Fact: they are only able to confirm whether this is the same person that initially enrolled into the system. For example, if a government doesn't have a quality photograph of a known terrorist suspect, then the chances of stopping that person at a checkpoint using facial recognition are slim.

Page 10: Commercial vs. Government Systems

Feature                     Government                    Commercial
Objective                   "Beyond reasonable doubt"     "On the balance of probability"
Stored image                Full image                    Templates
Security vs. convenience    Security                      Balanced
Testing requirements        Rigorous                      Reasonable
Hardware specifications     Detailed                      High level
No. of enrolled users       Large                         Limited

Page 11: Biometric Authentication - Options

Fingerprint
Finger vein (Hitachi)
Palm vein (Fujitsu)
Iris
Face recognition
Hand geometry
Keystroke dynamics
Retina
Signature
Voice
DNA

Page 12: Biometric Authentication - Options

(Chart, courtesy of the International Biometric Group.)

Page 13: Biometric Authentication - Options

(Second chart, courtesy of the International Biometric Group.)

Page 14: Commercial Uses of Biometric Authentication

(Diagram: the uses below are arranged along a spectrum from SECURITY to CONVENIENCE.)

Quick launch
File/folder lock
Secure your device
Touchpad navigation
Unlock
NFC-based mobile wallet
E-commerce transactions
Application lock
OTP soft token
Password replacement
Turbo scrolling

Page 15: Typical Commercial Applications

Network access (Windows domain): single or multi-factor options (passwords, biometric, smartcards, token, OTP); easy to integrate as standalone or Windows AD integrated solutions; looks and feels like Windows AD administration.

Application authentication (via SDKs): particularly payment applications; non-repudiation of user authentication; free or low cost SDKs.

Physical access control: integrated with door entry or club membership systems; single or multi-factor (PIN, smartcard and iris recognition).

Time and attendance: stops "buddy" punching.

Page 16: Growth in Commercial Biometric Authentication

Embedded biometric readers are driving growth: the top 9 laptop OEMs are shipping models with readers in 2011, and over 13 million phones have shipped with biometric sensors.

Maturity of the fingerprint technology: it works, it's cheap, it's convenient.

Page 17: Key Advantages

Convenience: cannot forget, lose or share biometric data easily; reduces the costs and risks of password resets; little user education needed.

Improved security, addressing the weak 'human' element: users never 'know' their password, so it cannot easily be socially engineered via remote methods; complex passwords can be used without user education.

Non-repudiation of transactions: unequivocally links an individual to a transaction or event, with varying quality of proof (e.g. vein vs. fingerprint).

Cost: lower cost of ownership than other multi-factor solutions; fully integrated platforms with biometric, smartcard and token options.

Page 18: Key Limitations

User enrolment needs to be robust: the systems provide authentication, not identification, so enrolment is where the user's identity is actually established, and a good quality template is needed for later matching.

Replay attacks: a biometric does not change over time and, unlike a password, cannot be reissued if its template is captured; only the template algorithm (and with it the stored templates) can be changed. Some systems have a replay detection mechanism and some do not.

Forgery: biometric templates are difficult but not impossible to duplicate. Fingerprints are left behind on surfaces, but typically not at a good enough quality; vein, iris and others leave no residual trace.

Scalability: huge advances in fingerprint matching algorithms, but some progress is still required for vein and other larger templates to scale to national level.

Page 19: Comparison with Other Authentication Solutions

(Table, courtesy of IEEE, Vol. 91, No 12, Dec 2003.)

Page 20: How Fingerprint Authentication Works

Page 21: Template Verification in action

(Diagram of the capture pipeline.)

CAPTURE: the fingerprint sensor takes an image of the finger.

FEATURE EXTRACTION: a mathematical function (∫) reduces the image to a template, shown on the slide as a number such as 139645004596032 873946450487472.

TEMPLATE REGISTRATION: the user touches the sensor 4 times; the resulting registration template (e.g. 739645754596032 673946450487333) is stored in the database.

Page 22: Template Matching in Action

(Diagram: DigitalPersona.)

MATCH (verification): the user touches the sensor; FEATURE EXTRACTION produces a fresh template (e.g. 139645004596032 873946450487472); this is COMPARED mathematically with the stored registration template (e.g. 739645754596032 673946450487333). Note that the two numbers differ: the comparison is a tolerance-based match, not an equality test.

OK: enable authentication.

FAIL: no authentication.
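The pipeline on the two slides above, as an added worked example (this is the editor's illustration, not code from the slides, DigitalPersona or any vendor). A template is modelled as a set of minutiae, each an (x, y, angle) triple; the tolerances, the decision threshold, the two constructed "fingers" and the simulated sensor noise are all assumptions, and the alignment search handles translation only (a real matcher also handles rotation and distortion). What it shows is why two captures of the same finger never yield identical templates, and why the COMPARE step is therefore a score against a threshold.

```python
"""Minutiae template matching in miniature (added example, not vendor code).

Models capture -> feature extraction -> template -> compare -> decision.
Finger coordinates, tolerances and noise levels are constructed.
"""
import math
import random

# Assumed tolerances (sensor pixels, degrees) and assumed decision threshold.
POSITION_TOL = 8.0
ANGLE_TOL = 15.0
DECISION_THRESHOLD = 0.6  # fraction of registration minutiae that must pair up

# Constructed "fingers": minutiae as (x, y, ridge-direction angle in degrees).
FINGER_A = [(20, 35, 40), (48, 62, 120), (70, 30, 275), (95, 80, 15),
            (33, 95, 200), (110, 45, 330), (60, 110, 90), (85, 15, 180)]
FINGER_B = [(25, 40, 300), (55, 20, 60), (90, 100, 145), (40, 75, 10),
            (100, 30, 240), (15, 110, 85), (70, 65, 190), (120, 90, 350)]


def capture(finger, rng, offset=(0, 0), noise=1.0, drop=1):
    """CAPTURE + FEATURE EXTRACTION, simulated: the finger lands with a small
    translation, every minutia is jittered, and `drop` minutiae are lost to
    pressure or dirt. The result is this touch's template."""
    pts = list(finger)
    rng.shuffle(pts)
    pts = pts[drop:]
    dx, dy = offset
    return [(x + dx + rng.gauss(0, noise), y + dy + rng.gauss(0, noise),
             (a + rng.gauss(0, 4)) % 360) for x, y, a in pts]


def angle_diff(a, b):
    """Smallest difference between two angles in degrees (0..180)."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def pair_count(ref, probe, dx, dy):
    """Reference minutiae that have a matching probe minutia once the probe
    is translated by (dx, dy). Each probe minutia pairs at most once."""
    used = set()
    hits = 0
    for rx, ry, ra in ref:
        for i, (px, py, pa) in enumerate(probe):
            if i in used:
                continue
            if (math.hypot(rx - (px + dx), ry - (py + dy)) <= POSITION_TOL
                    and angle_diff(ra, pa) <= ANGLE_TOL):
                used.add(i)
                hits += 1
                break
    return hits


def match_score(ref, probe):
    """COMPARE (mathematically): try every reference/probe minutia pair as the
    alignment hypothesis and keep the best pairing. Score is in [0, 1]."""
    best = 0
    for rx, ry, _ in ref:
        for px, py, _ in probe:
            best = max(best, pair_count(ref, probe, rx - px, ry - py))
    return best / len(ref)


def verify(registration_template, probe_template, threshold=DECISION_THRESHOLD):
    """The decision: True = OK, enable authentication; False = FAIL."""
    return match_score(registration_template, probe_template) >= threshold


def enrol(finger, rng, touches=4):
    """TEMPLATE REGISTRATION: capture several touches and keep the one that
    agrees best with the others as the registration template."""
    caps = [capture(finger, rng) for _ in range(touches)]
    return max(caps, key=lambda c: sum(match_score(c, o) for o in caps if o is not c))


def demo(seed=7):
    """Enrol finger A, then score a fresh capture of A (genuine) and a
    capture of B (impostor) against the registration template."""
    rng = random.Random(seed)
    registration = enrol(FINGER_A, rng)
    genuine = match_score(registration, capture(FINGER_A, rng, offset=(3, -2)))
    impostor = match_score(registration, capture(FINGER_B, rng))
    return genuine, impostor


if __name__ == "__main__":
    g, i = demo()
    print(f"genuine score {g:.2f} -> {'OK' if g >= DECISION_THRESHOLD else 'FAIL'}")
    print(f"impostor score {i:.2f} -> {'OK' if i >= DECISION_THRESHOLD else 'FAIL'}")
```

The genuine capture is shifted by (3, -2) pixels and has one minutia missing, yet it scores well above the threshold because the alignment search absorbs the translation; the impostor finger shares at most an accidental pair or two and stays far below it. Moving `DECISION_THRESHOLD` is exactly the "sensitivity" setting later slides talk about.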

Page 23: Hardware Features

• Technique: reads live skin, improving capture reliability and quality

• Performance: delivers excellent performance on FMR, FRR and FTE

• Operation: works for many finger types (wet/dry/damaged) and capture conditions, e.g. light

• Protection: SteelCoat protective coating for better sensor durability

• Security: eliminates the capture of latent images and the replay attacks that rely on them

• Certification: FBI certified or FIPS-201 certified readers (508 dpi)

(Diagram: an RF signal is injected into the finger so that the sensor reads the live skin layer; FIPS 201 certified.)

Page 24: Image Quality vs. Fingerprint Pressure

(Chart: NFIQ image quality score, 1 = best and 5 = poor, plotted against finger pressure of 3N (v. soft), 5N (soft), 7N (medium), 9N (hard) and 11N (v. hard) for two readers, the CrossMatch V300 and the UPEK TCS1-EIM. One reader scores between about 1.0 and 1.4 at every pressure; the other ranges between about 2.1 and 3.1.)

Ref: Purdue University study, Dr Eric Kukula, Aug 2007.

Image quality score consistently better over a wide range of finger capture pressures.

Page 25: Impact of light on fingerprint readers

Optical fingerprint sensors: images wash out (affected).

Placement fingerprint sensors: image quality is kept (unaffected).

Dynamic range measured: 184 (meets FIPS-201) versus 59 (does not meet FIPS-201).

Page 26: Application Authentication: Biometric SDKs

(Diagram: the software stack from the device driver up to packaged applications; the "mainstream SDKs" span the middle layers.)

APP: packaged application, full application software (e.g. a consumer market software suite).

HIGH: high level SDK (identity infrastructure level); application bolt-on, PBA plus user authentication.

MID: mainstream library (SDK); tight integration with the software application; suitable for 3rd party application development on all major OSs; access to the most commonly required features (image capture, enrol, match).

LOW: low level, device dependent interface; tight integration with the hardware; basic biometric operations and low level access to the sensor/module features.

DRV: device driver (USB).

Page 27: Audit of Biometric Systems

Page 28: Common Biometric Standards

FIPS 140-2 (NIST): security requirements for cryptographic modules produced by private sector vendors that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information. Level 1: basic cryptographic requirements only; Level 2: adds tamper-evidence and role-based authentication; Level 3: adds tamper-resistance/response (zeroisation of critical security parameters when tampering is detected) and identity-based authentication; Level 4: a complete envelope of protection against physical and environmental attacks on the module.

FIPS 201-2 (NIST): architecture and technical requirements for a common identification standard for Federal employees and contractors, covering: assurance provided by the issuer of an identity credential that the individual in possession of the credential has been correctly identified; protection provided to an identity credential stored within the PIV Card and transmitted between the card and the PIV issuance and usage infrastructure; protection provided to the identity verification system infrastructure and components throughout the entire life cycle.

IAFIS (FBI): Integrated Automated Fingerprint Identification System Image Quality Specifications (IQS). The certification process is not intended to endorse one product over a competitor's product but merely to certify that the product meets FBI standards.

Page 29: Biometric System Functions

Enrolment: the step which ensures 'identification' of the end user and registration of a high quality template. Check the FTER. TIP: use your best quality reader here.

Data storage: storage of the template in a data repository (e.g. SQL database or Active Directory). TIP: use FIPS-compliant (e.g. FIPS-201 certified) software.

Data acquisition: the user input to the matching process. A good quality, consistent and 'clean' input is needed for best matching.

Transmission: check the security of the data transmission between the hardware and the software. Encryption is highly recommended.

Signal processing: the matching algorithm which matches and validates the data. Ensure that the right level of sensitivity (decision threshold) is set.

Decision: the output of the matching algorithm; this is what the FAR and FRR statistics measure.

Page 30: Performance Measures

False Rejection Rate (FRR)
  Description: a valid subject is rejected by the system
  Calculation: number of false rejections / number of genuine attempts
  Improvements: re-enrol the user (better hardware, better environment, better biometric characteristic); improve the user input; adjust the software sensitivity

False Acceptance Rate (FAR)
  Description: an invalid subject is accepted by the system
  Calculation: number of impostor acceptances / number of impostor attempts
  Improvements: adjust the software sensitivity (a stricter threshold lowers FAR but raises FRR); better hardware and biometric characteristic

Failure to Enrol Rate (FTER)
  Description: user not registered by the system
  Calculation: number of failed enrolments / number of enrolment attempts
  Improvements: re-enrol with better hardware, environment or biometric characteristic

Enrolment time
  Description: time to register a new user
  Calculation: time from submission to confirmation
  Improvements: improved matching algorithm

Throughput rate
  Description: time taken to validate a user
  Calculation: time from submission to confirmation
  Improvements: improved matching algorithm
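The measures above computed from match scores, as an added example (the editor's illustration, not the deck's or any vendor's code). The genuine and impostor scores and the enrolment log are constructed sample data standing in for a matcher's output; the block sweeps the decision threshold to show how the "sensitivity" setting on the Signal processing / Decision steps trades FRR against FAR, finds the equal-error operating point, and converts a FAR into the trial-and-error strength in bits that the "Three types of attacks" slide quotes as "average attack space" (the halving convention in `attack_space_bits` is an assumption about that slide's arithmetic, not something the deck states).

```python
"""FRR, FAR, FTER and the decision threshold (added example, not vendor code).

Scores and the enrolment log are constructed data, not measurements.
"""
from math import log2

# Constructed similarity scores 0..100 from a hypothetical matcher:
# genuine = the enrolled user, impostor = other people.
GENUINE_SCORES = [92, 88, 95, 71, 84, 90, 63, 97, 86, 79, 91, 58, 89, 93, 82]
IMPOSTOR_SCORES = [12, 35, 22, 48, 9, 61, 17, 30, 41, 25, 14, 55, 33, 19, 27]
# Constructed enrolment log: True = template registered, False = enrolment failed.
ENROLMENT_RESULTS = [True] * 48 + [False] * 2


def false_rejection_rate(genuine, threshold):
    """FRR: valid subjects rejected / genuine attempts."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """FAR: invalid subjects accepted / impostor attempts."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def failure_to_enrol_rate(results):
    """FTER: failed enrolments / enrolment attempts."""
    return results.count(False) / len(results)


def sweep(genuine, impostor, thresholds):
    """(threshold, FRR, FAR) for each candidate sensitivity setting."""
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
            for t in thresholds]


def equal_error_threshold(genuine, impostor):
    """Lowest threshold at which FRR and FAR are closest: the equal-error
    operating point usually quoted when comparing systems."""
    best_t, best_gap = None, None
    for t, frr, far in sweep(genuine, impostor, range(0, 101)):
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


def lowest_threshold_for_far(impostor, max_far):
    """Most convenient setting (lowest threshold, hence lowest FRR) that still
    keeps FAR at or below a security target. None if no setting reaches it."""
    for t in range(0, 101):
        if false_acceptance_rate(impostor, t) <= max_far:
            return t
    return None


def attack_space_bits(far):
    """Trial-and-error strength in bits. Assumption: 'average attack space'
    is the expected number of impostor attempts before a false acceptance,
    taken as half of 1/FAR, expressed as a power of two."""
    if far <= 0:
        raise ValueError("FAR of 0 means the impostor sample was too small to measure it")
    return log2(1.0 / (2.0 * far))


if __name__ == "__main__":
    for t, frr, far in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(40, 71, 5)):
        print(f"threshold {t:3d}  FRR {frr:.3f}  FAR {far:.3f}")
    eer_t = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print("equal-error threshold:", eer_t,
          "FAR there:", round(false_acceptance_rate(IMPOSTOR_SCORES, eer_t), 3))
    print("FTER:", failure_to_enrol_rate(ENROLMENT_RESULTS))
    print("strength at FAR 1/1000:", round(attack_space_bits(1 / 1000), 1), "bits")
```

With only 15 impostor attempts the smallest FAR that can be measured is 1/15, which is the audit point: a vendor's quoted FAR of 1 in 100,000 cannot have been validated on a sample that small, and a FAR of exactly zero on a test set says more about the test set than about the matcher.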

Page 31: Data Storage

Security of the template transmission and storage is key (think of the RSA security breach).

Considerations between local (cached) storage and centralised storage: speed, security, resilience.

Scalability of solutions: key decisions about system architecture; consider the size of templates and the speed of matching.

Protect the templates against replacement, tampering, loss and destruction.

Page 32: Three types of attacks

Trial-and-error attack: the classic way of measuring biometric strength (how many attempts an impostor needs, on average, before one is falsely accepted).

Digital spoofing: transmit a digital pattern that mimics that of a legitimate user's biometric signature. Similar to password sniffing and replay; biometrics can't prevent such attacks by themselves.

Physical spoofing: present a biometric sensor with an image that mimics the appearance of a legitimate user.
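The two controls the deck recommends against digital spoofing without spelling out (encrypted, authenticated transmission between reader and host on the Biometric System Functions slide, and protection of stored templates against tampering and replacement on the Data Storage slide), as an added example written by the editor; it is not code from the deck or from any vendor. The host issues a fresh nonce per capture and the reader MACs nonce plus capture with a per-device key, so a sniffed message cannot be replayed; the host also refuses capture data it has seen byte-for-byte before, the "identical template data" indicator from the myths slide; and stored registration templates are sealed with an HMAC bound to the user record so that editing or swapping them is detected. The keys, user names and template bytes are constructed; a real deployment provisions the device key at manufacture and keeps the storage key in a key store or HSM rather than in source.

```python
"""Replay detection on the reader-to-host link and tamper detection on stored
templates (added example, not vendor code). Keys and data are constructed."""
import hashlib
import hmac
import os

# Constructed secrets (assumptions for the example only).
DEVICE_KEY = b"constructed-per-device-key-0001"
STORAGE_KEY = b"constructed-template-storage-key"
TAG_LEN = 32  # bytes of HMAC-SHA256


def seal_template(template: bytes, user_id: str) -> bytes:
    """Bind the registration template to its user record."""
    tag = hmac.new(STORAGE_KEY, user_id.encode() + b"\x00" + template, hashlib.sha256).digest()
    return template + tag


def open_template(sealed: bytes, user_id: str) -> bytes:
    """Return the template, or raise if it was altered or belongs to another user."""
    template, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(STORAGE_KEY, user_id.encode() + b"\x00" + template, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored template failed integrity check")
    return template


class Reader:
    """Sensor side: answers the host's challenge with a MAC over nonce + capture."""

    def respond(self, nonce: bytes, capture: bytes):
        tag = hmac.new(DEVICE_KEY, nonce + capture, hashlib.sha256).digest()
        return nonce, capture, tag


class Host:
    """Matching-engine side: issues nonces, checks freshness and origin."""

    def __init__(self):
        self._outstanding = set()    # nonces issued but not yet consumed
        self._seen_captures = set()  # digests of capture data already accepted

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def accept_capture(self, nonce: bytes, capture: bytes, tag: bytes) -> bytes:
        """Return the capture for matching, or raise for replayed/forged input."""
        if nonce not in self._outstanding:
            raise ValueError("replay: nonce was never issued or was already used")
        expected = hmac.new(DEVICE_KEY, nonce + capture, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("capture MAC invalid: tampered, or not from the paired reader")
        self._outstanding.discard(nonce)
        digest = hashlib.sha256(capture).digest()
        if digest in self._seen_captures:
            # A live finger never yields identical data twice, so identical bytes
            # are a replay even if the attacker could also forge the MAC.
            raise ValueError("replay: identical capture data seen before")
        self._seen_captures.add(digest)
        return capture


def _rejected(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run the legitimate flow and several attacks; report which were rejected."""
    host, reader = Host(), Reader()
    capture = b"constructed-minutiae-capture-A"
    msg = reader.respond(host.challenge(), capture)
    results = {"legitimate_accepted": host.accept_capture(*msg) == capture}
    # 1. Sniffed message resubmitted verbatim.
    results["replay_rejected"] = _rejected(host.accept_capture, *msg)
    # 2. Attacker supplies a nonce the host never issued.
    results["stale_nonce_rejected"] = _rejected(host.accept_capture, *reader.respond(os.urandom(16), capture))
    # 3. Same capture bytes under a fresh challenge: identical data is treated as replay.
    results["identical_data_rejected"] = _rejected(host.accept_capture, *reader.respond(host.challenge(), capture))
    # 4. Stored template: round trip, a single bit flip, and a swap onto another user.
    sealed = seal_template(b"constructed-registration-template-A", "alice")
    results["seal_roundtrip"] = open_template(sealed, "alice") == b"constructed-registration-template-A"
    tampered = bytes([sealed[0] ^ 0x01]) + sealed[1:]
    results["tamper_rejected"] = _rejected(open_template, tampered, "alice")
    results["swap_rejected"] = _rejected(open_template, sealed, "bob")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'yes' if ok else 'NO'}")
```

The nonce defeats the replay of a sniffed message; the identical-data check is the belt-and-braces control the myths slide describes, useful when the link is not authenticated at all. Neither helps against a forged capture of new data, which is where liveness detection and physical-spoofing resistance on the sensor come in.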

Average attack space by authentication method (note: assumes that the token is not stolen):

Type of attack                 Example                      Average attack space
Reusable passwords             Interactive or off-line      2^21 to 2^45
Biometrics                     Team                         2^6 to 2^19
One-time password tokens       Interactive or off-line      2^19 to 2^63
Public key tokens              Off-line                     2^63 to 2^116

Page 33: Common technical attacks

(Diagram.)

Page 34: Common management challenges

(Diagram.)

Page 35: Audit procedure using ISACA G36

Selecting & acquiring the biometric system: risk analysis of security controls; user acceptance of the biometric characteristic selected.

Operation and maintenance of the biometric system: user access management (enrolment, updating and removal); system interface with other applications.

User training & acceptance: user enrolment procedures and template quality scores; user understanding of the use of templates (e.g. privacy concerns).

System performance: monitoring of FRR, FAR and FTER, and review of system security parameters.

Application & database controls: controlling access to the 'back-end' stored data and parameters.

Audit trails: ensuring the audit logs are secured and stored for review.

Page 36: Quick guides to better audit reports

Use certified hardware (e.g. FIPS-201, FBI).

Use certified software (e.g. FIPS-201, FBI).

Tightly control user enrolment, with the best quality hardware and environmental conditions.

Ensure secure communication between the hardware and the software.

Use as part of multi-factor authentication, for example with a token externally and a password internally.

Consider the convenience, but don't forget the security.

Page 37: Quick guide to better biometric projects

Hardware

Usability: tightly control enrolment, no exceptions.

Durability: pick the best hardware, not the most expensive; ask for independent reports.

Security: consider certifications; consider communication security and tampering.

Cost: more expensive doesn't mean better, but cheap may undermine the entire project.

Software

Features: balance convenience with security.

Integration (scalability): select a biometric characteristic that scales suitably (1:N), or adapt the system to use 1:1 matching (e.g. using a username).

Security: consider certification; ensure encryption of templates and communications.

Cost: more expensive doesn't mean better, but cheap may undermine the entire project.

Page 38: The future

Page 39: Tokens and biometrics

Soft or hard tokens integrated with biometric readers: a swipe releases or enables a unique token, and the biometric can be used as part of a soft-token generation algorithm.

Page 40: Biometric Tokens: Applications

Mobile banking, secure remote access and payment applications: in each case an enhancement to token-only solutions, where the biometric replaces the PIN or acts as a third factor.

Page 41: Smartcard and biometrics

Match-on-card: the person's fingerprint and face templates are held on a smart card, and template matching is performed in the microprocessor embedded in the card instead of on a PC processor. Biometric template stored on the card; matching applet stored on the card. The template never leaves the card; only the match result does.

Match-on-terminal: the biometric template is stored on the card, but the matching applet runs on the terminal, so the template is read out of the card and matched on the terminal's processor.

The native-level fingerprint matching implementation requires less than 8 kilobytes for algorithm code, less than 1,700 bytes of RAM for data and 1,300 to 1,700 bytes for template storage. The Java Card post-issuance library for fingerprint matching requires less than 13 kilobytes for algorithm code, less than 600 bytes of RAM for data and less than 1 kilobyte for template storage.

Page 42: Biometric Card: Applications

Chip and PIN replacement: ATM machines (Deutsche Bank, Bank of Tokyo-Mitsubishi), ePOS, PDQ machines.

Age verification: nightclubs (reduction in nightclub violence in Australia), off-licences.

Club membership: prevents membership 'sharing'; enables 'unmanned' gyms and other services.

Page 43: Summary: Why biometrics?

• Convenient: addresses some of the 'human weaknesses' of password security and other two-factor solutions

• Secure: eliminates insecure passwords that are used to protect operating systems, database access, server and client data, emails, applications and more

• Scalable: designed to scale from one user to thousands of users with multiple types of authentication devices

• Cost effective: available as single multi-factor platforms; "mix and match" solutions can cost much more

• Easy to deploy: can be deployed on customer images and connected to a centralized enterprise server at any time

• Manageable: ties into the standard tools used by IT managers to manage user information and users (e.g. Windows MMC)

• Integration: can be adapted and re-engineered as required to meet customer requirements, with smartcards and tokens if required

Page 44: Questions & Discussion

Thank you. Paul Guckian, DelaneySecure Ltd. W: www.delaneysecure.com T: (01342) 810 810 E: [email protected]

Disclaimer: This presentation is intended for private entertainment and general educational purposes only in the context of the BCS IRMA group, and contains some references to restricted and copyright information. The information is of a general nature, and no reliance should be placed on the information contained herein.