Biometrics for Authentication: Do We Need It? Christophe Rosenberger, GREYC Research Lab, France
OUTLINE (slide footer: Pôle TES and contactless)
- Introduction
- User authentication
- GREYC - E-payment & Biometrics
- Introduction to biometrics
- Usable biometric solutions
- Perspectives
Introduction: E-secure transactions (Pôle TES, the E-secure Transactions cluster)
Introduction: Digital identity management. One individual has many identities.
Introduction: User authentication. Authentication methods are based on:
- What we know [secret]
- What we own [token, smartcard, RFID tag]
- What we are [biometrics]
- The way we do things [behavioural biometrics]
- The use of a reliable third party [relationship]
These are called authentication factors.
Introduction: Digital identity management. One individual can have different authentication factors.
Introduction: Trends
- Trust in the identity of a user or a client
- Guarantee security (difficult to compromise)
- Respect privacy
- Facilitate usability
USER AUTHENTICATION
User authentication: solutions in the market (figure)
User authentication: Biometrics. The only authentication method that binds the check to the person rather than to a secret or an object. It is easier to use, and much more difficult to attack or forge.
GREYC RESEARCH LAB: E-payment & Biometrics
ENSICAEN: School of engineering of Caen, ~780 students. Department of Computer Science: the E-payment & Computer Security programme, the only one in France. Strong partnerships with companies: Gemalto, Morpho, Fime...
GREYC Research Lab: Research Group in Computer Science, Automatics, Image Processing and Electronics of Caen.
Laboratory staff: 7 CNRS researchers, 25 full professors, 18 associate professors, 48 assistant professors, 79 PhD students, 17 permanent staff, 30 engineers and post-docs.
Research topics: electronics, image processing, algorithmics, document analysis, multi-agents, robotics navigation, automatics, computer security, natural language processing, biometrics, cryptography.
E-payment & Biometrics. Members (29): 3 full professors, 2 associate professors, 4 assistant professors, 4 permanent engineers, 8 PhD students, 2 post-docs, 6 engineers. Research topics (2): biometrics and trust. Application: e-payment. Research projects: ASAP (ANR), LYRICS (ANR), PAY2YOU (FUI), CAPI (FUI), ADS+ (FUI), INOSSEM (GE), LUCIDMAN (EUREKA).
E-payment & Biometrics. Biometrics: operational authentication that respects the privacy of users.
- Biometric authentication (palm veins, keystroke dynamics...)
- Evaluation of biometric systems (usability, security...)
- Protection of biometrics (cancelable biometrics, smartcards...)
GREYC Keystroke: keystroke dynamics authentication
Introduction to biometrics
Biometrics: Biometric modalities
- Biological analysis: EEG signal, DNA
- Behavioural analysis: keystroke dynamics, voice, gait, signature dynamics...
- Morphological analysis: fingerprint, iris, palmprint, finger veins, face, ear
Biometrics: general architecture of a biometric system (figure). Source: ISO/IEC 19794-1, Information technology, Biometric data interchange formats, Part 1: Framework.
Usable biometric solutions
Keystroke dynamics: Authentication based on passwords
- Passwords can be shared between users
- Passwords are difficult to memorize
- Passwords can be stolen
- Passwords are vulnerable to guessing attacks
Keystroke dynamics: Advantages
- A two-factor authentication method: knowledge of the password, and the way the password is typed
- Good acceptance: invisible to the user (passphrase or password); no privacy issue (the password is easy to change); avoids complex passwords that are difficult to remember
- Low-cost solution: no additional sensor; software-based authentication method
R. Giot, M. El-Abed, B. Hemery, C. Rosenberger, "Unconstrained Keystroke Dynamics Authentication with Shared Secret", Computers & Security (Elsevier, IF 0.868), vol. 30, no. 6-7, pp. 427-445, September-October 2011
Keystroke dynamics: How does it work? Record the different timings: PP (latency between two key presses), RR (latency between two releases), RP (latency between a release and the next press) and PR (duration of a key press). Use this feature vector to measure the similarity of the keystroke dynamics with the user's enrolled template.
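As an added illustration, not the GREYC keystroke-dynamics software nor the method of the paper cited above, the following Python builds the PP/RR/RP/PR feature vector from press and release timestamps and scores an attempt against a template built from three enrollment captures. The captures, the 5 ms floor on the standard deviation and the threshold of 3.0 are constructed assumptions for the example. The typed secret is checked first, so a wrong password fails before any timing is compared, which is the two-factor point of the previous slide.

```python
# Added example, not the GREYC keystroke software: timing features
# (PR, PP, RR, RP) and a per-user scaled distance.
from statistics import mean, pstdev

# Constructed samples. Each keystroke is (key, press_ms, release_ms) for the
# shared password "greyc"; timings are relative to the first key press.
ENROLLMENT_SAMPLES = [
    [("g", 0, 95), ("r", 180, 270), ("e", 330, 410), ("y", 520, 600), ("c", 700, 790)],
    [("g", 0, 100), ("r", 190, 275), ("e", 340, 420), ("y", 530, 615), ("c", 710, 800)],
    [("g", 0, 90), ("r", 175, 265), ("e", 325, 405), ("y", 515, 595), ("c", 695, 785)],
]
GENUINE_ATTEMPT = [("g", 0, 97), ("r", 185, 272), ("e", 335, 412), ("y", 525, 605), ("c", 705, 795)]
# Same password, different rhythm: an impostor who learned the secret.
IMPOSTOR_ATTEMPT = [("g", 0, 60), ("r", 90, 150), ("e", 400, 450), ("y", 480, 560), ("c", 900, 940)]

MIN_SIGMA_MS = 5.0  # assumed floor so a zero-variance feature cannot dominate the score


def extract_features(events):
    """Feature vector: PR (hold time of each key), then PP, RR and RP latencies
    between consecutive keys, all in milliseconds."""
    pr = [rel - prs for _, prs, rel in events]
    pairs = list(zip(events, events[1:]))
    pp = [b[1] - a[1] for a, b in pairs]  # press -> next press
    rr = [b[2] - a[2] for a, b in pairs]  # release -> next release
    rp = [b[1] - a[2] for a, b in pairs]  # release -> next press (negative if keys overlap)
    return pr + pp + rr + rp


def build_template(samples):
    """Per-feature mean and standard deviation over the enrollment captures,
    plus the key sequence (the password) that the captures encode."""
    keys = tuple(k for k, _, _ in samples[0])
    vecs = [extract_features(s) for s in samples]
    mu = [mean(col) for col in zip(*vecs)]
    sigma = [max(pstdev(col), MIN_SIGMA_MS) for col in zip(*vecs)]
    return {"keys": keys, "mu": mu, "sigma": sigma}


def keystroke_score(template, attempt):
    """Scaled Manhattan distance: each deviation is normalised by the user's own
    variability on that feature. Lower means closer to the enrolled rhythm."""
    feats = extract_features(attempt)
    total = sum(abs(f - m) / s for f, m, s in zip(feats, template["mu"], template["sigma"]))
    return total / len(feats)


def keystroke_verify(template, attempt, threshold=3.0):
    """Both factors: the typed secret must match and the rhythm must be close."""
    if tuple(k for k, _, _ in attempt) != template["keys"]:
        return False  # wrong password: reject before looking at timings
    return keystroke_score(template, attempt) < threshold


if __name__ == "__main__":
    tpl = build_template(ENROLLMENT_SAMPLES)
    print("genuine score :", round(keystroke_score(tpl, GENUINE_ATTEMPT), 3))
    print("impostor score:", round(keystroke_score(tpl, IMPOSTOR_ATTEMPT), 3))
```

On these constructed captures the genuine attempt scores about 0.27 and the impostor, who types the correct password with a different rhythm, about 21, so the threshold is not delicate here; with real users the threshold is tuned on enrollment data, typically at the equal error rate.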
Keystroke dynamics: some recent articles in the media (figure)
Demo
Signature dynamics. A signature: the usual method to authenticate a person (contracts...); manual or automated verification; existing sensors: tablet, scanner...; can be copied.
Signature dynamics: Principle. Takes the user's behaviour into account (how the signature is produced, not only its final shape); much more difficult to falsify; based on a method (the signature) that is widely used and recognized from a legal point of view.
Signature dynamics: Software (figure)
V. Alimi, C. Rosenberger, S. Vernois, "A mobile contactless point of sale enhanced by the NFC technology and a match-on-card signature verification algorithm", Smart Mobility Conference, 2011
V. Alimi, C. Rosenberger, S. Vernois, "A Mobile Contactless Point of Sale Enhanced by the NFC and Biometric Technologies", International Journal of Internet Technology and Secured Transactions, to appear 2012
Voice recognition: Principle. Voice is a natural choice to authenticate a user (on a mobile phone or even a computer). Dynamic authentication (a random challenge, to resist replay of a recorded voice). Free-text speaker recognition is therefore needed, since the sentence to be spoken is not known in advance.
Voice recognition: Verification process
1. The user launches the Android application
2. The application (offline) or the server (online) generates a challenge (a random sentence)
3. The user says the sentence into the microphone
4. The application (offline) or the server (online) matches the biometric capture against the enrolled speaker
5. The application (offline) or the server (online) verifies that the challenge sentence is what was said
6. If everything is OK, the user's identity is verified
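The six steps above as an added example, not the Android application or the system of the BIOSIG 2012 paper: a Python sketch of the verifier side, with the speech-to-text and speaker-recognition models replaced by stand-ins (a transcript supplied with the capture, and a cosine similarity between constructed speaker embeddings). The sentence pool, the similarity threshold and the 30 s lifetime are assumptions. What the code shows is the anti-replay logic behind steps 2 and 5: a challenge is random, bound to one user, single-use and short-lived, so a recording from an earlier session does not contain the current sentence, and a captured answer cannot be submitted twice.

```python
# Added example, not the GREYC/BIOSIG 2012 software: challenge-based speaker
# verification with replay protection. Speech-to-text and the speaker model
# are stand-ins (see lead-in).
import math
import secrets
import time

# Constructed pool of candidate challenge sentences.
SENTENCE_POOL = [
    "the blue train leaves at seven",
    "my coffee is cold this morning",
    "seven green parrots sing loudly",
    "please open the garden window",
]

SPEAKER_THRESHOLD = 0.9  # assumed decision threshold for the stand-in speaker model

# Constructed speaker embeddings (stand-in for a real speaker model).
ALICE_ENROLLED = [0.9, 0.1, 0.4, 0.2]
ALICE_LIVE = [0.88, 0.12, 0.41, 0.19]   # a new capture of the same speaker
IMPOSTOR_LIVE = [0.1, 0.9, 0.2, 0.5]    # someone else


def cosine(a, b):
    """Cosine similarity between two embeddings."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb)


def normalise(text):
    """Case- and whitespace-insensitive comparison of spoken text."""
    return " ".join(text.lower().split())


class ChallengeServer:
    """Issues random sentence challenges and verifies the spoken answer."""

    def __init__(self, ttl_seconds=30.0, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # challenge_id -> (user_id, sentence, issued_at)
        self._enrolled = {}          # user_id -> speaker embedding

    def enroll(self, user_id, embedding):
        self._enrolled[user_id] = list(embedding)

    def issue_challenge(self, user_id):
        # Step 2: an unguessable id and a random sentence. A recording made in
        # an earlier session will not contain this sentence.
        challenge_id = secrets.token_hex(8)
        sentence = secrets.choice(SENTENCE_POOL)
        self._pending[challenge_id] = (user_id, sentence, self._clock())
        return challenge_id, sentence

    def verify(self, user_id, challenge_id, transcript, embedding):
        # Steps 4-5: the challenge must be ours, for this user, fresh, used at
        # most once, spoken as issued, and by the enrolled speaker.
        entry = self._pending.pop(challenge_id, None)   # single use, even on failure
        if entry is None:
            return False, "unknown or already used challenge"
        owner, sentence, issued_at = entry
        if owner != user_id:
            return False, "challenge issued to another user"
        if self._clock() - issued_at > self._ttl:
            return False, "challenge expired"
        if normalise(transcript) != normalise(sentence):
            return False, "spoken text does not match challenge"
        enrolled = self._enrolled.get(user_id)
        if enrolled is None:
            return False, "user not enrolled"
        if cosine(embedding, enrolled) < SPEAKER_THRESHOLD:
            return False, "speaker mismatch"
        return True, "verified"


if __name__ == "__main__":
    srv = ChallengeServer()
    srv.enroll("alice", ALICE_ENROLLED)
    cid, sentence = srv.issue_challenge("alice")
    print("challenge:", sentence)
    print("live answer :", srv.verify("alice", cid, sentence, ALICE_LIVE))
    print("replayed    :", srv.verify("alice", cid, sentence, ALICE_LIVE))
```

Popping the challenge before any check means a failed attempt also consumes it, so an attacker cannot probe the same challenge repeatedly with different recordings; the client simply asks for a new one.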
Voice recognition: Software (figure)
M. Baloul, E. Cherrier, C. Rosenberger, "Challenge-based Speaker Recognition For Mobile Authentication", IEEE Conference BIOSIG, 2012
Cancelable biometrics. Motivation: it is not always possible to revoke biometric data (a compromised fingerprint template cannot be replaced the way a password can). Principle: avoid storing the fingerprint image or minutiae; better performance; usable solution.
Cancelable biometrics: Verification process. Feature extraction on the original image gives a FingerCode; BioHashing salts the FingerCode with a seed to produce the BioCode.
- The original image is not stored; only the BioCode is stored
- Given the BioCode alone, it is not possible to compute the pattern or retrieve the original image
- A BioCode can be regenerated (with another seed)
- The BioHashing process improves performance
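BioHashing as described on this slide, written out as an added example (not the GREYC implementation, and with no FingerCode extractor: the texture features are a constructed real-valued vector of the kind a FingerCode is). The seed drives a pseudo-random set of vectors that are orthonormalised and used to project the features; the sign of each projection is one bit of the BioCode, and matching is a Hamming distance. The dimensions, the seed and the distance threshold are assumptions. The checks in the test show the two properties the slide relies on: a re-capture of the same finger gives almost the same BioCode, and the same finger under a different seed gives an unrelated one, which is what makes revocation possible.

```python
# Added example, not the GREYC BioHashing code: seed-salted random projection
# of a feature vector into a binary BioCode, in pure Python (no numpy).
import math
import random

FEATURE_DIM = 64   # assumed length of the feature vector
CODE_LENGTH = 48   # assumed BioCode length (must be <= FEATURE_DIM)
MAX_DISTANCE = 8   # assumed decision threshold (Hamming distance)


def _gram_schmidt(vectors):
    """Orthonormalise the seeded random vectors (classical Gram-Schmidt)."""
    basis = []
    for v in vectors:
        w = list(v)
        for b in basis:
            proj = sum(wi * bi for wi, bi in zip(w, b))
            w = [wi - proj * bi for wi, bi in zip(w, b)]
        norm = math.sqrt(sum(wi * wi for wi in w))
        if norm > 1e-9:                 # skip a (numerically) dependent vector
            basis.append([wi / norm for wi in w])
    return basis


def biohash(features, seed, code_length=CODE_LENGTH):
    """Salting with the seed: derive an orthonormal set from the seed, project
    the features on it, and binarise each projection at zero."""
    rng = random.Random(seed)
    raw = [[rng.gauss(0.0, 1.0) for _ in range(len(features))] for _ in range(code_length)]
    basis = _gram_schmidt(raw)
    projections = [sum(f * b for f, b in zip(features, row)) for row in basis]
    return [1 if p > 0.0 else 0 for p in projections]


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def biohash_verify(stored_code, features, seed, max_distance=MAX_DISTANCE):
    """Recompute the BioCode from a fresh capture and the user's seed and
    compare it with the stored one; the image itself is never needed."""
    return hamming(stored_code, biohash(features, seed, len(stored_code))) <= max_distance


# Constructed data: an enrolled feature vector, a noisy re-capture of the same
# finger, and an unrelated finger.
_rng = random.Random(1)
ENROLLED_FEATURES = [_rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]
_rng = random.Random(2)
GENUINE_FEATURES = [f + _rng.gauss(0.0, 0.02) for f in ENROLLED_FEATURES]
_rng = random.Random(3)
IMPOSTOR_FEATURES = [_rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]

USER_SEED = 0xC0FFEE      # assumed per-user secret seed (held on a token or smartcard)
STORED_BIOCODE = biohash(ENROLLED_FEATURES, USER_SEED)   # the only thing stored

if __name__ == "__main__":
    print("genuine   :", hamming(STORED_BIOCODE, biohash(GENUINE_FEATURES, USER_SEED)))
    print("impostor  :", hamming(STORED_BIOCODE, biohash(IMPOSTOR_FEATURES, USER_SEED)))
    print("new seed  :", hamming(STORED_BIOCODE, biohash(ENROLLED_FEATURES, 0xBEEF)))
```

The seed must be stored apart from the BioCode (on the slide's smartcard, for instance): the scheme's revocability and non-invertibility are with respect to the BioCode alone, and the ICB 2012 paper cited on the next slide studies attacks on exactly this construction.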
Cancelable biometrics: Demo
R. Belguechi, E. Cherrier, C. Rosenberger, "Texture based Fingerprint BioHashing: Attacks and Robustness", IEEE/IAPR International Conference on Biometrics (ICB), 2012
Perspectives
Conclusion. Biometrics: the ONLY authentication solution bound to the user. Many usable solutions exist:
- Speaker recognition (especially for mobile phones or off-pad use)
- Signature dynamics (authentication, dematerialized documents)
- Keystroke dynamics (authentication, monitoring, access control...)
- Cancelable biometrics (allowing online verification without storing the raw biometric data)
http://www.epaymentbiometrics.ensicaen.fr/