Security and Privacy Challenges of Biometric Authentication for Online Transactions

Similar documents
Information Security. Rick Aldrich, JD, CISSP Booz Allen Hamilton

Testimony of. Cita M. Furlani Director

Biometrics and Cyber Security

Identity Management Initiatives in identity management and emerging standards Presented to Fondazione Ugo Bordoni Rome, Italy

Biometrics and National Strategy for Trusted Identities in Cyberspace Improving the Security of the Identity Ecosystem September 19

Usable Multi-Factor Authentication and Risk-Based Authorization

Identity: The Key to the Future of Healthcare

Biometric Performance Testing Methodology Standards. Michael Thieme, Vice President IBG, A Novetta Solutions Company

NIST E-Authentication Guidance SP and Biometrics

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Human Resource (HR) and Security Awareness v1.0 September 25, 2013

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

Best Practices for Privileged User PIV Authentication

NIST Cybersecurity White Paper

Digital Identity & Authentication Directions Biometric Applications Who is doing what? Academia, Industry, Government

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

Usable Multi-Factor Authentication and Risk- Based Authorization

NIST Cyber Security Activities

US Cyber Marathon. David Ambrose, Chief Security Officer and Chief Privacy Officer Bureau of the Fiscal Service U.S. Department of the Treasury

Testimony of. Kevin Stine. Leader, Security Outreach and Integration Group. Computer Security Division. Information Technology Laboratory

Date: Wednesday March 12, 2014 Time: 10:00 am to 2:45 pm ET Location: Virtual Hearing

Role of Multi-biometrics in Usable Multi- Factor Authentication

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Building Security In:

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

Society, Law Enforcement and the Internet

Rich Furr Head, Global Regulatory Affairs and Chief Compliance Officer, SAFE-BioPharma Association. SAFE-BioPharma Association

FY14 Q2 Chief Information Officer Federal Information Security Management Act Reporting Metrics v1.0

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201-2,

OWA/2-Factor Authentication VPN FAQ. Outlook Web Access (OWA) QUESTIONS

DIVISION OF INFORMATION SECURITY (DIS)

Big Data, Big Risk, Big Rewards. Hussein Syed

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

REPORT. Next steps in cyber security

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

FINAL Version 1.1 April 13, 2011

I. Application Development

Federal Identity, Credential, and Access Management Trust Framework Solutions. Overview

THE OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY S OVERSIGHT OF THE TESTING

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

New York State Department of Financial Services. Update on Cyber Security in the Banking Sector: Third Party Service Providers

Automated Regional Justice Information System (ARJIS) Acceptable Use Policy for Facial Recognition

Common Criteria Evaluations for the Biometrics Industry

addressed. Specifically, a multi-biometric cryptosystem based on the fuzzy commitment scheme, in which a crypto-biometric key is derived from

ISO Biometric Template Protection

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

How To Write A Cybersecurity Framework

Derived credentials. NIST SP ( 5.3.5) provides for long term derived credentials

State of South Carolina Policy Guidance and Training

Designing federated identity management architectures for addressing the recent attacks against online financial transactions.

FREQUENTLY ASKED QUESTIONS

Digital Identity Management

FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0

Get Confidence in Mission Security with IV&V Information Assurance

CERIAS Tech Report

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

Electronic Authentication Guideline. -- OR --

Middle Class Economics: Cybersecurity Updated August 7, 2015

Published International Standards Developed by ISO/IEC JTC 1/SC 37 - Biometrics

Department of Management Services. Request for Information

How TraitWare TM Can Secure and Simplify the Healthcare Industry

Identity and Access Management Initiatives in the United States Government

Past vs. Present: Third Party Risk

Framework for Improving Critical Infrastructure Cybersecurity

THE FFIEC CHALLENGE A Call for Reliable Authentication

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

BSA GLOBAL CYBERSECURITY FRAMEWORK

Why Cybersecurity Matters in Government Contracting. Robert Nichols, Covington & Burling LLP

CDM Hardware Asset Management (HWAM) Capability

Spanish Certification Body. Challenges on Biometric Vulnerability Analysis on Fingerprint Devices. New. Technical Manager September 2008

THE WHITE HOUSE Office of the Press Secretary

Description of Biometric Data Interchange Format Standards

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

Is the Device User the Device Owner? A paper prepared for Biometrics UnPlugged: Mobility Rules Executive Summit - Tampa Monday, September 16, 2013

Multi-Factor Authentication for your Analytics Implementation. Siamak Ziraknejad VP, Product Management

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Walter Fumy discusses the importance of IT security standards in today s world and the role that SC 27 plays in this field.

The De-identification of Personally Identifiable Information

Evaluation of DHS' Information Security Program for Fiscal Year 2015

OFFICE OF INSPECTOR GENERAL. Audit Report. Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security

ANNUAL REPORT TO CONGRESS: FEDERAL INFORMATION SECURITY MANAGEMENT ACT

Technological Evolution

Working Group 5 Identity Management and Privacy Technologies within ISO/IEC JTC 1/SC 27 IT Security Techniques

De Nieuwe Code voor Informatiebeveiliging

Federal Identity, Credentialing, and Access Management. Identity Scheme Adoption Process

Prof. Udo Helmbrecht

IDENTITY INFORMATION MANAGEMENT

24x7 Incident Handling and Response Center

White Paper 2 Factor + 2 Way Authentication to Criminal Justice Information Services. Table of Contents. 1. Two Factor and CJIS

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Compliance, audit, risk, security what s the difference and why do we need it?

AT&T Cybersecurity Policy Overview

This is a preview - click here to buy the full publication TECHNICAL REPORT INFORMATION TECHNOLOGY HOME ELECTRONIC SYSTEM (HES) APPLICATION MODEL

Monalisa P. Kini, Kavita V. Sonawane, Shamsuddin S. Khan

Implementing a Quantitative Risk- Based Approach to Cyber Security

Using Voice Biometrics in the Call Center. Best Practices for Authentication and Anti-Fraud Technology Deployment

Professor John McCanny CBE FRS FREng

Transcription:

Security and Privacy Challenges of Biometric Authentication for Online Transactions Elaine Newton, PhD NIST Information Technology Laboratory, Computer Security Division elaine.newton@nist.gov 1-301-975-2532 1

Remote Authentication in the Federal Government OMB Memo 04-04 Describes 4 assurance levels, with qualitative degrees of confidence in the asserted identity s validity: Level 1 = Little or no confidence Level 2 = Some confidence Level 3: High confidence Level 4: Very high confidence NIST Special Publication 800-63 Technical requirements for remote authentication over an open network in response to OMB 04-04 2

NIST SP 800-63 (E-authentication Guidance) Adopted by non-usg orgs and an international standard project is based on 800-63. NIST (E. McCallister) is the lead editor, ISO/IEC Project 29115 Levels 3 and 4 require two-factor authentication Biometrics not included in authentication protocols in this guidance 3

Outlook for Identity Management WH Initiative on the National Strategy for Trusted Identities in Cyberspace (NSTIC) Aims to improve the security of online transactions of consumers (e.g. online banking) Remote access for more services, available anytime, anywhere Risk-based choices of factors and methods Open standards, interoperable platforms 4

Authentication Use Case For law enforcement, immigration, etc. Enrollment and subsequent recognition attempts highly controlled Supervised / Attended Successful recognition Answers the question, Has this person been previously encountered? Is a unique pattern Comparison For online transactions, e.g. banking, health, etc. Enrollment Less controlled Probably not in person Subsequent recognition attempts Unattended Successful recognition Answers the question, How confident am I that this is the actual claimant? Is a tamper-proof rendering of a distinctive pattern 5

Biometric Security Issues Figure by Nalini Ratha, IBM 6

Focus Areas 1) Artefact/Liveness Detection New Project in ISO/IEC JTC1 SC37: 30107 2) Biometric Template Protection 3) Web Services To be covered by Kevin Mangold in the next talk 7

Anti-Spoofing/Liveness Detection Standards Project Threats/ Attacks Countermeasures Data / Data Formats (for Metrics) Measurement/ Evaluation QPL, Validation, or Certification Program High Confidence in factors available to consumers for authentication (and access) over open networks 8

Types of Biometric Spoofing From the 2nd Working Draft of IS Project 30107 9

Types of Detection From the 2nd Working Draft of IS Project 30107 10

Data Fields for Detecting Subversive Presentations* a) whether the capture device provides artefact/liveness detection [locally, where a one indicates the existence of artefact/liveness detection (one-byte-block)]; b) the generic [or normalized] artefact/liveness detection threshold used in capture (i.e. the sensitivity level at the time of the presentation) (one-byte-block); c) the technique-specific artefact/liveness detection threshold used in capture (i.e. the sensitivity level at the time of the presentation) (one-byte-block); *From the 2nd Working Draft of IS Project 30107 11

Data Fields for Detecting Subversive Presentations* (cont.) d) a local decision on aretefact/liveness detection, where a zero indicates failure to pass aretefact/liveness detection (one-byte block); e) a confidence score between 0 and 100, where higher values indicate higher likelihood of a live (or nonspoofed) sample, or a value of 255 indicating failure to compute (one-byte block); f) technique specific data (1 byte) and their units (1 byte) (two-byte block); and/or g) the level of supervision / surveillance during capture [denoted by the number for the condition in Table 3 (one-byte-block)]. In addition to: vendor ID, algorithm ID, and sensor ID. 12

How to Participate in the Development of 30107 In the US, interested parties should join INCITS M1 http://standards.incits.org/a/public/group/m1 In other countries, interested parties should participate in their country s Technical Advisory Group (TAG) to ISO/IEC JTC1 SC37 13

Biometric Template Protection Methods for protecting biometric data from misuse, such as linking data subjects records across databases and impersonation Need for metrics to evaluate algorithms incorporating both the security properties and accuracy Biometric Performance De-Identification Irreversibility Others http://collaborate.nist.gov/twiki-secbiotemp/ 14

Multi-Factor Authentication (MFA) Initiative Supported by the Comprehensive National Cybersecurity Initiative (CNCI) Objective: To improve cyber security through strengthening authentication assurance by Advancing multi-factor authentication Shifting the predominance of the usernamepassword paradigm for online transactions Addressing major gaps for remote authentication for higher risk online transactions 15

Thank you Questions? Elaine Newton, PhD elaine.newton@nist.gov 1-301-975-2532 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information