Biometric Authentication: The Myths and The Facts
About Delaney Secure
- Specialising in Biometric Authentication
- Founded 2003 by Trevor Swainson
- UK and Ireland Distributor
  - Fingerprint vendors such as Authentec (UPEK), Crossmatch, L1, DigitalPersona, Futronic, M2SYS, Softex Inc, Neurotechnology & SecuGen
  - Vein vendors such as M2SYS, Fujitsu-PFU & Hitachi
- Currently growing at 300% per annum
Paul Guckian, CEO
- Background in IT Audit & Assurance - CISA, CISM, MSc, BSc
- Worked primarily in financial services, Big4 and larger audit consultancies
Authentication as a security priority
Business drivers for better authentication
Business Values: IT Cost savings (ROI), Staff Efficiency, Regulatory Compliance & Security, Increased Revenue
IT Cost Reductions
- Single multi-factor authentication platform
- Self Reset & Helpdesk support for PWD reset
- User/Application administration under one management console
- Leverage current directory infrastructure
Security & Compliance
- Multi-Factor Authentication
- SSO/eSSO
- Integrated Encryption
- Integrated Management Console
Efficiency & Ease of Use
- No delays because of PWD reset
- Access anywhere via Roaming sessions
- Reduced session start-up time
Strong Authentication
- Something that you know, e.g. password, bank PIN. It has the problem that things that you know can be accidentally or deliberately passed to someone else. The potential damage of such transfer may be limited by the possibility of rendering the transferred knowledge useless by changing the password, PIN etc.
- Something that you have, e.g. smart card, bank card, token key fob. Again, it may accidentally or deliberately be transferred. Again, the damage done by such transfer can be remedied by cancelling the device, or physically recovering it.
- Something that you are, e.g. your fingerprints, iris, voice. This is biometric authentication. This cannot easily be transferred to someone else, so in theory it is the ideal means of authentication. It has some other problems, however.
Biometric Authentication
Biometric Authentication
Wide variety of applications throughout consumer, commercial and government organisations.
- Consumer: Convenience
- Enterprise: Convenience & Security
- Government: Security
Focus on the commercial applications
Biometric Authentication in The Movies
Six Common Myths
1. Biometrics is a new idea
- Evidence of biometric identification used in the building of the pyramids
- Huge quality improvements, especially in the last 10 years
2. Iris recognition devices use lasers to scan your eyes
- First company to produce such a system called itself IrisScan (now Iridian Technologies)
- Iris recognition camera takes a black and white picture from up to 24 inches away and uses non-invasive, near-infrared illumination
3. Stolen body parts will work
- In most biometric devices there is an element of liveness detection, which can measure many variables, from a finger pulse to a pupil response.
- Extracted (or enucleated) eyeball quickly begins to decompose, with the cornea clouding over and obscuring the iris.
- A severed finger also dies rapidly, typically becoming useless after around 10 minutes.
4. Inability to enrol or verify children or Asian women
- Recent advances in imaging have led to greater resolutions being achieved by fingerprint sensors
- At least 1,300 primary schools in the UK are using fingerprint technology to replace old-fashioned password-based systems in their libraries
5. Commercial fingerprint system could be used by police
- Stems from a misunderstanding of how a biometric system typically works in a commercial environment.
- Systems use a limited template which is typically encrypted, and cannot be reverse engineered
- The feeding of identical template data to a fingerprint system's matching engine by a hacker will normally fail, as this is almost a sure indication that the data has been stolen and that a replay attack is underway.
6. Biometrics are the silver bullet that will rid the world of terrorism/evil
- They are only able to confirm whether this is the same person that initially enrolled into the system
- e.g. if a government doesn't have a quality photograph of a known terrorist suspect, then the chances of stopping that person at a checkpoint using facial recognition are slim.
Commercial vs. Government Systems
Feature | Government | Commercial
Objective | Beyond reasonable doubt | On the balance of probability
Stored Image | Full | Templates
Security vs. Convenience | Security | Balanced
Testing Requirements | Rigorous | Reasonable
Hardware Specifications | Detailed | High Level
No of enrolled users | Large | Limited
Biometric Authentication - Options: Fingerprint, Finger Vein (Hitachi), Palm Vein (Fujitsu), Iris, Face Recognition, Hand Geometry, Keystroke Dynamics, Retina, Signature, Voice, DNA
Biometric Authentication - Options Courtesy of the International Biometric Group
Commercial Uses of Biometric Authentication (SECURITY and CONVENIENCE): File/Folder Lock, OTP Soft Token, Password Replacement, Quick Launch, Secure Your Device, Turbo Scrolling, Application Lock Unlock, NFC-Based Mobile Wallet, E-Commerce Transactions, Touchpad Navigation
Typical Commercial Applications
Network Access (Windows Domain)
- Single or multi-factor options (passwords, biometric, smartcards, token, OTP)
- Easy to integrate as standalone or Windows AD integrated solutions
- Looks and feels like Windows AD administration
Application Authentication (via SDKs)
- Particularly payment applications
- Non-repudiation of user authentication
- Free or low cost SDKs
Physical Access Control
- Integrated with door entry or club membership systems
- Single or multifactor (PIN, smartcard and iris recognition)
Time and Attendance
- Stops buddy punching
Growth in Commercial Biometric Authentication
Embedded biometric readers driving growth
- Top 9 Laptop OEMs Shipping Models in 2011
- Over 13 Million Phones Shipped with Biometric Sensors
Maturity of the fingerprint technology
- It works
- It's cheap
- It's convenient
Key Advantages
Convenience
- Cannot forget, lose or share biometric data easily
- Reduces costs and risks of password resets
- Little user education
Improved security - address the weak human element
- Users never know their password
- Cannot be easily socially engineered via remote methods
- Complex passwords without user education
Non-repudiation of transactions
- Unequivocally link an individual to a transaction or event.
- Varying quality of proof (e.g. vein vs. fingerprint)
Cost
- Lower cost of ownership than other multi-factor solutions
- Full integrated platforms with biometric, smartcard and token options
Key Limitations
User Enrolment needs to be robust
- Systems provide authentication, not identification
- Need good quality template for matching
Replay Attacks
- Biometric templates don't change over time, but the algorithm can be changed
- Some systems don't have a replay detection mechanism, and some do.
Forgery
- Biometric templates are difficult but not impossible to duplicate
- Fingerprints are left behind, but typically not good enough quality.
- Vein, Iris and others leave no residual trace
Scalability
- Huge advances in fingerprint matching algorithms, but some progress required for vein and other larger templates to scale to national level
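The replay limitation above, together with myth 5's point that identical template data fed to the matching engine indicates a replay, can be sketched as a check that runs before the matcher. This is an added example, not code from the presentation or from any vendor; the ReplayGuard class, the shared reader key and the challenge/response framing are assumptions made for illustration, and the sample bytes are constructed.

```python
import hashlib
import hmac
import secrets

class ReplayGuard:
    """Hypothetical check run before a sample reaches the matching engine."""

    def __init__(self, reader_key: bytes):
        self._key = reader_key      # assumption: key provisioned in the reader
        self._open = set()          # challenges issued and not yet answered
        self._seen = set()          # digests of samples already submitted

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open.add(nonce)
        return nonce

    def check(self, nonce: bytes, sample: bytes, tag: bytes) -> str:
        # 1. Each challenge is single use, so a resent message is refused.
        if nonce not in self._open:
            return "reject: unknown or reused challenge"
        self._open.discard(nonce)
        # 2. The tag binds the sample to this challenge and to the reader key.
        if not hmac.compare_digest(reader_tag(self._key, nonce, sample), tag):
            return "reject: bad reader tag"
        # 3. Two live captures never agree bit for bit, so an exact repeat
        #    is treated as previously captured data being fed back in.
        digest = hashlib.sha256(sample).digest()
        if digest in self._seen:
            return "reject: identical sample seen before"
        self._seen.add(digest)
        return "pass to matcher"

def reader_tag(key: bytes, nonce: bytes, sample: bytes) -> bytes:
    # Computed by the reader over the server's nonce and its own capture.
    return hmac.new(key, nonce + sample, hashlib.sha256).digest()

def demo() -> list:
    key = secrets.token_bytes(32)
    guard = ReplayGuard(key)
    capture_a = bytes.fromhex("1396450045960328")  # constructed sample data
    capture_b = bytes.fromhex("1396450045960329")  # later touch, differs slightly
    out = []
    n1 = guard.challenge()
    t1 = reader_tag(key, n1, capture_a)
    out.append(guard.check(n1, capture_a, t1))   # first live capture
    out.append(guard.check(n1, capture_a, t1))   # same message resent
    n2 = guard.challenge()                       # old data under a fresh challenge
    out.append(guard.check(n2, capture_a, reader_tag(key, n2, capture_a)))
    n3 = guard.challenge()
    out.append(guard.check(n3, capture_b, reader_tag(key, n3, capture_b)))
    return out
```

The set of seen digests grows without bound here; a deployed check would scope it per user and age entries out.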
Comparison with Other Authentication Solutions Courtesy of IEEE, Vol. 91, No 12, Dec 2003
How Fingerprint Authentication Works?
Template Verification in action
- CAPTURE: Fingerprint Sensor
- FEATURE EXTRACTION: Mathematical Function -> Template (139645004596032 873946450487472)
- TEMPLATE REGISTRATION: Touch Sensor 4 Times -> Registration Template (739645754596032 673946450487333) -> Store in Database
Template Matching in Action
- MATCH (verification): Touch Sensor -> FEATURE EXTRACTION -> Template (139645004596032 873946450487472)
- COMPARE (Mathematically) with Registration Template (739645754596032 673946450487333)
- OK: Enable Authentication
- FAIL: NO Authentication
DigitalPersona Company CONFIDENTIAL
Hardware Features
Finger RF signal injection (508 dpi), FIPS 201 certified
- Technique: reads live skin, improving capture reliability and quality
- Performance: Delivers excellent performance: FMR, FRR, FTE
- Operation: Works for many finger types (wet/dry/damaged) and capture conditions e.g. light
- Protection: SteelCoat protective coating for better sensor durability
- Security: Eliminates the capture of latent images & replay attacks
- Certification: FBI Certified or FIPS-201 Certified readers
Image Quality vs. Fingerprint Pressure
[Figure: Image Quality (NFIQ, 1=Best, 5=Poor) vs Finger Pressure (N) at 3N (v. soft), 5N (soft), 7N (med), 9N (hard) and 11N (v. hard), for CrossMatch V300 and UPEK TCS1-EIM. Plotted values: one series 1.4, 1.3, 1.3, 1.3, 1.3; the other 3.1, 2.9, 2.5, 2.3, 2.1.]
Image quality score consistently better, over wide range of finger capture pressures
Ref: Purdue University study: Dr Eric Kukula Aug 2007
Impact of light on fingerprint readers
- Placement Fingerprint Sensors: Keeps image quality (Unaffected). Dynamic range: 184 (meets FIPS-201)
- Optical Fingerprint Sensors: Images wash out (Affected). Dynamic range: 59 (does not meet FIPS-201)
Mainstream SDKs
Application Authentication: Biometric SDKs
- APP: Consumer market software suite. Packaged Application. Full Application Software
- HIGH: High level SDK (identity infrastruct. level). Application Bolt-On. PBA + user authentication
- MID: Mainstream library (SDK). Tight Integration With Software Application. Suitable for 3rd party application development on all major OS; access to most commonly required features (image capture, enroll, match)
- LOW: Low level, device dependent interface. Tight Integration with Hardware. Basic Biometric Operations & Low level access to the sensor/module features
- DRV: Device Driver. USB
Audit of Biometric Systems
Common Biometric Standards
FIPS 140-2 (NIST)
- Description: Cryptographic modules produced by private sector vendors that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.
- Details: L1: cryptographic only; L2: cryptographic & anti-tampering; L3: cryptographic & anti-tampering and data deletion; L4: Protection of critical security parameters
FIPS 201-2 (NIST)
- Description: Architecture and technical requirements for a common identification standard for Federal employees and contractors
- Details:
  - Assurance provided by the issuer of an identity credential that the individual in possession of the credential has been correctly identified
  - Protection provided to an identity credential stored within the PIV Card and transmitted between the card and the PIV issuance and usage infrastructure
  - Protection provided to the identity verification system infrastructure and components throughout the entire life cycle.
IAFIS (FBI)
- Description: Integrated Automated Fingerprint Identification System (IAFIS) Image Quality Specifications (IQS)
- Details: The certification process is not intended to endorse one product over a competitor's product but merely to certify that the product meets FBI standards
Biometric System Functions
- Enrolment: The step which ensures identification of the end user, and registration of a high quality template. Check the FTER rate. TIP: Use your best quality reader here
- Data Storage: Storage of the template in a data repository (e.g. SQL database or Active Directory). TIP: Use FIPS-401 compliant software
- Data acquisition: The user input to the matching process. Need a good quality, consistent and clean input for best matching
- Transmission: Check the security of the data transmission between hardware and the software. Encryption is highly recommended.
- Signal processing: Matching algorithm which matches and validates the data. Ensure that the right level of sensitivity is set
- Decision: The output of the matching algorithm leads to FAR and FRR statistics
Performance Measures
Measurement | Description | Calculation
False Rejection Rate (FRR) | A valid subject is rejected by the system | Number of false rejections / Number of attempts
False Acceptance Rate (FAR) | An invalid subject is accepted by the system | Number of invalid user acceptances / Number of attempts
Failure to Enrol (FTER) | User not registered by the system | No of failed enrolments / Number of attempts
Enrolment Time | Time to register new user | Time from submission to confirmation
Throughput Rate | Time taken to validate | Time from submission to confirmation
Improvements listed on the slide: Re-enrol the user; Better hardware; Better environment; Better biometric characteristic; Improve user input; Adjust software sensitivity; Improved matching algorithm
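The ratios above, worked over a constructed matcher log to show how the sensitivity (threshold) setting trades FRR against FAR. This is an added example, not part of the original presentation; the score scale, the log layout and the function names are assumptions, and "number of attempts" is read as genuine attempts for FRR and impostor attempts for FAR.

```python
from fractions import Fraction

# Constructed matcher log: (attempt type, similarity score on a 0-100 scale).
ATTEMPTS = [
    ("genuine", 91), ("genuine", 84), ("genuine", 77), ("genuine", 62),
    ("genuine", 88), ("genuine", 55), ("genuine", 95), ("genuine", 70),
    ("impostor", 12), ("impostor", 35), ("impostor", 58), ("impostor", 41),
    ("impostor", 20), ("impostor", 66), ("impostor", 8), ("impostor", 30),
]
# Constructed enrolment log: True = template registered, False = failed to enrol.
ENROLMENTS = [True, True, False, True, True, True, True, False, True, True]


def error_rates(attempts, threshold):
    """Return (FRR, FAR) when a score >= threshold is accepted."""
    genuine = [s for kind, s in attempts if kind == "genuine"]
    impostor = [s for kind, s in attempts if kind == "impostor"]
    frr = Fraction(sum(s < threshold for s in genuine), len(genuine))
    far = Fraction(sum(s >= threshold for s in impostor), len(impostor))
    return frr, far


def fter(enrolments):
    """Failed enrolments / enrolment attempts."""
    return Fraction(enrolments.count(False), len(enrolments))


def lowest_threshold_for(attempts, thresholds, max_far):
    """Lowest threshold whose FAR is within max_far, keeping FRR as low as
    that FAR limit allows. Returns (threshold, FRR, FAR) or None."""
    for t in sorted(thresholds):
        frr, far = error_rates(attempts, t)
        if far <= max_far:
            return t, frr, far
    return None


if __name__ == "__main__":
    for t in (50, 60, 70, 80):
        frr, far = error_rates(ATTEMPTS, t)
        print(f"threshold {t}: FRR {float(frr):.3f}  FAR {float(far):.3f}")
    print("FTER", float(fter(ENROLMENTS)))
    print("FAR must be 0:", lowest_threshold_for(ATTEMPTS, (50, 60, 70, 80), 0))
```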
Data Storage
- Security of the template transmission and storage is key (think RSA security breach)
- Considerations between local (cached storage) and centralised storage
  - Speed
  - Security
  - Resilience
- Scalability of solutions
  - Key decisions about system architecture
  - Consider size of templates and speed of matching
- Protect the templates from replacement, tampering, loss and destruction
Three types of attacks
Trial-and-error attack
- Classic way of measuring biometric strength
Digital spoofing
- Transmit a digital pattern that mimics that of a legitimate user's biometric signature
- Similar to password sniffing and replay
- Biometrics can't prevent such attacks by themselves
Physical spoofing
- Present a biometric sensor with an image that mimics the appearance of a legitimate user
Example | Type of Attack | Average Attack Space
Reusable Passwords | Interactive or Off-Line | 2^1 to 2^45
Biometrics | Team | 2^6 to 2^19
One-Time Password Tokens | Interactive or Off-Line | 2^19 to 2^63
Public Key Tokens | Off-Line | 2^63 to 2^116
Note: Assumes that token is not stolen
Common technical attacks
Common management challenges
Audit procedure using ISACA G36
Selecting & Acquiring the Biometric System
- Risk analysis of security controls
- User acceptance of the biometric characteristic selected
Operation and Maintenance of the Biometric System
- User access management - enrolment, updating and removal
- System interface with other applications
User Training & Acceptance
- User enrolment procedures, and template quality scores
- User understanding of the use of templates (e.g. privacy concerns)
System Performance
- Monitoring of FRR, FAR and FTER, and review of system security parameters
Application & Database Controls
- Controlling access to the back-end stored data and parameters
Audit Trails
- Ensuring the audit logs are secured and stored for review
Quick guides to better audit reports
- Use certified hardware (e.g. FIPS-201, FBI)
- Use certified software (e.g. FIPS-201, FBI)
- Tightly control user enrolment with the best quality hardware and environmental conditions
- Ensure secure communication between the hardware and software
- Use as a multi-factor authentication, with token for external and password internally for example
- Consider the convenience, but don't forget the security
Quick guide to better biometric projects
Hardware
- Usability - tightly control enrolment, no exceptions
- Durability - pick the best hardware, not the most expensive, ask for independent reports
- Security - consider certifications, consider communication security & tampering
- Cost - more expensive doesn't mean better, but cheap may undermine the entire project
Software
- Features - balance convenience with security
- Integration (Scalability) - select a biometric characteristic that scales suitably (1:N), or adapt system to use 1:1 matching (e.g. using username)
- Security - consider certification, ensure encryption of template and communications
- Cost - more expensive doesn't mean better, but cheap may undermine the entire project
The future
Tokens and biometrics
- Soft or hard tokens integrated with biometric readers
- Swipe releases or enables a unique token
- Can be used as part of a soft-token generation algorithm
Biometric Tokens: Applications
Mobile Banking
- Enhancement to token only solutions
- Replaces PIN numbers, or acts as 3rd factor
Secure Remote Access
- Enhancement to token only solutions
- Replaces PIN numbers, or acts as 3rd factor
Payment Applications
- Enhancement to token only solutions
- Replaces PIN numbers, or acts as 3rd factor
Smartcard and biometrics
Match-on-card
- Stores a person's fingerprint and face templates on a smart card and performs template matching in a microprocessor embedded in the card instead of matching biometric information on a PC processor.
- Biometric template stored on the card
- Matching applet stored on the card
Match on terminal
- Stores a person's fingerprint and face templates on a smart card and performs template matching in a microprocessor embedded in the card instead of matching biometric information on a PC processor.
- Biometric template stored on the card
- Matching applet stored on the terminal
The native level fingerprint matching implementation requires less than 8 kilobytes for algorithm code, less than 1,700 bytes RAM for data and 1,300-1,700 bytes for template storage.
The Java Card post-issuance library for fingerprint matching requires less than 13 kilobytes for algorithm code, less than 600 bytes RAM for data and less than 1 kilobyte for template storage.
Biometric Card: Applications
Chip and PIN replacement
- ATM Machines (Deutsche Bank, Bank of Tokyo-Mitsubishi)
- epos PDQ machines
Age verification
- Nightclubs - Reduction in nightclub violence in Oz
- Off-licence
Club membership
- Prevents membership sharing
- Enables unmanned gyms and other services
Summary: Why biometrics?
- Convenient: Addresses some of the human weaknesses of password security and other two-factor solutions
- Secure: Eliminates insecure passwords that are used to protect operating systems, database access, server and client data, emails, applications and more
- Scalable: Designed to scale from one user to thousands of users with multiple types of authentication devices
- Cost effective: Available as single multi-factor platforms - other mix and match solutions can cost much more.
- Easy to Deploy: Can be deployed on customer images and connected to a centralized Enterprise server at any time.
- Manageable: Ties into standard tools used by IT managers to manage user information and users (e.g. Windows MMC)
- Integration: Can be adapted and re-engineered as required to meet customer requirements, with smartcards and tokens if required
Questions & Discussion
Thank You
Paul Guckian, DelaneySecure Ltd
W: www.delaneysecure.com
T: (01342) 810 810
E: paul.guckian@delaney.eu.com
Disclaimer: This presentation is intended for private entertainment and general educational purposes only in the context of the BCS IRMA group, and contains some references to restricted and copyright information. The information is of a general nature, and no reliance should be placed on the information contained herein.