Role of Multi-biometrics in Usable Multi-Factor Authentication
Dr. Nalini K Ratha*
IBM T.J. Watson Research Center, Yorktown Heights, NY 10598
ratha@us.ibm.com
*: In collaboration with colleagues from the security and usability team
This work is supported by a grant from the United States Department of Homeland Security under contract FA8750-12-C-0265.
Agenda
- Research: Mobile Authentication
- Usable Biometric Authentication
- Biometric authentication and multi-factor biometric fusion
- Risk-based authorization
- Future
Mobile Is Becoming A Primary Personal Computing Platform
- Business
- Financial
- Personal
- Physical
Did you bring your security token with you today (and BYOD)?
- My phone
- Me
Interaction with mobile devices
- Interaction is brief, typically a minute or less, and often interrupt driven
- PIN and gesture are the most common locks; no password at all is also very common
- Passwords are entered on a reduced-size keyboard; entry of corporate-compliant passwords dominates the interaction time
- User frustration, removal of the security profile, avoiding corporate compliance
- Biometric authentication: popular choices are face, voice and fingerprint
Mobile Money: Mobile Devices Are Authentication Tokens
- Starbucks: 26M transactions and growing
- Square: $4B/year in credit-card transactions
- Visa's payWave mobile payments system
- Barclaycard
- Many others
- Schlage door locks
- Craftsman garage door opener
Mobile wallets are proliferating
- Apple Pay
- Google Wallet, including Citi
- EnStream (Canada)
- Sprint
- Alcatel-Lucent
- Square
- O2 UK
- New Zealand
- Use of NFC as part of mobile wallet technology
Usable Authentication (concept map)
- Risk-Based Authorization
- Authentication Confidence / Biometric Authentication
- Authentication Context: trust-centric, environmental, situation
- Authentication Challenges and Policies
- Behavior History
- Multi-Factor Authentication
- Situational Impairments
- Usable Security / Risk Communication
- Contextual Design?!
Smart devices: extremely rich in channels
- Fingerprint, NFC, heartbeat sensor, temperature sensor, accelerometer, barometer, gyro
- Multi-touch sensitive display, high-resolution display, cameras, pointing devices
- Voice, soft keyboard, SMS/text
- Web access, Bluetooth, GPS, cell towers, Wi-Fi/WiMAX
Human Interaction Paradigm Shift
- Interaction is being driven by mobile
- Multi-modal features required: camera/vision, eye tracking, speech recognition, touch/haptics, text spoken
- Transactions
- No wires
- Location
- Motion
Biometrics challenges in mobile devices
Sensor and algorithmic:
- Fingerprint scanner: swipe sensors or small-area sensors
- Camera: fixed focus, low resolution, poor-quality images; often the front-facing camera is the weaker one; may not be suitable for iris
- Microphone: each brand carries a different type of microphone, which is a challenge for speaker recognition
- On poor/low-quality data there will be significant accuracy challenges for any single biometric
- Third-party tests have shown that with supervised data collection using professional biometric scanners, we can get acceptable accuracy
- No single biometric can meet the real end-user performance requirement; we need to look for more than one factor
Why Mobile is Different: Situational Impairments
Anywhere access creates usability needs for everyone; designing for disabilities solves usability problems for everyone.
- Outside light
- Ambient noise
- Single hand
- Bumpy road
- Aging eyes
- Eyes busy
- Public places
Context Research: Secure Multi-Modal Authentication
(Diagram: enrollment and authentication tests. The authentication service selects challenges according to context and verifies them against enrollment.)
- Contexts shown: driving, gloves on, hands busy, bad light, public place
- Challenge types shown: voice, fingerprint, face recognition, QR code, knowledge
Why multi-factor biometrics?
- Improved accuracy with better usability
- Fusion always gets better accuracy when the underlying modalities (biometrics) are uncorrelated.
Table shows 2008 state of the art.
Authorization Research: IBM Mobile Security Architecture Sketch
(Diagram components)
- Policy: Security Policies, Risk Policies, IBM Security Policy Manager; Application Owners, Operations
- Mobile Device: Applications, Middleware, Operating System, Hardware (sensors); Integrity Measurements; Log Analysis
- Biometric / Fusion authentication
- ISAM WebSEAL: Risk-Based Authorization, Web Policy Decision
- WebSphere Portal / App. Server: SSO (TAI), Policy Decision, PEPs (Java, Web Services)
- Security Services: PDP, Auth. (STS), Authz. (RTSS)
- Device Profiling, History, Context, Admin. Policy Information
- Identity and Access Management: User Profiling, Situation, Risk Scoring; TFIM, TAMeb, TIM
Multi-Factor Client / Server Architecture Overview
Objective: based on context, "authenticate just enough" to accommodate user preference and (situational) impairments.
Architecture Research
(Diagram components)
- Mobile Device: Mobile Apps; client framework (Worklight / PhoneGap-based) with Bio Lib, Context Lib, Security Lib; Authentication Client; Customizable User Interfaces
- Proxy or Mobile Gateway
- Network Services: MFA-RBA Services with Risk Assessment, Content Sensitivity / Value, Context Evaluation
- OOBAC, Biometric Fusion, Presence Detection, Risk-Based Authorization
- Face Quality Detection, Voice Quality Detection, Gesture Quality Detection, Environment Detection
- Biometric Engines: Enrollment & Verification; 3rd-party biometric engines
- Multi-factor Authentication and Risk-Based Authorization Services
Risk-Based Authorization: Balancing Security and Usability
- Authenticating just enough, based on context, to accommodate situational impairments and user preferences
- Models the customer and device context and behaviors: time, location, environment, mobile transaction
- Contextual risk factors (diagram: home, office, daily commute, public location, crowded location, loss of physical control, placed along a usability versus security axis)
- Estimates possible change in possession of the device
- Determines the required authentication confidence
- Biometric fusion policy generates biometric challenges
- Non-biometric data is required to establish context
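As an added illustration (not the project's code), the Python sketch below ties together the fusion argument from "Why multi-factor biometrics?" and the risk-based policy on this slide: the required confidence is derived from context, modalities ruled out by the current situational impairments are dropped, and the remaining matcher scores are fused with a weighted sum rule. The context risk values, fusion weights, confidence range and impairment-to-modality table are constructed assumptions, not figures from the talk.

```python
"""Context-aware challenge selection with score-level fusion (added example).
Risk values, weights, thresholds and the impairment table are assumptions."""
from typing import Dict, Iterable, List

MODALITIES = ("face", "voice", "fingerprint")             # engines used in the project
WEIGHTS = {"face": 0.3, "voice": 0.3, "fingerprint": 0.4}  # assumed fusion weights
# Situational impairments from the slides and the modality each one rules out (assumed)
IMPAIRMENT_BLOCKS = {
    "gloves_on": {"fingerprint"}, "hands_busy": {"fingerprint"},
    "bad_light": {"face"}, "eyes_busy": {"face"},
    "ambient_noise": {"voice"}, "public_place": {"voice"},
}
# Assumed baseline risk, in [0, 1], for the contexts on the slide
CONTEXT_RISK = {"home": 0.1, "office": 0.2, "daily_commute": 0.4,
                "public_location": 0.6, "crowded_location": 0.8}

def required_confidence(context: str, possession_change: float = 0.0,
                        content_sensitivity: float = 0.0) -> float:
    """Policy: the highest of context risk, estimated change of possession and
    content value decides how much authentication confidence is demanded."""
    risk = max(CONTEXT_RISK[context], possession_change, content_sensitivity)
    return round(0.5 + 0.45 * risk, 3)          # demand lies between 0.5 and 0.95

def select_challenges(impairments: Iterable[str]) -> List[str]:
    """Keep only the modalities that the current impairments do not rule out."""
    blocked = set().union(*(IMPAIRMENT_BLOCKS.get(i, set()) for i in impairments))
    return [m for m in MODALITIES if m not in blocked]

def fuse_scores(scores: Dict[str, float]) -> float:
    """Weighted sum-rule fusion of normalised [0, 1] matcher scores; weights are
    renormalised so a modality that was not collected does not cap the result."""
    total = sum(WEIGHTS[m] for m in scores)
    return round(sum(WEIGHTS[m] * s for m, s in scores.items()) / total, 3)

def authorize(context: str, impairments: Iterable[str], scores: Dict[str, float],
              possession_change: float = 0.0, content_sensitivity: float = 0.0) -> dict:
    """Authenticate 'just enough': fuse the usable modalities and compare the
    fused confidence with what the policy demands in this context."""
    needed = required_confidence(context, possession_change, content_sensitivity)
    challenges = select_challenges(impairments)
    usable = {m: scores[m] for m in challenges if m in scores}
    if not usable:   # no biometric is usable: fall back to a knowledge or QR-code challenge
        return {"decision": "fallback", "required": needed, "challenges": []}
    confidence = fuse_scores(usable)
    decision = "allow" if confidence >= needed else "step_up"
    return {"decision": decision, "confidence": confidence,
            "required": needed, "challenges": challenges}
```

For a constructed commute with gloves on, `authorize("daily_commute", ["gloves_on"], {"face": 0.9, "voice": 0.7, "fingerprint": 0.95})` drops fingerprint, fuses face and voice to 0.8 against a demanded 0.68, and allows; the same scores in a crowded location would require a step-up.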
Biometric Verification Technologies for this Project
- Speaker
- Face
- Fingerprint
User Interface Design and Risk Communication
(Mock-up elements: risk indicator, network security, authentication methods, anti-phishing, unauthorized account access)
An initial mock-up. Not the real design!