10 th cacr information security workshop

10th CACR Information Security Workshop

Biometrics—The Foundation of Quick & Positive Authentication

8 May 2002

Dario Stipisic

Senior Consultant212-809-9491

[email protected]

© Copyright 2002 International Biometric Group www.biometricgroup.com

Biometrics: DefinitionBiometrics: Definition

Biometrics: the automated measurement of physiological or behavioral characteristics to determine or authenticate identity

Leading technologies in public sector– AFIS (large-scale identification through fingerprints)– Finger-scan – Facial-scan

Other technologies– Iris-scan– Signature-scan– Hand-scan


Why Are Biometrics Used?Why Are Biometrics Used?

Security– Protect sensitive data– High degree of identity certainty in transactions– Create databases with singular identities

Accountability– Improve auditing / reporting / record keeping

Convenience– Reduce password-related problems– Simplified access to controlled areas


Questions…Questions…

Questions no longer asked: – Should we consider looking at biometrics?– Are biometrics a viable security solution?

Questions now asked: – Which biometric technology and which vendor

can address specific security issues?– What is the business case behind a biometric

implementation?• Decrease losses due to fraud• Increase employee accountability• Increase customer convenience


Behavioral and Physiological BiometricsBehavioral and Physiological Biometrics

Behavioral - Voice, Signature, Keystroke– Easier to use, often less expensive, less accurate, more

subject to day-to-day fluctuation – Appropriate for relatively low-security, low-risk

applications where acquisition devices are already in place (camera, telephone, signature pad)

Physiological - Finger, Hand, Iris, Retina, Face– Higher accuracy, stable, require slightly more effort

Biometric usage is both behavioral and physiological– Finger-scan, for example, requires the appropriate

“behavior” – placing finger on device correctly– Voice patterns are based, to some degree, on

physiological characteristics


Biometrics Vs. Other Authentication MethodsBiometrics Vs. Other Authentication Methods

Pros– Biometrics cannot be lost, shared, stolen, forgotten, or

easily repudiated– Biometrics enable strong auditing and reporting

capabilities– Can alter security requirements on a transactional basis– Only technology capable of identifying non-cooperative

individuals

Cons– Biometrics do not provide 100% accuracy– Percentage of users cannot use some technologies– Characteristics can change over time


Typical Biometric ApplicationsTypical Biometric Applications

Large-scale government identification– Drivers license (IL, WV, GA, possibly CA, MD, MA)– Voter registration (throughout Latin America)– Public benefits (CA, NY, TX, South Africa, Philippines)– National ID (Nigeria, Argentina, possibly China)– Tens of millions of individuals enrolled

Time and attendance, access control– Hand geometry, finger-scan– Hundreds of thousands of individuals enrolled

Network Security– Windows NT Login, Intranets– Tens of thousands of users enrolled


Identification vs. VerificationIdentification vs. Verification

Verification: Am I who I claim to be?– Faster, more accurate, less expensive– The more common method for IT security– More accountability– Requires that users enter a unique username or

present a card/token Identification: Who am I?

– Used to locate duplicate identities in databases– Used when entering a username/ID is not feasible– Privacy challenges


Biometric TemplatesBiometric Templates

Definition– Distinctive, encoded files derived and encoded from the

unique features of a biometric sample A basic element of biometric systems

– Templates, not samples, are used in biometric matching– Created during enrollment and verification– Much smaller amount of data than sample (1/100th, 1/1000th)– Cannot reverse-engineer sample from template – Size facilitates encryption, storage on various tokens– Vendor templates are not interchangeable– Different templates are generated each time an individual

provides a biometric sample


MatchingMatching

Biometric systems do not provide a 100% match Comparing strings of binary data (templates) Result of match (“score”) compared to pre-

determined threshold – system indicates “match” or “no match”

Verification data1011010100101Vendor Algorithm

Enrollment data0010100100111

Scoring

Threshold

Match / No Match Decision


Real-World AccuracyReal-World Accuracy

Vendor claims (1/1000, 1/1000000) are not always based on experience in real-world deployments

System accuracy defined through three metrics – False match (imposter breaks in)– False non-match (correct user locked out)– Failure to enroll (user cannot register in

system) Comparative testing shows that some devices

and technologies provide very high accuracy, others very low accuracy

Regardless of technology, some small percentage will be unable to enroll


Biometric Market SizeBiometric Market Size

2001 Total Revenue: $524m USD Projected 2003 Revenue: $1.05b USD Most revenues today from law enforcement /

public sector identification Revenues for IT-oriented technologies

– Finger-scan: $99.37m– Middleware: $24.2m– Less than $20m: voice-scan, signature-scan, iris-scan

Source: Biometric Market Report 2000-2005


Major Developments in the MarketplaceMajor Developments in the Marketplace

Large-scale ID systems for travel, licensing being developed

Finger-scan devices manufactured by Infineon, ST, Fujitsu, Sony, Motorola

Compaq, Dell, Toshiba shipping biometric devices with PCs

1m users of facial-scan for ATM check-cashing Microsoft, Intel to incorporate biometric

functionality in future versions of OS Increased adoption of standards – file formats,

encryption, APIs Convergence with smart card technology


Growth of the Biometric MarketGrowth of the Biometric Market

* Source: Biometric Market Report 2000-2005


Biometric TechnologiesBiometric Technologies



Comparative Technology Growth Comparative Technology Growth

Technology 2000 2003Finger-Scan 57.2 266.6Facial-Scan 13.1 105.9Hand-Scan 18.8 31.4Middleware 11.4 111.2

Iris-Scan 9.2 29.8Voice-Scan 6.2 42.8

Signature-Scan 3.0 28.5Keystroke-Scan 0.0 7.2

AFIS 282.0 426.2Total 399.4 1049.7



Future Market Trends

PC/Network security, e-commerce will drive growth– From less than 20% of total biometric revenue to

over 40% by 2005 Emergence of Retail – ATM - Point of Sale sector

– From $10m today to $131m by 2005 Biometric revenue models based on transactional

authentication, not device sales Larger firms will absorb or eliminate many/most

of today’s biometric players

Source: Biometric Market Report 2000-2005


Privacy Protection, Privacy ErosionPrivacy Protection, Privacy Erosion

Biometric Protection of Privacy– Limiting access to sensitive data– Individual control over personal information– Potential weapon against identity fraud / theft

Biometric Erosion of Privacy– If used for broader purposes than originally

intended (linking disparate data, tracking behavior)– If captured without informed consent


Privacy FearsPrivacy Fears

Informational Privacy – Function creep– Use as unique identifier– Associating unrelated data– Use by law enforcement agencies without

oversight– Generally based on misuse of technology as

opposed to intended uses Personal Privacy

– Inherent discomfort with or opposition to biometrics– Perception of invasiveness


Mitigating FactorsMitigating Factors

Most biometrics incapable of identification Substantial amount of biometric data required for

large-scale identification Very few shared public or private sector systems

aside from law enforcement Core matching algorithms not cross-compatible Deployers can implement operational and design-

oriented protections against system abuse Technology not infallible or foolproof Legislation accompanies public sector

deployment to protect against misuse Biometric usage has been closely monitored


IBG’s BioPrivacy™ InitiativeIBG’s BioPrivacy™ Initiative

Analysis of biometric applications– BioPrivacy Impact Framework Not all biometric

deployments bear the same privacy risks: specific features of biometric deployments increase or decrease the likelihood of misuse

Analysis of core biometric technologies– BioPrivacy Technology Risk Ratings Certain

technologies are more prone to be misused than others and require extra precautions

Steps towards a privacy-sympathetic system– BioPrivacy Best Practices Ensure that deployers

adhere to privacy principles regarding consent, use limitation, storage limitation, and accountability


BioPrivacy Impact FrameworkBioPrivacy Impact Framework

Overt vs. Covert Opt-in vs. Mandatory Verification vs. Identification Fixed Duration vs. Indefinite Duration Private Sector vs. Public Sector Individual / Customer vs. Employee / Citizen User Ownership vs. Institutional Ownership Personal Storage vs. Template Database Behavioral vs. Physiological Templates vs. Identifiable Data


Technology Risk Rating CriteriaTechnology Risk Rating Criteria

Verification/Identification Overt/Covert Behavioral/Physiological Give/Grab

– Technologies in which the user "gives" biometric data are rated “lower-risk”

– Technologies in which the system "grabs" user data without the user initiating a sequence are rated “higher-risk”


BioPrivacy 25 Best PracticesBioPrivacy 25 Best Practices

Implement as many Best Practices as possible without undermining the basic operations of the biometric system

Few deployers will be able to adhere to all BioPrivacy Best Practices

Inability to comply with certain Best Practices is balanced by adherence to others

Four Categories– Scope and Capabilities– Data Protection– User Control Of Personal Data– Disclosure, Auditing and Accountability

10 th cacr information security workshop

Documents

biometric technology

biometric implementation

time copyright

scanhandscan copyright

users enrolled copyright

controlled areas copyright

security requirements

specific security issues