10 th cacr information security workshop
DESCRIPTION
10 th CACR Information Security Workshop. Biometrics—The Foundation of Quick & Positive Authentication 8 May 2002 Dario Stipisic Senior Consultant 212-809-9491 [email protected]. Biometrics: Definition. - PowerPoint PPT PresentationTRANSCRIPT
10th CACR Information Security Workshop
Biometrics—The Foundation of Quick & Positive Authentication
8 May 2002
Dario Stipisic
Senior Consultant212-809-9491
© Copyright 2002 International Biometric Group Page 2www.biometricgroup.com
Biometrics: DefinitionBiometrics: Definition
Biometrics: the automated measurement of physiological or behavioral characteristics to determine or authenticate identity
Leading technologies in public sector– AFIS (large-scale identification through fingerprints)– Finger-scan – Facial-scan
Other technologies– Iris-scan– Signature-scan– Hand-scan
© Copyright 2002 International Biometric Group Page 3www.biometricgroup.com
Why Are Biometrics Used?Why Are Biometrics Used?
Security– Protect sensitive data– High degree of identity certainty in transactions– Create databases with singular identities
Accountability– Improve auditing / reporting / record keeping
Convenience– Reduce password-related problems– Simplified access to controlled areas
© Copyright 2002 International Biometric Group Page 4www.biometricgroup.com
Questions…Questions…
Questions no longer asked: – Should we consider looking at biometrics?– Are biometrics a viable security solution?
Questions now asked: – Which biometric technology and which vendor
can address specific security issues?– What is the business case behind a biometric
implementation?• Decrease losses due to fraud• Increase employee accountability• Increase customer convenience
© Copyright 2002 International Biometric Group Page 5www.biometricgroup.com
Behavioral and Physiological BiometricsBehavioral and Physiological Biometrics
Behavioral - Voice, Signature, Keystroke– Easier to use, often less expensive, less accurate, more
subject to day-to-day fluctuation – Appropriate for relatively low-security, low-risk
applications where acquisition devices are already in place (camera, telephone, signature pad)
Physiological - Finger, Hand, Iris, Retina, Face– Higher accuracy, stable, require slightly more effort
Biometric usage is both behavioral and physiological– Finger-scan, for example, requires the appropriate
“behavior” – placing finger on device correctly– Voice patterns are based, to some degree, on
physiological characteristics
© Copyright 2002 International Biometric Group Page 6www.biometricgroup.com
Biometrics Vs. Other Authentication MethodsBiometrics Vs. Other Authentication Methods
Pros– Biometrics cannot be lost, shared, stolen, forgotten, or
easily repudiated– Biometrics enable strong auditing and reporting
capabilities– Can alter security requirements on a transactional basis– Only technology capable of identifying non-cooperative
individuals
Cons– Biometrics do not provide 100% accuracy– Percentage of users cannot use some technologies– Characteristics can change over time
© Copyright 2002 International Biometric Group Page 7www.biometricgroup.com
Typical Biometric ApplicationsTypical Biometric Applications
Large-scale government identification– Drivers license (IL, WV, GA, possibly CA, MD, MA)– Voter registration (throughout Latin America)– Public benefits (CA, NY, TX, South Africa, Philippines)– National ID (Nigeria, Argentina, possibly China)– Tens of millions of individuals enrolled
Time and attendance, access control– Hand geometry, finger-scan– Hundreds of thousands of individuals enrolled
Network Security– Windows NT Login, Intranets– Tens of thousands of users enrolled
© Copyright 2002 International Biometric Group Page 8www.biometricgroup.com
Identification vs. VerificationIdentification vs. Verification
Verification: Am I who I claim to be?– Faster, more accurate, less expensive– The more common method for IT security– More accountability– Requires that users enter a unique username or
present a card/token Identification: Who am I?
– Used to locate duplicate identities in databases– Used when entering a username/ID is not feasible– Privacy challenges
© Copyright 2002 International Biometric Group Page 9www.biometricgroup.com
Biometric TemplatesBiometric Templates
Definition– Distinctive, encoded files derived and encoded from the
unique features of a biometric sample A basic element of biometric systems
– Templates, not samples, are used in biometric matching– Created during enrollment and verification– Much smaller amount of data than sample (1/100th, 1/1000th)– Cannot reverse-engineer sample from template – Size facilitates encryption, storage on various tokens– Vendor templates are not interchangeable– Different templates are generated each time an individual
provides a biometric sample
© Copyright 2002 International Biometric Group Page 10www.biometricgroup.com
MatchingMatching
Biometric systems do not provide a 100% match Comparing strings of binary data (templates) Result of match (“score”) compared to pre-
determined threshold – system indicates “match” or “no match”
Verification data1011010100101Vendor Algorithm
Enrollment data0010100100111
Scoring
Threshold
Match / No Match Decision
© Copyright 2002 International Biometric Group Page 11www.biometricgroup.com
Real-World AccuracyReal-World Accuracy
Vendor claims (1/1000, 1/1000000) are not always based on experience in real-world deployments
System accuracy defined through three metrics – False match (imposter breaks in)– False non-match (correct user locked out)– Failure to enroll (user cannot register in
system) Comparative testing shows that some devices
and technologies provide very high accuracy, others very low accuracy
Regardless of technology, some small percentage will be unable to enroll
© Copyright 2002 International Biometric Group Page 12www.biometricgroup.com
Biometric Market SizeBiometric Market Size
2001 Total Revenue: $524m USD Projected 2003 Revenue: $1.05b USD Most revenues today from law enforcement /
public sector identification Revenues for IT-oriented technologies
– Finger-scan: $99.37m– Middleware: $24.2m– Less than $20m: voice-scan, signature-scan, iris-scan
Source: Biometric Market Report 2000-2005
© Copyright 2002 International Biometric Group Page 13www.biometricgroup.com
Major Developments in the MarketplaceMajor Developments in the Marketplace
Large-scale ID systems for travel, licensing being developed
Finger-scan devices manufactured by Infineon, ST, Fujitsu, Sony, Motorola
Compaq, Dell, Toshiba shipping biometric devices with PCs
1m users of facial-scan for ATM check-cashing Microsoft, Intel to incorporate biometric
functionality in future versions of OS Increased adoption of standards – file formats,
encryption, APIs Convergence with smart card technology
© Copyright 2002 International Biometric Group Page 14www.biometricgroup.com
Growth of the Biometric MarketGrowth of the Biometric Market
* Source: Biometric Market Report 2000-2005
© Copyright 2002 International Biometric Group Page 15www.biometricgroup.com
Biometric TechnologiesBiometric Technologies
* Source: Biometric Market Report 2000-2005
© Copyright 2002 International Biometric Group Page 16www.biometricgroup.com
Comparative Technology Growth Comparative Technology Growth
Technology 2000 2003Finger-Scan 57.2 266.6Facial-Scan 13.1 105.9Hand-Scan 18.8 31.4Middleware 11.4 111.2
Iris-Scan 9.2 29.8Voice-Scan 6.2 42.8
Signature-Scan 3.0 28.5Keystroke-Scan 0.0 7.2
AFIS 282.0 426.2Total 399.4 1049.7
* Source: Biometric Market Report 2000-2005
© Copyright 2002 International Biometric Group Page 17www.biometricgroup.com
Future Market Trends
PC/Network security, e-commerce will drive growth– From less than 20% of total biometric revenue to
over 40% by 2005 Emergence of Retail – ATM - Point of Sale sector
– From $10m today to $131m by 2005 Biometric revenue models based on transactional
authentication, not device sales Larger firms will absorb or eliminate many/most
of today’s biometric players
Source: Biometric Market Report 2000-2005
© Copyright 2002 International Biometric Group Page 18www.biometricgroup.com
Privacy Protection, Privacy ErosionPrivacy Protection, Privacy Erosion
Biometric Protection of Privacy– Limiting access to sensitive data– Individual control over personal information– Potential weapon against identity fraud / theft
Biometric Erosion of Privacy– If used for broader purposes than originally
intended (linking disparate data, tracking behavior)– If captured without informed consent
© Copyright 2002 International Biometric Group Page 19www.biometricgroup.com
Privacy FearsPrivacy Fears
Informational Privacy – Function creep– Use as unique identifier– Associating unrelated data– Use by law enforcement agencies without
oversight– Generally based on misuse of technology as
opposed to intended uses Personal Privacy
– Inherent discomfort with or opposition to biometrics– Perception of invasiveness
© Copyright 2002 International Biometric Group Page 20www.biometricgroup.com
Mitigating FactorsMitigating Factors
Most biometrics incapable of identification Substantial amount of biometric data required for
large-scale identification Very few shared public or private sector systems
aside from law enforcement Core matching algorithms not cross-compatible Deployers can implement operational and design-
oriented protections against system abuse Technology not infallible or foolproof Legislation accompanies public sector
deployment to protect against misuse Biometric usage has been closely monitored
© Copyright 2002 International Biometric Group Page 21www.biometricgroup.com
IBG’s BioPrivacy™ InitiativeIBG’s BioPrivacy™ Initiative
Analysis of biometric applications– BioPrivacy Impact Framework Not all biometric
deployments bear the same privacy risks: specific features of biometric deployments increase or decrease the likelihood of misuse
Analysis of core biometric technologies– BioPrivacy Technology Risk Ratings Certain
technologies are more prone to be misused than others and require extra precautions
Steps towards a privacy-sympathetic system– BioPrivacy Best Practices Ensure that deployers
adhere to privacy principles regarding consent, use limitation, storage limitation, and accountability
© Copyright 2002 International Biometric Group Page 22www.biometricgroup.com
BioPrivacy Impact FrameworkBioPrivacy Impact Framework
Overt vs. Covert Opt-in vs. Mandatory Verification vs. Identification Fixed Duration vs. Indefinite Duration Private Sector vs. Public Sector Individual / Customer vs. Employee / Citizen User Ownership vs. Institutional Ownership Personal Storage vs. Template Database Behavioral vs. Physiological Templates vs. Identifiable Data
© Copyright 2002 International Biometric Group Page 23www.biometricgroup.com
Technology Risk Rating CriteriaTechnology Risk Rating Criteria
Verification/Identification Overt/Covert Behavioral/Physiological Give/Grab
– Technologies in which the user "gives" biometric data are rated “lower-risk”
– Technologies in which the system "grabs" user data without the user initiating a sequence are rated “higher-risk”
© Copyright 2002 International Biometric Group Page 24www.biometricgroup.com
BioPrivacy 25 Best PracticesBioPrivacy 25 Best Practices
Implement as many Best Practices as possible without undermining the basic operations of the biometric system
Few deployers will be able to adhere to all BioPrivacy Best Practices
Inability to comply with certain Best Practices is balanced by adherence to others
Four Categories– Scope and Capabilities– Data Protection– User Control Of Personal Data– Disclosure, Auditing and Accountability