Attack Vectors in Biometric Recognition Systems

Attack Vectors in Biometric Recognition Systems
Clare Nelson, CISSP, CIPP/E
@Safe_SaaS
clare_nelson@clearmark.biz
Presentation Posted on SlideShare: https://www.slideshare.net/search/slideshow?searchfrom=header&q=clare+nelson
October 27, 2017
Graphic: https://tomatosoup13.deviantart.com/art/Daenerys-and-Her-Dragon-Game-of-Thrones-640714812

Clare Nelson, @Safe_SaaS
Contents
• The Problem
• Vulnerabilities
• Attack Diagram
• Presentation Attack Detection (PAD)
• Deceive Machine Learning
• Mobile Device Vulnerabilities
• Template Security and Evolution
• Biometrics and Blockchain
• The Future
Graphic: https://cardnotpresent.com/tag/biometric-authentication/

Graphic: http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
The Problem
Biometrics Offer Great
Promise
But Spoofing is Still Too
Easy

Samsung Galaxy S8
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments
Source: http://www.businessinsider.com/samsung-galaxy-s8-iris-scanner-fbi-fingerprint-tech-princeton-identity-2017-4
April 2017
Face spoofed
May 2017
Iris spoofed

iPhone X, Face ID
Source: https://venturebeat.com/2017/09/12/iphone-x-ditches-touch-id-for-face-id/
Source: http://bgr.com/2017/09/12/iphone-x-price-specs-features/
Source: https://findbiometrics.com/apple-face-id-iphone-x-409125/
September 2017
Announced
TBD Date
Face ID spoofed

Biometric Recognition

Automated recognition of
individuals based on their
biological and behavioral
characteristics
Source: http://biometrics.derawi.com/?page_id=101
Source: http://searchsecurity.techtarget.com/definition/biometric-authentication
Graphic: https://findbiometrics.com/biometrics-market-2025-tractica-402062/

image archive
Biometric Recognition System
Source: https://www.aware.com/what-are-biometrics/biometric-processes/
match no match,
non-match
Biometrics are unique physical
and behavioral features
• Can be sensed by devices
• Interpreted by computers
• Used as proxies of our
physical selves in the digital
realm
biometric sample biometric template
biometric sample biometric template
Xtemplate database
live capture
live capture

Ask if Images Are Saved
Source: http://www.bioelectronix.com/what_is_biometrics.html
Digital image Biometric templateFeature
extraction

Terms
• Presentation Attack
• Presentation Attack Detection
(PAD)

Presentation Attack
ISO/IEC 30107 Definition
Presentation Attack
Presentation to the biometric data
capture subsystem with the goal of
interfering with the operation of the
biometric system
Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:30107:-1:ed-1:v1:en
Graphic: https://www.semanticscholar.org/paper/Presentation-attack-detection-algorithm-for-face-a-Raghavendra-Busch/5b7cbc9067dd1bbe115fe91b0ac25a5819052534
Presentation attacks may have a number of
goals including
• Impersonation
• Not being recognized
Biometric systems may not differentiate
between attacks and non-conformant
presentations
(a) Raw images (b) 2D Cepstrum results (c) Binarized Statistical
Image Features (BSIF) results

Non-Conformant Presentation
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
Graphic: http://www.businessinsider.com/apple-suppliers-iphone-x-sales-shipments-2017-9
Graphic: http://electronics.howstuffworks.com/gadgets/high-tech-gadgets/nightvision1.htm
Face ID
• Polarized lenses are no problem
• Some lenses block infrared (IR) radiation
• Use passcode
• Take off sunglasses

Presentation Attack,
ISO/IEC 30107
Graphic: https://www.cse.msu.edu/~rossarun/pubs/FengJainRoss_AlteredFingerprint_TechReport09.pdf
“Presentation attack can be
implemented through a number
of methods, e.g. artefact,
mutilations, replay, etc.”
(a) Transplanted fingerprints from toes,
(b) Bitten fingers, (c) Fingers burned by
acid, (d) Stitched fingers

Presentation Attack Detection (PAD)
Automated determination of a presentation attack
• Includes liveness detection
• Active, passive, or combination
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.qafis.com/anti-spoofing

Vulnerabilities
Classic Attack Diagram

Source: http://www.cse.msu.edu/~rossarun/BiometricsTextBook/Papers/Security/JainNandakumarNagar_TemplateSecuritySurvey_EURASIP08.pdf
Source: http://www.m2sys.com/blog/biometric-hardware/black-hat-iris-biometrics-attacks-dont-tell-the-whole-story/
Intrinsic
Failure
Administration
Biometric
System Failure
Biometric
Overtness
Individuality of
Biometric Trait
Sensor, Representation,
Compare Limitations
Hill Climbing
Replay
Steal, Modify
Templates
Function Creep
Trojan Horse Spoofing
Exception
Processing
Insider
Attack
Enrollment
Fraud
Non-Secure
Infrastructure
Intrinsic Failure
- How individual are partial fingerprints?
- Uniqueness not formally proven
- Challenged in court cases
Administration
- Depends on human interactions
- Open to social engineering
Biometric Overtness
- Biometrics are not secrets
Infrastructure
- Hill climbing attacks subsided since
2012 Black Hat talk on iris attacks
- If perfect match, then fail, step-up
- Vulnerabiities of mobile device and/or
server
- Includes Blockchain in some cases
Biometric System Vulnerabilities

Clare Nelson, @Safe_SaaSSource: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Biometric System Attack Diagram (Ratha 2001, ISO 2006, NIST 2015)
Demonstrate at least
90% resistance to
presentation attacks.
Presentation
Attack
Modify
Decision
Data
Storage
Process
Signal
Decision
Override
Decision
Engine
Data
Capture
Override
Comparator
Extract/Modify
Biometric
Sample
Modify Probe Modify Score
Modify
Biometric
Reference
Override
Capture
Device
Override
Signal
Processor
Override
Database
Intercept image
Compare
Deceive Machine Learning

Intercept Image at Sensor
Register Attacker Finger

Source: https://www.theguardian.com/technology/2015/apr/23/samsung-investigating-fingerprint-hack-galaxy-s5 (2015)
Source: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf
Source: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking.pdf
Galaxy S5 Fingerprint Interception, Android (Black Hat USA 2015)
Kernel Space
Malware directly reads the
fingerprint sensor

Source: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking.pdf
User registered 3 fingers
• Attacker added 4th fingerprint
Fingerprint manager
Fingerprint Database Manipulation, Android, (Black Hat USA 2015)

Deceive Machine Learning

Deception of Deep Neural Networks
Source: https://arxiv.org/pdf/1511.04508.pdf
Source: https://stats.stackexchange.com/questions/182734/what-is-the-difference-between-a-neural-network-and-a-deep-neural-network
Car Cat
Image on right was created by
an adversarial algorithm from
the image on left
• The altered image is
incorrectly classified as a cat
by the Deep Neural Network
Neural Network Deep Neural Network

Deception of Deep Neural Networks
Source: https://www.popsci.com/byzantine-science-deceiving-artificial-intelligence
Slight distortions made to
original picture
Unaltered image,
Meenakshi Temple
Ostrich

Deception of Machine Learning
Adversarial Perturbations against Deep Neural Networks
Source: https://www.cs.cmu.edu/~sbhagava/papers/face-rec-ccs16.pdf
Source: https://www.researchgate.net/publication/312638997_Cracking_Classifiers_for_Evasion_A_Case_Study_on_the_Google's_Phishing_Pages_Filter
Perturbing eyeglass frames,
impersonate Russell Crowe
Attacker evades recognition or impersonates another
individual
• Deep Neural Networks (DNNs) can be misled by
mildly perturbing inputs
• Adversary mounts dodging or impersonation attack
after the system has been trained
• Adversary cannot “poison” the system by altering
training data, injecting mislabeled data, etc.
• Adversary can alter only the composition of inputs to
be classified
• Print eyeglass frame pattern, attach to frames
Geek frames

Attack Mobile Device

2016 OWASP Mobile Top 10
Source: https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
M1 – Improper
Platform Usage
M2 – Insecure Data
Storage
M3 – Insecure
Communication
M4 – Insecure
Authentication
M10 – Extraneous
Functionality
M9 – Reverse
Engineering
M5 – Insufficient
Cryptography
M6 – Insecure
Authorization
M7 – Client Code
Quality
M8 – Code
Tampering

Mobile Biometrics Growth
Source: http://www.biometricupdate.com/201611/biometric-authentication-to-be-used-in-over-600m-mobile-devices-by-2021-juniper-research
Source: https://aimbrain.com/wp-content/uploads/2017/09/AimBrain-Cloud-Biometrics-BIDaaS-Paper-final.pdf
Finger, Iris, Face, Voice
Native, comes with device from manufacturer
2016
190 million
mobile device
2021
600 million
mobile devices
2023
Biometric authentication
enables $1.37 trillion
payment and nonpayment
transactions

Liveness Detection

Liveness Detection
Source: ISO 30107 download page: http://standards.iso.org/ittf/PubliclyAvailableStandards/c053227_ISO_IEC_30107-1_2016.zip
Anatomical characteristics
• Absorption of illumination by the skin and
blood
Involuntary (physiological) reactions
• Reaction of the iris to light
• Heart activity (pulse)
Voluntary reactions or subject behaviors
• Squeeze fingers in hand geometry
• Respond to cue (blink, turn head)
Determine if a biometric sample is being
captured from a living subject at the point of
capture

Liveness Detection: Blink, please
Graphic: https://news.bitcoin.com/hypr-3-million-blockchain-biometrics/

Blink, please
Graphic: https://www.amazon.co.uk/Celebrity-Mask-elastic-string-attahment/dp/B012X0EORE

Fast Identity Online (FIDO) Alliance
• Protocol for liveness detection evaluation, enroll live
fingers, then attempting spoof attacks against the
enrolled templates
• Attacks performed with different spoof materials
(species) must meet same performance standard
International Standards Organization (ISO)
• Standards for liveness detection, ISO/IEC 30107
• Presentation Attack Detection
Federal Office for Information Security, Germany
• International standard, Common Criteria, offers
certification for liveness detection to sensor
manufacturers
• Safran Morpho (France) is the first and only vendor
thus far to achieve this rigorous certification
Source: https://precisebiometrics.com/products/fingerprint-spoof-liveness-detection/
Source: https://www.morpho.com/en/media/safran-identity-security-enhances-convenience-and-security-its-selfie-check-mobile-authentication-solution-20170223
Graphic: http://www.bbc.com/news/technology-34466322
Emerging Standards for Liveness Detection
Turn head to right, left, down, or combination

Clare Nelson, @Safe_SaaSSource: http://livdet.org/index.php
Liveness Detection Competition
Iris, Finger
Live-Det Iris 2017
Iris Liveness Detection Competition
Hosts
• University, Notre Dame University
• West Virginia University
• Warsaw University of Technology
Part of International Joint Conference on Biometrics
(IJCB) 2017

How Detect Virtual Reality Spoof?
Source: https://www.iso.org/standard/53227.html
Source: https://www.wired.com/2016/08/hackers-trick-facial-recognition-logins-photos-facebook-thanks-zuck/
Digital 3-D facial models based on publicly
available photos (Facebook)
• Displayed with mobile virtual reality
technology
• Defeated facial recognition systems Input
Web Photos
Feature
Extraction
3D Model
Construction
Image
Texturing
Gaze
Correction
Viewing with Virtual Reality System Expression Animation
1 2 3 4
56

Trusted Biometrics under Spoofing Attacks (TABULA RASA)
Graphic: https://ec.europa.eu/commission/index_en
Graphic: http://www.ee.oulu.fi/~gyzhao/research/gait_recognition.htm
Graphic: http://www.homelandsecuritynewswire.com/dr20120302-researchers-develop-pulse-biometrics
Funded by the European Commission
Global, institutions from all over the world
TABULA RASA project
1. Standards, direct attacks to a range of biometrics, how
vulnerable the different biometric traits are to these attacks
2. Combine multiple biometric traits to build a single system
that is robust to direct attacks, and examine novel methods
to perform liveness detection
3. Study novel biometrics which might be robust to direct
attacks
- Vein or electro-physiological signals (such as the heart
beat)
- Gait

Presentation Attack Detection
(PAD) Algorithms

Clare Nelson, @Safe_SaaSSource: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
Presentation Attack Detection (PAD), Using Algorithms
(a) Bona fide image
(b) Laser printer artefact
(c) Inkjet printer artefact
(d) Display attack using iPad
Using Local Binary Patterns (LBPs) as PAD

Clare Nelson, @Safe_SaaSSource: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
Presentation Attack Detection (PAD), Using Algorithms
(a) Bona fide image
(b) Laser printer artefact
(c) Inkjet printer artefact
(d) Display attack using iPad
Using Local Binary Patterns (LBP) as PAD

Clare Nelson, @Safe_SaaSSource: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
PAD for Finger: Implement in Hardware, Software, or Both
Software
Assess characteristics of sample: sharpness of lines, presence of pores.
• Easier to implement
• Easier to update, including over the air (OTA) as anti-spoofing
techniques improve
• Leverage machine learning
Hardware
Requires additional capabilities in fingerprint scanner: ability to sense
pulse, temperature, and capacitance; none of which can be done in
software alone
• Greater ability to detect “liveness” of finger being scanned
• More expensive
• Consumes more power
• May introduce latency if, for example, there is a need to sense
multiple heartbeats

Biometric Template
Protection

Template Reverse Engineering:
Fingerprint Reconstruction from Minutiae
Source: http://biometrics.cse.msu.edu/Publications/Fingerprint/FengJain_FpReconstruct_PAMI10.pdf
Problem
Widespread deployment of
fingerprint recognition
systems
• Compromised fingerprint
templates may be used to make
fake fingers
• Fake fingers could then be used to
deceive all fingerprint systems the
same person is enrolled in
Fingerprint Reconstruction

Is it Possible to Reverse-Engineer a Biometric Template?
Is it possible to regenerating the original
biometric sample from its template? YES
• Template is a compact description of
original data
• Template generation techniques had been
presumed to be “one-way” schemes
• But, inverse biometrics can regenerate
original biometric samples from templates
Source: http://publications.idiap.ch/downloads/papers/2017/Akhtar_IEEEMM_2017.pdf
Source: http://ieeexplore.ieee.org/document/6460373/
Source
Biometrics: In Search of Identity and
Security
Zahid Akhtar, Abdenour Hadid, Mark Nixon,
Massimo Tistarelli, Jean-Luc Dugelay, Sébastien
Marcel
• University of Quebec, Canada
• University of Oulu, Finland
• University of Southampton, UK
• University of Sassari, Italy
• EURECOM, France
• Idiap Research Institute, Switzerland
June 2017
IEEE MultiMediaI ( Volume: PP, Issue 99)

Biometric Template Protection
• Biohashing, salting
• Non-invertible transform
Cancelable
Biometrics
• Key binding
• Key generation
Biometric
Encryption
• Paillier probabilistic
• Ongoing research
Homomorphic
Encryption

Cancelable Biometrics
Intentional, systematically repeatable, distortions
of biometric signals based on transforms
• Provides comparison of biometric templates in
the transformed domain
• Instead of storing the biometrics, transformed
templates are stored in the enrollment database
Inversion of transformed biometric templates must
not be feasible for potential imposters
The application of transforms provides irreversibility
and unlinkability of biometric templates
• Prevents the use of same captured template for
other applications
Source: https://arxiv.org/pdf/1703.05455.pdf
Source: http://www.sciencedirect.com/science/article/pii/S0031320317300249
Source: https://www.bayometric.com/biometric-template-security/
Advantage
• The transformed template is revocable
• Biometric traits are irrevocable (hard to
reset fingerprints or face math)
Enrollment
Authentication
Enrolled data
Query data
Transformation
Transformation
Transform Domain
Cancellable
Template
Match
Parameters

Biometric Cryptosystems
Cryptographic keys are generated from the
corresponding biometric minutiae values
• Only store biometrically encrypted PIN or
password, not the large biometric sample
Source: http://digitalcommons.unf.edu/cgi/viewcontent.cgi?article=1773&context=etd
Use of biometric encryption
• FBI, Integrated Automated Fingerprint
Identification System (IAFIS)
• US, VISIT Program
• Transportation Security Administration (TSA)
Registered Traveler
• Program with U.S. National Science and Technology
Council’s Subcommittee on Biometrics

Homomorphic Encryption
ISO/IEC 24745 standard on biometric
information protection
Irreversibility
• Biometric data shall be processed by
irreversible transforms before storage
• Not feasible to reconstruct biometric
sample from template
Unlinkability
• The unique biometric data (renewability)
can be used to generate different
versions of protected biometric
templates, while not allowing their cross-
matching (diversity)
• Stored biometric references should not
be linkable across applications or
databases
Source: https://pdfs.semanticscholar.org/4ded/dc1f8726e0f2f2b20f82d49cc7beae402f2e.pdf

Evolution of Biometric
Templates

Add Behavioral Biometrics, Device Sensor Data to Template
Source: http://www.bioelectronix.com/what_is_biometrics.html
Digital image
Add multiple biological and
behavioral biometrics, plus derived
sensor data from device
Biometric
Template
Feature
extraction

Point-in-Time on Mobile Device vs Continuous in Cloud
Source: https://aimbrain.github.io/aimbrain-api/
Graphic: http://publications.idiap.ch/downloads/papers/2017/Akhtar_IEEEMM_2017.pdf
Point in time
Dozens of biometric and device-
derived attributes, context, behavior
• Harder to reverse engineer, attack,
or spoof
12:02 PM
• Mobile Device
Continuous 24x7 data collection
• Biometric Identity as a Service (BIDaaS)
Time, location, interaction

Biometrics and Blockchain

Blockchain
Source: https://www.slideshare.net/RobertvanMlken/blockchain-on-the-oracle-cloud-the-next-big-thing-80512974
• Permanent ledger
• Records written by owner with
private key
• Everyone can view the record using
the owner’s public key
• Data stored on the record can be
encrypted, hashed
• Distributed, many copies
• Hashing algorithm used to connect
the blocks is hard to break

Biometrics and Blockchain (Accenture, Microsoft Example)
Source: https://biometricsinstitute.org/data/Events/M182/11.30_IBM.pdf
Source: https://findbiometrics.com/id2020-supporters-blockchain-biometrics-406194/
Source: http://identity.foundation/
Source: http://id2020.org/
DECENTRALIZED IDENTITIES
anchored by
BLOCKCHAIN IDs
linked to
ZERO-TRUST DATASTORES
that are
UNIVERSALLY DISCOVERABLE
ID2020
1.1 B people have no officially
recognized identity
Accenture identity system based
on Ethereum
• Runs on Azure
• Fingerprint, iris biometrics,
among others
• Supports identification in a
decentralized manner
• Identifies registered individuals
by their biometric traits

Biometrics and Blockchain (IBM Hyperledger Example)
Decentralized Immutable Blockchain-based Object Storage (DInO)
Object
Store

Biometrics and Blockchain (IBM Hyperledger Example)
Interoperability of Biometrics
Using blockchain
Inter-Departmental
Data Sharing
Intra-Departmental
Data Sharing
DD
DD
Inter-Departmental
Data Sharing
International Border
Management
International Border
Management

Source: https://www.youtube.com/watch?v=UJBMerQ3kJA&t=14s
Graphic: https://www.qafis.com/face
Blockchain Concerns
• Cryptography, is it open source and peer vetted?
• How recover lost private keys?
• How revoke keys if stolen?
• Private blockchains may not be as publicly
decentralized as the Bitcoin scheme
• Possible single points of failure subject to DDoS,
hacking
• Super-user points of access by the governing
bodies that define rules and permissions
• Load issues at high volume, large scale

Database vs Blockchain
Source: https://www.thepaypers.com/expert-opinion/blockchain-for-dummies-a-quick-guide-into-the-ledger-technology/761925
Secure? central database
of a trusted third party
Blockchain network, security by sharing?
More secure, or
just a different
threat model?
If still storing biometric
images, especially in the
clear, then not much
advancement
Blockchain databases or mines
Backup database
Database

Blockchain, Difficult to Assess Risk
• Numerous blockchain varieties, implementations, e.g. private Ethereum
• “Difficult to construct a threat model on which to perform a risk assessment”
• Blockchain is complex, emerging, poorly understood
Source: https://www.vox.com/culture/2016/10/25/13341168/pepe-the-frog-alt-right-scott-adams
Source: https://www.gartner.com/smarterwithgartner/blockchain-combines-innovation-with-risk/

The Future

Consumer
Applications
High Security
Applications
Low Risk
Applications
Biometrics: Attack Mitigations Based on Level of Risk
Graphic: https://www.accenture.com/us-en/success-unhcr-innovative-identity-management-system
Source: https://thestack.com/cloud/2017/06/22/accenture-and-microsoft-partner-on-blockchain-identity-prototype/
Source: https://www.accenture.com/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_9/Accenture-Beating-the-Biometrics-Fraudsters.pdf#zoom=50
Know Your Risk Level
• Apply or invoke mitigations based
on risk
• Weigh, consider, calculate
• Expense
• Performance degradation
• User experience
• Contextual, adaptive mitigation
options
False Reject Rate (FRR)
FalseAcceptanceRate(FAR)
Fraud detection may not be required
Strong fraud detection required
Convenient fraud detection required

Alipay ‘Smile to Pay’
Source: http://www.alizila.com/alipay-launches-smile-to-pay-commercial-use/
Multistep process, 1-2 seconds of facial
scanning
• 3D camera
• Liveness detection algorithm
• Algorithm can detect shadows and
other features that can only come
from living beings
• Blocks photos or video from attackers
• Adds phone number check
• KFC in Hangzhou, China
Today smile and phone number, tomorrow just smile

When Does Law Enforcement
Demand to Read Your Data
Become a Demand to Read Your
Mind?
Source: https://cacm.acm.org/magazines/2017/9/220420-when-does-law-enforcements-demand-to-read-your-data-become-a-demand-to-read-your-mind/fulltext (September 2017)
– Andrew Conway, Peter Eckersley
Communications of the ACM, September 2017
“That gadget in your hand is not a phone, it is a
prosthetic part of your mind, which happens to make
telephone calls.”
Which parts of our thoughts should be shielded against
prying or attacks? How do this?

Brainwave Biometrics
Source: https://findbiometrics.com/brainwave-biometrics-research-311115/
Investigate Security
Vulnerabilities of Brainprint
Biometrics
• Evaluate the strengths and
weaknesses of brain
biometrics
National Science Foundation
(NSF)
• Awarded $1.2 M
• November 2016

Gratitude

We Stand on the Shoulders of Giants
Graphic: http://researcher.watson.ibm.com/researcher/view.php?person=us-ratha
Graphic: http://www.idiap.ch/~marcel/professional/Welcome.html
Graphic: https://www.egr.msu.edu/people/profile/jain
Graphic: http://nislab.no/people/norwegian_information_security_laboratory/professors/christoph_busch
Sébastien Marcel
Anil Jain
Christoph Busch
Nalina Ratha

@Safe_SaaS
clare_nelson@clearmark.biz
Presentation posted:
https://www.slideshare.net/search/slideshow?s
earchfrom=header&q=clare+nelson
Questions?

References

• Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-
fingerprints/?mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhokz2EFye%2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhXlDQ
%3D%3D (September 2015)
• Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/
• AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-
abbie-barbir.html (2014)
• Bonneau, Joseph, et al, Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• Elliott, Stephen; Kukula, Eric: A definitional framework for the human/biometric sensor interaction model, https://www.spiedigitallibrary.org/conference-
proceedings-of-spie/7667/1/A-definitional-framework-for-the-humanbiometric-sensor-interaction-model/10.1117/12.850595.short (April 2010)
• Jain, Anil; Nandakumar, Karthik; Nagar, Abhishek; Biometric Template
Securityhttp://biometrics.cse.msu.edu/Publications/SecureBiometrics/JainNandakumarNagar_TemplateSecuritySurvey_EURASIP08.pdf (2007)
• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-
15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
References, 1 of 3

• Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems,
https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-Whitepaper-
v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite]
• Jankovich, Thomas; “Blockchain Makes Digital ID a Reality,” https://finxtech.com/2016/12/02/blockchain-makes-digital-id-reality/ (December 2016)
• Jin, Zhe; Lai, Yen-Lung; Hwang, Jung Yeon; Ranking Based Locality Sensitive Hashing Enabled Cancelable Biometrics: Index-of-Max Hashing,
https://arxiv.org/pdf/1703.05455.pdf (2017)
• Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age,
http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013).
• Kunk, S.K., Biometric Authentication: A Machine Learning Approach, Prentice Hall (2005).
• mikeh, Machine Learning and Biometrics, Neya Systems blog, http://neyasystems.com/machine-learning-biometrics/ (March 23, 2013)
• MyData Identity Network based on User Managed Access (UMA),
https://docs.google.com/presentation/d/1j3aX8AQGdVtigF1WZouL8WccmYQzZQQje3wuaC2Zb1I/edit#slide=id.g1386e8a6aa_2_914
• Nelson, Clare, Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA)
Journalhttp://www.bluetoad.com/publication/?i=252353 (April 2015)
References, 2 of 3

• Pagliery, Jose; OPM’s hack’s unprecedented haul: 1.1 million fingerprints: http://money.cnn.com/2015/07/10/technology/opm-hack-
fingerprints/index.html (July 2015)
• Perrot, Didier; There’s No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Steves, Michelle, et al, NISTIR, Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
• White, Conor; CTO Doan, Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints,http://www.digitaltrends.com/mobile/galaxy-s5-
fingerprint-scanner-flaw/ (April 2015)
References, 3 of 3

Backup Slides

Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
Source: http://www.iphonehacks.com/2017/01/synaptics-launches-multi-factor-facial-fingerprint-recognition-engine-smartphones-tablets.html
Fusion Strategies: Example of Face and Finger
Better accuracy
• Bimodal biometric system using face and
fingerprint.
• Salient features of the face and fingerprint were
extracted, and fused/combined.

Source: https://findbiometrics.com/aimbrain-uk-patent-biometric-context-system-410184/
Source: http://www.freepatentsonline.com/20170177999.pdf
Leverage sensors on device to add data points to the biometric template
Raw sensory data may be collected continuously
• Collect raw sensory data when user is consciously using device
• Collect raw sensory data when user is not aware
• If device is in user’s pocket, collect raw sensory data about how a user
walks, sits, stands
• Supports continuous invisible identity verification (PIN or fingerprint
verification is only for a moment in time)
• Location
• User activity (user’s movement speed, whether user is listening to music)
• Device connections
• Device orientation (If mobile device, landscape, portrait)
• If touchscreen, the touch time, touch timing, touch pressure, touch area,
touch location coordinates
• Accelerometer data
• Gyroscope data
• GPS coordinates
• Hover coordinates
Conditional behavioral biometrics
Assesses the contextual conditions around a given biometric
factor
• Background noise in a voice recording
• Lighting around a face
Incorporates contextual features into an overall biometric
template
• Sub-process of its overall biometric authentication system
• Face
• Voice
• Behavioral biometrics
United States Application US20170177999
June 2017

Source: https://findbiometrics.com/aimbrain-uk-patent-biometric-context-system-410184/
Source: http://www.freepatentsonline.com/20170177999.pdf
Source: https://aimbrain.com/press-releases/2017/10/17/aimbrain-adds-conditional-biometrics-patent-authenticate-user-across-multiple-contexts/
Graphic: http://publications.idiap.ch/downloads/papers/2017/Akhtar_IEEEMM_2017.pdf
Derived sensory data features include
- Duration of a touchscreen interaction
- Physical touchscreen interaction distance
- Time between touchscreen interactions
- Maximum, minimum and/or average deviation from
a straight line during touchscreen interaction
- Acceleration of deceleration of a touchscreen
interaction
- Curvature of a touchscreen interaction
- Length of a touchscreen interaction
- Background tremor while using the device
- Tremor during interaction with the device (from
accelerometer and gyroscope data)
- Device (user) speed based on GPS and other device
location services
- Orientation of the device (from magnetometer data)
Gives confidence score along with the pass/fail
authentication result
• Enrollment is performed on each device separately
• User model is updated continuously
• Model can be regenerated completely
Creates a detailed mathematical construct of each user
• How they look, sound or behave across a broad range of
settings
• Highly specific data is clustered and linked, to build a
unique, digital identity
• Authenticate person quickly and seamlessly whenever
they interact with their bank, in virtually any
environment

Lack of Common Vocabulary
Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-Paper-Understanding-Biometric-Performance-Evaluation.pdf
Graphic: https://www.britannica.com/topic/Tower-of-Babel
Source, Domain Associated Terms
Biometrics Text
Books
FAR FRR
Type II Type I
NIST FMR FNMR
ISO/IEC More, detailed More, detailed
Risk False Positive False Negative,
False Reject, Insult
Rate
Equal Error Rate (EER), also known as Crossover Error Rate (CER)
Vocabulary Updates
2017 ISO/IEC 2382-37

Issues with Biometrics
Facial recognition is prone to problems with lighting
conditions
• Vendor evaluation
• Face recognition did not work in outdoor
Austin sunshine, or in an office, standing
near window
• Vendor response: “Go inside”
Voice recognition is prone to environmental background
noise
• Unnamed financial services market leader
• User experience
• In car, with some background noise
• Call, and use voice: “At Unnamed, my voice
is my password”
• Failed after multiple attempts, due to
background noise
• Works at home, in quiet office
Graphic: http://www.securitysales.com/tag/biometrics/
Fingerprint recognition is prone to moisture, dirty reader
• At unnamed employer
• Use fingerprint reader
• Touch with a registered finger
• Fails if finger is slightly damp, or reader is dirty
• Guard recommended: ridge builder (liquid with no
ingredients listed, nor provided by manufacturer)

Anti-Spoofing, Presentation Attack Detection (PAD)
As is the case for biometric recognition, PAD techniques are subject to errors,
both false positive and false negative:
• false positive indications wrongly categorize routine presentations as
attacks, thus impairing the efficiency of the system
• false negative indications wrongly categorize presentation attacks as
routine, not preventing a security breach.
Therefore, the decision to use a specific implementation of PAD will depend
upon the requirements of the application and consideration of the trade-offs
with respect to security and efficiency.

Issues

Source: http://www.pymnts.com/news/security-and-risk/2017/digital-identity-way-beyond-the-social-security-number/ (August 2017)
Graphic: http://01greekmythology.blogspot.com/2015/02/panacea.html
Biometrics offers no panacea in the quest for digital
identities that prove foolproof and hack-proof
Biometrics offer great promise, but
• They are not all created equal
• They are not a secret
• They can be lifted
• They can be forged
• They can be compromised because they are not
private
Issues with Biometrics, No Panacea
– Paul Grassi, senior standards and technology advisor of
the Trusted Identities Group at the National Institute of
Standards and Technology (NIST)
Greek goddess of universal remedy

Issues with Biometrics: Security is Often Overestimated
Use biometrics with another method of authentication
Biometrics are a complementary security control to make
it easier for a human to interact with technology
• Combine with an additional security control such as a
passphrase or multi-factor authentication
Trust must be continuously challenged
• Ensure person behind the device is really the person who
they say they are
Source: https://www.thestreet.com/story/14301038/1/iphonex-facial-biometrics-could-prevent-hackers-from-accessing-information.html
– Joseph Carson, chief security scientist at Thycotic
Will iPhone X support
face and passcode,
or just one or the other?

Source: https://www.slideshare.net/centralohioissa/jamie-bowser-a-touchid-of-ios-security
Touch ID Architecture, Release 3
Touch ID
Sensor
Fingerprint Map
Local Authentication
Security Framework
Secure Enclave
3rd Party
Applications
Apple
Applications
With iOS 9, third-party
apps can use Security
Framework, Local
Authentication

Examples of Artificial and Human Presentation Attack Instruments
Source: https://www.iso.org/standard/53227.html .

When Is the Image Discarded?
iOS, Finger, Home Button
- Capacitive steel ring
- Detects capacitance similar to human finger
- Triggers conductive imaging array to scan the object
(finger) currently covering the fingerprint scanner
- The resulting raster scan image is temporarily stored in
encrypted memory within the Secure Enclave
- Image is vectorized for analysis, following which it is
discarded
- Only a model of the fingerprint as a collection of nodes
is stored permanently in the encrypted memory of the
Secure Enclave
- Apple claims that constructing a user’s fingerprint from
this model is not feasible
- Touch ID allows for five unsuccessful attempts at
fingerprint verification before Touch ID is disabled and
will no longer unlock the device
Source: https://courses.csail.mit.edu/6.857/2016/files/12.pdf

Evolution of Biometric Spoofing
Source: http://ieeexplore.ieee.org/document/6990726/

Spoofing
Source: https://www.linkedin.com/pulse/biometric-spoofing-nadh-thota
Types of Fake Fingerprints
Fake Eye Images, Contact Lens etc.,
enable hackers to fake Iris sample
Real Fake

Source: https://www.computer.org/csdl/trans/tp/2006/01/i0031.html
Face Spoofing
Matching 2.5D Face Scans to 3D Models

Types of Detection
Source: https://www.nist.gov/sites/default/files/documents/2016/11/30/401_newton.pdf
Vendor ID, Algorithm ID, and Sensor ID

Example of a PAD Patent
Source: https://patentscope.wipo.int/search/en/detail.jsf?docId=WO2016023582&recNum=73&docAn=EP2014067290&queryString=&maxRec=2797947
A METHOD OF DETECTING A FALSIFIED
PRESENTATION TO A VASCULAR RECOGNITION
SYSTEM
Hand palm vascular system
Pub. No.: WO/2016/023582
International Application No.: PCT/EP2014/067290
Publication Date: 18.02.2016
International Filing Date: 13.08.2014

Contactless Biometric Recognition
Source: http://healthcare.fai.fujitsu.com/resource/essentials-to-achieve-optimal-clinical-workflow.pdf
Source: http://www.amfastech.com/2013/03/a-seminar-on-palm-vein-technology.html
Solution
• Palm vein
• Capture palm vein pattern with near-infrared rays
• Works with clinician, surgeon gloves
• Fujitsu data sheet
• FAR (false accept rate) = 0.00001%
• FRR (false reject rate) = 1.0%

Artefact
Artefact - artificial object or
representation presenting a copy of
biometric characteristics or synthetic
biometric patterns

Face ID

iPhone X

iPhone X, Face ID
Source: https://venturebeat.com/2017/09/12/iphone-x-ditches-touch-id-for-face-id/
Source: http://bgr.com/2017/09/12/iphone-x-price-specs-features/

FaceID Training
Apple trained on 1 billion plus faces, global, got permission
• Maintains this database
“We do not gather customer data when you enroll in Face ID, it stays on your device, we
do not send it to the cloud for training data”
There is an adaptive feature of Face ID that allows it to continue to recognize your
changing face as you change hair styles, grow a beard or have plastic surgery.
• This adaptation is done completely on device by applying re-training and deep
learning in the redesigned Secure Enclave.
• None of that training or re-training is done in Apple’s cloud.
• Apple has stated that it will not give access to that data to anyone, for any price.
When you train the data it gets immediately stored in the Secure Enclave as a
mathematical model that cannot be reverse-engineered back into a “model of a face.”
• Any re-training also happens there.
• It’s on your device, in your secure enclave, period.
Face ID
Secure Enclave, Updated
with Secure Enclave
Processor
Truly no reverse
engineering?
- Anonymization?

Face ID: Enroll, Can You Read Instructions without Glasses?
Source: http://www.idownloadblog.com/2017/09/15/face-id-overview/ (September 2017)
• Settings
• Face ID & Passcode
• Enroll Face
• Get Started
• Follow Onscreen Instructions (Read without
Glasses?)
• Gently move your head while looking at
the screen to complete the circle

Face ID: Demo Failed Twice
Source: https://www.youtube.com/watch?v=unIkqhB2nA0 (September 2017)
Source: http://www.nydailynews.com/news/national/apple-reveals-iphone-x-new-face-id-tech-fails-demo-article-1.3491125 (September 2017)
We all experience demo failures
• Craig Federighi, SVP Software
Engineering
• Face ID failed twice
• Why did Federighi wipe his face
afterward?
• Stock dipped from $163 a share to
$159
• Closed at $161

Face ID: Attention Detection
Face ID requires that it be able to see:
• Eyes
• Nose
• Mouth
The “Attention” feature won’t work for everyone
• Blind
• Vision impaired
• Cannot stare directly at phone to communicate intent
In those cases, where a face is recognized, but it can’t see eyes,
just turn off the “attention detection” feature
• Still get Face ID, but at a lower level of overall security
because cannot ensure user’s eyes are directly focused on it
There are scenarios
where it just won’t work

Face ID: Evil Twin Warning
Source: https://www.youtube.com/watch?v=unIkqhB2nA0

Don’t Use Biomatrics as Single or Primary Factor
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Graphic: http://www.itproportal.com/2016/04/07/the-role-of-biometric-authentication-techniques-in-security/
Remote System Access
Exclude biometrics as single or
primary authentication factor
• Biometric samples are not
secrets
• Biometric samples are different
each time they are captured

Galaxy S5 Fingerprint Interception (Black Hat USA 2015)
Read the data coming directly from the fingerprint
sensor before it reaches the secure zone
Wei and Zhang
Most vendors fail to lock down the sensor
(from being accessed by the normal world
programs) when the processor switched back
from the secure world
Without the proper lockXdown, the attacker
can directly read the fingerprint sensor
Attackers can do this stealthily in the
background
• Attackers can keep reading the fingerprints
on every touch of the victim’s fingers
Attackers with remote code execution exploits
can remotely harvest everyone’s fingerprints in
a large scale, without being noticed

Clare Nelson, @Safe_SaaSSource: https://www.semanticscholar.org/paper/Face-Spoof-Detection-With-Image-Distortion-Wen-Han/cdac436dcebe8b2c90a8de5479bd3bbd8d9a087f
Presentation Attack Detection (PAD), Genuine or Spoof?

Source: http://my.clarkson.edu/biosal/pdf/Presentations%20and%20Attacks.pdf
Are All Biometric Templates Alike?
Is it easy to foil the template process?
• Each biometric system has specialized features and a
specific format of a template
• Foiling it requires significant knowledge of the system
under attack which for most consumer applications is
a trade secret, plus associated malware to interfere in
the biometric compare software itself
• If malware is injected, it is more likely that other
means of corrupting the software would be easier to
employ, e.g., overriding the compare decision

Source: https://pages.nist.gov/SOFA/
Source: http://www.theverge.com/2016/7/21/12247370/police-fingerprint-3D-printing-unlock-phone-murder (2016)
Presentation attacks
based on:
• Time
• Expertise
• Equipment
NIST: Level of Effort
Police 3D-printed a murder
victim's finger to unlock his
phone.

Presentation Attack Detection (PAD) Algorithms
Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey

ISO/IEC Updates on
Biometrics

Presentation Attack Detection (PAD), Emerging Standards
ISO/IEC DIS 30107-2
Information technology -- Biometric presentation attack detection
-- Part 2: Data formats
ISO/IEC FDIS 30107-3
Information technology -- Biometric presentation attack detection
-- Part 3: Testing and reporting
NEW: ISO/IEC 30107-4

Presentation Attack Detection (PAD) for Mobile Devices
Source: https://cacm.acm.org/magazines/2016/4/200169-multimodal-biometrics-for-enhanced-mobile-device-security/abstract
Source: http://www.planetbiometrics.com/article-details/i/5803/ (April 2017)
Source: http://profit.ndtv.com/news/life-and-careers/article-new-smartphone-from-infocus-to-support-aadhaar-authentication-1634102
ISO/IEC 30107-4
Biometric presentation attack detection – Profile for
evaluation of mobile devices
Address spoofing and presentation attacks against mobile
devices
Presentation Attack Detection (PAD) includes:
• Fake fingerprints
• Video replays
• Voice recordings
Concern for commercial and government agencies:
• Rely on mobile device authentication for transactions
and identity confirmation

Types of Presentation Attack Instruments (ISO 30107)
Source: https://www.iso.org/standard/53227.html .
Examples
• Coerced, human presentation attack instrument (unconscious, forced under duress)
• Partial, artificial presentation attack instrument (glue on finger)

Source: https://www.youtube.com/watch?v=q3ymzRYXezI
Coerced, Other Natural, Presentation Attack Instrument

NIST Updates on Biometrics

Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Graphic: http://www.oulu.fi/infotech/annual_report/2013/cmv
NIST Update on Allowable Use of Biometrics
SP 800-63B, Authentication and Lifecycle Management
Implement Presentation Attack Detection (PAD)
• Demonstrate at least 90% resistance to
presentation attacks
• PAD may be mandatory in the future

How can you
tell if it’s a
bad guy?
Source: https://arstechnica.com/gadgets/2017/03/video-shows-galaxy-s8-face-recognition-can-be-defeated-with-a-picture/
Source: https://realizethelies.com/tag/facial-recognition-software/
Source: https://www.iso.org/standard/55194.html (2017)
Biometric Verification Biometric Identification
Comparison 1-to-1 1-to-Many
Purpose Confirm or deny claimed
identity
Identify a specific
individual
Use Case
Example
Unlock mobile device Airport security, identify
a suspect
Scope
“Biometric Authentication” is deprecated

Spoofing
Cause biometric system to
recognize an illegitimate user as
a genuine one
• Present a synthetic or forged
version of the biometric trait
to the sensor
Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Source: https://www.slideshare.net/SBAResearch/31c3-in20min
Source: http://my.clarkson.edu/biosal/pdf/Presentations%20and%20Attacks.pdf

Anti-Spoofing
Source: https://pralab.diee.unica.it/sites/default/files/fumera14-spoof-chapter.pdf
Source: http://www.springer.com/us/book/9781447165231
Countermeasure
Detect if the biometric signal acquired by some
sensors belongs to a “live” person or is an
artificial replica
• Fake finger
• 2d photo of a face
• 3d mask of a face
Detect imposter with special makeup or ability
to mimic traits of the legitimate user
• Voice (HSBC spoof)

Presentation Attack Instrument
Source: http://www.firstpost.com/tech/news-analysis/hacker-bypasses-the-iris-scanner-in-the-samsung-galaxy-s8-with-a-contact-lens-and-printed-photo-3703315.html (movie of S8 iris spoof)
Biometric characteristic or object used
in a presentation attack
• Artefacts
• Lifeless biometric characteristics (i.e.
stemming from dead bodies)
• Altered biometric characteristics (e.g.
altered fingerprints) that are used in an
attack
Contact lens on infrared picture used by Starbug to spoof
Samsung Galaxy S8 iris recognition

Clare Nelson, @Safe_SaaSSource: http://www.cse.msu.edu/~rossarun/BiometricsTextBook/Papers/Security/JainNandakumarNagar_TemplateSecuritySurvey_EURASIP08.pdf
Primary Use Cases: Enrollment and Verification
T = biometric image from enrollment
Q = biometric sample during recognition
XT = T feature sets
XQ = Q feature sets
S = compare score
Enrollment may not just happen once,
biometric traits age or change over time
- Redo face every 4 years?
- Redo if major weight loss, or
cosmetic surgery, or significant
change
- How young start?
Authentication
- Implement retry limits

Clare Nelson, @Safe_SaaSSource: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Presentation Attack Detection (PAD), Techniques
Liveness detection: Facial
thermogram, blood pressure,
fingerprint sweat, or specific
reflection properties of the eye,
pulse, perspiration, pupillary unrest
(hippus), brain wave signals (EEG),
or electric heart signals.
Protect the system against
the injection of reconstructed
or synthetic samples into the
communication channel
between the sensor and the
feature extractor.
Fusion strategies to increase
resistance. Multimodal, use more
than one biometric, or combine
unimodal with an anti-spoofing
technique. The score reflects
more than one input, unknown
to the attacker.

Android 2016

Store Biometrics on Device or Server, Cloud? Split?
Source: Webinar by Forrester and Nok Nok Labs, February 1, 2017
Graphic: http://findbiometrics.com/topics/fido-alliance/
Graphic: https://www.carphonewarehouse.com/apple/iphone-6.html
Graphic: http://kryptostech.com/server-management/
Graphic: http://www.planetbiometrics.com/article-details/i/5463/desc/facebook-rolling-out-support-for-fido/
Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017)
Biometrics only stored on personal device
(FIDO Alliance, others)
• Biometrics remain on the device, are not
transmitted
• Not susceptible to theft by insiders or
identity thieves who can access a server
repository
Biometrics stored on server
• Works if no mobile phone, works with land line
• Works if person calls in
• Privacy concerns
• Need consent, was it freely given?
• Server access, how secure?
• Susceptible to theft, unwanted modification by
insiders or identity thieves

Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Source: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=52946
Graphic: https://fidoalliance.org/approach-vision/
NIST Answer
SP 800-63B, Authentication and Lifecycle Management
The potential for attacks on a larger scale
is greater at central verifiers (servers)
Local device comparison is preferred
Example from Fast IDentity Online (FIDO) Alliance

Authentication
SDK
Biometrics
SDK
Something you have
Something you know
Something you are
(face, iris, voice)
Finger sensor only
Strategy Choice: Use What’s on Device, or Add Biometrics SDK?

Why Add Biometrics SDK?
Some authentication vendors only support what is
integrated, manufactured in the phone
Touch ID [Face ID] can be used for verification by third
party apps
Similarly, works with Android, some variations.
Third party applications
• Can bypass Touch ID fallback to password or device
passcode
• User may have an unlimited number of Touch ID
verification attempts with this option
• Defeat retry limits
Source: https://www.arxan.com/wp-content/uploads/2016/09/ARXAN_Mobile-DATA.3-.pdf

Biometrics on Blockchain, Accenture's Biometric Identity Management System
Source: https://medium.com/@decentralized.identity/the-rising-tide-of-decentralized-identity-2e163e4ec663
Devices are associated
with Identity Hubs via
identity-signed
registration of device-
specific public attestation
keys
Hub-Associated Devices
synchronize state and
update locally cached
data via subscription to,
and processing of, the
Identity Hub change feed
Master ID
Key(s)

Clare Nelson, CISSP, CIPP/E
CEO, Founder
ClearMark Consulting
Identity, Privacy, Information Security
• Background
o Encrypted TCP/IP variants for NSA
o Product Management at DEC (HP), EMC2
o Director Global Alliances at Dell, Novell
o VP Business Development, TeaLeaf Technology (IBM), Mi3 Security
• Co-founder C1ph3r_Qu33ns, mentor women in information security
• Publications include:
o ISSA Journal, Security Metrics: An Overview
o ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks/Keynotes: (ISC)2 Security Congress, OWN I.T., Cloud Identity
Summit, InfraGard, HackFormers, BSides Austin, LASCON, OWASP
AppSec USA, ISSA Austin, Fortune 500 financial services, FTC Panel
• B.S. Mathematics
Graphic: http://www.activistpost.com/2015/09/fbi-biometrics-programs-surveillance-database.html

Attack Vectors in Biometric Recognition Systems

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Attack Vectors in Biometric Recognition Systems

Similar to Attack Vectors in Biometric Recognition Systems (20)

More from Clare Nelson, CISSP, CIPP-E

More from Clare Nelson, CISSP, CIPP-E (14)

Recently uploaded

Recently uploaded (20)

Attack Vectors in Biometric Recognition Systems

Editor's Notes