Biometric Recognition for
Multi-Factor Authentication:
How Measure Strength?
Which Modality is Best?
Clare Nelson, CISSP, CIPP/E
@Safe_SaaS
clare_nelson @ clearmark.biz
Presentation Posted on SlideShare:
https://www.slideshare.net/eralcnoslen/biometric-recognition-for-authentication-bsides-austin-may-2017
May 5, 2017
Graphic: https://www.airloom.com/technology/security-as-a-service/
Introduction
• Disclaimer
• Biography
• Contents
• Scope
Clare Nelson, @Safe_SaaS
The views presented herein,
expressed in any form, represent
my personal views, and do not
reflect the views of my employer.
Graphic: http://rununcensored.com/wp-content/uploads/2013/06/disclaimer.jpg
Clare Nelson, CISSP, CIPP/E
Director, Office of the CTO at AllClear ID
Identity, Security, and Privacy
• Background
o Encrypted TCP/IP variants for NSA
o Product Management at DEC (HP), EMC2
o Director Global Alliances at Dell, Novell
o VP Business Development, TeaLeaf Technology (IBM), Mi3 Security
o CEO ClearMark Consulting, MFA Technology and Architecture
• 2001-2014 CEO ClearMark Consulting
• 2014 Co-founder C1ph3r_Qu33ns
• Publications include:
o 2010 August, ISSA Journal, Security Metrics: An Overview
o 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks: InfraGard, HackFormers; BSides Austin; LASCON; OWASP
AppSec USA, ISSA Austin; clients including Fortune 500
financial services, 2015 FTC Panel
• B.S. Mathematics
Graphic: http://www.activistpost.com/2015/09/fbi-biometrics-programs-surveillance-database.html
Contents
Biometric Recognition for Multi-Factor Authentication
1. Scope
2. The Problem
3. Definitions
4. How Well Does it Work?
5. Multimodal Biometric Recognition
6. Biometric Recognition is Probabilistic
7. Attack Vectors
8. How to Measure Biometric Recognition
9. The Future
10. Gratitude and Recognition
Graphic: http://www.computerhope.com/jargon/h/hacker.htm
How can you
tell if it’s a
bad guy?
Source: https://arstechnica.com/gadgets/2017/03/video-shows-galaxy-s8-face-recognition-can-be-defeated-with-a-picture/
Source: https://realizethelies.com/tag/facial-recognition-software/
Source: https://www.iso.org/standard/55194.html (2017)
Biometric Recognition
                    Biometric Verification              Biometric Identification
Comparison          1-to-1                              1-to-Many
Purpose             Confirm or deny claimed identity    Identify a specific individual
Use Case Example    Mobile app authentication           Airport security
Primary Focus: Biometric Recognition for Multi-Factor Authentication (MFA),
Mobile Use Case
Scope
(“Biometric Authentication” is deprecated)
Graphic: https://www.airloom.com/technology/security-as-a-service/
The Problem
Spoofing is Still Too Easy
Face Unlock
• Spoofed
2011 Galaxy Nexus
2017 Samsung S8
Source: http://www.dailystar.co.uk/tech/news/601633/Samsung-Galaxy-S8-face-recognition-privacy-security-warning
Source: http://www.androidpolice.com/2011/11/16/still-not-convinced-that-face-unlock-is-easily-fooled-by-a-photo-heres-another-video-showing-face-programming-and-photo-unlocking-from-start-to-end/
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments
There is no standard method for measuring strength, or comparing solutions.
Lunacy
Source: https://www.tumblr.com/search/lunatic%20moon
Blink, smile, or turn head.
We tell impostors how to
spoof the system.
Samsung Galaxy S8
Contrary to Earlier Reports:
• Will not let users authenticate payments
through facial recognition.
• Camera and deep learning technology:
Facial recognition for financial
transactions 4+ years away.
• Iris and fingerprint are more secure.
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April 2017)
Source: http://www.economist.com/blogs/economist-explains/2015/06/economist-explains-12
Why Care?
By 2022
• Market for mobile and wearable
biometric recognition for authentication
will exceed $6.2 billion.
• Over 3.3 billion users.
Source: https://webshop.bellabeat.com/
Source: http://www.goodeintelligence.com/press-releases/multi-modal-mobile-biometric-authentication-drives-revenues-to-over-6-2-billion-by-2022/ (April 2017)
Graphic: https://www.airloom.com/technology/security-as-a-service/
Definitions
• Multi-Factor Authentication
• Biometric Recognition
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
Source: https://www.securetechalliance.org/publications-mobile-identity-authentication/
Definition of Multi-Factor Authentication: something you know, something you have, something you are.
Mobile Identity Authentication, March 27, 2017
Something You Are
Biological Biometrics
Behavioral Biometrics
Graphic: http://thepeepspot.com/9-best-compliments-to-make-a-woman-smile/
Biometric Recognition
Automated recognition of individuals based on
their biological and behavioral characteristics.
Source: http://biometrics.derawi.com/?page_id=101
Source: http://searchsecurity.techtarget.com/definition/biometric-authentication
Graphic: http://www.aspire-security.eu/access-control.html
Biometric Recognition Systems
Compare sample to template. On device, or server.
• Template is established during enrollment.
• If comparison score meets criteria, then recognition
is confirmed.
What is Feature Extraction?
Source: https://www.security-audit.com/files/ratha.pdf (2001)
Digital image of fingerprint.
• Includes ridge bifurcations and ridge endings.
• Collectively referred to as minutiae.
Algorithm extracts features.
• Each feature has an (x, y) location and the ridge direction at that location (θ).
• Because of sensor noise and other variability in the imaging process, feature
extraction may miss some minutiae and/or generate spurious minutiae.
• Due to the elasticity of human skin, the relationship between minutiae may be
randomly distorted from one impression to the next.
Dimensionality Reduction
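To make the minutiae description concrete, here is an added toy example (not code from the slides or from the Ratha et al. paper cited above): a constructed (x, y, θ) template, a simulated second impression with missed, spurious and jittered minutiae, and a tolerance-based comparison whose score a threshold turns into the accept/reject decision. It assumes the two impressions already share one coordinate frame, the alignment step a real matcher must perform first.

```python
import math
import random
from typing import List, Optional, Tuple

# A minutia is (x, y, theta): position of a ridge ending or bifurcation in
# pixels, and the ridge direction in radians at that point.
Minutia = Tuple[float, float, float]

IMAGE_SIZE = 300.0  # constructed sensor area in pixels (assumption)


def make_template(count: int = 40, seed: int = 7) -> List[Minutia]:
    """Constructed enrollment template: random minutiae, not from a real finger."""
    rng = random.Random(seed)
    return [(rng.uniform(0, IMAGE_SIZE), rng.uniform(0, IMAGE_SIZE),
             rng.uniform(-math.pi, math.pi)) for _ in range(count)]


def simulate_capture(template: List[Minutia], seed: int = 1, drop: float = 0.15,
                     spurious: int = 5, jitter: float = 4.0,
                     angle_jitter: float = 0.15) -> List[Minutia]:
    """Construct a fresh impression of the same finger: some minutiae are missed
    (sensor noise), some spurious ones appear, and positions and directions are
    perturbed (skin elasticity). No two captures come out identical."""
    rng = random.Random(seed)
    sample: List[Minutia] = []
    for x, y, theta in template:
        if rng.random() < drop:
            continue  # the extractor missed this minutia
        sample.append((x + rng.gauss(0, jitter), y + rng.gauss(0, jitter),
                       theta + rng.gauss(0, angle_jitter)))
    for _ in range(spurious):  # spurious minutiae caused by image noise
        sample.append((rng.uniform(0, IMAGE_SIZE), rng.uniform(0, IMAGE_SIZE),
                       rng.uniform(-math.pi, math.pi)))
    return sample


def angle_difference(a: float, b: float) -> float:
    """Smallest absolute difference between two directions, in radians."""
    return abs((a - b + math.pi) % (2 * math.pi) - math.pi)


def match_score(probe: List[Minutia], template: List[Minutia],
                dist_tol: float = 12.0, angle_tol: float = 0.35) -> float:
    """Greedy one-to-one pairing of probe and template minutiae that lie within
    the position and direction tolerances. The score is the paired count over
    the larger set size, so both missed and spurious minutiae lower it."""
    used = set()
    paired = 0
    for px, py, ptheta in probe:
        best: Optional[int] = None
        best_dist = dist_tol
        for i, (tx, ty, ttheta) in enumerate(template):
            if i in used:
                continue
            dist = math.hypot(px - tx, py - ty)
            if dist <= best_dist and angle_difference(ptheta, ttheta) <= angle_tol:
                best, best_dist = i, dist
        if best is not None:
            used.add(best)
            paired += 1
    return paired / max(len(probe), len(template), 1)


def verify(probe: List[Minutia], template: List[Minutia], threshold: float = 0.5) -> bool:
    """Recognition is confirmed only if the comparison score meets the threshold."""
    return match_score(probe, template) >= threshold


if __name__ == "__main__":
    enrolled = make_template()
    genuine = simulate_capture(enrolled, seed=1)
    impostor = simulate_capture(make_template(seed=99), seed=2)
    print("genuine score :", round(match_score(genuine, enrolled), 3), verify(genuine, enrolled))
    print("impostor score:", round(match_score(impostor, enrolled), 3), verify(impostor, enrolled))
```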
Biological Biometrics
Finger
Face
Iris
Graphic: http://www.ibmsystemsmag.com/ibmi/trends/whatsnew/Biometric-Authentication-101/
Behavioral Biometrics
Graphics: https://www.scienceabc.com/innovation/lesser-known-methods-biometrics-identification-retinal-fingerprint-scan-gait-analysis-keystroke.html
Biometric Modes, Endless Variations
• Face 2D, 3D.
• Pulse response, electric square pulse signal
• Fingerprints 2D, 3D via ultrasonic waves, in-display.
• Finger veins, Palm veins, Eye veins.
• Palms prints and/or the whole hand.
• Feet.
• Signature.
• Keystroke, typing, mouse, touch pad.
• Voice.
• Eyeprint, Iris, retina, features of eye movements.
• Face, head – its shape, specific movements.
• Ears, lip prints.
• How you sit.
• Gait, Odor, DNA.
• ECG (Bionym’s Nymi wristband, smartphone, laptop, car, home).
• EEG. [1]
• Tests: Microchip in Pills, Digital Tattoos.
• Smartphone/behavioral: Authenticate based on g-sensor and gyroscope,
how you write your signature in the air. [2]
• Hand movement when answering the smartphone, using data from the
smartphone’s accelerometer, gyroscope, and light sensor. [3]
[1] Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
[2] Source: http://www.airsig.com
[3] Source: http://www.biometricupdate.com/201703/mobile-app-uses-hand-movement-to-authenticate-smartphone-owner
Source: http://www.cvphysiology.com/Arrhythmias/A009
Behavioral Biometrics: Passive, Continuous Authentication
500+ Metrics, Human-Device Interactions
• Invisible challenge.
o How the user finds a missing cursor.
• Leverage gyroscope, touch screen, accelerometer.
• Cloud, monitors 2 billion sessions/month.
• Learns behavior patterns of fraudsters.
• Detects presence of malware.
Source: http://www.biocatch.com
Source: https://www.extremetech.com/extreme/215170-artificial-neural-networks-are-changing-the-world-what-are-they
Behavioral Biometrics: Implicit Authentication
Passive sensor data. How you walk, type, and sit.
Source: https://blog.unify.id/2016/09/12/unifyid-technical-overview/
Graphic: https://www.airloom.com/technology/security-as-a-service/
Biometric Recognition for
Multi-Factor Authentication
How Well Does it Work?
Don’t Use as Single or Primary Factor
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Graphic: http://www.itproportal.com/2016/04/07/the-role-of-biometric-authentication-techniques-in-security/
Remote System Access
• Exclude biometrics as single or
primary authentication factor.
o Biometric samples are not secrets.
o Biometric samples are different each time they are captured.
Source: http://blog.normshield.com/2017/01/machine-learning-in-cyber-security_31.html
Which Biometric Mode is Best?
Contactless Biometric Recognition, Healthcare
Source: http://healthcare.fai.fujitsu.com/resource/essentials-to-achieve-optimal-clinical-workflow.pdf
Source: http://www.amfastech.com/2013/03/a-seminar-on-palm-vein-technology.html
Solution
• Palm vein
• Capture palm vein pattern with near-infrared rays
• Works with clinician, surgeon gloves
• Fujitsu data sheet
• FAR (false accept rate) = 0.00001%
• FRR (false reject rate) = 1.0%
Iris more accurate than face
Source: https://www.youtube.com/watch?v=KyDoFrojEYk&list=PLrUBqh62arzt_Uf_UamHtRFDYl1tpRVCK
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
NIST: Face versus Iris Recognition, Factor of 100,000 in Accuracy
Iris versus Face
But what is the user experience?
Graphic: https://www.airloom.com/technology/security-as-a-service/
Biometric Recognition is
Probabilistic
Biometric Recognition is not 100% Reliable
• Every biometric recognition configuration must account for some
level of false negatives and false positives.
• In highly secure environments, false positives may present an
unacceptable risk.
• False negatives require a fallback authentication mechanism.
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
User Experience Versus Security
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
Source: http://www.descartesbiometrics.com/wp-content/uploads/2014/11/HELIX-Whitepaper.pdf
Trade-off: convenience versus security.
FAR
• Number of false acceptances divided by the number of identification attempts.
FRR
• Number of false rejections divided by the number of identification attempts.
EER
• Operating point at which the proportion of false acceptances equals the
proportion of false rejections.
Vocabulary, 2017 ISO/IEC 2382-37
Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-Paper-Understanding-Biometric-Performance-Evaluation.pdf
Source                  Accept-side error term          Reject-side error term
Biometrics textbooks    FAR (Type II error)             FRR (Type I error)
ISO/IEC                 More, detailed                  More, detailed
NIST                    FMR                             FNMR
Risk                    False Positive                  False Negative, False Reject, Insult Rate
Equal Error Rate (EER), also known as Crossover Error Rate (CER)
A FAR figure is only meaningful together with the FRR and the number of attempts allowed.
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
Source: http://www.goodeintelligence.com/press-releases/multi-modal-mobile-biometric-authentication-drives-revenues-to-over-6-2-billion-by-2022/ (April 2017)
Apple claims a FAR of 1/50,000 for Touch ID
• On average, one impostor comparison in 50,000 will be accepted as genuine.
• 1/50,000 = 0.002%.
Android
• Similar
o Requires FAR of no more than 0.002%
o Recommends FRR of no more than 10%
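An added worked example (not from the slides or from any vendor): FAR, FRR and EER computed from constructed genuine and impostor score samples, the lowest threshold that honours a FAR limit and the FRR it costs, and the multi-attempt false-accept probability that makes a FAR figure meaningless without an attempt limit. The score distributions, the 1,000-step threshold sweep and the policy limits are assumptions taken from the numbers on the slide.

```python
import random
from typing import List, Tuple

# Constructed comparison scores from a hypothetical matcher (0 = no similarity,
# 1 = identical). Genuine scores cluster high, impostor scores low. These are
# synthetic numbers for illustration, not measurements of any product.
_rng = random.Random(2017)
GENUINE_SCORES: List[float] = [_rng.gauss(0.72, 0.10) for _ in range(2000)]
IMPOSTOR_SCORES: List[float] = [_rng.gauss(0.30, 0.10) for _ in range(2000)]

# Limits quoted on the slide: FAR no more than 0.002% (1/50,000), FRR no more than 10%.
MAX_FAR = 1 / 50_000
MAX_FRR = 0.10


def rates_at_threshold(genuine: List[float], impostor: List[float],
                       threshold: float) -> Tuple[float, float]:
    """(FAR, FRR) when a comparison is accepted iff score >= threshold.
    FAR = false accepts / impostor attempts; FRR = false rejects / genuine attempts."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def equal_error_rate(genuine: List[float], impostor: List[float],
                     steps: int = 1000) -> Tuple[float, float]:
    """Sweep thresholds and return (threshold, EER) at the crossover where FAR
    and FRR are closest: a single number for comparing two systems."""
    best_t, best_gap, best_eer = 0.0, float("inf"), 1.0
    for i in range(steps + 1):
        t = i / steps
        far, frr = rates_at_threshold(genuine, impostor, t)
        if abs(far - frr) < best_gap:
            best_t, best_gap, best_eer = t, abs(far - frr), (far + frr) / 2
    return best_t, best_eer


def threshold_for_far(genuine: List[float], impostor: List[float], max_far: float,
                      steps: int = 1000) -> Tuple[float, float, float]:
    """Most convenient (lowest) threshold whose measured FAR <= max_far, with the
    FAR and FRR it yields. Resolution caveat: with N impostor comparisons the
    smallest non-zero FAR you can observe is 1/N, so a claimed 1/50,000 cannot
    be checked from a few thousand comparisons; only FAR = 0 satisfies it here."""
    for i in range(steps + 1):
        t = i / steps
        far, frr = rates_at_threshold(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return 1.0, 0.0, 1.0


def false_accept_in_attempts(far: float, attempts: int) -> float:
    """Chance an impostor is accepted at least once in `attempts` independent
    tries: 1 - (1 - FAR)^attempts. A FAR only means something together with
    the attempt limit and the FRR the system is run at."""
    return 1.0 - (1.0 - far) ** attempts


def meets_policy(far: float, frr: float, max_far: float = MAX_FAR,
                 max_frr: float = MAX_FRR) -> bool:
    """Does an operating point satisfy both the FAR and the FRR limit?"""
    return far <= max_far and frr <= max_frr


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.3%} at threshold {t:.2f}")
    t, far, frr = threshold_for_far(GENUINE_SCORES, IMPOSTOR_SCORES, MAX_FAR)
    print(f"threshold {t:.2f}: FAR {far:.4%}, FRR {frr:.2%}, policy ok: {meets_policy(far, frr)}")
    print(f"P(false accept in 5 tries at FAR 1/50,000) = {false_accept_in_attempts(MAX_FAR, 5):.6f}")
```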
FRR at Varying FAR
EyeVerify: Two Studies for Eyeprint ID, Mobile (September 2015)
Source: http://www.eyeverify.com/independent-accuracy-studies
Not All FARs are Created Equal
• Synthetic versus real data.
• Calculated versus claimed.
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
Graphic: https://www.airloom.com/technology/security-as-a-service/
Presentation Attack
Detection
Anti-Spoofing
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.qafis.com/anti-spoofing
Presentation Attack Detection (PAD), Anti-Spoofing
• Active: user must participate, blink, smile, turn head.
• Passive: user participation is not needed; hardware or software algorithms.
NIST: PAD should detect spoofing 90% of the time
Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
Presentation Attack Detection (PAD), Using Algorithms
(a) Bona fide image
(b) Laser printer artefact
(c) Inkjet printer artefact
(d) Display attack using iPad
Using Local Binary Patterns (LBPs) as PAD
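An added, simplified illustration of LBP-based PAD (not code from the survey cited above): LBP codes and their 256-bin histogram are computed over a constructed bona fide texture and over a repeatedly blurred copy standing in for a printed or re-displayed artefact, and a chi-square distance to a bona fide reference histogram stands in for the classifier a real system would train. The images, the blur model and the decision threshold are all assumptions.

```python
import random
from typing import List

Image = List[List[int]]  # grayscale rows, values 0..255


def make_texture(size: int = 96, seed: int = 1) -> Image:
    """Constructed stand-in for a bona fide capture: fine skin micro-texture
    modelled as independent random pixels (not a real image)."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(size)] for _ in range(size)]


def box_blur(img: Image) -> Image:
    """3x3 mean filter, clamped at the image border."""
    h, w = len(img), len(img[0])
    out = [[0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            total = count = 0
            for dy in (-1, 0, 1):
                for dx in (-1, 0, 1):
                    ny, nx = y + dy, x + dx
                    if 0 <= ny < h and 0 <= nx < w:
                        total += img[ny][nx]
                        count += 1
            out[y][x] = total // count
    return out


def degrade(img: Image, passes: int = 3) -> Image:
    """Constructed attack artefact: repeated blurring stands in for the loss of
    micro-texture in a printed or screen-displayed photo (an assumption, not a
    model of any particular printer or display)."""
    for _ in range(passes):
        img = box_blur(img)
    return img


# Eight neighbours, clockwise from top-left; bit i of the code is neighbour i.
_NEIGHBOURS = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]


def lbp_code(img: Image, y: int, x: int) -> int:
    """Basic LBP(8,1): one bit per neighbour, set when neighbour >= centre."""
    centre = img[y][x]
    code = 0
    for bit, (dy, dx) in enumerate(_NEIGHBOURS):
        if img[y + dy][x + dx] >= centre:
            code |= 1 << bit
    return code


def lbp_histogram(img: Image) -> List[float]:
    """Normalised 256-bin histogram of LBP codes over interior pixels: the
    texture descriptor that LBP-based PAD methods feed to a classifier."""
    hist = [0.0] * 256
    h, w = len(img), len(img[0])
    for y in range(1, h - 1):
        for x in range(1, w - 1):
            hist[lbp_code(img, y, x)] += 1
    n = float((h - 2) * (w - 2))
    return [v / n for v in hist]


def chi_square_distance(p: List[float], q: List[float]) -> float:
    """Chi-square distance between two normalised histograms (0 = identical)."""
    return sum((a - b) ** 2 / (a + b) for a, b in zip(p, q) if a + b > 0)


def is_presentation_attack(probe: Image, bona_fide_hist: List[float],
                           threshold: float = 0.15) -> bool:
    """Flag the probe when its LBP texture is too far from the bona fide
    reference. The threshold is an assumed value; a deployed PAD would learn
    its decision boundary from labelled bona fide and attack samples."""
    return chi_square_distance(lbp_histogram(probe), bona_fide_hist) > threshold


if __name__ == "__main__":
    reference = lbp_histogram(make_texture(seed=1))
    live = make_texture(seed=2)
    printed = degrade(make_texture(seed=3))
    for name, img in (("live", live), ("printed", printed)):
        d = chi_square_distance(lbp_histogram(img), reference)
        print(f"{name}: distance {d:.3f}, attack={is_presentation_attack(img, reference)}")
```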
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
PAD for Finger: Implement in Hardware, Software, or Both
Software:
Assess characteristics of sample: sharpness of lines, presence of pores.
• Easier to implement.
• Easier to update, including over the air (OTA) as anti-spoofing
techniques improve.
• Leverage machine learning.
Hardware:
Requires additional capabilities in fingerprint scanner: ability to sense
pulse, temperature, and capacitance; none of which can be done in
software alone.
• Greater ability to detect “liveness” of finger being scanned.
• More expensive.
• Consumes more power.
• May introduce latency if, for example, there is a need to sense
multiple heartbeats.
Source: https://www.semanticscholar.org/paper/Face-Spoof-Detection-With-Image-Distortion-Wen-Han/cdac436dcebe8b2c90a8de5479bd3bbd8d9a087f
Presentation Attack Detection (PAD), Genuine or Spoof?
Graphic: https://www.airloom.com/technology/security-as-a-service/
What is the Attack Model?
How Measure the Strength
of Biometric Recognition for
Authentication?
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Biometric System Attack Diagram (Ratha 2001, ISO 2006, NIST 2015)
Demonstrate at least 90% resistance to presentation attacks.
Attack points shown in the diagram, by system component:
• Data Capture: presentation attack; override capture device.
• Signal Processing: extract/modify biometric sample; override signal processor; modify probe.
• Comparison: modify score; override comparator.
• Decision: modify decision; override decision engine.
• Data Storage: modify biometric reference; override database.
Source: https://pages.nist.gov/SOFA/
Source: https://www.secureidnews.com/news-item/sofa-b-enabling-organizations-to-measure-the-strength-of-biometric-technologies/?tag=biometrics
Strength of Function for Authenticators (SOFA) - Biometrics
Measurement of biometric system strength:
• Provide a level of quantitative assurance.
• Outline a process to support evaluation of
biometric authenticators.
NIST, ISO/IEC, FIDO
SOFA Equation
• Level of Effort
• PAD Error Rate (PADER)
• False Match Rate (FMR)
• False Non-Match Rate (FNMR)
SOFA-B (NIST, April 2017)
Source: https://www.nist.gov/sites/default/files/documents/2016/11/21/sofa_discussiondraftoverview-v1_1.pdf (April 2017)
Zero-information case: no masquerade attempt; brute force with no knowledge of the target.
Targeted case: create a sample that resembles the individual’s biometric characteristic.
Source: https://pages.nist.gov/SOFA/
Source: http://www.theverge.com/2016/7/21/12247370/police-fingerprint-3D-printing-unlock-phone-murder (2016)
Level of Effort
Presentation attacks rated by:
• Time
• Expertise
• Equipment
Police 3D-printed a murder victim's finger to unlock his phone.
SOFA-B (NIST, April 2017)
Source: https://github.com/logos
Provide Comments:
https://github.com/usnistgov/SOFA/issues/
Call to Action
Presentation Attack Detection (PAD), Emerging Standards
Source: https://www.iso.org/standard/53227.html
ISO/IEC DIS 30107-2
Information technology -- Biometric presentation attack detection
-- Part 2: Data formats
ISO/IEC FDIS 30107-3
Information technology -- Biometric presentation attack detection
-- Part 3: Testing and reporting
NEW: April 28, 2017, Part 4
Presentation Attack Detection (PAD) for Mobile Devices
Source: https://www.iso.org/standard/53227.html
Source: https://cacm.acm.org/magazines/2016/4/200169-multimodal-biometrics-for-enhanced-mobile-device-security/abstract
Source: http://www.planetbiometrics.com/article-details/i/5803/ (April 2017)
Source: http://profit.ndtv.com/news/life-and-careers/article-new-smartphone-from-infocus-to-support-aadhaar-authentication-1634102
ISO/IEC 30107-4
Biometric presentation attack detection – Profile for
evaluation of mobile devices.
Address spoofing and presentation attacks against mobile
devices.
Presentation Attack Detection (PAD) includes:
• Fake fingerprints.
• Video replays.
• Voice recordings.
Concern for commercial and government agencies:
• Rely on mobile device authentication for transactions
and identity confirmation.
Graphic: https://www.airloom.com/technology/security-as-a-service/
Issues
Biological Biometrics
1. Difficult to reset, revoke.
2. Not secret.
3. Biometric samples are different each time captured.
4. Exist in public domain, and elsewhere (5.6M+ fingerprints stolen in
2015 OPM breach). [1]
5. May undermine privacy, make identity theft more likely. [2]
6. Persist in government and private databases, accreting information
whether we like it or not. [3]
7. User acceptance or preference varies by geography, demographic.
8. Difficult to measure strength of one biometric recognition system,
or compare it with another.
9. Liveness detection and other PAD methods are not hidden from
impostors.
10. Difficult to ascertain vendor components, algorithm ID, sensor ID.
Issues
[1] Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
[2] Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
[3] Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
Photo: http://www.rineypackard.com/facial-recognition.php
Master Key to Unlock Finger Sensors?
Source: https://www.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html?_r=2 (April 2017)
Computer simulations
• Created Master Prints
• Matched prints 65% of time
Nasir Memon
Professor of Computer Science and Engineering
New York University
Graphic: https://www.airloom.com/technology/security-as-a-service/
The Future
“Thought Auth” [1]
EEG Biosensor
• MindWave™ headset. [2]
• Measures brainwave signals.
• EEG monitor.
• International Conference on Financial Cryptography and Data Security (2013). [3]
[1] Source: Clare Nelson, March 2015
[2] Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
[3] Source: http://www.technewsworld.com/story/77762.html
Facebook telepathy
Homomorphic Encryption
VTT Technical Research Centre, Finland
• Biometric recognition for MFA
Risk that a person's biometric
identifiers leak out of the database.
• Protect biological or behavioral
biometric data.
• Uses homomorphic encryption.
Source: http://www.vttresearch.com/media/news/vtts-encryption-method-takes-authentication-to-a-new-level
Touchless, 4-Finger Biometric Recognition
Veridium
• Captures all four fingerprints at once
• Increases the complexity of the data
collected.
• Enhances overall security well beyond
partial prints, like those captured by
sensor-based mobile fingerprint
solutions.
• Just need 5MP camera and LED flash.
• Claims FRR 1.0% at FAR 0.01%
Source: https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Source: http://www.goodeintelligence.com/report/mobile-wearable-biometric-authentication-market-analysis-forecasts-2017-2022/
Graphic: https://www.airloom.com/technology/security-as-a-service/
Gratitude and Recognition
We Stand on the Shoulders of Giants
Source: https://alchetron.com/John-Daugman-489257-W
Source: http://www.idiap.ch/~marcel/professional/Welcome.html
Source: https://www.egr.msu.edu/people/profile/jain
Source: http://nislab.no/people/norwegian_information_security_laboratory/professors/christoph_busch
John Daugman
Sébastien Marcel
Anil Jain
Christoph Busch
Graphic: https://www.airloom.com/technology/security-as-a-service/
Questions?
Clare Nelson, CISSP, CIPP/E
@Safe_SaaS
clare_nelson@clearmark.biz
Presentation Posted: Slideshare
Source: http://www.idtp.com/identity/
Terms
Biometric data processing: biometric system data processing including capture, quality assessment, presentation attack (spoof) detection, feature extraction, database enrollment, fusion, matching, and decision processes
Biometric sensors and hardware: variation and types of biometric sensors and technology (e.g. capacitive, thermal, optical, infrared, multi-spectrum) required to capture high-quality samples for various modalities and applications
Biometric system integration: the hardware and software interfacing necessary to produce a functioning biometric system optimized for a specific application, including proper utilization of biometric software development kits
Biometric system performance: system performance and metrics including Equal Error Rate (EER), False Accept Rate (FAR), False Reject Rate (FRR), False Match Rate (FMR), False Non-Match Rate (FNMR), detection error tradeoff (DET) and receiver operating characteristic (ROC) curves, Genuine and Impostor score histograms, and considerations for threshold optimization for population, operating environment, and application requirements
Biometric standards: NIST, ISO, FIDO standards
Enrollment and capture processes: considerations for enrollment and live capture processes and errors such as failure to acquire (FTA) and failure to enroll (FTE)
Sample quality: biometric sample quality has a direct measurable impact on the performance of the system; proper quality assessment algorithms and thresholds ensure the integrity of enrolled biometric templates
Spoofing and presentation attack detection: recognizing and preventing attempts to use manufactured or fake biometric samples (also known as liveness detection)
Verification and Identification: verification processes require a one-to-one comparison between biometric samples to make a matching decision, while identification processes require one-to-many matching, where a sample (probe) is compared to a database (gallery) to obtain a ranked candidate list
Physiological and behavioral modalities: biometric traits (i.e. fingerprint, face, iris, voice, vascular, DNA) and their characteristics of universality, uniqueness, permanence, measurability, performance, acceptability, and circumvention
Soft biometrics: height, weight, skin color, scars, marks, tattoos
Multimodal biometrics: combining (or fusing) biometric traits to improve decision accuracy, hinder spoofing, and account for unavailability of biometric traits
Graphic: https://www.airloom.com/technology/security-as-a-service/
References
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
• IDC Technology Spotlight, sponsored by SecureAuth; Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
• Six technologies that are taking on the password, UN/HACKABLE, Medium
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
• Nelson, Clare; Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
• Pagliery, Jose; OPM hack’s unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
• Bonneau, Joseph, et al; Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• White, Conor, CTO Daon; Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Gioria, Sébastien; OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
References
• Steves, Michelle, et al; NISTIR, Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
• Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-fingerprints/?mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhokz2EFye%2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhXlDQ%3D%3D (September 2015)
• Perrot, Didier; There’s No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)
• Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/.
• AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/.
• Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems, https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-Whitepaper-v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite]
• Jankovich, Thomas; “Blockchain Makes Digital ID a Reality,” https://finxtech.com/2016/12/02/blockchain-makes-digital-id-reality/ (December 2016)
• Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age, http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013).
• NSTIC Paper
• MyData Identity Network based on User Managed Access (UMA), https://docs.google.com/presentation/d/1j3aX8AQGdVtigF1WZouL8WccmYQzZQQje3wuaC2Zb1I/edit#slide=id.g1386e8a6aa_2_914
References
• Kung, S.Y.; Biometric Authentication: A Machine Learning Approach, Prentice Hall (2005).
• mikeh; Machine Learning and Biometrics, Neya Systems blog, http://neyasystems.com/machine-learning-biometrics/ (March 23, 2013).
References
Graphic: https://www.airloom.com/technology/security-as-a-service/
Backup
Artificial Dog Nose
It smells you once, and knows you forever.
Matt Staymates, a mechanical engineer at NIST.
• Schlieren imaging system, visualizes flow of
vapors into an explosives detection device fitted
with an artificial dog nose, mimics "active
sniffing" of a dog.
• Artificial dog nose developed by Staymates and
colleagues at NIST, MIT Lincoln Laboratory, FDA.
• Improves trace chemical detection as much as
16-fold.
Source: http://phys.org/news/2016-12-scientists-artificial-dog-nose-mimics.html
Photo: http://dogs.petbreeds.com/l/95/Labrador-Retriever
Presentation Attack Detection (PAD)
Source: https://www.iso.org/standard/53227.html
Types of Detection
Source: https://www.nist.gov/sites/default/files/documents/2016/11/30/401_newton.pdf
Vendor ID, Algorithm ID, and Sensor ID
Graphic: https://www.airloom.com/technology/security-as-a-service/
Is it Better to Store
Biometric Information on
Mobile Device, or a
Centralized Server?
What Does the FIDO
Alliance Recommend?
Store Biometrics on Personal Device or Server?
Source: Webinar by Forrester and Nok Nok Labs, February 1, 2017
Graphic: http://findbiometrics.com/topics/fido-alliance/
Graphic: https://www.carphonewarehouse.com/apple/iphone-6.html
Graphic: http://kryptostech.com/server-management/
Graphic: http://www.planetbiometrics.com/article-details/i/5463/desc/facebook-rolling-out-support-for-fido/
Enroll, biometrics only stored on personal
device (FIDO Alliance, others).
• Biometrics remain on the device, are not
transmitted.
• Not susceptible to theft by insiders or
identity thieves who can access a server
repository.
Enroll, biometrics stored on server.
• No-password model.
• Works if no mobile phone, works with land line.
• Works if person calls in.
• Privacy concerns.
• Susceptible to theft, unwanted modification by
insiders or identity thieves.
Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:2382:-37:ed-2:v1:en (2017)
Spoofing, Biometric Presentation Attack
Biometric Presentation Attack
Presentation to the biometric capture system with the
goal of interfering with the operation of the biometric
system.
Source: http://livdet.org/index.php
Presentation Attack Detection, Liveness Detection Competition
Hosts: University, Notre Dame University, West Virginia
University, and Warsaw University of Technology
This will be held as part of the IJCB 2017.
The competition has two sub-competitions:
• Part I: Software-based
• Part II: System-based Test
International Joint Conference on Biometrics
IARPA Face Recognition Algorithm Contest
Source: https://www.challenge.gov/challenge/face-recognition-prize-challenge/ (April 2017)
Face Identification and Face Verification
• 1-to-1 compare.
• 1-to-many compare.
• “Face recognition is hard.”
• Algorithms commit false negative and
false positive errors.
o Head pose, illumination, and facial expression.
Looking for advancements in
face recognition accuracy.
Face Recognition Algorithm Evaluation
Source: https://www.nist.gov/programs-projects/face-recognition-vendor-test-frvt-ongoing
Source: http://www.planetbiometrics.com/article-details/i/5406/desc/nist-to-hold-new-round-of-face-recognition-algorithm-evaluation/
Face Recognition Algorithm Evaluation
• Includes verification of:
o Visa images.
o De-duplication of passports.
o Recognition across photojournalism images.
o Identification of child exploitation victims.
• Part of the Face Recognition Vendor Test
(FRVT).
• Results will be posted to the NIST website.
November 2016 NIST Algorithm Test Results, Finger
Source: https://www.innovatrics.com/awards/pft/
• FMR = False Match Rate
• FNMR = False Non-Match Rate
• POEBVA = Point of Entry BVA (data used for compliance testing)
o BVA = German Federal Office of Administration
Assess the core algorithmic
capability to perform one-to-one
verification.
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Presentation Attack Detection (PAD), Techniques
• Liveness detection: facial thermogram, blood pressure, fingerprint sweat, or specific reflection properties of the eye, pulse, perspiration, pupillary unrest (hippus), brain wave signals (EEG), or electric heart signals.
• Protect the system against the injection of reconstructed or synthetic samples into the communication channel between the sensor and the feature extractor.
• Fusion strategies to increase resistance: multimodal, use more than one biometric, or combine unimodal with an anti-spoofing technique. The score reflects more than one input, unknown to the bad guy.
Quantum Biometrics (April 2017)
Human Eye Can Detect a Single Photon
Identify individuals by the way their eyes detect photons.
• Beam a random pattern of flashes into the eye.
• Vary the intensity of light in each flash.
It is detected as a recognizable pattern by a person with a specific alpha map but seems random to anyone else.
Source: https://www.technologyreview.com/s/604266/quantum-biometrics-exploits-the-human-eyes-ability-to-detect-single-photons/?utm_campaign=add_this&utm_source=twitter&utm_medium=post
Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
Source: http://www.iphonehacks.com/2017/01/synaptics-launches-multi-factor-facial-fingerprint-recognition-engine-smartphones-tablets.html
Fusion Strategies: Example of Face and Finger
Better accuracy
• Bimodal biometric system using face and fingerprint.
• Salient features of the face and fingerprint were extracted and fused/combined.
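To make the FMR and FNMR definitions from the NIST finger results slide and the score-level fusion idea on this slide concrete, here is an added Python example; it is not part of the presentation or of any of the cited papers. It computes FMR, FNMR and EER from constructed face and fingerprint similarity scores (illustrative values, not real test data), then fuses the two modalities with a weighted sum and shows how the combined score separates genuine from impostor trials better than either modality alone. The trial scores, the 0.5 fusion weight and all function names are assumptions of the example.

```python
"""Added example (not from the presentation): FMR, FNMR, EER and score-level
fusion for a bimodal face + fingerprint verifier.

A genuine trial compares a person against their own enrolled template; an
impostor trial compares them against someone else's.  The verifier accepts
when the similarity score is >= the operating threshold.  Every score below
is constructed for illustration only; a real evaluation uses thousands of
trials per modality.
"""
from __future__ import annotations

from typing import Callable, Sequence

# Constructed (face, finger) similarity scores per trial, each in [0, 1].
# Weak face trials are paired with strong finger trials and vice versa, the
# situation in which fusion helps most.
GENUINE_TRIALS = [
    (0.59, 0.93), (0.68, 0.90), (0.73, 0.88), (0.75, 0.85), (0.77, 0.83),
    (0.80, 0.78), (0.82, 0.71), (0.84, 0.69), (0.88, 0.64), (0.91, 0.58),
]
IMPOSTOR_TRIALS = [
    (0.70, 0.25), (0.66, 0.29), (0.62, 0.31), (0.55, 0.36), (0.48, 0.40),
    (0.44, 0.45), (0.41, 0.52), (0.35, 0.57), (0.33, 0.60), (0.28, 0.63),
]


def fmr(impostor: Sequence[float], threshold: float) -> float:
    """False Match Rate: fraction of impostor trials wrongly accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def fnmr(genuine: Sequence[float], threshold: float) -> float:
    """False Non-Match Rate: fraction of genuine trials wrongly rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)


def candidate_thresholds(genuine, impostor):
    """Every observed score is a candidate operating threshold."""
    return sorted(set(genuine) | set(impostor))


def equal_error_rate(genuine, impostor) -> tuple[float, float]:
    """Return (EER, threshold): the operating point where FMR and FNMR are
    closest to equal, with EER taken as their mean there."""
    best = None  # (gap, eer, threshold)
    for t in candidate_thresholds(genuine, impostor):
        a, r = fmr(impostor, t), fnmr(genuine, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, (a + r) / 2, t)
    return best[1], round(best[2], 3)


def threshold_for_fmr(genuine, impostor, max_fmr: float) -> tuple[float, float]:
    """Lowest candidate threshold whose FMR is <= max_fmr, and the FNMR paid
    there.  This is how an operating point is normally chosen: fix the
    tolerated false-match rate, then measure the false-rejection cost."""
    for t in candidate_thresholds(genuine, impostor):
        if fmr(impostor, t) <= max_fmr:
            return round(t, 3), fnmr(genuine, t)
    raise ValueError("no threshold reaches the requested FMR")


def fuse(trials, weight_face: float = 0.5) -> list[float]:
    """Score-level fusion: weighted sum of the two modality scores of a trial."""
    return [weight_face * f + (1.0 - weight_face) * g for f, g in trials]


def single(trials, index: int) -> list[float]:
    """Pick one modality (0 = face, 1 = finger) out of each trial."""
    return [t[index] for t in trials]


def evaluate() -> dict[str, dict[str, float]]:
    """EER and zero-FMR operating point for face, finger and the fused score."""
    views: dict[str, Callable] = {
        "face": lambda tr: single(tr, 0),
        "finger": lambda tr: single(tr, 1),
        "fused": fuse,
    }
    report = {}
    for name, view in views.items():
        gen, imp = view(GENUINE_TRIALS), view(IMPOSTOR_TRIALS)
        eer, eer_t = equal_error_rate(gen, imp)
        zero_t, cost = threshold_for_fmr(gen, imp, 0.0)
        report[name] = {"eer": eer, "eer_threshold": eer_t,
                        "zero_fmr_threshold": zero_t, "fnmr_at_zero_fmr": cost}
    return report


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:6s} EER {r['eer']:.2f} @ {r['eer_threshold']:.3f} | "
              f"at FMR=0: threshold {r['zero_fmr_threshold']:.3f}, "
              f"FNMR {r['fnmr_at_zero_fmr']:.2f}")
```

Run it directly to print one line per modality. Two things the numbers show: a zero false-match operating point costs 20 % false rejections on face alone and 10 % on finger alone, but none on the fused score, because each weak genuine trial of one modality is paired with a strong trial of the other. And an EER measured on ten trials per class is only a coarse illustration: a claimed FMR of 1 in 10,000 cannot even be observed without at least 10,000 impostor trials, which is why the NIST tests described on the surrounding slides use very large datasets.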
Existing and Emerging Methods and Standards, Increased Synergy
Determine How Well Biometric Recognition Solutions Work
• Measure strength, use NIST SOFA-B
o NIST creating synergy with ISO/IEC and FIDO
• Test face or finger recognition algorithms with NIST
• In future, FIDO certification for biometrics
• ISO/IEC standards for PAD, for mobile
• PAD algorithms
• Increased understanding of FAR, FRR, EER
• Accredited, third-party testing of all or part of the biometric recognition system
o iBeta
• Usability research and testing
• Contests, e.g., LivDet, IARPA
• If biometrics are stored only on the device, then provide a free version to test accuracy and usability. Otherwise, it is difficult to get feedback.
• Research institutes, e.g., IDIAP Research Institute in Switzerland
Presentation Attack Detection (PAD) Algorithms
Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
Source: https://www.trusona.com/patented-anti-replay/
Source: https://en.wikipedia.org/wiki/Albert_Einstein
Argument for Behavioral Biometrics
“Adding any new static user credentials like longer passwords or [biological] biometrics is futile.” – Trusona
Behavioral Biometrics
Source: http://www.behaviosec.com
• Requires JavaScript.
• Learning curve.
• Privacy impact from constant monitoring.
• Varies.
o Injury to hand.
o Intoxicated.
Graphic: https://www.airloom.com/technology/security-as-a-service/
What is Multimodal Biometric Recognition?
Why is its Adoption Growing?
Multimodal Biometrics
Research from California State University, Fullerton
• Use ear plus face and fingerprint.
• Multimodal biometrics adds a layer of security to the existing mobile device security.
Source: https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Graphic: http://www.rd.com/health/wellness/unique-body-parts/
Researchers claim some mobile biometric recognition for authentication suffers from:
• Poor quality mobile hardware.
o Camera.
o Microphone.
• Environmental conditions.
o Lighting.
o Background noise.
• User error.
• Use of unimodal biometrics, which is less secure.
Google Trust API
Source: http://www.itshacking.xyz/good-bye-passwords-as-google-plans-a-different-verification-option/
Source: https://techcrunch.com/2015/05/29/googles-atap-wants-to-eliminate-passwords-for-good/
Get Rid of Password
• How you swipe
• How you move
• How you type
• How you talk
• Your face
• Combine all of the above for multimodal recognition
Timeline
• First announced as Project Abacus
• Now called Trust API
Types of Spoofing
Source: https://www.iso.org/standard/53227.html
Acoustic Ear-Shape Biometric Authentication
NEC
A microphone embedded within an earphone analyzes the resonance of sounds within the ear cavity in order to produce a biometric profile.
Source: http://www.handsonlabs.org/nec-developing-acoustic-ear-shape-biometric-authentication-solution/
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Requires earphones.
Graphic: https://www.airloom.com/technology/security-as-a-service/
Presentation Attacks
Spoofing
Spoofing
The ability to fool a biometric system into recognizing an illegitimate user as a genuine one by means of presenting a synthetic or forged version of the original biometric trait to the sensor.
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Source: https://www.slideshare.net/SBAResearch/31c3-in20min
Spoofing
Source: https://www.linkedin.com/pulse/biometric-spoofing-nadh-thota
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Types of Fake Fingerprints
Fake eye images, contact lenses, etc., enable hackers to fake an iris sample.
[Figure: real sample beside fake sample]
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.computer.org/csdl/trans/tp/2006/01/i0031.html
Face Spoofing
Matching 2.5D Face Scans to 3D Models

More Related Content

What's hot

Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!espheresecurity
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxtmbainjr131
 
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...Brian Kelly
 
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thCYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thUnited Technology Group (UTG)
 
Best Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesBest Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesSplunk
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Advanced monitoring
 
Ed McCabe - Putting the Intelligence back in Threat Intelligence
Ed McCabe - Putting the Intelligence back in Threat IntelligenceEd McCabe - Putting the Intelligence back in Threat Intelligence
Ed McCabe - Putting the Intelligence back in Threat Intelligencecentralohioissa
 
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongForrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongDuo Security
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium SecurityJack Mannino
 
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)DJ Schleen
 
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target 2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target Raleigh ISSA
 
CyleronCentry - Deep Learning Cybersecurity Software Solution
CyleronCentry - Deep Learning Cybersecurity Software SolutionCyleronCentry - Deep Learning Cybersecurity Software Solution
CyleronCentry - Deep Learning Cybersecurity Software SolutionTodd Rebner
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsTechWell
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4skimil
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 

What's hot (20)

OWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San FranciscoOWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San Francisco
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptx
 
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
 
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thCYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
 
Best Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesBest Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting Breaches
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.
 
Ed McCabe - Putting the Intelligence back in Threat Intelligence
Ed McCabe - Putting the Intelligence back in Threat IntelligenceEd McCabe - Putting the Intelligence back in Threat Intelligence
Ed McCabe - Putting the Intelligence back in Threat Intelligence
 
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongForrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
 
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
 
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target 2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
 
CyleronCentry - Deep Learning Cybersecurity Software Solution
CyleronCentry - Deep Learning Cybersecurity Software SolutionCyleronCentry - Deep Learning Cybersecurity Software Solution
CyleronCentry - Deep Learning Cybersecurity Software Solution
 
Three trends in cybersecurity
Three trends in cybersecurityThree trends in cybersecurity
Three trends in cybersecurity
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web Apps
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
 
Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 

Similar to Biometric Recognition for Authentication, BSides Austin, May 2017

2018 01 smart city symposium - db
2018 01 smart city symposium - db2018 01 smart city symposium - db
2018 01 smart city symposium - dbDavid Bressler
 
What Is Facial Recognition, How It Is Used & What Is It’s Future Scope?
What Is Facial Recognition, How It Is Used & What Is It’s Future Scope?What Is Facial Recognition, How It Is Used & What Is It’s Future Scope?
What Is Facial Recognition, How It Is Used & What Is It’s Future Scope?Kavika Roy
 
8.biometric security
8.biometric security8.biometric security
8.biometric securitynishiyath
 
Emerging web technologies 2014
Emerging web technologies 2014Emerging web technologies 2014
Emerging web technologies 2014bthat
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Kimberley Dray
 
AI Approach for Iris Biometric Recognition Using a Median Filter
AI Approach for Iris Biometric Recognition Using a Median FilterAI Approach for Iris Biometric Recognition Using a Median Filter
AI Approach for Iris Biometric Recognition Using a Median FilterNIDHI SHARMA
 
Fingerprint Authentication Using Biometric And Aadhar Card Fingerprint
Fingerprint Authentication Using Biometric And Aadhar Card FingerprintFingerprint Authentication Using Biometric And Aadhar Card Fingerprint
Fingerprint Authentication Using Biometric And Aadhar Card FingerprintSonuSawant
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...Clare Nelson, CISSP, CIPP-E
 
Brafton White Paper Example
Brafton White Paper ExampleBrafton White Paper Example
Brafton White Paper ExampleKayla Perry
 
ATM SECURITY USING FACE RECOGNITION
ATM SECURITY USING FACE RECOGNITIONATM SECURITY USING FACE RECOGNITION
ATM SECURITY USING FACE RECOGNITIONLisa Cain
 
Face recognition technology - BEST PPT
Face recognition technology - BEST PPTFace recognition technology - BEST PPT
Face recognition technology - BEST PPTSiddharth Modi
 
Biometric security using cryptography
Biometric security using cryptographyBiometric security using cryptography
Biometric security using cryptographySampat Patnaik
 
IRJET- Advanced Two Factor Authentication using Image Processing
IRJET- Advanced Two Factor Authentication using Image ProcessingIRJET- Advanced Two Factor Authentication using Image Processing
IRJET- Advanced Two Factor Authentication using Image ProcessingIRJET Journal
 
How Healthcare CISOs Can Secure Mobile Devices
How Healthcare CISOs Can Secure Mobile DevicesHow Healthcare CISOs Can Secure Mobile Devices
How Healthcare CISOs Can Secure Mobile DevicesSkycure
 
Mobile Solutions and Market Trends
Mobile Solutions and Market TrendsMobile Solutions and Market Trends
Mobile Solutions and Market TrendsForgeRock
 
IJSRED-V2I5P43
IJSRED-V2I5P43IJSRED-V2I5P43
IJSRED-V2I5P43IJSRED
 
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New AuthenticationPasswords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New AuthenticationPriyanka Aash
 

Similar to Biometric Recognition for Authentication, BSides Austin, May 2017 (20)

Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9
 
2018 01 smart city symposium - db
2018 01 smart city symposium - db2018 01 smart city symposium - db
2018 01 smart city symposium - db
 
What Is Facial Recognition, How It Is Used & What Is It’s Future Scope?
What Is Facial Recognition, How It Is Used & What Is It’s Future Scope?What Is Facial Recognition, How It Is Used & What Is It’s Future Scope?
What Is Facial Recognition, How It Is Used & What Is It’s Future Scope?
 
Tt 06-ck
Tt 06-ckTt 06-ck
Tt 06-ck
 
Financial services 20150503
Financial services 20150503Financial services 20150503
Financial services 20150503
 
8.biometric security
8.biometric security8.biometric security
8.biometric security
 
Emerging web technologies 2014
Emerging web technologies 2014Emerging web technologies 2014
Emerging web technologies 2014
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019
 
AI Approach for Iris Biometric Recognition Using a Median Filter
AI Approach for Iris Biometric Recognition Using a Median FilterAI Approach for Iris Biometric Recognition Using a Median Filter
AI Approach for Iris Biometric Recognition Using a Median Filter
 
Fingerprint Authentication Using Biometric And Aadhar Card Fingerprint
Fingerprint Authentication Using Biometric And Aadhar Card FingerprintFingerprint Authentication Using Biometric And Aadhar Card Fingerprint
Fingerprint Authentication Using Biometric And Aadhar Card Fingerprint
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
 
Brafton White Paper Example
Brafton White Paper ExampleBrafton White Paper Example
Brafton White Paper Example
 
ATM SECURITY USING FACE RECOGNITION
ATM SECURITY USING FACE RECOGNITIONATM SECURITY USING FACE RECOGNITION
ATM SECURITY USING FACE RECOGNITION
 
Face recognition technology - BEST PPT
Face recognition technology - BEST PPTFace recognition technology - BEST PPT
Face recognition technology - BEST PPT
 
Biometric security using cryptography
Biometric security using cryptographyBiometric security using cryptography
Biometric security using cryptography
 
IRJET- Advanced Two Factor Authentication using Image Processing
IRJET- Advanced Two Factor Authentication using Image ProcessingIRJET- Advanced Two Factor Authentication using Image Processing
IRJET- Advanced Two Factor Authentication using Image Processing
 
How Healthcare CISOs Can Secure Mobile Devices
How Healthcare CISOs Can Secure Mobile DevicesHow Healthcare CISOs Can Secure Mobile Devices
How Healthcare CISOs Can Secure Mobile Devices
 
Mobile Solutions and Market Trends
Mobile Solutions and Market TrendsMobile Solutions and Market Trends
Mobile Solutions and Market Trends
 
IJSRED-V2I5P43
IJSRED-V2I5P43IJSRED-V2I5P43
IJSRED-V2I5P43
 
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New AuthenticationPasswords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
 

More from Clare Nelson, CISSP, CIPP-E

More from Clare Nelson, CISSP, CIPP-E (7)

Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
 
IoT Security, Mirai Revisited
IoT Security, Mirai RevisitedIoT Security, Mirai Revisited
IoT Security, Mirai Revisited
 
Zero-Knowledge Proofs in Light of Digital Identity
Zero-Knowledge Proofs in Light of Digital IdentityZero-Knowledge Proofs in Light of Digital Identity
Zero-Knowledge Proofs in Light of Digital Identity
 
#BiometAuth Podcast
#BiometAuth Podcast#BiometAuth Podcast
#BiometAuth Podcast
 
FTC Start with Security: Panel
FTC Start with Security: PanelFTC Start with Security: Panel
FTC Start with Security: Panel
 
LASCON 2015
LASCON 2015LASCON 2015
LASCON 2015
 
HackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's ClothingHackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's Clothing
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Recently uploaded (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Biometric Recognition for Authentication, BSides Austin, May 2017

  • 6. Scope
    How can you tell if it’s a bad guy?
    Primary focus: biometric recognition for Multi-Factor Authentication (MFA), mobile use case. (The term “Biometric Authentication” is deprecated.)
    Biometric Recognition, per ISO/IEC (2017):
                          Biometric Verification             Biometric Identification
      Comparison          1-to-1                             1-to-Many
      Purpose             Confirm or deny claimed identity   Identify a specific individual
      Use Case Example    Mobile app authentication          Airport security
    Source: https://arstechnica.com/gadgets/2017/03/video-shows-galaxy-s8-face-recognition-can-be-defeated-with-a-picture/
    Source: https://realizethelies.com/tag/facial-recognition-software/
    Source: https://www.iso.org/standard/55194.html (2017)
  • 8. Spoofing is Still Too Easy
    Face Unlock spoofed:
      o 2011 Galaxy Nexus
      o 2017 Samsung S8
    There is no standard method for measuring strength, or for comparing solutions.
    Source: http://www.dailystar.co.uk/tech/news/601633/Samsung-Galaxy-S8-face-recognition-privacy-security-warning
    Source: http://www.androidpolice.com/2011/11/16/still-not-convinced-that-face-unlock-is-easily-fooled-by-a-photo-heres-another-video-showing-face-programming-and-photo-unlocking-from-start-to-end/
    Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments
  • 9. Lunacy
    Blink, smile, or turn head: we tell impostors how to spoof the system.
    Source: https://www.tumblr.com/search/lunatic%20moon
  • 10. Samsung Galaxy S8
    Contrary to earlier reports:
      o Will not let users authenticate payments through facial recognition.
      o Camera and deep learning technology: facial recognition for financial transactions is 4+ years away.
      o Iris and fingerprint are more secure.
    Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April 2017)
    Source: http://www.economist.com/blogs/economist-explains/2015/06/economist-explains-12
  • 11. Why Care?
    By 2022:
      o Market for mobile and wearable biometric recognition for authentication will exceed $6.2 billion.
      o Over 3.3 billion users.
    Source: https://webshop.bellabeat.com/
    Source: http://www.goodeintelligence.com/press-releases/multi-modal-mobile-biometric-authentication-drives-revenues-to-over-6-2-billion-by-2022/ (April 2017)
  • 13. Definition of Multi-Factor Authentication
    Factors: Know, Have, Are.
    Mobile Identity Authentication, March 27, 2017.
    Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
    Source: https://www.securetechalliance.org/publications-mobile-identity-authentication/
  • 14. Something You Are
      o Biological Biometrics
      o Behavioral Biometrics
    Graphic: http://thepeepspot.com/9-best-compliments-to-make-a-woman-smile/
  • 15. Biometric Recognition
    Automated recognition of individuals based on their biological and behavioral characteristics.
    Biometric recognition systems compare a sample to a template, on the device or on a server.
      o The template is established during enrollment.
      o If the comparison score meets the criteria, then recognition is confirmed.
    Source: http://biometrics.derawi.com/?page_id=101
    Source: http://searchsecurity.techtarget.com/definition/biometric-authentication
    Graphic: http://www.aspire-security.eu/access-control.html
  • 16. What is Feature Extraction?
    Digital image of a fingerprint:
      o Includes ridge bifurcations and ridge endings.
      o Collectively referred to as minutiae.
    Algorithm extracts features (dimensionality reduction):
      o Each feature has an (x, y) location and the ridge direction at that location (ϴ).
      o Because of sensor noise and other variability in the imaging process, feature extraction may miss some minutiae and/or generate spurious minutiae.
      o Due to the elasticity of human skin, the relationship between minutiae may be randomly distorted from one impression to the next.
    Source: https://www.security-audit.com/files/ratha.pdf (2001)
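To make the sample-versus-template comparison and the minutiae caveats on slides 15 and 16 concrete, here is a small added example in Python (written for this page; it is not code from the talk or from the Ratha paper): a tolerance-based minutiae matcher over constructed (x, y, θ) lists, where the genuine probe has one minutia missing and one spurious minutia, mirroring the sensor-noise and skin-elasticity points above. The distance and angle tolerances, the greedy pairing and the 0.6 decision threshold are assumptions for illustration, not values from any product.

```python
"""Toy minutiae comparison: added example, not code from the talk or from Ratha et al.
Template and probes are lists of (x, y, theta) minutiae; every value is constructed."""
import math
from typing import List, Tuple

Minutia = Tuple[float, float, float]  # x, y in pixels; theta (ridge direction) in radians

# Constructed enrollment template: six minutiae (assumed values, not real data).
TEMPLATE: List[Minutia] = [
    (10, 10, 0.0), (40, 12, 0.5), (25, 30, 1.2),
    (60, 35, 2.0), (15, 55, 2.8), (50, 60, -1.0),
]
# Constructed genuine probe: same finger, positions jittered by skin elasticity and
# sensor noise, minutia (15, 55) missed, and one spurious minutia at (90, 90).
GENUINE_PROBE: List[Minutia] = [
    (12, 11, 0.05), (38, 14, 0.45), (27, 29, 1.3),
    (58, 37, 1.9), (52, 58, -0.9), (90, 90, 0.3),
]
# Constructed impostor probe: a different finger, nothing near the template minutiae.
IMPOSTOR_PROBE: List[Minutia] = [
    (70, 10, 0.0), (80, 40, 1.0), (30, 80, 2.0),
    (5, 35, 0.0), (45, 45, 1.5), (20, 5, -2.0),
]


def angle_diff(a: float, b: float) -> float:
    """Smallest absolute difference between two angles, in radians."""
    d = abs(a - b) % (2 * math.pi)
    return min(d, 2 * math.pi - d)


def match_score(probe: List[Minutia], template: List[Minutia],
                dist_tol: float = 8.0, angle_tol: float = math.radians(15)) -> float:
    """Greedy one-to-one pairing of probe minutiae with template minutiae.

    A pair counts when position and ridge direction agree within the (assumed)
    tolerances; tolerances absorb distortion but, if widened, also raise false accepts.
    Score = 2 * paired / (len(probe) + len(template)), in [0, 1], so both missing
    and spurious minutiae lower the score.
    """
    used = set()
    paired = 0
    for px, py, pt in probe:
        best_j, best_d = None, None
        for j, (tx, ty, tt) in enumerate(template):
            if j in used:
                continue
            d = math.hypot(px - tx, py - ty)
            if d <= dist_tol and angle_diff(pt, tt) <= angle_tol:
                if best_d is None or d < best_d:
                    best_j, best_d = j, d
        if best_j is not None:
            used.add(best_j)
            paired += 1
    total = len(probe) + len(template)
    return 2 * paired / total if total else 0.0


def recognized(score: float, threshold: float = 0.6) -> bool:
    """Decision step: recognition is confirmed only if the score meets the threshold (assumed 0.6)."""
    return score >= threshold


if __name__ == "__main__":
    for name, probe in (("genuine", GENUINE_PROBE), ("impostor", IMPOSTOR_PROBE)):
        s = match_score(probe, TEMPLATE)
        print(f"{name}: score={s:.3f} recognized={recognized(s)}")
```

With these inputs the genuine probe pairs five of six minutiae (score 0.833) and the impostor probe pairs none; raising `dist_tol` is the knob that trades missed genuine minutiae against accidental impostor pairings, which is the convenience-versus-security trade-off the later FAR/FRR slides quantify.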
  • 17. Biological Biometrics
    Finger, Face, Iris.
    Graphic: http://www.ibmsystemsmag.com/ibmi/trends/whatsnew/Biometric-Authentication-101/
  • 18. Behavioral Biometrics
    Graphics: https://www.scienceabc.com/innovation/lesser-known-methods-biometrics-identification-retinal-fingerprint-scan-gait-analysis-keystroke.html
  • 19. Biometric Modes, Endless Variations
      o Face 2D, 3D.
      o Pulse response, electric square pulse signal.
      o Fingerprints 2D, 3D via ultrasonic waves, in-display.
      o Finger veins, palm veins, eye veins.
      o Palm prints and/or the whole hand.
      o Feet.
      o Signature.
      o Keystroke, typing, mouse, touch pad.
      o Voice.
      o Eyeprint, iris, retina, features of eye movements.
      o Face, head: its shape, specific movements.
      o Ears, lip prints.
      o How you sit.
      o Gait, odor, DNA.
      o ECG (Bionym’s Nymi wristband, smartphone, laptop, car, home).
      o EEG.1
      o Tests: microchip in pills, digital tattoos.
      o Smartphone/behavioral: authenticate based on g-sensor and gyroscope, how you write your signature in the air.2
      o Hand movement when answering the smartphone, using data from the smartphone’s accelerometer, gyroscope, and light sensor.3
    1Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
    2Source: http://www.airsig.com
    3Source: http://www.biometricupdate.com/201703/mobile-app-uses-hand-movement-to-authenticate-smartphone-owner
    Source: http://www.cvphysiology.com/Arrhythmias/A009
  • 20. Behavioral Biometrics: Passive, Continuous Authentication
    500+ metrics, human-device interactions:
      o Invisible challenge, e.g., how the user finds a missing cursor.
      o Leverage gyroscope, touch screen, accelerometer.
      o Cloud, monitors 2 billion sessions/month. Learns behavior patterns of fraudsters. Detects presence of malware.
    Source: http://www.biocatch.com
    Source: https://www.extremetech.com/extreme/215170-artificial-neural-networks-are-changing-the-world-what-are-they
  • 21. Behavioral Biometrics: Implicit Authentication
    Passive sensor data: how you walk, type, and sit.
    Source: https://blog.unify.id/2016/09/12/unifyid-technical-overview/
  • 23. Don’t Use as Single or Primary Factor
    Remote system access:
      o Exclude biometrics as the single or primary authentication factor.
         Biometric samples are not secrets.
         Biometric samples are different each time they are captured.
    Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
    Graphic: http://www.itproportal.com/2016/04/07/the-role-of-biometric-authentication-techniques-in-security/
  • 25. Contactless Biometric Recognition, Healthcare
    Solution:
      o Palm vein.
      o Capture palm vein pattern with near-infrared rays.
      o Works with clinician and surgeon gloves.
      o Fujitsu data sheet: FAR (false accept rate) = 0.00001%; FRR (false reject rate) = 1.0%.
    Source: http://healthcare.fai.fujitsu.com/resource/essentials-to-achieve-optimal-clinical-workflow.pdf
    Source: http://www.amfastech.com/2013/03/a-seminar-on-palm-vein-technology.html
  • 26. Iris versus Face
    NIST: face versus iris recognition, factor of 100,000 in accuracy. Iris is more accurate than face.
    But what is the user experience?
    Source: https://www.youtube.com/watch?v=KyDoFrojEYk&list=PLrUBqh62arzt_Uf_UamHtRFDYl1tpRVCK
    Source: https://pages.nist.gov/800-63-3/sp800-63b.html
  • 28. Biometric Recognition is not 100% Reliable
      o Every biometric recognition configuration must account for some level of false negatives and false positives.
      o In highly secure environments, false positives may present an unacceptable risk.
      o False negatives require a fallback authentication mechanism.
    Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
    Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
  • 29. User Experience Versus Security
    Convenience versus security:
      o FAR: ratio of the number of false acceptances divided by the number of identification attempts.
      o FRR: ratio of the number of false rejections divided by the number of identification attempts.
      o EER: the point at which the proportion of false acceptances equals the proportion of false rejections.
    Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
    Source: http://www.descartesbiometrics.com/wp-content/uploads/2014/11/HELIX-Whitepaper.pdf
  • 30. Vocabulary, 2017 ISO/IEC 2382-37
    Source                   Associated Terms
    Biometrics text books    FAR (Type II error)        FRR (Type I error)
    ISO/IEC                  More detailed terms        More detailed terms
    NIST                     FMR                        FNMR
    Risk                     False Positive             False Negative, False Reject, Insult Rate
    Equal Error Rate (EER), also known as Crossover Error Rate (CER).
    Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-Paper-Understanding-Biometric-Performance-Evaluation.pdf
  • 31. FAR: Need to Know FRR Plus Number of Attempts
    Apple claims a FAR of 1/50,000 for Touch ID:
      o Out of 50,000 impostor comparisons, up to one will be accepted as genuine.
      o 1/50,000 = 0.002%.
    Android is similar:
       Requires FAR of not more than 0.002%.
       Recommends FRR of no more than 10%.
    Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
    Source: http://www.goodeintelligence.com/press-releases/multi-modal-mobile-biometric-authentication-drives-revenues-to-over-6-2-billion-by-2022/ (April 2017)
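Slides 29 through 31 define FAR, FRR and EER and then point out that a FAR figure means little without the FRR and the number of attempts allowed. The following added Python example (written for this page, not taken from the talk, EyeVerify or any vendor) computes all three from two constructed lists of comparison scores, sweeps the threshold to show the convenience-versus-security trade, and turns a per-attempt FAR into the probability that an impostor gets in within several tries. The score lists and the attempt counts are constructed sample data; the 1/50,000 and 10% limits are the figures quoted on slide 31.

```python
"""FAR, FRR and EER from comparison scores, plus the multi-attempt view.
Added example for this page; the score lists are constructed, not measured data."""
from typing import List, Tuple

# Constructed similarity scores (higher = more alike), one per comparison.
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.81, 0.79, 0.75, 0.70, 0.66, 0.61, 0.55, 0.48]
IMPOSTOR_SCORES: List[float] = [0.05, 0.10, 0.18, 0.22, 0.30, 0.35, 0.41, 0.47, 0.52, 0.60]


def far(impostor: List[float], threshold: float) -> float:
    """False accept rate: impostor comparisons accepted (score >= threshold) / impostor comparisons."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: List[float], threshold: float) -> float:
    """False reject rate: genuine comparisons rejected (score < threshold) / genuine comparisons."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold and return (EER, threshold)
    at the point where FAR and FRR are closest; EER is reported as their mean."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, (a + r) / 2, t)
    return best[1], best[2]


def impostor_success_within(far_value: float, attempts: int) -> float:
    """Probability that at least one of `attempts` independent impostor presentations is accepted."""
    return 1 - (1 - far_value) ** attempts


def genuine_locked_out(frr_value: float, attempts: int) -> float:
    """Probability that the genuine user is rejected on every one of `attempts` tries
    (and so falls back to the secondary authentication mechanism)."""
    return frr_value ** attempts


def meets_android_limits(far_value: float, frr_value: float) -> bool:
    """Check a measured pair against the limits quoted on slide 31: FAR <= 1/50,000, FRR <= 10%."""
    return far_value <= 1 / 50_000 and frr_value <= 0.10


if __name__ == "__main__":
    eer, t = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.1%} at threshold {t}")
    for t in (0.48, 0.55, 0.61):  # lower threshold = convenience, higher = security
        print(f"t={t}: FAR={far(IMPOSTOR_SCORES, t):.0%} FRR={frr(GENUINE_SCORES, t):.0%}")
    print(f"FAR 1/50,000, 5 impostor attempts: {impostor_success_within(1 / 50_000, 5):.6f}")
    print(f"FRR 10%, 3 genuine attempts all rejected: {genuine_locked_out(0.10, 3):.3f}")
```

On the constructed data the EER is 10% at threshold 0.55; moving the threshold to 0.48 drops FRR to 0 but doubles FAR, and 0.61 does the reverse. The multi-attempt function is the check to run against a quoted FAR: five tries at 1/50,000 is roughly a 1-in-10,000 chance, so the lockout policy is part of the effective strength, not a separate usability detail.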
  • 32. FRR at Varying FAR, September 2015
    EyeVerify: two studies for Eyeprint ID, mobile.
    Source: http://www.eyeverify.com/independent-accuracy-studies
  • 33. Not All FARs are Created Equal
      o Synthetic versus real data.
      o Calculated versus claimed.
    Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
  • 35. Presentation Attack Detection (PAD), Anti-Spoofing
      o Active: the user must participate (blink, smile, turn head).
      o Passive: user participation is not needed; hardware or software algorithms.
    NIST: PAD should detect spoofing 90% of the time.
    Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
    Source: https://www.qafis.com/anti-spoofing
  • 36. Presentation Attack Detection (PAD), Using Algorithms
    Using Local Binary Patterns (LBP) as PAD:
      (a) Bona fide image
      (b) Laser printer artefact
      (c) Inkjet printer artefact
      (d) Display attack using iPad
    Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
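Slide 36 names Local Binary Patterns (LBP) as a PAD feature without showing what the feature is. The added Python example below (written for this page; it is not the survey's code) computes the 8-neighbour LBP code of a pixel, builds the normalised 256-bin LBP histogram of an image, and compares histograms with a chi-square distance. Printed and displayed artefacts lose the fine micro-texture of live skin, which shifts the LBP histogram; a real PAD trains a classifier on such histograms, whereas this example uses a nearest-reference decision between two constructed reference histograms (a checkerboard standing in for textured bona fide skin, a plain gradient standing in for a smoothed artefact). The images, the reference choice and the decision rule are all constructed for illustration.

```python
"""Local Binary Patterns (LBP) as a presentation-attack feature.
Added example for this page, not the survey's code; images are constructed 2-D lists."""
from typing import List

Image = List[List[int]]  # 8-bit grey levels, row-major


def lbp_code(img: Image, y: int, x: int) -> int:
    """8-neighbour LBP code at (y, x): walk the neighbours clockwise from the
    top-left, setting a bit when the neighbour is >= the centre pixel."""
    c = img[y][x]
    neighbours = [
        img[y - 1][x - 1], img[y - 1][x], img[y - 1][x + 1], img[y][x + 1],
        img[y + 1][x + 1], img[y + 1][x], img[y + 1][x - 1], img[y][x - 1],
    ]
    code = 0
    for v in neighbours:
        code = (code << 1) | (1 if v >= c else 0)
    return code


def lbp_histogram(img: Image) -> List[float]:
    """Normalised 256-bin histogram of LBP codes over all interior pixels."""
    counts = [0] * 256
    h, w = len(img), len(img[0])
    for y in range(1, h - 1):
        for x in range(1, w - 1):
            counts[lbp_code(img, y, x)] += 1
    n = (h - 2) * (w - 2)
    return [c / n for c in counts]


def chi_square(h1: List[float], h2: List[float]) -> float:
    """Chi-square distance between two histograms (bins with no mass are skipped)."""
    return sum((a - b) ** 2 / (a + b) for a, b in zip(h1, h2) if a + b > 0)


def is_presentation_attack(hist: List[float], bona_fide_ref: List[float],
                           attack_ref: List[float]) -> bool:
    """Nearest-reference decision (a stand-in for the trained classifier a real PAD uses):
    flag the sample if its LBP histogram is closer to the attack reference."""
    return chi_square(hist, attack_ref) < chi_square(hist, bona_fide_ref)


# Constructed stand-ins: a checkerboard keeps fine texture (bona fide), a gradient has none (artefact).
def checkerboard(size: int, hi: int = 200, lo: int = 50) -> Image:
    return [[hi if (x + y) % 2 == 0 else lo for x in range(size)] for y in range(size)]


def gradient(size: int, step: int = 10) -> Image:
    return [[step * x for x in range(size)] for _ in range(size)]


BONA_FIDE_REF = lbp_histogram(checkerboard(6))
ATTACK_REF = lbp_histogram(gradient(6))

if __name__ == "__main__":
    samples = (("textured sample", checkerboard(8, 180, 60)), ("smooth sample", gradient(8, 5)))
    for name, img in samples:
        verdict = is_presentation_attack(lbp_histogram(img), BONA_FIDE_REF, ATTACK_REF)
        print(f"{name}: {'presentation attack' if verdict else 'bona fide'}")
```

Note that LBP is invariant to the absolute grey level (the 180/60 sample lands on the same codes as the 200/50 reference), which is why it is used for texture-based PAD; the decision quality in practice comes from the classifier and the training data behind it, not from the LBP operator itself.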
  • 38. PAD for Finger: Implement in Hardware, Software, or Both
    Software: assess characteristics of the sample, such as sharpness of lines and presence of pores.
      o Easier to implement.
      o Easier to update, including over the air (OTA), as anti-spoofing techniques improve.
      o Leverages machine learning.
    Hardware: requires additional capabilities in the fingerprint scanner (ability to sense pulse, temperature, and capacitance), none of which can be done in software alone.
      o Greater ability to detect “liveness” of the finger being scanned.
      o More expensive.
      o Consumes more power.
      o May introduce latency if, for example, there is a need to sense multiple heartbeats.
    Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
  • 39. Presentation Attack Detection (PAD), Genuine or Spoof?
    Source: https://www.semanticscholar.org/paper/Face-Spoof-Detection-With-Image-Distortion-Wen-Han/cdac436dcebe8b2c90a8de5479bd3bbd8d9a087f
  • 40. What is the Attack Model? How Measure the Strength of Biometric Recognition for Authentication?
    Graphic: https://www.airloom.com/technology/security-as-a-service/
  • 41. Biometric System Attack Diagram (Ratha 2001, ISO 2006, NIST 2015)
    Demonstrate at least 90% resistance to presentation attacks.
    Processing chain: Data Capture → Signal Process → Compare → Decision, with Data Storage feeding the comparator.
    Attack points shown in the diagram:
      o Presentation Attack (at the capture device)
      o Override Capture Device
      o Extract/Modify Biometric Sample
      o Override Signal Processor
      o Modify Probe
      o Override Comparator
      o Modify Score
      o Override Decision Engine
      o Modify Decision
      o Override Database
      o Modify Biometric Reference
    Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
  • 42. Strength of Function for Authenticators (SOFA) - Biometrics
    Measurement of biometric system strength (NIST, ISO/IEC, FIDO):
      o Provide a level of quantitative assurance.
      o Outline a process to support evaluation of biometric authenticators.
    SOFA equation inputs:
      o Level of Effort
      o PAD Error Rate (PADER)
      o False Match Rate (FMR)
      o False Non-Match Rate (FNMR)
    Source: https://pages.nist.gov/SOFA/
    Source: https://www.secureidnews.com/news-item/sofa-b-enabling-organizations-to-measure-the-strength-of-biometric-technologies/?tag=biometrics
  • 43. SOFA-B (NIST, April 2017)
    ZeroInfo case: no masquerade attempt; brute force, no knowledge of the target.
    Targeted case: create a sample that resembles the individual’s biometric characteristic.
    Source: https://www.nist.gov/sites/default/files/documents/2016/11/21/sofa_discussiondraftoverview-v1_1.pdf (April 2017)
  • 44. Level of Effort
    Presentation attacks are rated on:
      o Time
      o Expertise
      o Equipment
    Police 3D-printed a murder victim’s finger to unlock his phone.
    Source: https://pages.nist.gov/SOFA/
    Source: http://www.theverge.com/2016/7/21/12247370/police-fingerprint-3D-printing-unlock-phone-murder (2016)
  • 45. SOFA-B (NIST, April 2017): Call to Action
    Provide comments: https://github.com/usnistgov/SOFA/issues/
    Source: https://github.com/logos
  • 46. Presentation Attack Detection (PAD), Emerging Standards
      o ISO/IEC DIS 30107-2 Information technology -- Biometric presentation attack detection -- Part 2: Data formats
      o ISO/IEC FDIS 30107-3 Information technology -- Biometric presentation attack detection -- Part 3: Testing and reporting
      o NEW: April 28, 2017, Part 4
    Source: https://www.iso.org/standard/53227.html
  • 47. Presentation Attack Detection (PAD) for Mobile Devices
    ISO/IEC 30107-4 Biometric presentation attack detection – Profile for evaluation of mobile devices. Addresses spoofing and presentation attacks against mobile devices.
    Presentation Attack Detection (PAD) includes:
      o Fake fingerprints.
      o Video replays.
      o Voice recordings.
    Concern for commercial and government agencies that rely on mobile device authentication for transactions and identity confirmation.
    Source: https://www.iso.org/standard/53227.html
    Source: https://cacm.acm.org/magazines/2016/4/200169-multimodal-biometrics-for-enhanced-mobile-device-security/abstract
    Source: http://www.planetbiometrics.com/article-details/i/5803/ (April 2017)
    Source: http://profit.ndtv.com/news/life-and-careers/article-new-smartphone-from-infocus-to-support-aadhaar-authentication-1634102
  • 49. Biological Biometrics: Issues
      1. Difficult to reset, revoke.
      2. Not secret.
      3. Biometric samples are different each time they are captured.
      4. Exist in the public domain, and elsewhere (5.6M+ fingerprints stolen in the 2015 OPM breach1).
      5. May undermine privacy, make identity theft more likely.2
      6. Persist in government and private databases, accreting information whether we like it or not.3
      7. User acceptance or preference varies by geography and demographic.
      8. Difficult to measure the strength of one biometric recognition system, or compare it with another.
      9. Liveness detection and other PAD methods are not hidden from impostors.
      10. Difficult to ascertain vendor components, algorithm ID, sensor ID.
    1Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
    2Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdf
    3Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
    Photo: http://www.rineypackard.com/facial-recognition.php
  • 50. Master Key to Unlock Finger Sensors?
    Nasir Memon, Professor of Computer Science and Engineering, New York University.
    Computer simulations:
      o Created “MasterPrints”.
      o Matched prints 65% of the time.
    Source: https://www.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html?_r=2 (April 2017)
  • 52. “Thought Auth”1
    EEG biosensor:
      o MindWave™ headset.2
      o Measures brainwave signals.
      o EEG monitor.
      o International Conference on Financial Cryptography and Data Security (2013).3
    Facebook telepathy.
    1Source: Clare Nelson, March 2015
    2Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
    3Source: http://www.technewsworld.com/story/77762.html
  • 53. Homomorphic Encryption
    VTT Technical Research Centre, Finland:
      o Biometric recognition for MFA; risk that a person’s biometric identifiers leak out of the database.
      o Protect biological or behavioral biometric data.
      o Uses homomorphic encryption.
    Source: http://www.vttresearch.com/media/news/vtts-encryption-method-takes-authentication-to-a-new-level
  • 54. Touchless, 4-Finger Biometric Recognition
    Veridium:
      o Captures all four fingerprints at once.
      o Increases the complexity of the data collected.
      o Enhances overall security well beyond partial prints, like those captured by sensor-based mobile fingerprint solutions.
      o Needs only a 5MP camera and LED flash.
      o Claims FRR 1.0% at FAR 0.01%.
    Source: https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
    Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
    Source: http://www.goodeintelligence.com/report/mobile-wearable-biometric-authentication-market-analysis-forecasts-2017-2022/
  • 56. We Stand on the Shoulders of Giants
    John Daugman, Sébastien Marcel, Anil Jain, Christoph Busch.
    Source: https://alchetron.com/John-Daugman-489257-W
    Source: http://www.idiap.ch/~marcel/professional/Welcome.html
    Source: https://www.egr.msu.edu/people/profile/jain
    Source: http://nislab.no/people/norwegian_information_security_laboratory/professors/christoph_busch
  • 57. Questions?
    Clare Nelson, CISSP, CIPP/E, @Safe_SaaS, clare_nelson@clearmark.biz
    Presentation posted: SlideShare
    Graphic: https://www.airloom.com/technology/security-as-a-service/
  • 58. Terms
    Biometric data processing: biometric system data processing including capture, quality assessment, presentation attack (spoof) detection, feature extraction, database enrollment, fusion, matching, and decision processes.
    Biometric sensors and hardware: variation and types of biometric sensors and technology (e.g. capacitive, thermal, optical, infrared, multi-spectrum) required to capture high-quality samples for various modalities and applications.
    Biometric system integration: the hardware and software interfacing necessary to produce a functioning biometric system optimized for a specific application, including proper utilization of biometric software development kits.
    Biometric system performance: system performance and metrics including Equal Error Rate (EER), False Accept Rate (FAR), False Reject Rate (FRR), False Match Rate (FMR), False Non-Match Rate (FNMR), detection error tradeoff (DET) and receiver operating characteristic (ROC) curves, genuine and impostor score histograms, and considerations for threshold optimization for population, operating environment, and application requirements.
    Biometric standards: NIST, ISO, FIDO standards.
    Enrollment and capture processes: considerations for enrollment and live capture processes and errors such as failure to acquire (FTA) and failure to enroll (FTE).
    Sample quality: biometric sample quality has a direct measurable impact on the performance of the system; proper quality assessment algorithms and thresholds ensure the integrity of enrolled biometric templates.
    Spoofing and presentation attack detection: recognizing and preventing attempts to use manufactured or fake biometric samples (also known as liveness detection).
    Verification and Identification: verification processes require a one-to-one comparison between biometric samples to make a matching decision, while identification processes require one-to-many matching, where a sample (probe) is compared to a database (gallery) to obtain a ranked candidate list.
    Physiological and behavioral modalities: biometric traits (i.e. fingerprint, face, iris, voice, vascular, DNA) and their characteristics of universality, uniqueness, permanence, measurability, performance, acceptability, and circumvention.
    Soft biometrics: height, weight, skin color, scars, marks, tattoos.
    Multimodal biometrics: combining (or fusing) biometric traits to improve decision accuracy, hinder spoofing, and account for unavailability of biometric traits.
    Source: http://www.idtp.com/identity/
  • 60. References
      o Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
      o Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
      o IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
      o Six technologies that are taking on the password, UN/HACKABLE, Medium
      o Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
      o Nelson, Clare; Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
      o Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
      o Pagliery, Jose; OPM hack’s unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
      o Bonneau, Joseph, et al; Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
      o White, Conor; CTO, Daon; Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
      o Gioria, Sébastien; OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
  • 61. References
      o Steves, Michelle, et al; NISTIR, Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
      o Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-fingerprints/?mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhokz2EFye%2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhXlDQ%3D%3D (September 2015)
      o Perrot, Didier; There’s No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)
      o Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/
      o AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/
      o Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems, https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-Whitepaper-v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite]
      o Jankovich, Thomas; “Blockchain Makes Digital ID a Reality,” https://finxtech.com/2016/12/02/blockchain-makes-digital-id-reality/ (December 2016)
      o Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age, http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013)
      o NSTIC Paper
      o MyData Identity Network based on User Managed Access (UMA), https://docs.google.com/presentation/d/1j3aX8AQGdVtigF1WZouL8WccmYQzZQQje3wuaC2Zb1I/edit#slide=id.g1386e8a6aa_2_9 14
  • 62. References
      o Kung, S.Y.; Biometric Authentication: A Machine Learning Approach, Prentice Hall (2005)
      o mikeh; Machine Learning and Biometrics, Neya Systems blog, http://neyasystems.com/machine-learning-biometrics/ (March 23, 2013)
  • 64. Clare Nelson, @Safe_SaaS Artificial Dog Nose It smells you once, and knows you forever. Matt Staymates, a mechanical engineer at NIST. • Schlieren imaging system, visualizes flow of vapors into an explosives detection device fitted with an artificial dog nose, mimics "active sniffing" of a dog. • Artificial dog nose developed by Staymates and colleagues at NIST, MIT Lincoln Laboratory, FDA. • Improves trace chemical detection as much as 16-fold. Source: http://phys.org/news/2016-12-scientists-artificial-dog-nose-mimics.html Photo: http://dogs.petbreeds.com/l/95/Labrador-Retriever
  • 65. Clare Nelson, @Safe_SaaS Presentation Attack Detection (PAD) Source: https://www.iso.org/standard/53227.html
  • 66. Clare Nelson, @Safe_SaaS Types of Detection Source: https://www.nist.gov/sites/default/files/documents/2016/11/30/401_newton.pdf Vendor ID, Algorithm ID, and Sensor ID
  • 67. Graphic: https://www.airloom.com/technology/security-as-a-service/ Is it Better to Store Biometric Information on Mobile Device, or a Centralized Server? What Does the FIDO Alliance Recommend?
  • 68. Clare Nelson, @Safe_SaaS Store Biometrics on Personal Device or Server? Source: Webinar by Forrester and Nok Nok Labs, February 1, 2017 Graphic: http://findbiometrics.com/topics/fido-alliance/ Graphic: https://www.carphonewarehouse.com/apple/iphone-6.html Graphic: http://kryptostech.com/server-management/ Graphic: http://www.planetbiometrics.com/article-details/i/5463/desc/facebook-rolling-out-support-for-fido/ Enroll, biometrics only stored on personal device (FIDO Alliance, others). • Biometrics remain on the device, are not transmitted. • Not susceptible to theft by insiders or identity thieves who can access a server repository. Enroll, biometrics stored on server. • No-password model. • Works if no mobile phone, works with land line. • Works if person calls in. • Privacy concerns. • Susceptible to theft, unwanted modification by insiders or identity thieves.
  • 69. Clare Nelson, @Safe_SaaSSource: https://www.iso.org/obp/ui/#iso:std:iso-iec:2382:-37:ed-2:v1:en (2017) Spoofing, Biometric Presentation Attack Biometric Presentation Attack Presentation to the biometric capture system with the goal of interfering with the operation of the biometric system.
  • 70. Clare Nelson, @Safe_SaaSSource: http://livdet.org/index.php Presentation Attack Detection, Liveness Detection Competition Hosts: University, Notre Dame University, West Virginia University, and Warsaw University of Technology This will be held as part of the IJCB 2017. The competition has two sub-competitions: • Part I: Software-based • Part II: System-based Test International Joint Conference on Biometrics
  • 71. Clare Nelson, @Safe_SaaS IARPA Face Recognition Algorithm Contest Source: https://www.challenge.gov/challenge/face-recognition-prize-challenge/ (April 2017) Face Identification and Face Verification • 1-to-1 compare. • 1-to-many compare. • “Face recognition is hard.” • Algorithms commit false negative and false positive errors.  Head pose, illumination, and facial expression. Looking for advancements in face recognition accuracy.
  • 72. Clare Nelson, @Safe_SaaS Face Recognition Algorithm Evaluation Source: https://www.nist.gov/programs-projects/face-recognition-vendor-test-frvt-ongoing Source: http://www.planetbiometrics.com/article-details/i/5406/desc/nist-to-hold-new-round-of-face-recognition-algorithm-evaluation/ Face Recognition Algorithm Evaluation • Includes verification of:  Visa images.  De-duplication of passports.  Recognition across photojournalism images.  Identification of child exploitation victims. • Part of the Face Recognition Vendor Test (FRVT). • Results will be posted to the NIST website.
  • 73. Clare Nelson, @Safe_SaaS November 2016 NIST Algorithm Test Results, Finger Source: https://www.innovatrics.com/awards/pft/ • FMR = Fail Match Rate • FNMR = Fail Non-Match Rate • POEBVA = Point of Entry BVA (Data used for compliance testing)  BVA = German Federal Office of Administration Assess the core algorithmic capability to perform one-to-one verification.
  • 74. Presentation Attack Detection (PAD) Techniques
    • Liveness detection: facial thermogram, blood pressure, fingerprint sweat, specific reflection properties of the eye, pulse, perspiration, pupillary unrest (hippus), brain wave signals (EEG), or electric heart signals.
    • Protect the system against the injection of reconstructed or synthetic samples into the communication channel between the sensor and the feature extractor.
    • Fusion strategies to increase resistance: multimodal (use more than one biometric), or combine a unimodal biometric with an anti-spoofing technique. The resulting score reflects more than one input, unknown to the attacker.
    Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
  • 75. Quantum Biometrics (April 2017)
    The human eye can detect a single photon; identify individuals by the way their eyes detect photons.
    • Beam a random pattern of flashes into the eye.
    • Vary the intensity of light in each flash.
    The pattern is detected as recognizable by a person with a specific alpha map but seems random to anyone else.
    Source: https://www.technologyreview.com/s/604266/quantum-biometrics-exploits-the-human-eyes-ability-to-detect-single-photons/?utm_campaign=add_this&utm_source=twitter&utm_medium=post
  • 76. Fusion Strategies: Example of Face and Finger
    Better accuracy:
    • Bimodal biometric system using face and fingerprint.
    • Salient features of the face and fingerprint were extracted and fused (combined).
    Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
    Source: http://www.iphonehacks.com/2017/01/synaptics-launches-multi-factor-facial-fingerprint-recognition-engine-smartphones-tablets.html
  • 77. Existing and Emerging Methods and Standards, Increased Synergy
    Determine how well biometric recognition solutions work:
    • Measure strength: use NIST SOFA-B.
      o NIST is creating synergy with ISO/IEC and FIDO.
    • Test face or finger recognition algorithms with NIST.
    • In future, FIDO certification for biometrics.
    • ISO/IEC standards for PAD, for mobile.
    • PAD algorithms.
    • Increased understanding of FAR, FRR, EER.
    • Accredited, third-party testing of all or part of the biometric recognition system.
      o iBeta
    • Usability research and testing.
    • Contests, e.g., LivDet, IARPA.
    • If biometrics are stored only on the device, provide a free version to test accuracy and usability; otherwise it is difficult to get feedback.
    • Research institutes, e.g., IDIAP Research Institute in Switzerland.
    Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
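Slides 73, 74, 76 and 77 refer to the match/non-match error rates of a single matcher, to the equal error rate (EER), and to score-level fusion of two modalities as a way to make the decision depend on more than one input. The following is an added worked example written for this deck; it is not code from the presentation, from NIST, or from the MSU or Synaptics work cited above. All matcher scores are constructed by hand, the roles "matcher A = face, matcher B = fingerprint" are assumed, and the fusion rule (weighted sum after min-max normalisation) is one common textbook rule, not the adaptive fusion of the cited paper. The example computes FMR and FNMR at a chosen threshold, sweeps thresholds to find the EER operating point for each matcher alone and for the fused score, and then checks how a presentation that scores well on only one modality fares against the fused threshold.

```python
"""Score-level fusion of two biometric matchers, with FMR / FNMR / EER.

Added worked example for this deck; not code from the presentation, from
NIST, or from any vendor. All matcher scores below are constructed by hand
(not measured data). Convention: higher score = stronger evidence that the
probe and the enrolled reference belong to the same person.
"""
from typing import List, Optional, Sequence, Tuple

Pair = Tuple[float, float]  # (score from matcher A, score from matcher B)

# Constructed comparison scores on a 0..100 scale. Matcher A stands in for a
# face matcher and matcher B for a fingerprint matcher (assumed roles).
GENUINE: List[Pair] = [   # same-person comparisons
    (88, 91), (79, 85), (92, 60), (70, 88), (83, 77), (61, 90), (90, 82), (75, 72),
]
IMPOSTOR: List[Pair] = [  # different-person comparisons
    (30, 25), (65, 20), (40, 68), (22, 35), (71, 30), (35, 74), (50, 45), (28, 60),
]


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FMR, FNMR) when a comparison is accepted iff score >= threshold.

    FMR  = fraction of impostor comparisons that are wrongly accepted.
    FNMR = fraction of genuine comparisons that are wrongly rejected.
    """
    fmr = sum(1 for s in impostor if s >= threshold) / len(impostor)
    fnmr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return fmr, fnmr


def equal_error_rate(genuine: Sequence[float],
                     impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Sweep every observed score as a threshold; return (threshold, FMR, FNMR)
    at the operating point where |FMR - FNMR| is smallest (the EER point)."""
    best: Optional[Tuple[float, float, float]] = None
    for t in sorted(set(genuine) | set(impostor)):
        fmr, fnmr = error_rates(genuine, impostor, t)
        if best is None or abs(fmr - fnmr) < abs(best[1] - best[2]):
            best = (t, fmr, fnmr)
    assert best is not None
    return best


class MinMaxFusion:
    """Weighted-sum fusion after min-max normalisation of each matcher.

    Normalisation bounds are estimated from the pooled genuine + impostor
    scores (the "training" set); scores outside the bounds are clamped.
    """

    def __init__(self, pairs: Sequence[Pair], w_a: float = 0.5) -> None:
        a_scores = [a for a, _ in pairs]
        b_scores = [b for _, b in pairs]
        self.a_min, self.a_max = min(a_scores), max(a_scores)
        self.b_min, self.b_max = min(b_scores), max(b_scores)
        self.w_a = w_a

    @staticmethod
    def _norm(s: float, lo: float, hi: float) -> float:
        return min(1.0, max(0.0, (s - lo) / (hi - lo)))

    def fused(self, pair: Pair) -> float:
        a, b = pair
        return (self.w_a * self._norm(a, self.a_min, self.a_max)
                + (1 - self.w_a) * self._norm(b, self.b_min, self.b_max))


def unimodal_eers() -> Tuple[float, float]:
    """EER of matcher A alone and of matcher B alone."""
    eer_a = equal_error_rate([a for a, _ in GENUINE], [a for a, _ in IMPOSTOR])[1]
    eer_b = equal_error_rate([b for _, b in GENUINE], [b for _, b in IMPOSTOR])[1]
    return eer_a, eer_b


def fused_operating_point() -> Tuple[float, float, float]:
    """(threshold, FMR, FNMR) at the EER point of the fused score."""
    fusion = MinMaxFusion(GENUINE + IMPOSTOR)
    return equal_error_rate([fusion.fused(p) for p in GENUINE],
                            [fusion.fused(p) for p in IMPOSTOR])


def accepts(pair: Pair, threshold: float) -> bool:
    """Decision for one presentation against the fused operating point."""
    return MinMaxFusion(GENUINE + IMPOSTOR).fused(pair) >= threshold


if __name__ == "__main__":
    print("matcher A alone at threshold 75 (FMR, FNMR):",
          error_rates([a for a, _ in GENUINE], [a for a, _ in IMPOSTOR], 75))
    print("unimodal EERs (A, B):", unimodal_eers())
    t, fmr, fnmr = fused_operating_point()
    print(f"fused EER point: threshold={t:.3f} FMR={fmr} FNMR={fnmr}")
    # Constructed presentation that scores high on A only: at the fused
    # operating point one strong modality does not carry the decision.
    print("high-A / low-B presentation accepted?", accepts((95, 25), t))
```

On these constructed scores each matcher alone has an EER of 0.125, while the fused score separates the genuine and impostor sets completely, so FMR and FNMR are both zero at its EER threshold; a presentation of (95, 25) lands well below that threshold. The caveat a practitioner should keep in mind is that the fusion weights and the normalisation bounds are themselves estimated from data, so the fused operating point must be re-measured on a held-out set before any FMR/FNMR figure is quoted.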
  • 78. Presentation Attack Detection (PAD) Algorithms
    Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
  • 79. Argument for Behavioral Biometrics
    "Adding any new static user credentials like longer passwords or [biological] biometrics is futile." – Trusona
    Source: https://www.trusona.com/patented-anti-replay/
    Source: https://en.wikipedia.org/wiki/Albert_Einstein
  • 80. Behavioral Biometrics
    • Requires JavaScript.
    • Learning curve.
    • Privacy impact from constant monitoring.
    • Behavior varies: injury to the hand, intoxication.
    Source: http://www.behaviosec.com
  • 81. What is Multimodal Biometric Recognition? Why is its Adoption Growing?
    Graphic: https://www.airloom.com/technology/security-as-a-service/
  • 82. Multimodal Biometrics Research from California State University, Fullerton
    • Use ear plus face and fingerprint.
    • Multimodal biometrics adds a layer of security to existing mobile device security.
    Researchers claim some mobile biometric recognition for authentication suffers from:
    • Poor quality mobile hardware.
      o Camera.
      o Microphone.
    • Environmental conditions.
      o Lighting.
      o Background noise.
    • User error.
    • Use of unimodal biometrics, which is less secure.
    Source: https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
    Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
    Graphic: http://www.rd.com/health/wellness/unique-body-parts/
  • 83. Google Trust API
    Get rid of the password:
    • How you swipe
    • How you move
    • How you type
    • How you talk
    • Your face
    • Combine all of the above for multimodal recognition
    Timeline:
    • First announced as Project Abacus
    • Now called Trust API
    Source: http://www.itshacking.xyz/good-bye-passwords-as-google-plans-a-different-verification-option/
    Source: https://techcrunch.com/2015/05/29/googles-atap-wants-to-eliminate-passwords-for-good/
  • 84. Types of Spoofing
    Source: https://www.iso.org/standard/53227.html
  • 85. Acoustic Ear-Shape Biometric Authentication (NEC)
    A microphone embedded within an earphone analyzes the resonance of sounds within the ear cavity in order to produce a biometric profile. Requires earphones.
    Source: http://www.handsonlabs.org/nec-developing-acoustic-ear-shape-biometric-authentication-solution/
    Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
  • 87. Spoofing
    The ability to fool a biometric system into recognizing an illegitimate user as a genuine one by presenting a synthetic or forged version of the original biometric trait to the sensor.
    Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
    Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
    Source: https://www.slideshare.net/SBAResearch/31c3-in20min
  • 88. Spoofing
    • Types of fake fingerprints (figure: real versus fake samples).
    • Fake eye images, contact lenses, etc., enable attackers to fake an iris sample.
    Source: https://www.linkedin.com/pulse/biometric-spoofing-nadh-thota
    Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
  • 89. Face Spoofing
    Matching 2.5D face scans to 3D models.
    Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
    Source: https://www.computer.org/csdl/trans/tp/2006/01/i0031.html