Biometric Recognition for Authentication, BSides Austin, May 2017
1. Biometric Recognition for Multi-Factor Authentication: How to Measure Strength? Which Modality is Best?
Clare Nelson, CISSP, CIPP/E
@Safe_SaaS
clare_nelson @ clearmark.biz
Presentation Posted on SlideShare: https://www.slideshare.net/eralcnoslen/biometric-recognition-for-authentication-bsides-austin-may-2017
May 5, 2017
3. Clare Nelson, @Safe_SaaS
The views presented herein,
expressed in any form, represent
my personal views, and do not
reflect the views of my employer.
Graphic: http://rununcensored.com/wp-content/uploads/2013/06/disclaimer.jpg
4. Clare Nelson, @Safe_SaaS
Clare Nelson, CISSP, CIPP/E
Director, Office of the CTO at AllClear ID
Identity, Security, and Privacy
• Background
o Encrypted TCP/IP variants for NSA
o Product Management at DEC (HP), EMC2
o Director Global Alliances at Dell, Novell
o VP Business Development, TeaLeaf Technology (IBM), Mi3 Security
o CEO ClearMark Consulting, MFA Technology and Architecture
• 2001-2014 CEO ClearMark Consulting
• 2014 Co-founder C1ph3r_Qu33ns
• Publications include:
o 2010 August, ISSA Journal, Security Metrics: An Overview
o 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks: InfraGard, HackFormers; BSides Austin; LASCON; OWASP
AppSec USA, ISSA Austin; clients including Fortune 500
financial services, 2015 FTC Panel
• B.S. Mathematics
Graphic: http://www.activistpost.com/2015/09/fbi-biometrics-programs-surveillance-database.html
5. Clare Nelson, @Safe_SaaS
Contents
Biometric Recognition for Multi-Factor Authentication
1. Scope
2. The Problem
3. Definitions
4. How Well Does it Work?
5. Multimodal Biometric Recognition
6. Biometric Recognition is Probabilistic
7. Attack Vectors
8. How to Measure Biometric Recognition
9. The Future
10. Gratitude and Recognition
Graphic: http://www.computerhope.com/jargon/h/hacker.htm
How can you tell if it’s a bad guy?
6. Clare Nelson, @Safe_SaaS
How can you tell if it’s a bad guy?
Source: https://arstechnica.com/gadgets/2017/03/video-shows-galaxy-s8-face-recognition-can-be-defeated-with-a-picture/
Source: https://realizethelies.com/tag/facial-recognition-software/
Source: https://www.iso.org/standard/55194.html (2017)
                    Biometric Verification             Biometric Identification
Comparison          1-to-1                             1-to-Many
Purpose             Confirm or deny claimed identity   Identify a specific individual
Use Case Example    Mobile app authentication          Airport security
Biometric Recognition
Primary Focus: Biometric Recognition for Multi-Factor Authentication (MFA),
Mobile Use Case
Scope
(“Biometric Authentication” is deprecated)
8. Clare Nelson, @Safe_SaaS
Spoofing is Still Too Easy
Face Unlock
• Spoofed
2011 Galaxy Nexus
2017 Samsung S8
Source: http://www.dailystar.co.uk/tech/news/601633/Samsung-Galaxy-S8-face-recognition-privacy-security-warning
Source: http://www.androidpolice.com/2011/11/16/still-not-convinced-that-face-unlock-is-easily-fooled-by-a-photo-heres-another-video-showing-face-programming-and-photo-unlocking-from-start-to-end/
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments
There is no standard method for measuring strength, or comparing solutions.
10. Clare Nelson, @Safe_SaaS
Samsung Galaxy S8
Contrary to Earlier Reports:
• Will not let users authenticate payments
through facial recognition.
• Camera and deep learning technology:
Facial recognition for financial
transactions 4+ years away.
• Iris and fingerprint are more secure.
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April 2017)
Source: http://www.economist.com/blogs/economist-explains/2015/06/economist-explains-12
11. Clare Nelson, @Safe_SaaS
Why Care?
By 2022
• Market for mobile and wearable
biometric recognition for authentication
will exceed $6.2 billion.
• Over 3.3 billion users.
Source: https://webshop.bellabeat.com/
Source: http://www.goodeintelligence.com/press-releases/multi-modal-mobile-biometric-authentication-drives-revenues-to-over-6-2-billion-by-2022/ (April 2017)
13. Clare Nelson, @Safe_SaaS
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
Source: https://www.securetechalliance.org/publications-mobile-identity-authentication/
Know Have Are
Definition of Multi-Factor Authentication
Mobile Identity Authentication
March 27, 2017
14. Clare Nelson, @Safe_SaaS
Something You Are
Biological Biometrics
Behavioral Biometrics
Graphic: http://thepeepspot.com/9-best-compliments-to-make-a-woman-smile/
15. Clare Nelson, @Safe_SaaS
Biometric Recognition
Automated recognition of individuals based on
their biological and behavioral characteristics.
Source: http://biometrics.derawi.com/?page_id=101
Source: http://searchsecurity.techtarget.com/definition/biometric-authentication
Graphic: http://www.aspire-security.eu/access-control.html
Biometric Recognition Systems
Compare sample to template. On device, or server.
• Template is established during enrollment.
• If comparison score meets criteria, then recognition
is confirmed.
16. Clare Nelson, @Safe_SaaS
What is Feature Extraction?
Source: https://www.security-audit.com/files/ratha.pdf (2001)
Digital image of fingerprint.
• Includes ridge bifurcations and ridge
endings.
• Collectively referred to as minutiae.
Algorithm extracts features.
• Each feature has an (x, y) location and the ridge direction at that location (θ).
• Because of sensor noise and other variability in the imaging process, feature extraction may miss some minutiae and/or generate spurious minutiae.
• Due to the elasticity of human skin, the relationship between minutiae may be randomly distorted from one impression to the next.
Dimensionality Reduction
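The following Python is an added example, not code from the slides or from the Ratha 2001 paper it cites. It shows what a matcher does with the (x, y, θ) minutiae that feature extraction produces: a tolerance-based pairing that absorbs the noise described above (jittered positions and angles, a missed minutia, a spurious one), then the two uses of the resulting score from the scope slide: 1-to-1 verification of a claimed identity and 1-to-many identification returning a ranked candidate list. The templates, probe, tolerances and threshold are all constructed; the toy matcher assumes the probe is already aligned to the template, which real matchers handle with a rotation/translation estimate first.

```python
"""Added example (not from the slides or the Ratha 2001 paper): a toy minutiae
matcher over (x, y, theta) features, used for 1-to-1 verification and
1-to-many identification with a ranked candidate list. Templates, probe,
tolerances and threshold are all constructed for illustration."""
import math
from typing import Dict, List, Tuple

Minutia = Tuple[float, float, float]  # (x, y, ridge direction theta in degrees)

# Constructed enrollment templates, as feature extraction might produce them.
GALLERY: Dict[str, List[Minutia]] = {
    "alice": [(10, 12, 30), (40, 35, 95), (25, 60, 170), (70, 20, 45), (55, 75, 250)],
    "bob":   [(15, 80, 10), (60, 60, 120), (33, 33, 200), (80, 85, 300), (5, 50, 75)],
}

# Constructed probe from alice: each minutia jittered by a few pixels/degrees
# (skin elasticity, sensor noise), one minutia missed, one spurious minutia added.
PROBE_ALICE: List[Minutia] = [(12, 14, 35), (38, 37, 90), (27, 58, 165), (72, 18, 50), (90, 90, 0)]

POS_TOL = 6.0     # pixels of positional slack (assumed)
ANGLE_TOL = 15.0  # degrees of direction slack (assumed)
THRESHOLD = 0.6   # fraction of template minutiae that must match (assumed)


def angle_diff(a: float, b: float) -> float:
    """Smallest absolute difference between two directions, in degrees."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def match_score(probe: List[Minutia], template: List[Minutia]) -> float:
    """Fraction of template minutiae that pair with a distinct probe minutia within
    tolerance. Each probe minutia is consumed at most once, so spurious minutiae
    cannot be reused to inflate the score. Assumes probe and template are already
    aligned (real matchers estimate rotation/translation first)."""
    used = set()
    matched = 0
    for tx, ty, tth in template:
        for i, (px, py, pth) in enumerate(probe):
            if i in used:
                continue
            if math.hypot(px - tx, py - ty) <= POS_TOL and angle_diff(pth, tth) <= ANGLE_TOL:
                used.add(i)
                matched += 1
                break
    return matched / len(template) if template else 0.0


def verify(probe: List[Minutia], claimed_id: str, gallery: Dict[str, List[Minutia]],
           threshold: float = THRESHOLD) -> bool:
    """1-to-1 comparison: confirm or deny a claimed identity."""
    template = gallery.get(claimed_id)
    return template is not None and match_score(probe, template) >= threshold


def identify(probe: List[Minutia], gallery: Dict[str, List[Minutia]],
             top_k: int = 3) -> List[Tuple[str, float]]:
    """1-to-many comparison: rank every enrolled template by score."""
    ranked = sorted(((match_score(probe, t), name) for name, t in gallery.items()), reverse=True)
    return [(name, score) for score, name in ranked[:top_k]]


if __name__ == "__main__":
    print("verify as alice:", verify(PROBE_ALICE, "alice", GALLERY))
    print("verify as bob:  ", verify(PROBE_ALICE, "bob", GALLERY))
    print("identify:       ", identify(PROBE_ALICE, GALLERY))
```

With the constructed probe, four of alice's five template minutiae pair up (score 0.8) despite the jitter, the missed minutia and the spurious one, while bob's template scores 0.0; the same score function drives both the yes/no verification decision and the ranked identification list, which is why the error-rate vocabulary later in the deck applies to both modes.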
19. Clare Nelson, @Safe_SaaS
Biometric Modes, Endless Variations
• Face 2D, 3D.
• Pulse response, electric square pulse signal
• Fingerprints 2D, 3D via ultrasonic waves, in-display.
• Finger veins, Palm veins, Eye veins.
• Palm prints and/or the whole hand.
• Feet.
• Signature.
• Keystroke, typing, mouse, touch pad.
• Voice.
• Eyeprint, Iris, retina, features of eye movements.
• Face, head – its shape, specific movements.
• Ears, lip prints.
• How you sit.
• Gait, Odor, DNA.
• ECG (Bionym’s Nymi wristband, smartphone, laptop, car, home).
• EEG.1
• Tests: Microchip in Pills, Digital Tattoos.
• Smartphone/behavioral: Authenticate based on g-sensor and gyroscope,
how you write your signature in the air.2
• Hand movement when answering the smartphone, use data from the smartphone’s accelerometer, gyroscope, and light sensor.3
1Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
2Source: http://www.airsig.com
3Source: http://www.biometricupdate.com/201703/mobile-app-uses-hand-movement-to-authenticate-smartphone-owner
Source: http://www.cvphysiology.com/Arrhythmias/A009
21. Clare Nelson, @Safe_SaaS
Behavioral Biometrics: Implicit Authentication
Passive sensor data. How you walk, type, and sit.
Source: https://blog.unify.id/2016/09/12/unifyid-technical-overview/
23. Clare Nelson, @Safe_SaaS
Don’t Use as Single or Primary Factor
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Graphic: http://www.itproportal.com/2016/04/07/the-role-of-biometric-authentication-techniques-in-security/
Remote System Access
• Exclude biometrics as single or
primary authentication factor.
Biometric samples are not
secrets.
Biometric samples are
different each time they
are captured.
25. Clare Nelson, @Safe_SaaS
Contactless Biometric Recognition, Healthcare
Source: http://healthcare.fai.fujitsu.com/resource/essentials-to-achieve-optimal-clinical-workflow.pdf
Source: http://www.amfastech.com/2013/03/a-seminar-on-palm-vein-technology.html
Solution
• Palm vein
• Capture palm vein pattern with near-infrared rays
• Works with clinician, surgeon gloves
• Fujitsu data sheet
• FAR (false accept rate) = 0.00001%
• FRR (false reject rate) = 1.0%
26. Iris more accurate than face
Source: https://www.youtube.com/watch?v=KyDoFrojEYk&list=PLrUBqh62arzt_Uf_UamHtRFDYl1tpRVCK
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
NIST: Face versus Iris Recognition, Factor of 100,000 in Accuracy
Iris versus Face
But what is the user experience?
28. Clare Nelson, @Safe_SaaS
Biometrics Recognition is not 100% Reliable
• Every biometric recognition configuration must account for some
level of false negatives and false positives.
• In highly secure environments, false positives may present an
unacceptable risk.
• False negatives require a fallback authentication mechanism.
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
29. Clare Nelson, @Safe_SaaS
User Experience Versus Security
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
Source: http://www.descartesbiometrics.com/wp-content/uploads/2014/11/HELIX-Whitepaper.pdf
Convenience
Security
FAR
• Ratio of the number of false acceptances divided by the number of identification attempts
FRR
• Ratio of the number of false rejections divided by the number of identification attempts
EER
• Operating point at which the proportion of false acceptances equals the proportion of false rejections
30. Clare Nelson, @Safe_SaaS
Vocabulary, 2017 ISO/IEC 2382-37
Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-Paper-Understanding-Biometric-Performance-Evaluation.pdf
Source                  Associated Terms
Biometrics Text Books   FAR                 FRR
                        Type II             Type I
ISO/IEC                 More, detailed      More, detailed
NIST                    FMR                 FNMR
Risk                    False Positive      False Negative, False Reject, Insult Rate
Equal Error Rate (EER), also known as Crossover Error Rate (CER)
31. FAR, need to know FRR plus number of attempts
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
Source: http://www.goodeintelligence.com/press-releases/multi-modal-mobile-biometric-authentication-drives-revenues-to-over-6-2-billion-by-2022/ (April 2017)
Apple claims a FAR of 1/50,000 for Touch ID
• Out of 50,000 imposter comparisons, up to
one will be accepted as genuine.
• 1/50,000 = 0.002%.
Android
• Similar
Requires FAR not more than 0.002%
Recommends FRR no more than 10%
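The following Python is an added example, not code from the slides or from EyeVerify or Apple. It makes the FAR/FRR/EER definitions and the "need to know FRR plus number of attempts" point concrete: it computes FAR and FRR from genuine and impostor comparison scores, sweeps the threshold to find the EER, converts a per-attempt FAR into the probability that an impostor gets in within the allowed number of attempts, and shows how many impostor comparisons a test needs before a 1/50,000 claim can even be observed. The score lists are constructed; the 0.002% / 10% policy limits and the 1/50,000 figure are the ones quoted on the slides above, and the function names are mine.

```python
"""Added example (not from the slides): FAR, FRR and EER from comparison scores,
plus the attempt-count and sample-size arithmetic behind a claimed FAR.
All score values are constructed; the 0.002% FAR / 10% FRR limits are the
Android figures quoted on the slide."""
import math
from typing import List, Tuple

# Constructed similarity scores in [0, 1]; higher = closer to the enrolled template.
GENUINE_SCORES: List[float] = [0.91, 0.88, 0.95, 0.72, 0.84, 0.67, 0.93, 0.79, 0.86, 0.90]
IMPOSTOR_SCORES: List[float] = [0.12, 0.31, 0.45, 0.08, 0.52, 0.27, 0.66, 0.19, 0.38, 0.70]


def far_at(threshold: float, impostor: List[float]) -> float:
    """False accept rate: impostor comparisons scoring >= threshold / impostor comparisons."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr_at(threshold: float, genuine: List[float]) -> float:
    """False reject rate: genuine comparisons scoring < threshold / genuine comparisons."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_rate(genuine: List[float], impostor: List[float],
                     steps: int = 1000) -> Tuple[float, float]:
    """Sweep the decision threshold over [0, 1]; return (threshold, EER) at the
    point where FAR and FRR are closest (the crossover / EER operating point)."""
    best_t, best_gap, best_eer = 0.0, math.inf, 1.0
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_at(t, impostor), frr_at(t, genuine)
        if abs(far - frr) < best_gap:
            best_t, best_gap, best_eer = t, abs(far - frr), (far + frr) / 2
    return best_t, best_eer


def impostor_success_probability(far: float, attempts: int) -> float:
    """Chance that at least one of `attempts` independent impostor presentations is
    accepted. A per-attempt FAR alone says nothing until the retry limit is known."""
    return 1.0 - (1.0 - far) ** attempts


def min_impostor_comparisons(claimed_far: float) -> int:
    """Number of impostor comparisons in which a single false accept corresponds to
    the claimed rate; a test with fewer comparisons cannot observe that rate.
    Rounded to the nearest integer because claimed rates are quoted as 1-in-N."""
    return round(1.0 / claimed_far)


def meets_policy(threshold: float, genuine: List[float], impostor: List[float],
                 max_far: float = 0.00002, max_frr: float = 0.10) -> bool:
    """Android-style acceptance: FAR <= 0.002% and FRR <= 10% at the chosen threshold."""
    return far_at(threshold, impostor) <= max_far and frr_at(threshold, genuine) <= max_frr


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.3f} at threshold {t:.3f}")
    print("FAR 1/50,000 over 5 attempts:",
          f"{impostor_success_probability(1 / 50000, 5):.6f}")
    print("impostor comparisons needed to test 1/50,000:", min_impostor_comparisons(1 / 50000))
    print("10-sample set meets 0.002%/10% policy at 0.7?",
          meets_policy(0.7, GENUINE_SCORES, IMPOSTOR_SCORES))
```

Two things the numbers show: with only ten impostor samples the smallest non-zero FAR that can be measured is 10%, so a vendor quoting 0.002% must have run on the order of 50,000 impostor comparisons or is extrapolating from a model; and a 1/50,000 per-attempt FAR becomes roughly 1/10,000 once five retries are allowed, which is why the retry limit belongs next to the FAR in any comparison.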
32. Clare Nelson, @Safe_SaaS
FRR at Varying FAR
September 2015
Source: http://www.eyeverify.com/independent-accuracy-studies
EyeVerify: Two Studies for Eyeprint ID, Mobile
33. Clare Nelson, @Safe_SaaS
Not All FARs are Created Equal
• Synthetic versus real data.
• Calculated versus claimed.
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
35. Clare Nelson, @Safe_SaaS
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.qafis.com/anti-spoofing
Presentation Attack Detection (PAD), Anti-Spoofing
Anti-Spoofing
Anti-Spoofing
• Active: user must participate, blink,
smile, turn head
• Passive: user participation is not needed,
hardware or software algorithms.
NIST: PAD should detect spoofing 90% of the time
36. Clare Nelson, @Safe_SaaS
Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
Presentation Attack Detection (PAD), Using Algorithms
(a) Bona fide image
(b) Laser printer artefact
(c) Inkjet printer artefact
(d) Display attack using iPad
Using Local Binary Patterns (LBPs) as PAD
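The following Python is an added example, not code from the cited survey or from any PAD product. It computes the Local Binary Pattern descriptor that LBP-based face PAD uses as its feature: each pixel is encoded as an 8-bit code from comparing it with its eight neighbours, and the normalized histogram of those codes summarizes the micro-texture of the image, which is what differs between a live face and a print or a replayed display. The two 5x5 patches are constructed to show how an edge changes the histogram; the classifier that labels a histogram bona fide or artefact would be trained on labelled LBP histograms and is not included.

```python
"""Added example (not from the cited survey): computing the Local Binary Pattern
(LBP) texture descriptor that LBP-based face PAD uses as its feature. The images
are constructed; the classifier that labels a histogram bona fide or artefact
must be trained on labelled data and is not included."""
from typing import List

Image = List[List[int]]  # grayscale, row-major, values 0..255

# Eight neighbours, clockwise from top-left; the first neighbour maps to the high bit.
NEIGHBOURS = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]


def lbp_code(img: Image, r: int, c: int) -> int:
    """8-bit LBP code of the pixel at (r, c): a bit is set where neighbour >= centre."""
    centre = img[r][c]
    code = 0
    for bit, (dr, dc) in enumerate(NEIGHBOURS):
        if img[r + dr][c + dc] >= centre:
            code |= 1 << (7 - bit)
    return code


def lbp_histogram(img: Image) -> List[float]:
    """Normalized 256-bin histogram of LBP codes over all interior pixels."""
    hist = [0] * 256
    for r in range(1, len(img) - 1):
        for c in range(1, len(img[0]) - 1):
            hist[lbp_code(img, r, c)] += 1
    total = sum(hist) or 1
    return [h / total for h in hist]


def chi_square_distance(h1: List[float], h2: List[float]) -> float:
    """Chi-square distance between two histograms, a common LBP comparison metric."""
    return sum((a - b) ** 2 / (a + b) for a, b in zip(h1, h2) if a + b > 0)


# Constructed 5x5 patches: a uniform region and a region with a sharp vertical edge.
FLAT: Image = [[100] * 5 for _ in range(5)]
EDGE: Image = [[0, 0, 50, 200, 200] for _ in range(5)]


def describe(img: Image) -> List[int]:
    """Indices of the non-empty histogram bins, i.e. which LBP codes the patch contains."""
    return [code for code, v in enumerate(lbp_histogram(img)) if v > 0]


if __name__ == "__main__":
    print("codes in FLAT:", describe(FLAT))
    print("codes in EDGE:", describe(EDGE))
    print("chi-square distance FLAT vs EDGE:",
          round(chi_square_distance(lbp_histogram(FLAT), lbp_histogram(EDGE)), 3))
```

The uniform patch yields a single code (255, every neighbour equal to the centre), while the edge patch splits into two codes; on real face crops the same descriptor is what separates the smooth, regular texture of a printed or displayed face from the micro-texture of skin, and the histogram distance (or an SVM over the histogram, as in the survey) is what the PAD decision is made on.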
38. Clare Nelson, @Safe_SaaS
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
PAD for Finger: Implement in Hardware, Software, or Both
Software:
Assess characteristics of sample: sharpness of lines, presence of pores.
• Easier to implement.
• Easier to update, including over the air (OTA) as anti-spoofing
techniques improve.
• Leverage machine learning.
Hardware:
Requires additional capabilities in fingerprint scanner: ability to sense
pulse, temperature, and capacitance; none of which can be done in
software alone.
• Greater ability to detect “liveness” of finger being scanned.
• More expensive.
• Consumes more power.
• May introduce latency if, for example, there is a need to sense
multiple heartbeats.
41. Clare Nelson, @Safe_SaaS
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Biometric System Attack Diagram (Ratha 2001, ISO 2006, NIST 2015)
Demonstrate at least 90% resistance to presentation attacks.
Pipeline shown in the diagram: Data Capture, Signal Process, Compare, Decision, with Data Storage feeding the comparator.
Attack points marked on the diagram:
• Presentation Attack (at the capture device)
• Override Capture Device
• Extract/Modify Biometric Sample
• Override Signal Processor
• Modify Probe
• Override Comparator
• Modify Score
• Modify Biometric Reference
• Override Database
• Override Decision Engine
• Modify Decision
42. Clare Nelson, @Safe_SaaS
Source: https://pages.nist.gov/SOFA/
Source: https://www.secureidnews.com/news-item/sofa-b-enabling-organizations-to-measure-the-strength-of-biometric-technologies/?tag=biometrics
Strength of Function for Authenticators (SOFA) - Biometrics
Measurement of biometric system strength:
• Provide a level of quantitative assurance.
• Outline a process to support evaluation of
biometric authenticators.
NIST
ISO/IEC FIDO
SOFA Equation
• Level of Effort
• PAD Error Rate (PADER)
• False Match Rate (FMR)
• False Non-Match Rate (FNMR)
43. Clare Nelson, @Safe_SaaS
SOFA-B (NIST, April 2017)
Source: https://www.nist.gov/sites/default/files/documents/2016/11/21/sofa_discussiondraftoverview-v1_1.pdf (April 2017)
ZeroInfo case: No masquerade attempt, brute force, no knowledge.
Targeted case: Create a sample that resembles the individual biometric characteristic.
44. Clare Nelson, @Safe_SaaS
Source: https://pages.nist.gov/SOFA/
Source: http://www.theverge.com/2016/7/21/12247370/police-fingerprint-3D-printing-unlock-phone-murder (2016)
Presentation attacks
based on:
• Time
• Expertise
• Equipment
Level of Effort
Police 3D-printed a murder
victim's finger to unlock his
phone.
45. Clare Nelson, @Safe_SaaS
SOFA-B (NIST, April 2017)
Source: https://github.com/logos
Provide Comments:
https://github.com/usnistgov/SOFA/issues/
Call to Action
46. Clare Nelson, @Safe_SaaS
Presentation Attack Detection (PAD), Emerging Standards
Source: https://www.iso.org/standard/53227.html
ISO/IEC DIS 30107-2
Information technology -- Biometric presentation attack detection
-- Part 2: Data formats
ISO/IEC FDIS 30107-3
Information technology -- Biometric presentation attack detection
-- Part 3: Testing and reporting
NEW: April 28, 2017, Part 4
47. Clare Nelson, @Safe_SaaS
Presentation Attack Detection (PAD) for Mobile Devices
Source: https://www.iso.org/standard/53227.html
Source: https://cacm.acm.org/magazines/2016/4/200169-multimodal-biometrics-for-enhanced-mobile-device-security/abstract
Source: http://www.planetbiometrics.com/article-details/i/5803/ (April 2017)
Source: http://profit.ndtv.com/news/life-and-careers/article-new-smartphone-from-infocus-to-support-aadhaar-authentication-1634102
ISO/IEC 30107-4
Biometric presentation attack detection – Profile for
evaluation of mobile devices.
Address spoofing and presentation attacks against mobile
devices.
Presentation Attack Detection (PAD) includes:
• Fake fingerprints.
• Video replays.
• Voice recordings.
Concern for commercial and government agencies:
• Rely on mobile device authentication for transactions
and identity confirmation.
49. Biological Biometrics: Issues
1. Difficult to reset, revoke.
2. Not secret.
3. Biometric samples are different each time captured.
4. Exist in public domain, and elsewhere (5.6M+ fingerprints stolen in 2015 OPM breach1).
5. May undermine privacy, make identity theft more likely.2
6. Persist in government and private databases, accreting information whether we like it or not.3
7. User acceptance or preference varies by geography, demographic.
8. Difficult to measure strength of one biometric recognition system, or compare it with another.
9. Liveness detection and other PAD methods are not hidden from impostors.
10. Difficult to ascertain vendor components, algorithm ID, sensor ID.
1Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
2Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
3Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
Photo: http://www.rineypackard.com/facial-recognition.php
50. Clare Nelson, @Safe_SaaS
Master Key to Unlock Finger
Sensors?
Source: https://www.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html?_r=2 (April 2017)
Computer simulations
• Created Master Prints
• Matched prints 65% of time
Nasir Memon
Professor of Computer Science and Engineering
New York University
52. Clare Nelson, @Safe_SaaS
“Thought Auth”1
EEG Biosensor
• MindWave™ headset.2
• Measures brainwave signals.
• EEG monitor.
• International Conference on
Financial Cryptography and Data
Security (2013).3
1Source: Clare Nelson, March 2015
2Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
3Source: http://www.technewsworld.com/story/77762.html
Facebook telepathy
53. Clare Nelson, @Safe_SaaS
Homomorphic Encryption
VTT Technical Research Centre, Finland
• Biometric recognition for MFA
Risk that a person's biometric
identifiers leak out of the database.
• Protect biological or behavioral
biometric data.
• Uses homomorphic encryption.
Source: http://www.vttresearch.com/media/news/vtts-encryption-method-takes-authentication-to-a-new-level
54. Clare Nelson, @Safe_SaaS
Touchless, 4-Finger Biometric Recognition
Veridium
• Captures all four fingerprints at once
• Increases the complexity of the data
collected.
• Enhances overall security well beyond
partial prints, like those captured by
sensor-based mobile fingerprint
solutions.
• Just need 5MP camera and LED flash.
• Claims FRR 1.0% at FAR 0.01%
Source: https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Source: http://www.goodeintelligence.com/report/mobile-wearable-biometric-authentication-market-analysis-forecasts-2017-2022/
56. Clare Nelson, @Safe_SaaS
We Stand on the Shoulders of Giants
Source: https://alchetron.com/John-Daugman-489257-W
Source: http://www.idiap.ch/~marcel/professional/Welcome.html
Source: https://www.egr.msu.edu/people/profile/jain
Source: http://nislab.no/people/norwegian_information_security_laboratory/professors/christoph_busch
John Daugman
Sébastien Marcel
Anil Jain
Christoph Busch
58. Clare Nelson, @Safe_SaaS
Source: http://www.idtp.com/identity/
Terms
Biometric data processing: biometric system data processing including capture, quality assessment, presentation attack (spoof) detection, feature extraction, database enrollment, fusion, matching, and decision processes
Biometric sensors and hardware: variation and types of biometric sensors and technology (e.g. capacitive, thermal, optical, infrared, multi-spectrum) required to capture high-quality samples for various modalities and applications
Biometric system integration: the hardware and software interfacing necessary to produce a functioning biometric system optimized for a specific application, including proper utilization of biometric software development kits
Biometric system performance: system performance and metrics including Equal Error Rate (EER), False Accept Rate (FAR), False Reject Rate (FRR), False Match Rate (FMR), False Non-Match Rate (FNMR), detection error tradeoff (DET) and receiver operating characteristic (ROC) curves, Genuine and Impostor score histograms, and considerations for threshold optimization for population, operating environment, and application requirements
Biometric standards: NIST, ISO, FIDO standards
Enrollment and capture processes: considerations for enrollment and live capture processes and errors such as failure to acquire (FTA) and failure to enroll (FTE)
Sample quality: biometric sample quality has a direct measurable impact on the performance of the system; proper quality assessment algorithms and thresholds ensure the integrity of enrolled biometric templates
Spoofing and presentation attack detection: recognizing and preventing attempts to use manufactured or fake biometric samples (also known as liveness detection)
Verification and Identification: verification processes require a one-to-one comparison between biometric samples to make a matching decision, while identification processes require one-to-many matching, where a sample (probe) is compared to a database (gallery) to obtain a ranked candidate list
Physiological and behavioral modalities: biometric traits (i.e. fingerprint, face, iris, voice, vascular, DNA) and their characteristics of universality, uniqueness, permanence, measurability, performance, acceptability, and circumvention
Soft biometrics: height, weight, skin color, scars, marks, tattoos
Multimodal biometrics: combining (or fusing) biometric traits to improve decision accuracy, hinder spoofing, and account for unavailability of biometric traits
60. Clare Nelson, @Safe_SaaS
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
• IDC Technology Spotlight, sponsored by SecureAuth; Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
• Six technologies that are taking on the password, UN/HACKABLE, Medium
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
• Nelson, Clare; Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
• Pagliery, Jose; OPM hack’s unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
• Bonneau, Joseph, et al; Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• White, Conor, CTO Daon; Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Gioria, Sébastien; OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
References
61. Clare Nelson, @Safe_SaaS
• Steves, Michelle, et al; NISTIR Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
• Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-fingerprints/?mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhokz2EFye%2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhXlDQ%3D%3D (September 2015)
• Perrot, Didier; There’s No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)
• Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/
• AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/
• Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems, https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-Whitepaper-v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite]
• Jankovich, Thomas; “Blockchain Makes Digital ID a Reality,” https://finxtech.com/2016/12/02/blockchain-makes-digital-id-reality/ (December 2016)
• Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age, http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013)
• NSTIC Paper
• MyData Identity Network based on User Managed Access (UMA), https://docs.google.com/presentation/d/1j3aX8AQGdVtigF1WZouL8WccmYQzZQQje3wuaC2Zb1I/edit#slide=id.g1386e8a6aa_2_914
References
62. Clare Nelson, @Safe_SaaS
• Kunk, S.K.; Biometric Authentication: A Machine Learning Approach, Prentice Hall (2005)
• mikeh; Machine Learning and Biometrics, Neya Systems blog, http://neyasystems.com/machine-learning-biometrics/ (March 23, 2013)
References
64. Clare Nelson, @Safe_SaaS
Artificial Dog Nose
It smells you once, and knows you forever.
Matt Staymates, a mechanical engineer at NIST.
• Schlieren imaging system, visualizes flow of
vapors into an explosives detection device fitted
with an artificial dog nose, mimics "active
sniffing" of a dog.
• Artificial dog nose developed by Staymates and
colleagues at NIST, MIT Lincoln Laboratory, FDA.
• Improves trace chemical detection as much as
16-fold.
Source: http://phys.org/news/2016-12-scientists-artificial-dog-nose-mimics.html
Photo: http://dogs.petbreeds.com/l/95/Labrador-Retriever
68. Clare Nelson, @Safe_SaaS
Store Biometrics on Personal Device or Server?
Source: Webinar by Forrester and Nok Nok Labs, February 1, 2017
Graphic: http://findbiometrics.com/topics/fido-alliance/
Graphic: https://www.carphonewarehouse.com/apple/iphone-6.html
Graphic: http://kryptostech.com/server-management/
Graphic: http://www.planetbiometrics.com/article-details/i/5463/desc/facebook-rolling-out-support-for-fido/
Enroll, biometrics only stored on personal
device (FIDO Alliance, others).
• Biometrics remain on the device, are not
transmitted.
• Not susceptible to theft by insiders or
identity thieves who can access a server
repository.
Enroll, biometrics stored on server.
• No-password model.
• Works if no mobile phone, works with land line.
• Works if person calls in.
• Privacy concerns.
• Susceptible to theft, unwanted modification by
insiders or identity thieves.
69. Clare Nelson, @Safe_SaaS
Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:2382:-37:ed-2:v1:en (2017)
Spoofing, Biometric Presentation Attack
Biometric Presentation Attack
Presentation to the biometric capture system with the
goal of interfering with the operation of the biometric
system.
70. Clare Nelson, @Safe_SaaS
Source: http://livdet.org/index.php
Presentation Attack Detection, Liveness Detection Competition
Hosts: University, Notre Dame University, West Virginia
University, and Warsaw University of Technology
This will be held as part of the IJCB 2017.
The competition has two sub-competitions:
• Part I: Software-based
• Part II: System-based Test
International Joint Conference on Biometrics
71. Clare Nelson, @Safe_SaaS
IARPA Face Recognition Algorithm Contest
Source: https://www.challenge.gov/challenge/face-recognition-prize-challenge/ (April 2017)
Face Identification and Face Verification
• 1-to-1 compare.
• 1-to-many compare.
• “Face recognition is hard.”
• Algorithms commit false negative and
false positive errors.
Head pose, illumination, and facial
expression.
Looking for advancements in
face recognition accuracy.
72. Clare Nelson, @Safe_SaaS
Face Recognition Algorithm Evaluation
Source: https://www.nist.gov/programs-projects/face-recognition-vendor-test-frvt-ongoing
Source: http://www.planetbiometrics.com/article-details/i/5406/desc/nist-to-hold-new-round-of-face-recognition-algorithm-evaluation/
Face Recognition Algorithm Evaluation
• Includes verification of:
Visa images.
De-duplication of passports.
Recognition across photojournalism
images.
Identification of child exploitation victims.
• Part of the Face Recognition Vendor Test
(FRVT).
• Results will be posted to the NIST website.
73. Clare Nelson, @Safe_SaaS
November 2016 NIST Algorithm Test Results, Finger
Source: https://www.innovatrics.com/awards/pft/
• FMR = False Match Rate
• FNMR = False Non-Match Rate
• POEBVA = Point of Entry BVA (Data used for compliance
testing)
BVA = German Federal Office of Administration
Assess the core algorithmic
capability to perform one-to-one
verification.
74. Clare Nelson, @Safe_SaaS
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Presentation Attack Detection (PAD), Techniques
Liveness detection: Facial
thermogram, blood pressure,
fingerprint sweat, or specific
reflection properties of the eye,
pulse, perspiration, pupillary unrest
(hippus), brain wave signals (EEG),
or electric heart signals.
Protect the system against
the injection of reconstructed
or synthetic samples into the
communication channel
between the sensor and the
feature extractor.
Fusion strategies to increase
resistance. Multimodal, use more
than one biometric, or combine
unimodal with an anti-spoofing
technique. The score reflects
more than one input, unknown
to the bad guy.
75. Clare Nelson, @Safe_SaaS
Quantum Biometrics (April 2017)
Human Eye Can Detect a Single Photon
Identify individuals by the way their eyes
detect photons.
• Beam a random pattern of flashes into
the eye.
• Vary the intensity of light in each flash.
It is detected as a recognizable pattern by a
person with a specific alpha map but seems
random to anyone else.
Source: https://www.technologyreview.com/s/604266/quantum-biometrics-exploits-the-human-eyes-ability-to-detect-single-photons/?utm_campaign=add_this&utm_source=twitter&utm_medium=post
76. Clare Nelson, @Safe_SaaS
Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
Source: http://www.iphonehacks.com/2017/01/synaptics-launches-multi-factor-facial-fingerprint-recognition-engine-smartphones-tablets.html
Fusion Strategies: Example of Face and Finger
Better accuracy
• Bimodal biometric system using face and
fingerprint.
• Salient features of the face and fingerprint were
extracted, and fused/combined.
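The following Python is an added example, not code from the slides, the MSU/Jain paper or Synaptics. It serves both the "fusion strategies to increase resistance" point on the PAD techniques slide and the face-plus-finger slide above: it fuses a face score and a finger score at the score level with a weighted sum, reports FAR and FRR for each modality alone and for the fused score at one threshold, and adds a liveness gate so that a strong match score cannot average away a failed anti-spoofing check. All score pairs, weights and thresholds are constructed, and the pairs are chosen so that each modality alone makes errors that the other does not, which is the condition under which fusion helps.

```python
"""Added example (not from the slides or the MSU/Jain paper): score-level fusion
of a face score and a finger score, compared with each modality on its own, plus
a liveness (PAD) gate so that a good match score cannot override a failed
presentation-attack check. All scores, weights and thresholds are constructed."""
from typing import Dict, List, Tuple

# Constructed (face_score, finger_score) pairs, each already normalized to [0, 1].
GENUINE_PAIRS: List[Tuple[float, float]] = [
    (0.82, 0.40), (0.75, 0.88), (0.35, 0.90), (0.80, 0.85), (0.92, 0.32), (0.78, 0.79)]
IMPOSTOR_PAIRS: List[Tuple[float, float]] = [
    (0.70, 0.20), (0.25, 0.72), (0.45, 0.50), (0.15, 0.10), (0.60, 0.35), (0.30, 0.65)]


def fuse(face: float, finger: float, w_face: float = 0.5) -> float:
    """Weighted-sum score-level fusion (scores must share a range before fusing)."""
    return w_face * face + (1.0 - w_face) * finger


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """(FAR, FRR) at a threshold: a comparison is accepted when score >= threshold."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def compare_modalities(threshold: float = 0.6) -> Dict[str, Tuple[float, float]]:
    """FAR/FRR for face alone, finger alone and the fused score at one threshold."""
    pickers = {
        "face": lambda p: p[0],
        "finger": lambda p: p[1],
        "fused": lambda p: fuse(p[0], p[1]),
    }
    return {name: error_rates([f(p) for p in GENUINE_PAIRS],
                              [f(p) for p in IMPOSTOR_PAIRS], threshold)
            for name, f in pickers.items()}


def decide(face: float, finger: float, liveness: float,
           threshold: float = 0.6, min_liveness: float = 0.5) -> bool:
    """Combine unimodal match scores with an anti-spoofing check: the PAD result
    gates the decision instead of being averaged into the match score."""
    if liveness < min_liveness:
        return False
    return fuse(face, finger) >= threshold


if __name__ == "__main__":
    for name, (far, frr) in compare_modalities().items():
        print(f"{name:7s} FAR={far:.3f} FRR={frr:.3f}")
    print("strong match, failed liveness:", decide(0.95, 0.95, liveness=0.2))
```

On the constructed pairs each modality alone false-accepts two of six impostors at the 0.6 threshold, while the fused score accepts none and rejects no genuine user; the gain disappears when both modalities fail on the same samples, so a real evaluation should check that the two score distributions are not strongly correlated before relying on fusion. The liveness gate is deliberately a separate rule: averaging a PAD score into the match score would let a high-quality artefact with a strong match pass.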
77. Clare Nelson, @Safe_SaaS
Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
Existing and Emerging Methods and Standards, Increased Synergy
Determine How Well Biometric Recognition Solutions Work
• Measure strength, use NIST SOFA-B
NIST creating synergy with ISO/IEC and FIDO
• Test face or finger recognition algorithms with NIST
• In future, FIDO certification for biometrics
• ISO/IEC standards for PAD, for mobile
• PAD algorithms
• Increased understanding of FAR, FRR, EER
• Accredited, third-party testing of all or part of the biometric
recognition system
iBeta
• Usability research and testing
• Contests, e.g., LivDet, IARPA
• If store biometrics only on device, then provide a free version
to test accuracy and usability. Otherwise, difficult to get
feedback.
• Research Institutes, e.g., IDIAP Research Institute in
Switzerland
79. Clare Nelson, @Safe_SaaS
Source: https://www.trusona.com/patented-anti-replay/
Source: https://en.wikipedia.org/wiki/Albert_Einstein
Adding any new static user
credentials like longer
passwords or [biological]
biometrics is futile.
– Trusona
Argument for Behavioral Biometrics
82. Clare Nelson, @Safe_SaaS
Multimodal Biometrics
Research from California State University, Fullerton
• Use ear plus face and fingerprint.
• Multimodal biometrics adds layer of security to
the existing mobile device security.
Source: https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Graphic: http://www.rd.com/health/wellness/unique-body-parts/
Researchers claim some mobile biometric
recognition for authentication suffers from:
• Poor quality mobile hardware.
Camera.
Microphone.
• Environmental condition.
Lighting.
Background Noise.
• User error.
• Use of unimodal biometrics, less secure.
83. Clare Nelson, @Safe_SaaS
Google Trust API
Source: http://www.itshacking.xyz/good-bye-passwords-as-google-plans-a-different-verification-option/
Source: https://techcrunch.com/2015/05/29/googles-atap-wants-to-eliminate-passwords-for-good/
Get Rid of Password
• How you swipe
• How you move
• How you type
• How you talk
• Your face
• Combine all above for Multimodal
Timeline
• First announced as project Abacus
• Now called Trust API
85. Clare Nelson, @Safe_SaaS
Acoustic Ear-Shape Biometric Authentication
NEC
A microphone embedded within an
earphone analyzes the resonance of sounds
within the ear cavity in order to produce a
biometric profile.
Source: http://www.handsonlabs.org/nec-developing-acoustic-ear-shape-biometric-authentication-solution/
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Requires earphones
87. Clare Nelson, @Safe_SaaS
Spoofing
The ability to fool a biometric system
into recognizing an illegitimate user as
a genuine one by means of presenting
a synthetic or forged version of the
original biometric trait to the sensor.
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Source: https://www.slideshare.net/SBAResearch/31c3-in20min
88. Clare Nelson, @Safe_SaaS
Spoofing
Source: https://www.linkedin.com/pulse/biometric-spoofing-nadh-thota
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Types of Fake Fingerprints
Fake Eye Images, Contact Lens etc.,
enable hackers to fake Iris sample
Real Fake
89. Clare Nelson, @Safe_SaaS
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.computer.org/csdl/trans/tp/2006/01/i0031.html
Face Spoofing
Matching 2.5D Face Scans to 3D Models