Biometrics and Multi-Factor Authentication: The Unleashed Dragon
Clare Nelson, CISSP, CIPP/E
@Safe_SaaS
clare_nelson@clearmark.biz
Presentation Posted on SlideShare:
https://www.slideshare.net/eralcnoslen
September 25, 2017
Graphic: https://tomatosoup13.deviantart.com/art/Daenerys-and-Her-Dragon-Game-of-Thrones-640714812
Clare Nelson, @Safe_SaaS
Clare Nelson, CISSP, CIPP/E
CEO, Founder
ClearMark Consulting
Security, Privacy, Identity
• Background
o Encrypted TCP/IP variants for NSA
o Product Management at DEC (HP), EMC2
o Director Global Alliances at Dell, Novell
o VP Business Development, TeaLeaf Technology (IBM), Mi3 Security
• 2014 Co-founded C1ph3r_Qu33ns, mentor women in cybersecurity
• Publications include:
o 2010 August, ISSA Journal, Security Metrics: An Overview
o 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks/Keynotes: Cloud Identity Summit 2017, InfraGard,
HackFormers; BSides Austin; LASCON; OWASP AppSec USA, ISSA
Austin; clients including Fortune 500 financial services, 2015 FTC
Panel
• B.S. Mathematics
Graphic: http://www.activistpost.com/2015/09/fbi-biometrics-programs-surveillance-database.html
Graphic: http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
Introduction
• Contents
• Scope
Contents
Biometric Recognition for Multi-Factor Authentication
1. Biological and Behavioral Biometrics
2. Benefits and Issues
3. What Every CISO Should Know
• Laws, Standards, and Guidelines
4. How to Measure Biometric Recognition
5. Attack Vectors
6. Multimodal Biometric Recognition
7. Continuous Authentication with Biometrics
8. Face ID Update
9. The Future
Graphic: http://www.computerhope.com/jargon/h/hacker.htm
How can you tell if it’s a bad guy?
Source: https://arstechnica.com/gadgets/2017/03/video-shows-galaxy-s8-face-recognition-can-be-defeated-with-a-picture/
Source: https://realizethelies.com/tag/facial-recognition-software/
Source: https://www.iso.org/standard/55194.html (2017)
Biometric Verification versus Biometric Identification
Comparison: Verification is 1-to-1; Identification is 1-to-Many
Purpose: Verification confirms or denies a claimed identity; Identification identifies a specific individual
Use case example: Verification unlocks a device; Identification is used in airport security, to identify a suspect
Biometric Recognition
Biometric Recognition for Multi-Factor Authentication (MFA), Mobile Use Case
Scope
(“Biometric Authentication” is deprecated)
Definitions
• Multi-Factor Authentication
• Biometric Recognition
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
Source: https://www.securetechalliance.org/publications-mobile-identity-authentication/
Definition of Multi-Factor Authentication
Factors: Know, Have, Are
Biometric Recognition
Automated recognition of individuals based on
their biological or behavioral characteristics
Source: http://biometrics.derawi.com/?page_id=101
Source: http://searchsecurity.techtarget.com/definition/biometric-authentication
Graphic: http://www.aspire-security.eu/access-control.html
Biometric Recognition Systems
Compare sample to template
• On device, or server
• Template is established during enrollment, or
updated later as part of adaptive machine learning
(iPhone X neural engine)
• If comparison score meets criteria, then recognition
is confirmed
Diagram: Digital image → Math model
What is Feature Extraction?
Source: https://www.security-audit.com/files/ratha.pdf (2001)
Digital image of fingerprint
• Includes ridge bifurcations and ridge
endings
• Collectively referred to as minutiae
Algorithm, extract features
• Each feature has (x, y) location and ridge direction at that
location (ϴ)
• Sensor noise and other variability in the imaging process
• Feature extraction may miss some minutiae, and/or
• Feature extraction may generate spurious minutiae
• Due to the elasticity of the human skin, the relationship
between minutiae may be randomly distorted from one
impression to the next
Dimensionality Reduction
Typically, Images Are Not Saved
Source: http://www.bioelectronix.com/what_is_biometrics.html
Digital image → Feature extraction → Math model
Fingerprint image is not saved, only
series of numbers (binary code), used
for verification
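The two slides above describe the pipeline: minutiae are extracted as (x, y, ϴ) features, only the resulting numbers are stored as the template, and a later sample is compared against that template with a score that must meet a criterion. The following is an added example, not code from the presentation or from the Ratha paper it cites: a toy minutiae matcher that tolerates the displaced, missing and spurious minutiae the slide lists. It assumes the probe is already aligned with the template (real matchers first estimate rotation and translation), and the tolerances, threshold and minutiae sets are constructed for illustration.

```python
"""Added example: a toy minutiae matcher.

A fingerprint template is a set of minutiae, each an (x, y) location and a
ridge direction theta. Comparison pairs template minutiae with probe minutiae
inside a distance and angle tolerance (to absorb skin elasticity and sensor
noise), tolerates missing and spurious minutiae, and turns the pairing count
into a score that is compared against a decision threshold.

Assumptions (not from the slides): probe and template are already aligned,
tolerances and threshold are illustrative, and all minutiae are constructed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Minutia:
    x: float
    y: float
    theta: float  # ridge direction in degrees, 0..360


def angle_diff(a: float, b: float) -> float:
    """Smallest absolute difference between two angles in degrees."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def match_score(template, probe, dist_tol=6.0, angle_tol=15.0) -> float:
    """Greedy one-to-one pairing of template and probe minutiae.

    Returns the fraction of minutiae that were paired, normalised by the
    larger set so that spurious minutiae in the probe also lower the score.
    """
    if not template or not probe:
        return 0.0
    unused = set(range(len(probe)))
    paired = 0
    for t in template:
        best_j, best_d = None, None
        for j in unused:
            p = probe[j]
            d = math.hypot(t.x - p.x, t.y - p.y)
            # Both location and ridge direction must agree within tolerance.
            if d <= dist_tol and angle_diff(t.theta, p.theta) <= angle_tol:
                if best_d is None or d < best_d:
                    best_j, best_d = j, d
        if best_j is not None:
            unused.discard(best_j)  # one-to-one: a probe minutia is used once
            paired += 1
    return paired / max(len(template), len(probe))


def recognised(template, probe, threshold=0.6) -> bool:
    """Decision step: recognition is confirmed when the score meets the criterion."""
    return match_score(template, probe) >= threshold


# Constructed enrolment template (stored as numbers, never as an image).
TEMPLATE = [Minutia(*m) for m in [
    (10, 20, 30), (35, 22, 95), (50, 40, 180), (22, 55, 260),
    (60, 70, 45), (15, 80, 120), (45, 90, 300), (70, 15, 10),
]]

# Constructed genuine probe: each minutia displaced a few pixels and degrees,
# the (70, 15) minutia missed by extraction, one spurious minutia added.
GENUINE_PROBE = [Minutia(*m) for m in [
    (12, 21, 34), (33, 24, 90), (52, 38, 185), (20, 57, 265),
    (61, 72, 40), (17, 79, 126), (44, 92, 295), (90, 90, 200),
]]

# Constructed impostor probe: its first minutia sits almost on top of a
# template minutia but with a very different ridge direction.
IMPOSTOR_PROBE = [Minutia(*m) for m in [
    (11, 19, 200), (40, 10, 60), (25, 35, 150), (55, 55, 200),
    (30, 70, 330), (65, 90, 90), (80, 40, 270), (10, 95, 180),
]]

if __name__ == "__main__":
    print("genuine score ", match_score(TEMPLATE, GENUINE_PROBE))   # 0.875
    print("impostor score", match_score(TEMPLATE, IMPOSTOR_PROBE))  # 0.0
    print("genuine recognised:", recognised(TEMPLATE, GENUINE_PROBE))
    print("impostor recognised:", recognised(TEMPLATE, IMPOSTOR_PROBE))
```

The genuine probe scores 7/8 despite one missed and one spurious minutia, and the impostor probe scores 0 even though one of its minutiae lands within two pixels of a template minutia, because the ridge direction disagrees. Where the threshold sits between those two scores is the convenience-versus-security decision the later FAR/FRR slides discuss.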
Categories of Biometrics
Biological Biometrics (Physical)
Behavioral Biometrics
Graphic: http://thepeepspot.com/9-best-compliments-to-make-a-woman-smile/
Biological Biometrics
Finger
Face
Iris
Graphic: http://www.ibmsystemsmag.com/ibmi/trends/whatsnew/Biometric-Authentication-101/
Behavioral Biometrics
Graphics: https://www.scienceabc.com/innovation/lesser-known-methods-biometrics-identification-retinal-fingerprint-scan-gait-analysis-keystroke.html
Biometric Modes, Prolific Innovation
• Face 2D, 3D
• Fingerprints 2D, 3D via ultrasonic waves, in-display
• Finger veins, Palm veins, Eye veins
• Palms prints and/or the whole hand
• Feet
• Eyeprint, Iris, Retina, Features of eye movements
• Face, head – its shape, specific movements
• Ears, lip prints
• Signature, Voice
• How you sit, Gait, Odor, DNA
• Keystroke, typing, mouse, touch pad
• Electrocardiogram (ECG), Electroencephalogram (EEG) [1]
• Tests: Microchip in Pills, Digital Tattoos
• Smartphone/behavioral: Authenticate based on g-sensor and
gyroscope, how you write your signature in the air [2]
• Hand movement when answering the smartphone, use data from
the smartphone’s accelerometer, gyroscope, and light sensor [3]
[1] Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
[2] Source: http://www.airsig.com
[3] Source: http://www.biometricupdate.com/201703/mobile-app-uses-hand-movement-to-authenticate-smartphone-owner
Source: http://www.cvphysiology.com/Arrhythmias/A009
Reference
Behavioral Biometrics: Used in Passive, Continuous Authentication
500+ Metrics, Human-Device Interactions
• Leverage gyroscope, touch screen,
accelerometer
• Cloud, monitors 2 billion sessions/month
• Learns behavior patterns of fraudsters
• Detects presence of malware
• Invisible challenge, e.g., how the user finds a missing cursor
Source: http://www.biocatch.com
Source: https://www.extremetech.com/extreme/215170-artificial-neural-networks-are-changing-the-world-what-are-they
Behavioral Biometrics: Used in Implicit Authentication
Passive sensor data. How you walk, type, and sit.
Source: https://blog.unify.id/2016/09/12/unifyid-technical-overview/
Benefits
Benefits of Biometrics
• Convenient
• No tokens, cards, or fobs to lose or misplace
• Reduces friction in some cases
• No memorization required
• Low cognitive load once past learning curve
• Difficult to delegate, difficult to lend your fingers or face
to another person
• A password is easily delegated or shared
• User acceptance is growing
• India Aadhaar
• iPhone Touch ID, now Face ID
• Secure enough if used as “Restricted Factor”
• Use to unlock device, or authenticate to smartphone
• Caution for some implementations for financial
transactions, secure access
Graphic: https://cardnotpresent.com/tag/biometric-authentication/
• Market growth and technology
advancements
• Feedback and training from earlier
implementations improves solutions
Issues
Source: http://www.pymnts.com/news/security-and-risk/2017/digital-identity-way-beyond-the-social-security-number/ (August 2017)
Graphic: http://01greekmythology.blogspot.com/2015/02/panacea.html
Issues with Biometrics, No Panacea
Biometrics offers no panacea in the quest for digital
identities that prove foolproof and hack-proof
Biometrics offer great promise, but
• They are not all created equal
• They are not a secret
• They can be lifted
• They can be forged
• They can be compromised because they are not private
– Paul Grassi, senior standards and technology advisor of
the Trusted Identities Group at the National Institute of
Standards and Technology (NIST)
Panacea, Greek goddess of universal remedy
Issues with Biometrics
Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
Source: http://findbiometrics.com/cylab-honored-for-long-distance-iris-scanner-24272/
Biometrics can reveal medical conditions
• Pregnancy
• Diabetes
• Heart disease
• Parkinson’s
Biometrics make it easier to gather personal information
• Ability to do so covertly
Biometrics can be collected at a distance
• Increased accuracy with which individuals can be
identified remotely
• Iris at 43 feet
Biometrics can be used to link databases that have been
anonymized
• De-anonymization techniques
Long-Distance Iris Scanner
Source: https://insights.samsung.com/2017/03/29/which-biometric-authentication-method-is-most-secure/
Source: https://www.cse.wustl.edu/~jain/cse571-11/ftp/biomet/
Source: https://www.cse.wustl.edu/~jain/cse571-11/ftp/biomet/#Rahul10
Samsung S8
• Iris recognition does not work for
everyone
• There are exceptions for every
biometric modality
Criteria for a Biometric System
• Universality
• Uniqueness
• Permanence
• Collectability
• Performance
• Acceptability
• Circumvention
Issues with Biometrics: Failure to Enroll (FTE), Failure to Acquire (FTA)
Issues with Biometrics: Security is Often Overestimated
Use biometrics with another method of authentication
• Biometrics are a complementary security control to
make it easier for a human to interact with technology
• Combine with an additional security control such as a
passphrase or multi-factor authentication
• Trust must be continuously challenged
• Ensure person behind the device is really the person who
they say they are
Source: https://www.thestreet.com/story/14301038/1/iphonex-facial-biometrics-could-prevent-hackers-from-accessing-information.html
– Joseph Carson, chief security scientist at Thycotic
Will iPhone X support
face and passcode,
or just one or the other?
The Spoofing Problem
Samsung Galaxy S8
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April 2017)
Source: http://www.businessinsider.com/samsung-galaxy-s8-iris-scanner-fbi-fingerprint-tech-princeton-identity-2017-4
April 2017
Face spoofed
May 2017
Iris spoofed
iPhone X, Face ID
Source: https://venturebeat.com/2017/09/12/iphone-x-ditches-touch-id-for-face-id/
Source: http://bgr.com/2017/09/12/iphone-x-price-specs-features/
Source: https://findbiometrics.com/apple-face-id-iphone-x-409125/
September 2017
Announced
TBD Date
Face ID spoofed
Biometrics Market Growth
Source: http://www.acuity-mi.com/hdfsjosg/euyotjtub/GBMRPreview.pdf
Graphic: https://www.stableinvestor.com/2013/02/calculate-compound-annual-growth-rate.html
Mobile Biometrics: Consumer Market Growth
Chart: years 2016 through 2022; CAGR ~41%; $50 billion
CAGR = (Final Amount / Starting Amount)^(1 / Number of Years) - 1
Source: Unnamed keynote speaker at Cloud Identity Summit, Chicago, June 2017
Graphic: https://www.stableinvestor.com/2013/02/calculate-compound-annual-growth-rate.html
Biometrics Growth Drivers
“Financial services are in a
race to the bottom to
remove friction”
– Keynote Speaker, Cloud Identity Summit, June 2017
“Take the F out of
authentication”
What Every CISO Should Know
• Biometric Recognition for Multi-Factor Authentication
What CISOs Need To Know Before Adopting Biometrics
Before adopting biometric recognition
• Risk assessment, policy, compliance
• Architectural decisions
• E.g., Is a fingerprint reader installed on a
workstation less risky than biometric
authentication passed over a network?
• Store and process biometric data securely
• Encryption
• Privileged access management
• Other physical security measures
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic: https://www.shrednations.com/2015/04/defining-protecting-personally-identifiable-information/
Biometrics Recognition is not 100% Reliable
Every biometric recognition system must account
for some level of false negatives and false positives
• In highly secure environments, false positives may
present an unacceptable risk
• False negatives require a fallback authentication
mechanism
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
What CISOs Need To Know Before Adopting Biometrics
Biometric data is Personally Identifiable Information (PII)
• Biometric data presents an extra layer of complexity
• User interactions
• Compliance
• Organizations with US government contracts may have
to comply with Privacy Act of 1974 PII management
practices
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic: https://www.airloom.com/technology/security-as-a-service/
What CISOs Need To Know Before Adopting Biometrics
Privacy Act of 1974
• Applies to federal agencies
• Safeguard individual privacy from the misuse of
federal records
• Governs the collection, maintenance, use, and
dissemination of PII
• Prohibits disclosure of information without written
consent of the individual
• Unless the disclosure is pursuant to one of 12
exceptions
• Individuals can access and amend their records
• Individuals can find out if their records have been
disclosed and can make corrections
Source: https://www.justice.gov/opcl/privacy-act-1974
Reference
Don’t Use as Single or Primary Factor
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Graphic: http://www.itproportal.com/2016/04/07/the-role-of-biometric-authentication-techniques-in-security/
Remote System Access
Exclude biometrics as single or
primary authentication factor
• Biometric samples are not
secrets
• Biometric samples are different
each time they are captured
Is the US legal system
up to the challenge?
There is no federal law protecting
biometric information
Source: https://iapp.org/news/a/can-the-u-s-legal-system-can-adapt-to-biometric-technology/
US Biometric Information Protection Laws
• 2008, Illinois: Biometric Information Privacy Act (BIPA)
• 2009, Texas: Texas Business and Commerce Code § 503.001
• 2017, under consideration: CT, NH, AK, WA, more
Source: https://www.secureidnews.com/news-item/five-states-considering-bills-to-restrict-biometrics-use/ (February 2017)
Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
Source: http://www.drinkerbiddle.com/insights/publications/2017/02/four-more-states-propose-biometrics-legislation
Source: http://www.chicagotribune.com/bluesky/originals/ct-biometric-illinois-privacy-whats-next-bsi-20170113-story.html
Illinois Biometrics Information Privacy Act (BIPA)
L.A. Tan Enterprises
• December 2016 settlement
• $1.5 million to class of
customers
• Failed to collect written
consent
• Shared fingerprint scans with
software vendor
Document Policy
• Retention
• Collection
• Disclosure
• Destruction
• Notification
• Consent in Writing, Signed
Source: https://iapp.org/news/a/can-the-u-s-legal-system-can-adapt-to-biometric-technology/
Passcode versus Fingerprint or Face
For each method: must you comply with a law enforcement request? Is it testimonial or non-testimonial? What protection is there from government and law enforcement?
Passcode: Must comply? No. Testimonial, personal knowledge. Fifth Amendment right against self-incrimination.
Fingerprint: Must comply? Yes. Non-testimonial, like a key. Undetermined; Fourth Amendment does not protect fingerprints. Power off to disable.
Face (Face ID): Must comply? Yes, depends. Non-testimonial; however, a law officer can simply hold the phone up to your face. Disable Face ID.
NIST SP 800-63
• Update Published June 2017
• New Biometrics Guidelines
Source: https://pages.nist.gov/800-63-3/
Did You Throw a NIST Party on June 22, 2017?
Contributors
Digital Identity Guidelines, Four Documents
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Graphic: http://www.oulu.fi/infotech/annual_report/2013/cmv
NIST Update on Allowable Use of Biometrics
SP 800-63B, Authentication and Lifecycle Management
Supports only limited use of biometrics for authentication
• False Match Rate (FMR) does not provide confidence in
the authentication of the subscriber by itself
• FMR does not account for spoofing attacks
• Biometrics SHALL be used only as part of MFA with a
physical authenticator (something you have)
• Biometric characteristics do not constitute secrets
• They can be obtained online or by taking a picture of
someone with a camera phone (e.g., facial images) with
or without their knowledge
• Lifted from objects someone touches (e.g., latent
fingerprints)
• Captured with high resolution images (e.g., iris
patterns)
Implement Presentation Attack Detection (PAD)
• Demonstrate at least 90% resistance to
presentation attacks
PAD may be mandatory
requirement in the future
Question: Store Biometrics on Device or Server, Cloud? Split?
Source: Webinar by Forrester and Nok Nok Labs, February 1, 2017
Graphic: http://findbiometrics.com/topics/fido-alliance/
Graphic: https://www.carphonewarehouse.com/apple/iphone-6.html
Graphic: http://kryptostech.com/server-management/
Graphic: http://www.planetbiometrics.com/article-details/i/5463/desc/facebook-rolling-out-support-for-fido/
Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017)
Biometrics only stored on personal device
(FIDO Alliance, others)
• Biometrics remain on the device, are not
transmitted
• Not susceptible to theft by insiders or
identity thieves who can access a server
repository
Biometrics stored on server
• Works if no mobile phone, works with land line
• Works if person calls in
• Privacy concerns
• Need consent, was it freely given?
• Server access, how secure?
• Susceptible to theft, unwanted modification by
insiders or identity thieves
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Source: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=52946
Graphic: https://fidoalliance.org/approach-vision/
Answer from NIST
SP 800-63B, Authentication and Lifecycle Management
The potential for attacks on a larger scale
is greater at central verifiers (servers),
local device comparison is preferred
Example from Fast IDentity Online (FIDO) Alliance
What is the impact of
GDPR?
Source: http://www.privacy-regulation.eu/en/4.htm
Source: https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf
EU General Data Protection Regulation (GDPR)
GDPR
Starts May 25, 2018
Data Protection Directive
Since 1995
Personal Data
• Name
• Photo
• E-mail address
• Phone number
• Address
• Personal identification
numbers
• IP address
• Mobile device identifiers
• Geo-location
• Biometric data
• Psychological identity
• Genetic identity
• Economic status
• Cultural identity
• Social identity
Expanding definition
of personal data
EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/9.htm
Article 9.1
…processing of biometric data for the
purpose of uniquely identifying a
natural person…shall be prohibited
But there are many exceptions
EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/9.htm
Source: https://dma.org.uk/event/webinar-the-ico-s-gdpr-consent-guidance
Processing of Biometric Data (GDPR, Article 9)
• Prohibited
• 10+ exceptions
• Consent
• Person gives explicit consent to the
processing of those personal data
• For one or more specified purposes
• Employment
Consent (GDPR, Article 7)
• Freely given
• Prove it was given
• Clear, plain language, no legalese
• Right to withdraw consent, easy to withdraw
Source: https://www.facebook.com/jterstegge/posts/1857555150924472
Privacy
Right to be let alone
Data Protection
Right to NOT have data
collected and used in ways
that impact your rights and
freedoms
GDPR
Privacy is a
Fundamental
Human Right
GDPR and Facial Recognition
GDPR Exceptions
Reasons of substantial
public interest
CCTV Captures
• Face
• Location
• Time
• How you walk
• People around you
What is Multimodal Biometric Recognition?
Multimodal Biometrics
Research from California State University, Fullerton
• Use ear plus face and fingerprint
• Multimodal biometrics adds layer of security to
the existing mobile device security
Source: https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Graphic: http://www.rd.com/health/wellness/unique-body-parts/
Researchers claim some mobile biometric
recognition for authentication suffers from:
• Poor quality mobile hardware
• Camera
• Microphone
• Environmental condition
• Lighting
• Background noise
• User error
• Use of unimodal biometrics, less secure
What is Continuous Authentication with Biometrics?
Machine learning offers the potential to authenticate
users based on multiple assessments, including
• Behavior
• Appearance
• Voice
• Speed at which they type
A user’s device can constantly calculate a trust score
that the user is who they claim to be
• Verify device, not pwned, same device
Together these factors are
• 10 times safer than fingerprints
• 100 times safer than four-digit PINs
Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017)
Source: https://www.safaribooksonline.com/library/view/continuous-authentication-using/9781613501290/
Continuous Authentication with Biometrics
Ahmed Awad E. Ahmed,
Issa Traore
September 2011
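The slide above says a device can constantly combine several assessments into a trust score that the user is who they claim to be, and should also verify that it is still the same, uncompromised device. The following is an added example of one such design, not code from the Finextra post or the Ahmed and Traore book: each modality's latest similarity score decays with a half-life so stale evidence counts for less, the decayed scores are fused with fixed weights, trust below a threshold triggers a step-up to another factor, and evidence reported from a different device is discarded. The weights, half-life, threshold and the timeline of observations are constructed assumptions.

```python
"""Added example: a continuous-authentication trust score.

Each modality (face, gait, typing here) periodically yields a similarity
score in [0, 1]. The device keeps the latest score per modality, decays it
with a half-life, fuses the decayed scores with fixed weights into one trust
value, and steps up to another factor when trust drops below a threshold.
Evidence from a device other than the enrolled one is rejected outright.

Assumptions (not from the slides): weights, half-life, threshold and the
sample observations are constructed for illustration.
"""
from dataclasses import dataclass, field

# Modality weights (constructed); they sum to 1 so trust stays in [0, 1].
WEIGHTS = {"face": 0.4, "gait": 0.3, "typing": 0.3}
HALF_LIFE_S = 300.0        # evidence halves in value every five minutes
STEP_UP_THRESHOLD = 0.6    # below this, ask for another factor


@dataclass
class Observation:
    score: float   # modality similarity score, 1.0 = perfect match
    at: float      # capture time in seconds


@dataclass
class TrustScore:
    enrolled_device: str
    latest: dict = field(default_factory=dict)   # modality -> Observation

    def observe(self, device: str, modality: str, score: float, at: float) -> bool:
        """Record evidence; evidence from another device or unknown modality is dropped."""
        if device != self.enrolled_device or modality not in WEIGHTS:
            return False
        self.latest[modality] = Observation(min(max(score, 0.0), 1.0), at)
        return True

    def value(self, now: float) -> float:
        """Weighted sum of half-life-decayed latest scores; unseen modalities count 0."""
        total = 0.0
        for modality, obs in self.latest.items():
            age = max(now - obs.at, 0.0)
            decay = 0.5 ** (age / HALF_LIFE_S)
            total += WEIGHTS[modality] * obs.score * decay
        return total

    def needs_step_up(self, now: float) -> bool:
        return self.value(now) < STEP_UP_THRESHOLD


def demo_timeline():
    """Constructed session; returns trust at t=0, at t=300 s, and after a fresh face match."""
    ts = TrustScore(enrolled_device="device-A")
    ts.observe("device-A", "face", 0.9, at=0.0)
    ts.observe("device-A", "gait", 0.8, at=0.0)
    ts.observe("device-A", "typing", 0.7, at=0.0)
    t0 = ts.value(0.0)      # 0.36 + 0.24 + 0.21 = 0.81
    t1 = ts.value(300.0)    # one half-life later: 0.405, below threshold
    ts.observe("device-B", "face", 1.0, at=300.0)   # other device: ignored
    ts.observe("device-A", "face", 0.95, at=300.0)  # fresh face match
    t2 = ts.value(300.0)    # 0.38 + 0.12 + 0.105 = 0.605, back above threshold
    return t0, t1, t2


if __name__ == "__main__":
    for label, v in zip(("start", "after 5 min", "after fresh face match"), demo_timeline()):
        print(f"{label:24s} trust={v:.3f} step-up={v < STEP_UP_THRESHOLD}")
```

The half-life is what makes the score "continuous": without new evidence trust decays towards zero and a step-up is eventually forced, while a single fresh strong observation cannot mask stale or weak evidence from the other modalities because the weights cap its contribution.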
Biometric Recognition is Probabilistic (not Deterministic)
Convenience versus Security
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
Source: http://www.descartesbiometrics.com/wp-content/uploads/2014/11/HELIX-Whitepaper.pdf
Convenience
Security
False Acceptance Rate (FAR)
• Number of false acceptances divided by the number of
identification attempts
False Reject Rate (FRR)
• Number of false rejections divided by the number of
identification attempts
Equal Error Rate (EER)
• Operating point at which the proportion of false acceptances
equals the proportion of false rejections
A FAR figure alone says little: you also need the FRR at that
operating point and the number of attempts allowed
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
Source: http://www.goodeintelligence.com/press-releases/multi-modal-mobile-biometric-authentication-drives-revenues-to-over-6-2-billion-by-2022/ (April 2017)
Apple claims a FAR of 1/50,000 for Touch ID
• Out of 50,000 imposter comparisons, up to
one will be accepted as genuine
• 1/50,000 = 0.002%
Android
• Similar
• Requires FAR not more than 0.002%
• Recommends FRR no more than 10%
What is the associated FRR?
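The slides above define FAR, FRR and EER and then ask the right question about a claimed FAR of 1/50,000: what FRR goes with it, and how many attempts are allowed? The following added example (not code from the presentation or the EyeVerify post) sweeps a decision threshold over constructed genuine and impostor similarity scores to compute FAR and FRR at each operating point, locates the EER, reports the FRR paid for a chosen FAR target, and converts a per-comparison FAR into the probability of at least one false acceptance over several attempts. The score samples are constructed and deliberately tiny; a real evaluation uses thousands of comparisons.

```python
"""Added example: FAR, FRR and EER from score distributions.

A recognition system produces a similarity score for each comparison and
accepts when the score reaches a threshold. Sweeping the threshold over
genuine (same person) and impostor (different person) scores gives FAR and
FRR at every operating point, the EER where they cross, and the FRR you pay
for a chosen FAR. A FAR quoted per comparison must also be read together
with the number of attempts the system allows.

Assumptions (not from the slides): the score samples are constructed.
"""

# Constructed similarity scores in [0, 1].
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.76, 0.90, 0.67, 0.85, 0.93, 0.72]
IMPOSTOR_SCORES = [0.12, 0.30, 0.45, 0.22, 0.58, 0.35, 0.41, 0.69, 0.27, 0.50]


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Acceptance Rate: impostor comparisons accepted / impostor comparisons."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False Reject Rate: genuine comparisons rejected / genuine comparisons."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold at which FAR and FRR are closest, and the error rate there."""
    candidates = sorted(set(genuine) | set(impostor))
    t = min(candidates, key=lambda c: abs(far(c, impostor) - frr(c, genuine)))
    return t, (far(t, impostor) + frr(t, genuine)) / 2


def frr_at_target_far(target_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold meeting the FAR target, and the FRR (convenience cost) there."""
    for c in sorted(set(genuine) | set(impostor)):
        if far(c, impostor) <= target_far:
            return c, frr(c, genuine)
    return None, None   # no observed score works as a threshold for this target


def false_accept_over_attempts(per_attempt_far, attempts):
    """Probability of at least one false acceptance when `attempts` tries are allowed."""
    return 1.0 - (1.0 - per_attempt_far) ** attempts


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.69, 0.72, 0.8):
        print(f"threshold {t:.2f}: FAR={far(t):.2f} FRR={frr(t):.2f}")
    print("EER (threshold, rate):", equal_error_rate())
    print("FRR at zero observed FAR:", frr_at_target_far(0.0))
    print("P(false accept in 5 tries at FAR 1/50,000):",
          false_accept_over_attempts(1 / 50000, 5))
```

Raising the threshold trades FAR for FRR, which is the convenience-versus-security axis on the slide; the EER is just the single number where the two curves meet, and a product sheet quoting only FAR has left the FRR half of that trade-off out.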
FRR at Varying FAR
September 2015
Source: http://www.eyeverify.com/independent-accuracy-studies
EyeVerify: Two Studies for Eyeprint ID, Mobile
Not All FARs are Created Equal
• Synthetic versus real data
• Calculated versus claimed
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
iPhone X, Face ID: False acceptance rate of 1 in 1,000,000
Source: http://www.eyelock.com/
General Ranking, It Depends, Many Variables
• Voice Recognition: 1 in 500
• Fingerprint: 1 in 10,000
• Touch ID: 1 in 50,000
• Facial Recognition: 1 in 100,000
• Single Iris: 1 in 500,000
• DNA: 1 in 800,000,000,000,000
• 1 in 1,000,00,000
Source: http://blog.normshield.com/2017/01/machine-learning-in-cyber-security_31.html (January 2017)
Which Biometric Mode is Best? Not an Exact Science to Compare
Iris is more
unique than
face, even
among twins
What is the Attack Model?
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Biometric System Attack Diagram (Ratha 2001, ISO 2006, NIST 2015)
Processing chain: Data Capture → Signal Processing → Compare → Decision, with Data Storage holding the biometric reference
Attack points along the chain:
• Data Capture: Presentation Attack; Override Capture Device
• Signal Processing: Extract/Modify Biometric Sample; Override Signal Processor; Modify Probe
• Compare: Override Comparator; Modify Score
• Decision: Override Decision Engine; Modify Decision
• Data Storage: Modify Biometric Reference; Override Database
Demonstrate at least 90% resistance to presentation attacks.
Presentation Attack Detection (PAD), Anti-Spoofing
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.qafis.com/anti-spoofing
Presentation Attack Detection (PAD), Anti-Spoofing
• Active: user must participate, blink,
smile, turn head
• Passive: user participation is not needed,
hardware or software algorithms
3D Mask
Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
Presentation Attack Detection (PAD), Using Algorithms
(a) Bona fide image
(b) Laser printer artefact
(c) Inkjet printer artefact
(d) Display attack using iPad
Using Local Binary Patterns (LBPs) as PAD
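The slide above names Local Binary Patterns as an algorithmic PAD method for telling a bona fide face capture from laser-print, inkjet and display artefacts. The following is an added example, not code from the presentation or the survey it cites: the plain 3x3 LBP operator, the normalised 256-bin code histogram that serves as the texture descriptor, and a chi-square distance for comparing a probe's histogram with a bona fide reference. A deployed detector trains a classifier on histograms from bona fide and artefact images; here two constructed textures (a smooth ramp and a pixel-level checkerboard) stand in for real captures to show that the descriptor separates textures at all.

```python
"""Added example: Local Binary Patterns (LBP) as a texture descriptor for PAD.

Each pixel is encoded by comparing it with its 8 neighbours, the codes are
histogrammed, and the histogram is compared with reference histograms (or
fed to a classifier trained on bona fide and artefact images). Print and
display artefacts have a different micro-texture (halftone dots, pixel grids,
blur) from live skin, which is what the histogram captures.

Assumptions (not from the slides): 3x3 neighbourhood, plain 256-bin
histogram, chi-square distance, and two constructed test textures.
"""


def lbp_code(img, r, c):
    """8-bit LBP code of pixel (r, c): bit i is set when neighbour i >= centre."""
    centre = img[r][c]
    neighbours = [(-1, -1), (-1, 0), (-1, 1), (0, 1),
                  (1, 1), (1, 0), (1, -1), (0, -1)]   # clockwise from top-left
    code = 0
    for bit, (dr, dc) in enumerate(neighbours):
        if img[r + dr][c + dc] >= centre:
            code |= 1 << bit
    return code


def lbp_histogram(img):
    """Normalised 256-bin histogram of LBP codes over the interior pixels."""
    hist = [0] * 256
    for r in range(1, len(img) - 1):
        for c in range(1, len(img[0]) - 1):
            hist[lbp_code(img, r, c)] += 1
    total = sum(hist)
    return [h / total for h in hist]


def chi_square_distance(h1, h2):
    """Chi-square distance between two histograms; 0 means identical."""
    return sum((a - b) ** 2 / (a + b) for a, b in zip(h1, h2) if a + b > 0)


def ramp_image(n):
    """Constructed smooth texture: intensity rises gently down and to the right."""
    return [[4 * r + c for c in range(n)] for r in range(n)]


def checkerboard_image(n):
    """Constructed high-frequency texture resembling a pixel grid or halftone."""
    return [[255 if (r + c) % 2 == 0 else 0 for c in range(n)] for r in range(n)]


def pad_distance_to_reference(reference_img, probe_img):
    """Distance of a probe's LBP histogram from a bona fide reference histogram."""
    return chi_square_distance(lbp_histogram(reference_img), lbp_histogram(probe_img))


if __name__ == "__main__":
    ref = ramp_image(16)
    print("ramp vs ramp        :", pad_distance_to_reference(ref, ramp_image(16)))   # 0.0
    print("ramp vs checkerboard:", pad_distance_to_reference(ref, checkerboard_image(16)))  # 2.0
```

The ramp produces a single LBP code everywhere (a smooth surface), while the checkerboard alternates between two codes, so the histograms share no bins and sit at the maximum chi-square distance of 2.0; in a real detector the reference histograms come from genuine captures on the same sensor, and a distance threshold or trained classifier makes the bona fide/artefact call.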
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
PAD for Finger: Implement in Hardware, Software, or Both
Software:
Assess characteristics of sample: sharpness of lines, presence of pores.
• Easier to implement.
• Easier to update, including over the air (OTA) as anti-spoofing
techniques improve.
• Leverage machine learning.
Hardware:
Requires additional capabilities in fingerprint scanner: ability to sense
pulse, temperature, and capacitance; none of which can be done in
software alone.
• Greater ability to detect “liveness” of finger being scanned.
• More expensive.
• Consumes more power.
• May introduce latency if, for example, there is a need to sense
multiple heartbeats.
Emerging Standard for Presentation Attack Detection (PAD)
Presentation Attack Detection (PAD), Emerging Standards
Source: https://www.iso.org/standard/53227.html
ISO/IEC DIS 30107-2
Information technology -- Biometric presentation attack detection
-- Part 2: Data formats
ISO/IEC FDIS 30107-3
Information technology -- Biometric presentation attack detection
-- Part 3: Testing and reporting
NEW: ISO/IEC 30107-4
Presentation Attack Detection (PAD) for Mobile Devices
Source: https://www.iso.org/standard/53227.html
Source: https://cacm.acm.org/magazines/2016/4/200169-multimodal-biometrics-for-enhanced-mobile-device-security/abstract
Source: http://www.planetbiometrics.com/article-details/i/5803/ (April 2017)
Source: http://profit.ndtv.com/news/life-and-careers/article-new-smartphone-from-infocus-to-support-aadhaar-authentication-1634102
ISO/IEC 30107-4
Biometric presentation attack detection – Profile for evaluation of mobile devices.
Address spoofing and presentation attacks against mobile
devices.
Presentation Attack Detection (PAD) includes:
• Fake fingerprints.
• Video replays.
• Voice recordings.
Concern for commercial and government agencies:
• Rely on mobile device authentication for transactions
and identity confirmation.
How to Measure the Strength of Biometric Recognition for Authentication?
Source: https://pages.nist.gov/SOFA/
Source: https://www.secureidnews.com/news-item/sofa-b-enabling-organizations-to-measure-the-strength-of-biometric-technologies/?tag=biometrics
Strength of Function for Authenticators (SOFA) - Biometrics
Measurement of biometric system strength:
• Provide a level of quantitative assurance.
• Outline a process to support evaluation of
biometric authenticators.
NIST, ISO/IEC, FIDO
SOFA Equation
• Level of Effort
• PAD Error Rate (PADER)
• False Match Rate (FMR)
• False Non-Match Rate (FNMR)
SOFA-B (NIST, April 2017)
Source: https://www.nist.gov/sites/default/files/documents/2016/11/21/sofa_discussiondraftoverview-v1_1.pdf (April 2017)
ZeroInfo case: No masquerade attempt, brute force, no knowledge.
Targeted case: Create a sample that resembles the individual biometric characteristic.
Reference
Source: https://pages.nist.gov/SOFA/
Source: http://www.theverge.com/2016/7/21/12247370/police-fingerprint-3D-printing-unlock-phone-murder (2016)
Presentation attacks
based on:
• Time
• Expertise
• Equipment
Level of Effort
Police 3D-printed a murder
victim's finger to unlock his
phone.
Face ID
Face ID: Demo Failed Twice
Source: https://www.youtube.com/watch?v=unIkqhB2nA0 (September 2017)
Source: http://www.nydailynews.com/news/national/apple-reveals-iphone-x-new-face-id-tech-fails-demo-article-1.3491125 (September 2017)
We all experience demo failures
• Craig Federighi, SVP Software
Engineering
• Face ID failed twice
• Why did Federighi wipe his face
afterward?
• Stock dipped from $163 a share to
$159
• Closed at $161
Face ID: Attention Detection
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
“Attention” feature
Won’t work for everyone
• Blind
• Vision impaired
• Cannot stare directly at phone to communicate intent
In those cases, where a face is recognized, but it can’t see eyes,
just turn off the “attention detection” feature
• Still get Face ID, but at a lower level of overall security
because cannot ensure user’s eyes are directly focused on it
Face ID requires that it be able to see:
• Eyes
• Nose
• Mouth
There are scenarios
where it just won’t work
Face ID: What About Sunglasses?
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
Graphic: http://www.businessinsider.com/apple-suppliers-iphone-x-sales-shipments-2017-9
Graphic: http://electronics.howstuffworks.com/gadgets/high-tech-gadgets/nightvision1.htm
• Polarized lenses are no problem
• Some lenses block infrared (IR) radiation, so Face ID cannot see the eyes through them; the options are:
  o Use the passcode
  o Take off the sunglasses
Face ID: Evil Twin Warning
Source: https://www.youtube.com/watch?v=unIkqhB2nA0
The Future
“Thought Auth”1
EEG biosensor
• MindWave™ headset2: an EEG monitor that measures brainwave signals
• Research presented at the International Conference on Financial Cryptography and Data Security (2013)3
1Source: Clare Nelson, March 2015
2Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
3Source: http://www.technewsworld.com/story/77762.html
Facebook telepathy
When Does Law Enforcement
Demand to Read Your Data
Become a Demand to Read Your
Mind?
Source: https://cacm.acm.org/magazines/2017/9/220420-when-does-law-enforcements-demand-to-read-your-data-become-a-demand-to-read-your-mind/fulltext (September 2017)
– Andrew Conway, Peter Eckersley
Communications of the ACM, September 2017
“That gadget in your hand is not a phone, it is a
prosthetic part of your mind, which happens to make
telephone calls.
• We need to ask which parts of our thoughts should be
categorically shielded against prying by the state.”
Master Key to Unlock Finger Sensors?
Source: https://www.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html?_r=2 (April 2017)
Computer simulations by Nasir Memon, Professor of Computer Science and Engineering, New York University
• Exploited similarities among partial prints
• Created synthetic “MasterPrints”
• Matched prints up to 65% of the time in simulation
Gratitude
We Stand on the Shoulders of Giants
Source: https://alchetron.com/John-Daugman-489257-W
Source: http://www.idiap.ch/~marcel/professional/Welcome.html
Source: https://www.egr.msu.edu/people/profile/jain
Source: http://nislab.no/people/norwegian_information_security_laboratory/professors/christoph_busch
John Daugman
Sébastien Marcel
Anil Jain
Christoph Busch
@Safe_SaaS
clare_nelson@clearmark.biz
Slides posted: https://www.slideshare.net/eralcnoslen
Questions?
Key Points
Key Points Summary
• In Multi-Factor Authentication (MFA), biometrics are a RESTRICTED factor
• Biometric systems have error rates (FAR, FRR); they are probabilistic
• Biometrics are not secrets
• NIST SP 800-63B, Authentication and Lifecycle Management, Allowable Use of Biometrics (new as of June 2017)
  o Biometrics may be used to
    - Unlock multi-factor authenticators
    - Prevent repudiation of enrollment
  o Biometrics SHALL be used only as part of multi-factor authentication with a physical authenticator (something you have)
  o Biometric comparison can be performed on the local device or on a central server
    - NIST: since the potential for attacks on a larger scale is greater at central servers, local device comparison is preferred
  o The biometric system SHOULD implement Presentation Attack Detection (PAD)
  o Testing of the biometric system SHOULD demonstrate at least 90% resistance to presentation attacks
  o PAD is being considered as a mandatory requirement in the future
• SOFA-B measures the strength of a biometric recognition system
• ISO/IEC 30107 Presentation Attack Detection (PAD) guidelines
  o Part 4 coming: Biometric presentation attack detection – Profile for evaluation of mobile devices
• United States biometric privacy laws vary by state; so far only IL and TX have them, with more coming
  o They require written consent from consumers
• GDPR
  o Prohibits processing of biometrics
  o Many exceptions: the consumer gives consent, is an employee, or the processing is done for reasons of substantial public interest
• Mobile biometrics consumer market growth: 41% CAGR 2016-2022, reaching $50B in 2022
• Future solutions, for some use cases:
  o Combine multimodal and behavioral biometrics with machine learning (if applicable, use continuous authentication)
  o Machine learning offers the potential to authenticate users based on multiple assessments, including
    - Behavior
    - Appearance
    - Voice
    - Speed at which they type
  o Verify the device: the same device as before, and not compromised (pwned)
  o A user's device can constantly calculate a trust score that the user is who they claim to be
Reference
Source: http://www.idtp.com/identity/
Terms
Biometric data processing
: biometric system data processing including capture, quality assessment, presentation attack (spoof) detection, feature extraction, database enrollment, fusion, matching, and
decision processes
Biometric sensors and hardware
: variation and types of biometric sensors and technology (e.g. capacitive, thermal, optical, infrared, multi-spectrum) required to capture high-quality samples for various modalities
and applications
Biometric system integration
: the hardware and software interfacing necessary to produce a functioning biometric system optimized for a specific application, including proper utilization of biometric software
development kits
Biometric system performance
: system performance and metrics including Equal Error Rate (EER), False Accept Rate (FAR), False Reject Rate (FRR), False Match Rate (FMR), False Non-Match Rate (FNMR), detection
error tradeoff (DET) and receiver operating characteristic (ROC) curves, Genuine and Impostor score histograms, and considerations for threshold optimization for population,
operating environment, and application requirements
Biometric standards
: NIST, ISO, FIDO standards
Enrollment and capture processes
: considerations for enrollment and live capture processes and errors such as failure to acquire (FTA) and failure to enroll (FTE)
Sample quality
: biometric sample quality has a direct measurable impact on the performance of the system; proper quality assessment algorithms and thresholds ensure the integrity of enrolled
biometric templates
Spoofing and presentation attack detection
: recognizing and preventing attempts to use manufactured or fake biometric samples (also known as liveness detection)
Verification and Identification
: verification processes require a one-to-one comparison between biometric samples to make a matching decision, while identification processes require one-to-many matching,
where a sample (probe) is compared to a database (gallery) to obtain a ranked candidate list
Physiological and behavioral modalities
: biometric traits (e.g., fingerprint, face, iris, voice, vascular, DNA) and their characteristics of universality, uniqueness, permanence, measurability, performance, acceptability, and
circumvention
Soft biometrics
: height, weight, skin color, scars, marks, tattoos
Multimodal biometrics
: combining (or fusing) biometric traits to improve decision accuracy, hinder spoofing, and account for unavailability of biometric traits
References
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
• IDC Technology Spotlight, sponsored by SecureAuth; Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
• Six Technologies That Are Taking On the Password, UN/HACKABLE, Medium
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-
abbie-barbir.html (2014)
• Nelson, Clare; Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-
15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
• Pagliery, Jose; OPM’s hack’s unprecedented haul: 1.1 million fingerprints: http://money.cnn.com/2015/07/10/technology/opm-hack-
fingerprints/index.html (July 2015)
• Bonneau, Joseph, et al, Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• White, Conor (CTO, Daon); Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Gioria, Sébastien; OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
References, 1 of 2
• Steves, Michelle, et al, NISTIR, Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
• Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-
fingerprints/?mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhokz2EFye%2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhX
lDQ%3D%3D (September 2015)
• Perrot, Didier; There’s No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)
• Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/.
• AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/.
• Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems,
https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-Whitepaper-
v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite]
• Jankovich, Thomas; “Blockchain Makes Digital ID a Reality,” https://finxtech.com/2016/12/02/blockchain-makes-digital-id-reality/ (December 2016)
• Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age,
http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013).
• MyData Identity Network based on User Managed Access (UMA),
https://docs.google.com/presentation/d/1j3aX8AQGdVtigF1WZouL8WccmYQzZQQje3wuaC2Zb1I/edit#slide=id.g1386e8a6aa_2_914
• Kung, S.Y.; Mak, M.W.; Lin, S.H.; Biometric Authentication: A Machine Learning Approach, Prentice Hall (2005).
• mikeh, Machine Learning and Biometrics, Neya Systems blog, http://neyasystems.com/machine-learning-biometrics/ (March 23, 2013).
References, 2 of 2
Backup Slides
Artificial Dog Nose
It smells you once, and knows you forever.
Matt Staymates, a mechanical engineer at NIST, and colleagues:
• A schlieren imaging system visualizes the flow of vapors into an explosives detection device fitted with an artificial dog nose that mimics the "active sniffing" of a dog.
• The artificial dog nose was developed by Staymates and colleagues at NIST, MIT Lincoln Laboratory, and the FDA.
• It improves trace chemical detection as much as 16-fold.
Source: http://phys.org/news/2016-12-scientists-artificial-dog-nose-mimics.html
Photo: http://dogs.petbreeds.com/l/95/Labrador-Retriever
Presentation Attack Detection (PAD)
Source: https://www.iso.org/standard/53227.html
Types of Detection
Source: https://www.nist.gov/sites/default/files/documents/2016/11/30/401_newton.pdf
Vendor ID, Algorithm ID, and Sensor ID
Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:2382:-37:ed-2:v1:en (2017)
Spoofing, Biometric Presentation Attack
Biometric Presentation Attack
Presentation to the biometric capture system with the
goal of interfering with the operation of the biometric
system.
Source: http://livdet.org/index.php
Presentation Attack Detection, Liveness Detection Competition (LivDet)
Hosts include Notre Dame University, West Virginia University, and Warsaw University of Technology
Held as part of the International Joint Conference on Biometrics (IJCB) 2017
The competition has two sub-competitions:
• Part I: Software-based
• Part II: System-based test
IARPA Face Recognition Algorithm Contest
Source: https://www.challenge.gov/challenge/face-recognition-prize-challenge/ (April 2017)
Looking for advancements in face recognition accuracy
Face identification and face verification
• 1-to-1 comparison (verification)
• 1-to-many comparison (identification)
• “Face recognition is hard.”
• Algorithms commit false negative and false positive errors
  o Sources of error: head pose, illumination, and facial expression
Face Recognition Algorithm Evaluation
Source: https://www.nist.gov/programs-projects/face-recognition-vendor-test-frvt-ongoing
Source: http://www.planetbiometrics.com/article-details/i/5406/desc/nist-to-hold-new-round-of-face-recognition-algorithm-evaluation/
• Part of the Face Recognition Vendor Test (FRVT)
• Includes verification of:
  o Visa images
  o De-duplication of passports
  o Recognition across photojournalism images
  o Identification of child exploitation victims
• Results will be posted to the NIST website
November 2016 NIST Algorithm Test Results, Finger
Source: https://www.innovatrics.com/awards/pft/
Assesses the core algorithmic capability to perform one-to-one verification
• FMR = False Match Rate
• FNMR = False Non-Match Rate
• POEBVA = Point of Entry BVA (data used for compliance testing)
  o BVA = German Federal Office of Administration (Bundesverwaltungsamt)
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Presentation Attack Detection (PAD), Techniques
• Liveness detection: facial thermogram, blood pressure, fingerprint sweat, specific reflection properties of the eye, pulse, perspiration, pupillary unrest (hippus), brain wave signals (EEG), or electric heart signals.
• Channel protection: protect the system against the injection of reconstructed or synthetic samples into the communication channel between the sensor and the feature extractor.
• Fusion strategies to increase resistance: multimodal (use more than one biometric), or combine a unimodal system with an anti-spoofing technique. The score then reflects more than one input, unknown to the attacker.
Quantum Biometrics (April 2017)
Human Eye Can Detect a Single Photon
Identify individuals by the way their eyes
detect photons.
• Beam a random pattern of flashes into
the eye.
• Vary the intensity of light in each flash.
It is detected as a recognizable pattern by a
person with a specific alpha map but seems
random to anyone else.
Source: https://www.technologyreview.com/s/604266/quantum-biometrics-exploits-the-human-eyes-ability-to-detect-single-photons/?utm_campaign=add_this&utm_source=twitter&utm_medium=post
Fusion Strategies: Example of Face and Finger
Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
Source: http://www.iphonehacks.com/2017/01/synaptics-launches-multi-factor-facial-fingerprint-recognition-engine-smartphones-tablets.html
Better accuracy
• Bimodal biometric system using face and fingerprint
• Salient features of the face and fingerprint were extracted and fused (combined)
Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
Existing and Emerging Methods and Standards, Increased Synergy
Determine How Well Biometric Recognition Solutions Work
• Measure strength with NIST SOFA-B
  o NIST is creating synergy with ISO/IEC and FIDO
• Test face or finger recognition algorithms with NIST
• In future, FIDO certification for biometrics
• ISO/IEC standards for PAD, including for mobile
• PAD algorithms
• Increased understanding of FAR, FRR, EER
• Accredited, third-party testing of all or part of the biometric recognition system
  o iBeta
• Usability research and testing
• Contests, e.g., LivDet, IARPA
• If biometrics are stored only on the device, provide a free version to test accuracy and usability; otherwise it is difficult to get feedback
• Research institutes, e.g., Idiap Research Institute in Switzerland
Presentation Attack Detection (PAD) Algorithms
Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
Behavioral Biometrics
Source: http://www.behaviosec.com
• Requires JavaScript
• Learning curve
• Privacy impact from constant monitoring
• Behavior varies, e.g.:
  o Injury to hand
  o Intoxication
Types of Spoofing
Source: https://www.iso.org/standard/53227.html
Spoofing
The ability to fool a biometric system into recognizing an illegitimate user as a genuine one by means of presenting a synthetic or forged version of the original biometric trait to the sensor.
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Source: https://www.slideshare.net/SBAResearch/31c3-in20min
Spoofing
Source: https://www.linkedin.com/pulse/biometric-spoofing-nadh-thota
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Types of fake fingerprints (figure)
Fake eye images, contact lenses, etc. enable attackers to fake an iris sample (figure: real versus fake)
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.computer.org/csdl/trans/tp/2006/01/i0031.html
Face Spoofing
Matching 2.5D Face Scans to 3D Models
iPhone X, Face ID
Source: https://venturebeat.com/2017/09/12/iphone-x-ditches-touch-id-for-face-id/
Source: http://bgr.com/2017/09/12/iphone-x-price-specs-features/
Source: https://www.slideshare.net/centralohioissa/jamie-bowser-a-touchid-of-ios-security
Touch ID Architecture, Release 3
With iOS 9, third-party apps could use the Local Authentication security framework
Diagram components: Touch ID sensor, fingerprint map, Local Authentication security framework, Secure Enclave, 3rd-party applications, Apple applications
Vocabulary, 2017 ISO/IEC 2382-37
Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-Paper-Understanding-Biometric-Performance-Evaluation.pdf
Source/Domain         | False accept term      | False reject term
Biometrics textbooks  | FAR (Type II error)    | FRR (Type I error)
ISO/IEC               | More detailed          | More detailed
NIST                  | FMR                    | FNMR
Risk                  | False positive         | False negative, false reject, insult rate
Equal Error Rate (EER), also known as Crossover Error Rate (CER)
Reference
When Is the Passcode Required? (Touch ID)
Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf (March 2017)
1. The device has just been turned on or restarted
2. The device hasn't been unlocked for more than 48 hours
3. The device has received a remote lock command
4. After 5 unsuccessful attempts to match a fingerprint
5. When setting up or enrolling new fingers with Touch ID
6. The passcode hasn't been used to unlock the device in the last 156 hours (6.5 days) and Touch ID has not unlocked the device in the last 4 hours
(figure: timeline showing the 156-hour passcode window and the 4-hour Touch ID window)
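The six conditions above form a fallback policy whose interplay, condition 6 in particular, is easier to see in code. The following is an added example that encodes the policy exactly as listed on the slide; it is not Apple's code, and the device state fields, the timestamps and the event model are assumptions made for the example.

```python
"""When does an iOS device demand the passcode instead of Touch ID?

Added example encoding the six conditions from Apple's iOS Security Guide
(March 2017). Not Apple's code: the state fields and event model are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional

HOUR = 3600.0


@dataclass
class DeviceState:
    now: float                                      # current time, seconds
    booted_at: float                                # last power-on or restart
    last_unlock_at: Optional[float] = None          # most recent unlock by any method
    last_passcode_unlock_at: Optional[float] = None
    last_touchid_unlock_at: Optional[float] = None
    failed_touchid_attempts: int = 0                # consecutive failed fingerprint matches
    remote_lock_received: bool = False
    enrolling_finger: bool = False


def _idle_for(now, when, hours):
    """True when the event never happened (None) or happened more than `hours` ago."""
    return when is None or now - when > hours * HOUR


def passcode_required(s: DeviceState) -> List[int]:
    """Return the numbers (1-6, as on the slide) of every condition that forces the passcode."""
    reasons = []
    if s.last_unlock_at is None or s.last_unlock_at < s.booted_at:
        reasons.append(1)   # no unlock at all since power-on / restart
    if s.last_unlock_at is not None and _idle_for(s.now, s.last_unlock_at, 48):
        reasons.append(2)   # not unlocked for more than 48 hours
    if s.remote_lock_received:
        reasons.append(3)
    if s.failed_touchid_attempts >= 5:
        reasons.append(4)
    if s.enrolling_finger:
        reasons.append(5)
    # Condition 6 is a conjunction: the passcode may go unused for more than
    # 156 h as long as Touch ID keeps unlocking the device at least every 4 h.
    if _idle_for(s.now, s.last_passcode_unlock_at, 156) and _idle_for(s.now, s.last_touchid_unlock_at, 4):
        reasons.append(6)
    return reasons


def touch_id_allowed(s: DeviceState) -> bool:
    """Touch ID may unlock the device only when no condition forces the passcode."""
    return not passcode_required(s)


if __name__ == "__main__":
    now = 1_000_000.0
    # Passcode last typed a week ago, but Touch ID used two hours ago: still allowed.
    active = DeviceState(now=now, booted_at=now - 240 * HOUR, last_unlock_at=now - 2 * HOUR,
                         last_passcode_unlock_at=now - 168 * HOUR, last_touchid_unlock_at=now - 2 * HOUR)
    print("active device:", passcode_required(active))
    # Same device left alone for five hours: condition 6 now fires.
    active.last_unlock_at = active.last_touchid_unlock_at = now - 5 * HOUR
    print("after 5 h idle:", passcode_required(active))
```

The point the slide's timeline makes is the asymmetry in condition 6: a phone that is unlocked with Touch ID every few hours can go for weeks without the passcode, which is why the other five conditions, and especially the 48-hour and five-failure limits, are what actually bound how long a stolen, still-unlocked device keeps accepting a fingerprint.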
Face Recognition, GDPR Privacy Concerns
Source: https://www.facebook.com/jterstegge/posts/1857555150924472
Source: https://www.facebook.com/TheEconomist/videos/10155826328554060/?hc_ref=ARShy0cXkxwBhuFfrsnXCc9Usugj0-XSVLv7sVcTsDVF6PlWhH_tD99BTsYW50qoMmA&pnref=story
Face recognition in CCTV
Example of the link between:
• Privacy (the right to be let alone)
AND
• Data protection (the right not to have data collected and used in ways that impact people's rights and freedoms)
This technology, especially its pervasiveness, is very very worrying.....
GDPR has put biometrics in the 'special data' category
• It is prohibited to process face recognition data, except for some very limited purposes
Serious flaw in Article 9(2)(g) GDPR
• Allows governments to use this technology "for reasons of substantial public interest" and "subject to suitable safeguards to protect people's rights and freedoms"
Reference
– Jeroen Terstegge CIPP E-US, Partner at Privacy Management Partners, Utrecht Area, Netherlands
Face ID False Acceptance Rate (FAR)
Source: https://arstechnica.com/gadgets/2017/09/face-id-on-the-iphone-x-is-probably-going-to-suck/ (September 2017)
Apple claims a Face ID false acceptance rate (FAR) of 1 in 1,000,000
• Verified by third-party, independent testing?
• Touch ID FAR is 1 in 50,000
• Projecting 30,000 dots on a face does not by itself make it more accurate; it still has all the problems every other face recognition system has
• Neural networks, neural engine
Other issues include awkward ergonomics and the time to perform a successful face capture and comparison
• How to hold the phone
• Get out of bright sunlight?
• Take off sunglasses?
• How many retries before Failure to Acquire (FTA)?
Many people may simply use their passcode
Surgeons and people who wear a garment that covers their face (e.g., women in some Muslim countries are required to wear a niqab in public) will need to use the passcode instead
What is the FRR for iPhone X?
Minnesota Senator Raises Concerns over iPhone X, Face ID
Source: http://money.cnn.com/2017/09/14/technology/al-franken-iphone-x-face-id/index.html (September 2017)
Published letter: https://www.franken.senate.gov/?p=press_release&id=3759
Security and privacy concerns with iPhone X, Face ID
Iris versus Face
Iris is more accurate than face
Source: https://www.youtube.com/watch?v=KyDoFrojEYk&list=PLrUBqh62arzt_Uf_UamHtRFDYl1tpRVCK
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Are You Confused? Reference
Source: https://twitter.com/G_ant (September 2017)
Which biometrics are static, which are dynamic?
Face ID Training
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
Apple trained Face ID on more than a billion images of faces, gathered globally with permission
• Apple maintains this database
“We do not gather customer data when you enroll in Face ID, it stays on your device, we do not send it to the cloud for training data”
There is an adaptive feature of Face ID that allows it to continue to recognize your changing face as you change hair styles, grow a beard, or have plastic surgery.
• This adaptation is done completely on device by applying re-training and deep learning in the redesigned Secure Enclave.
• None of that training or re-training is done in Apple's cloud.
• Apple has stated that it will not give access to that data to anyone, for any price.
When you enroll, the data is immediately stored in the Secure Enclave as a mathematical model that cannot be reverse-engineered back into a “model of a face.”
• Any re-training also happens there.
• It's on your device, in your Secure Enclave, period.
Secure Enclave, updated with Secure Enclave Processor
Truly no reverse engineering?
- Anonymization?
Reference
Source: https://www.secureidnews.com/news-item/five-states-considering-bills-to-restrict-biometrics-use/ (February 2017)
“Entities may have to consider
changes to their notice and
consent practices, or decide to
not collect or store biometric
data at all.”
– Jeffrey Neuburger
National Law Review
Source: http://www.americanbar.org/publications/blt/2016/05/08_claypoole.html
CISO Concerns: Consent, Retention, Disposal
Maze of sectoral laws, state laws, pending cases, and recommendations
• Patchwork of privacy laws and rules governing the use and collection of biometric data
• Practitioners, technology developers, and privacy-conscious individuals should watch this rapidly developing legal landscape
• Companies employing technologies using biometric identifiers may want to err on the side of caution and ensure that their notification and consent processes are clear and conspicuous
• For cautious businesses, employ an opt-in structure for your technologies using biometric identifiers
• Look hard at your retention policies and look harder at your disposal practices
Homomorphic Encryption
VTT Technical Research Centre, Finland
• Biometric recognition for MFA
• Risk that a person's biometric identifiers
leak out of the database
• Protect biological or behavioral biometric
data
• Uses homomorphic encryption
Source: http://www.vttresearch.com/media/news/vtts-encryption-method-takes-authentication-to-a-new-level
Face ID: Enroll, Can You Read Instructions without Glasses?
Source: http://www.idownloadblog.com/2017/09/15/face-id-overview/ (September 2017)
• Settings > Face ID & Passcode > Enroll Face > Get Started
• Follow the onscreen instructions (can you read them without glasses?)
• Gently move your head while looking at the screen to complete the circle
Face ID, Initial Use Cases
Source: http://www.idownloadblog.com/2017/09/15/face-id-overview/ (September 2017)
• iPhone unlock—Unlock your phone with a glance
• Auto-Lock—Keep the screen lit when reading
• iTunes and App Store—Approve app and media purchases
• Apple Pay—Check out with just a glance
• Safari Autofill—Unlock saved Safari passwords for use on
websites and in apps
• Animoji—Animate emoji using your voice and facial
expressions
• Messages—Reveal messages when looking at the Lock
screen
• Notifications—Display protected notifications on the Lock
screen
• Alarms/ringers—Lower the alarm/ringer volume with a
glance
Fingerprint Readers Eclipsed 1 Billion, Is Face the Next Wave?
Source: https://www2.deloitte.com/nl/nl/pages/technologie-media-telecom/articles/tmt-predictions-2017.html
Lack of Common Vocabulary
Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-Paper-Understanding-Biometric-Performance-Evaluation.pdf
Graphic: https://www.britannica.com/topic/Tower-of-Babel
Source/Domain         | False accept term      | False reject term
Biometrics textbooks  | FAR (Type II error)    | FRR (Type I error)
NIST                  | FMR                    | FNMR
ISO/IEC               | More detailed          | More detailed
Risk                  | False positive         | False negative, false reject, insult rate
Equal Error Rate (EER), also known as Crossover Error Rate (CER)
Vocabulary updates: 2017 ISO/IEC 2382-37
Issues with Biometrics
Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
Even when organizations do not actively attempt to abuse personal data, it is difficult to ensure its privacy, as illustrated by some well-publicized breaches
• OPM breach: 5.6M fingerprints
Biometrics are often used in situations where there is a significant asymmetry of power
• Employers monitoring employees
• Governments monitoring those entering and leaving the country
Consent to process biometrics is not freely given where there is an asymmetry of power
Issues with Biometrics
Source: https://www.slideshare.net/eralcnoslen/who-will-win-the-biometrics-race-v10
• Not revocable: it is easy to reset a password, not easy to reset a fingerprint
• In MFA, biometrics are a restricted factor
• No two biometric scans are the same; each one is unique (Ratha 2001)
  o If there is a perfect match, then you know something is wrong: an impostor or a malfunction
• Algorithms commit false negative and false positive errors
  o Head pose, illumination, and facial expression
• Privacy issues
  o Religious head covering: need a private place for face recognition
  o GDPR: biometrics are sensitive personal data; consent must be tied to a specific purpose and must be as easy to withdraw as to give
  o Consent must be freely given
  o State biometric privacy laws in IL (Biometric Information Privacy Act, BIPA) and TX
    - Vary by state; need written consent, documented purpose, and retention limits
• Anti-spoofing technology still evolving
• Targeted attacks and mass attacks on the horizon (Dr. Memon)
General Data Protection Regulation (GDPR) and Second Payment Services Directive (PSD2)
Source: https://www2.deloitte.com/lu/en/pages/banking-and-securities/articles/psd2-rts-on-authentication-and-communication.html
Timeline
• GDPR: May 2018
• PSD2 includes specific requirements for biometric recognition for multi-factor authentication, or what it terms “Strong Customer Authentication (SCA)”
  o SCA not in force until 2019
  o Still in the revision process; final document not published
  o Many drafts published, which indicate possible guidelines
EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/9.htm
Source: http://www.duhaime.org/LegalDictionary/L/Legalese.aspx
If You Collect Consent to Process Biometrics
• Clear, plain language (no legalese)
• Freely given
• As easy to withdraw as to give
Does the GDPR Apply to US-Based Entities?
Source: https://www.whitecase.com/publications/article/chapter-4-territorial-application-unlocking-eu-general-data-protection
An organization based outside the EU is subject to the GDPR if it
• Offers goods or services to EU data subjects
• Monitors the behavior of EU data subjects
The GDPR protects data subjects who are in the EU/EEA, regardless of citizenship, so a US-based entity that processes their data can be in scope
• EEA = EU + Norway, Iceland, Liechtenstein
• Brexit in future
Second Payment
Services Directive
(PSD2)
EU PSD2 Requirements for Biometric Recognition for Authentication
Date: 23 February 2017
Source: https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
Source: http://nordicapis.com/psd2-sanctions-access-to-personal-banking-data-amplifying-fintech-growth/
• Low False Acceptance Rate (FAR)
• Anti-spoofing measures
(figure: convenience versus security)
EU PSD2 Requirements for Biometric Recognition for Authentication
Date: 23 February 2017
Source: https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
Source: http://nordicapis.com/psd2-sanctions-access-to-personal-banking-data-amplifying-fintech-growth/
• Independence of factors in multi-factor authentication
  o The breach of one of the factors does not compromise the reliability of the other factors
• Use of separated secure execution environments
(figure: the three factor types: know, have, are)
Contactless Biometric Recognition, Healthcare
Source: http://healthcare.fai.fujitsu.com/resource/essentials-to-achieve-optimal-clinical-workflow.pdf
Source: http://www.amfastech.com/2013/03/a-seminar-on-palm-vein-technology.html
Solution
• Palm vein: capture the palm vein pattern with near-infrared rays
• Works with clinician and surgeon gloves
• Fujitsu data sheet:
  o FAR (false accept rate) = 0.00001%
  o FRR (false reject rate) = 1.0%
Source: https://www.semanticscholar.org/paper/Face-Spoof-Detection-With-Image-Distortion-Wen-Han/cdac436dcebe8b2c90a8de5479bd3bbd8d9a087f
Presentation Attack Detection (PAD), Genuine or Spoof? Reference
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
NIST Update on Allowable Use of Biometrics
SP 800-63B, Authentication and Lifecycle Management
For a variety of reasons, this document supports only limited use of biometrics
for authentication. These reasons include:
• The biometric False Match Rate (FMR) does not provide confidence in the
authentication of the subscriber by itself.
• In addition, FMR does not account for spoofing attacks.
• Biometric comparison is probabilistic, whereas the other authentication factors
are deterministic.
• Biometric template protection schemes provide a method for revoking biometric
credentials that is comparable to other authentication factors (e.g., PKI
certificates and passwords). However, the availability of such solutions is limited,
and standards for testing these methods are under development.
• Biometric characteristics do not constitute secrets.
• They can be obtained online or by taking a picture of someone with a
camera phone (e.g., facial images) with or without their knowledge, lifted
from objects someone touches (e.g., latent fingerprints), or captured with
high resolution images (e.g., iris patterns).
• While presentation attack detection (PAD) technologies (e.g., liveness
detection) can mitigate the risk of these types of attacks, additional trust in
the sensor or biometric processing is required to ensure that PAD is
operating in accordance with the needs of the CSP and the subscriber.
Therefore, the limited use of biometrics for authentication is supported
with the following requirements and guidelines:
• Biometrics SHALL be used only as part of multi-factor
authentication with a physical authenticator (something you have).
• The biometric system SHALL operate with an FMR [ISO/IEC 2382-
37] of 1 in 1000 or better.
• This FMR SHALL be achieved under conditions of a
conformant attack (i.e., zero-effort impostor attempt) as
defined in [ISO/IEC 30107-1].
• The biometric system SHOULD implement PAD.
• Testing of the biometric system to be deployed SHOULD
demonstrate at least 90% resistance to presentation attacks
for each relevant attack type (i.e., species), where resistance
is defined as the number of thwarted presentation attacks
divided by the number of trial presentation attacks.
• Testing of presentation attack resistance SHALL be in
accordance with Clause 12 of [ISO/IEC 30107-3].
• The PAD decision MAY be made either locally on the
claimant’s device or by a central verifier.
PAD = Presentation Attack Detection
PAD is being considered as a mandatory requirement in future
editions of this guideline.
5.2.3. Use of Biometrics
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Source: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=52946
NIST Update on Allowable Use of Biometrics
SP 800-63B, Authentication and Lifecycle Management
ISO/IEC 24745 = Information technology – Security
techniques – Biometric information protection
The biometric system SHALL allow no more than 5 consecutive failed
authentication attempts or 10 consecutive failed attempts if PAD meeting
the above requirements is implemented. Once that limit has been reached,
the biometric authenticator SHALL either:
• Impose a delay of at least 30 seconds before the next attempt,
increasing exponentially with each successive attempt (e.g., 1 minute
before the following failed attempt, 2 minutes before the second
following attempt), or
• Disable the biometric user authentication and offer another factor (e.g.,
a different biometric modality or a PIN/Passcode if it is not already a
required factor) if such an alternative method is already available.
The verifier SHALL make a determination of sensor and endpoint
performance, integrity, and authenticity. Acceptable methods for making
this determination include, but are not limited to:
• Authentication of the sensor or endpoint.
• Certification by an approved accreditation authority.
• Runtime interrogation of signed metadata (e.g., attestation) as
described in Section 5.2.4.
5.2.3. Use of Biometrics
Biometric comparison can be performed locally on claimant’s device or
at a central verifier.
• Since the potential for attacks on a larger scale is greater at central
verifiers, local comparison is preferred.
If comparison is performed centrally:
• Use of the biometric as an authentication factor SHALL be limited to
one or more specific devices that are identified using approved
cryptography.
• Since the biometric has not yet unlocked the main authentication
key, a separate key SHALL be used for identifying the device.
Biometric revocation, referred to as biometric template protection
in ISO/IEC 24745, SHALL be implemented.
All transmission of biometrics SHALL be over the authenticated
protected channel.
Biometric samples collected in the authentication process MAY be used
to train comparison algorithms or — with user consent — for other
research purposes.
• Biometric samples and any biometric data derived from the
biometric sample such as a probe produced through signal
processing SHALL be zeroized immediately after any training or
research data has been derived.
Reference
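The lockout rule quoted above is mechanical enough to implement directly, and it is the part of 5.2.3 most often got wrong in practice (counters that reset on app restart, fixed rather than growing delays). The following Python class is an added example, not code from the presentation or from NIST. The limits (5 failures, or 10 when PAD is implemented), the 30-second starting delay and its doubling, and the alternative of disabling the biometric in favour of another factor are taken from the SP 800-63B text; the class and method names and the injected clock value are this example's own.

```python
"""SP 800-63B section 5.2.3 lockout rule for a biometric authenticator.

Added example, not code from the presentation or from NIST. The limits (5 failures,
10 with PAD), the 30 s starting delay and its doubling, and the option of disabling
the biometric in favour of another factor are from the NIST text; names are ours.
"""
from dataclasses import dataclass


@dataclass
class BiometricLockout:
    pad_implemented: bool              # PAD meeting the 800-63B requirements present?
    fallback_available: bool = False   # another factor (PIN, other modality) on the device?
    base_delay_s: int = 30             # "at least 30 seconds" before the next attempt
    consecutive_failures: int = 0
    over_limit_failures: int = 0       # failures at or beyond the limit; drives the doubling
    delay_until: float = 0.0           # clock value before which attempts are refused
    disabled: bool = False

    @property
    def limit(self) -> int:
        """5 consecutive failed attempts, or 10 when PAD is implemented."""
        return 10 if self.pad_implemented else 5

    def attempt_allowed(self, now: float) -> bool:
        return not self.disabled and now >= self.delay_until

    def record_result(self, matched: bool, now: float) -> str:
        """Record one comparison outcome at time `now`; return the authenticator's action."""
        if not self.attempt_allowed(now):
            raise RuntimeError("attempt during lockout; call attempt_allowed() first")
        if matched:
            self.consecutive_failures = self.over_limit_failures = 0
            self.delay_until = 0.0
            return "accept"
        self.consecutive_failures += 1
        if self.consecutive_failures < self.limit:
            return "retry"
        if self.fallback_available:
            # Option 2: disable biometric authentication and offer another factor.
            self.disabled = True
            return "disabled_use_other_factor"
        # Option 1: exponential delay, 30 s, then 60 s, 120 s, ... per further failure.
        delay = self.base_delay_s * 2 ** self.over_limit_failures
        self.over_limit_failures += 1
        self.delay_until = now + delay
        return f"delay_{delay}s"


if __name__ == "__main__":
    lock = BiometricLockout(pad_implemented=False)
    clock = 0.0
    for _ in range(7):                       # seven straight failures
        while not lock.attempt_allowed(clock):
            clock += 1.0                     # wait out the imposed delay
        print(f"t={clock:>5.0f}s  {lock.record_result(False, clock)}")
```

The counter lives in the authenticator's own state, which on a real device should be inside the secure element or TEE alongside the template, so that an attacker with control of the host OS cannot reset it between guesses.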
Clare Nelson, @Safe_SaaS
Face ID: What About Doppelgängers?
Graphics: https://www.linkedin.com/feed/update/urn:li:activity:6309838132355432448/
Graphics: http://www.thedailybeast.com/these-people-are-strangers-doppelgangers-around-the-world-photos
Clare Nelson, @Safe_SaaS
Issues with Biometrics
Facial recognition is prone to problems with lighting
conditions
• Vendor evaluation
• Face recognition did not work in outdoor
Austin sunshine, or in an office, standing
near window
• Vendor response: “Go inside”
Voice recognition is prone to environmental background
noise
• Unnamed financial services market leader
• User experience
• In car, with some background noise
• Call, and use voice: “At Unnamed, my voice
is my password”
• Failed after multiple attempts, due to
background noise
• Works at home, in quiet office
Graphic: http://www.securitysales.com/tag/biometrics/
Fingerprint recognition is prone to moisture, dirty reader
• At unnamed employer
• Use fingerprint reader
• Touch with a registered finger
• Fails if finger is slightly damp, or reader is dirty
• Guard recommended: ridge builder (liquid with no
ingredients listed, nor provided by manufacturer)
Reference
Clare Nelson, @Safe_SaaS
Spoofing is Still Too Easy
Face Unlock
• Spoofed
• 2011 Galaxy Nexus
• 2017 Samsung S8
Source: http://www.dailystar.co.uk/tech/news/601633/Samsung-Galaxy-S8-face-recognition-privacy-security-warning
Source: http://www.androidpolice.com/2011/11/16/still-not-convinced-that-face-unlock-is-easily-fooled-by-a-photo-heres-another-video-showing-face-programming-and-photo-unlocking-from-start-to-end/
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments
Emerging standard method for measuring strength, or comparing solutions.
Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
(d) No private entity in possession of a biometric identifier or biometric
information may disclose, redisclose, or otherwise disseminate a person's or a
customer's biometric identifier or biometric information unless:
(1) the subject of the biometric identifier or biometric information or the
subject's legally authorized representative consents to the disclosure or
redisclosure;
(2) the disclosure or redisclosure completes a financial transaction
requested or authorized by the subject of the biometric identifier or the
biometric information or the subject's legally authorized representative;
(3) the disclosure or redisclosure is required by State or federal law or
municipal ordinance; or
(4) the disclosure is required pursuant to a valid warrant or subpoena
issued by a court of competent jurisdiction.
(e) A private entity in possession of a biometric identifier or biometric
information shall:
(1) store, transmit, and protect from disclosure all biometric identifiers
and biometric information using the reasonable standard of care within
the private entity's industry; and
(2) store, transmit, and protect from disclosure all biometric identifiers
and biometric information in a manner that is the same as or more
protective than the manner in which the private entity stores, transmits,
and protects other confidential and sensitive information.
Illinois Biometrics Information Privacy Act (BIPA)
Sec. 15. Retention; collection; disclosure; destruction.
(a) A private entity in possession of biometric identifiers or biometric information must
develop a written policy, made available to the public, establishing a retention schedule and
guidelines for permanently destroying biometric identifiers and biometric information when
the initial purpose for collecting or obtaining such identifiers or information has been
satisfied or within 3 years of the individual's last interaction with the private entity,
whichever occurs first.
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise
obtain a person's or a customer's biometric identifier or biometric information, unless it first:
(1) informs the subject or the subject's legally authorized representative in writing
that a biometric identifier or biometric information is being collected or stored;
(2) informs the subject or the subject's legally authorized representative in writing of
the specific purpose and length of term for which a biometric identifier or biometric
information is being collected, stored, and used; and
(3) receives a written release executed by the subject of the biometric identifier or
biometric information or the subject's legally authorized representative.
(c) No private entity in possession of a biometric identifier or biometric information may sell,
lease, trade, or otherwise profit from a person's or a customer's biometric identifier or
biometric information.
Reference
Policy, retention, destruction, notification, written consent, disclosure, secure storage, secure transmission
Minnesota Supreme Court: Case about Unlocking Mobile Phone
Diamond ordered to “provide a fingerprint or thumbprint”
Diamond asked officers, “Which finger do you want?”
Diamond argued that the government violated his Fifth Amendment rights
• Made him select which finger to use
• This requirement compelled a testimonial communication
Source: http://www.twincities.com/2017/09/12/can-you-be-ordered-to-unlock-your-cell-phone-mn-supreme-court-tackles-issue/amp/ (September 2017)
Source: http://www.independent.co.uk/news/business/analysis-and-features/kfc-store-china-facial-recognition-pay-customers-fast-food-a7923876.html
China KFC, Pay with Smile
Hangzhou Concept Store
• Customers use “Smile to
Pay” facial recognition
Clare Nelson, @Safe_SaaS
iPhone X
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
Clare Nelson, @Safe_SaaS
Issues with Biometrics: Not Safe for Payments
Samsung Galaxy S8: Contrary to Earlier
Reports:
Users cannot use facial recognition to
authenticate payments
• Camera and deep learning technology
still evolving for facial recognition
• Iris and fingerprint are more secure
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April 2017)
Source: http://www.economist.com/blogs/economist-explains/2015/06/economist-explains-12
Clare Nelson, @Safe_SaaS
Issues with Biometrics
Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
Graphic: https://www.schneier.com/blog/archives/2017/09/iso_rejects_nsa.html
Doubt over whether organizations
can be trusted to follow regulations
• Obtain user consent before
processing biometrics
• Secure and protect biometrics
“The ISO has decided not to approve two NSA-designed block
encryption algorithms: Speck and Simon.
• It's because the NSA is not trusted to put security ahead of
surveillance.”
(September 21, 2017)
Source: http://www.privacy-regulation.eu/en/4.htm
Source: https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf
EU General Data Protection Regulation (GDPR)
Article 4, Definitions
Personal data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
Reference
EU General Data Protection Regulation (GDPR)
Article 7, Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. [Note: provability]
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. [Note: clear, plain language]
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. [Note: right to withdraw consent, easy to withdraw]
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. [Note: freely given]
Source: http://www.privacy-regulation.eu/en/9.htm
Reference
EU General Data Protection Regulation (GDPR)
Article 9, Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. [Note: prohibited]
2. Paragraph 1 shall not apply if one of the following applies: [Note: exceptions]
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; [Note: consent]
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; [Note: employment]
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; [Note: unable to give consent]
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; [Note: foundation or non-profit]
(e) processing relates to personal data which are manifestly made public by the data subject; [Note: personal data is public]
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; [Note: legal defence]
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; [Note: public interest]
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; [Note: preventive medicine]
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; [Note: public health interest]
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. [Note: archiving, scientific or historical research]
Source: http://www.privacy-regulation.eu/en/9.htm
Reference
Source: http://www.chicagotribune.com/bluesky/originals/ct-biometric-illinois-privacy-whats-next-bsi-20170113-story.html
Source: https://www.pattishall.com/pdf/2016-01%20Pattishall%20Insights.pdf
L.A. Tan Enterprises
• December 2016 settlement
• $1.5 million to class of customers
• Failed to collect written consent
• Shared fingerprint scans with software vendor
Facebook
• Ongoing
• 3 men against Facebook, tagging lawsuit
• Facebook collection, storage, use of biometric
information without informed consent
Illinois at Forefront of Active Court Cases
Source: https://www.law360.com/technology/articles/923703/kroger-unit-sued-over-alleged-storage-of-worker-fingerprints?nl_pk=65afb77a-0e17-49b2-b31e-5e6346836849&utm_source=newsletter&utm_medium=email&utm_campaign=technology (May 2017)
Source: http://www.thenewstribune.com/news/business/article150218582.html
Source: http://www.americanbar.org/publications/blt/2016/05/08_claypoole.html
No Consent
An Illinois and Wisconsin supermarket
chain owned by Kroger
• Class action
• Stored employee fingerprint
information without consent
Illinois: Storage Of Employee Fingerprints
Clare Nelson, @Safe_SaaS
Issues with Biometrics, NIST List
• The biometric False Match Rate (FMR) does not provide confidence in the
authentication of the subscriber by itself
• FMR does not account for spoofing attacks
• Biometric comparison is probabilistic, whereas the other authentication
factors are deterministic
• Biometric template protection schemes provide a method for revoking
biometric credentials that is comparable to other authentication factors
(e.g., PKI certificates and passwords).
• However, the availability of such solutions is limited, and standards for testing
these methods are under development.
• Biometric characteristics do not constitute secrets.
• They can be obtained online or by taking a picture of someone with a camera
phone (e.g., facial images) with or without their knowledge, lifted from objects
someone touches (e.g., latent fingerprints), or captured with high resolution
images (e.g., iris patterns).
While presentation attack detection (PAD) technologies (e.g., liveness
detection) can mitigate the risk of these types of attacks, additional trust in
the sensor or biometric processing is required to ensure that PAD is operating
in accordance with the needs of the Credential Service Provider (CSP) and the
subscriber.
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
FMR is commonly equated with FAR; strictly, ISO/IEC 2382-37 defines
FMR at the comparison-algorithm level and FAR at the system level, where failures to acquire also count
Touch ID
• 1 in 50,000
Face ID
• 1 in 1,000,000
Biometrics may be used to
• Unlock multi-factor
authenticators
• Prevent repudiation of
enrollment
Reference
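The callout equates FMR with FAR and contrasts Touch ID (1 in 50,000) with Face ID (1 in 1,000,000). How such rates are measured from comparison scores, and how many impostor comparisons a test must contain before it can support a claim at that level, is worth making concrete. The following Python is an added example, not from the presentation, NIST or Apple. The genuine and impostor scores are generated from a seeded pseudo-random distribution and stand in for a real matcher's output; the threshold search implements the NIST condition (FMR under zero-effort impostor attempts), and `fmr_upper_bound` is the standard "rule of three" for a test that observes no false matches.

```python
"""Estimating FMR and FNMR from comparison scores, and sizing a test for a claimed FMR.

Added example, not from the presentation, NIST or Apple. Scores are generated from a
seeded pseudo-random distribution and stand in for a matcher's real output. With
failures to acquire ignored, FMR ~ FAR and FNMR ~ FRR, which is how the slides use them.
"""
import math
import random


def _clip(v):
    return min(1.0, max(0.0, v))


def constructed_scores(n=20000, seed=7):
    """Constructed genuine and zero-effort impostor similarity scores in [0, 1]."""
    rng = random.Random(seed)
    genuine = [_clip(rng.gauss(0.80, 0.08)) for _ in range(n)]    # same person, two samples
    impostor = [_clip(rng.gauss(0.35, 0.10)) for _ in range(n)]   # different people, no effort
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """A score >= threshold is a match. FMR: impostors matched; FNMR: genuine users not matched."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def threshold_for_fmr(impostor, target_fmr):
    """Lowest threshold at which the impostor set yields FMR <= target_fmr."""
    ranked = sorted(impostor, reverse=True)
    allowed = int(target_fmr * len(ranked))          # impostor matches we may tolerate
    if allowed >= len(ranked):
        return ranked[-1]                            # everything may be accepted
    # Accept only scores strictly above the (allowed+1)-th highest; robust to ties.
    return ranked[allowed] + 1e-12


def fmr_upper_bound(n_impostor_trials, confidence=0.95):
    """Zero false matches in n impostor trials bounds FMR below -ln(1-c)/n at confidence c
    (the 'rule of three' for c = 0.95)."""
    return -math.log(1.0 - confidence) / n_impostor_trials


if __name__ == "__main__":
    genuine, impostor = constructed_scores()
    for target in (1 / 100, 1 / 1000, 1 / 50000):
        t = threshold_for_fmr(impostor, target)
        fmr, fnmr = error_rates(genuine, impostor, t)
        print(f"target FMR {target:<8.5f} threshold {t:.3f}  FMR {fmr:.5f}  FNMR {fnmr:.4f}")
    n = 1_000_000
    print(f"impostor trials needed to support FMR < 1/{n:,} with zero false matches at 95%: "
          f"{math.ceil(fmr_upper_bound(1) / (1 / n)):,}")
```

Two things the run makes visible. Tightening the FMR target moves the threshold up and FNMR with it, which is the probabilistic trade-off the NIST list refers to. And a measured FMR of exactly zero on 20,000 impostor pairs says only that the true FMR is probably below about 3 in 20,000; supporting a 1-in-a-million figure with zero observed false matches takes on the order of three million impostor comparisons.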
Clare Nelson, @Safe_SaaS
Issues with Biometrics
• Biometric recognition systems have error rates, biometric
samples are compared with a template, probabilistic
• Biometric recognition systems have False Acceptance
Rates (FARs) and False Reject Rates (FRRs), the
comparison yields a probability of a match
• Biometrics can be collected without user knowledge, or
consent
• Unique enough?
• For now, until mass scale attacks (Memon’s work, end of
this presentation)
• Exceptions for twins, doppelgängers
• Universal enough?
• Exceptions in human population
• Example: Fingerprint sampling does not work for
everyone, ridge builder solution sometimes applied, in
other cases need an alternative to biometrics
Source: http://www.biometricupdate.com/201611/cmu-researchers-develop-glasses-that-dupe-facial-recognition
• Stable enough?
• Fingerprints don’t change as much as face or
voice
• Update periodically, Face ID neural engine
• Research: neural-network face recognition can be spoofed with printed,
colorful eyeglass frames (CMU 2016)
• Overreliance on mobile device
• Mobile biometrics use case
• Mobile device may be compromised, mobile
attack surface includes browser, OS, device
• OWASP Mobile Top 10 references these and
more
• Keylogger installed
• Man-in-the-Middle (MiTM) attack
• Rooted, Jailbroken devices may be less
secure
• Full control of device from iOS or Android
vulnerabilities, hardware vulnerabilities
• Social engineering
Reference
Clare Nelson, @Safe_SaaS
Provide Choices, Biometric Recognition Preferences Vary
Source: http://www.paymentscardsandmobile.com/banks-trusted-deliver-biometric-future/
Consumer Preference
Consumers don’t
know what this is
Clare Nelson, @Safe_SaaS
Source: https://fidoalliance.org/how-fido-works/
Graphic: https://www.nist.gov/sites/default/files/documents/2016/12/06/10_ibpc-prez-fido-ssanden-v5.pdf
Graphic: https://findbiometrics.com/solutions/facial-recognition/
Mobile Biometrics: Fast Identity Online (FIDO) Example
Use biometrics to unlock smartphone, use device and encryption for online authentication
Biometrics Encryption
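The FIDO pattern on this slide, with the biometric comparison done on the device and only a signed challenge crossing the network, as an added Python example that is not from the presentation or from the FIDO Alliance. A Schnorr signature over NIST P-256 stands in for FIDO's actual signature suites (ECDSA on P-256 is the common one); the feature-vector comparator is a toy, and the template and sample vectors in the test are constructed. The curve constants are the standard P-256 parameters. Needs Python 3.8 or later for the modular inverse via `pow(x, -1, p)`.

```python
"""FIDO-style login: the biometric unlocks a device-held key; the server sees only a signature.

Added example, not code from the presentation or from the FIDO Alliance. Schnorr over
NIST P-256 stands in for FIDO's signature suites; the comparator is a toy. Python 3.8+.
"""
import hashlib
import secrets

# Standard NIST P-256 domain parameters.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P256_P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return x3, (lam * (x1 - x3) - y1) % P256_P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; a demo, not a library)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def _hash_to_scalar(r_pt, pub, msg):
    data = b"".join(c.to_bytes(32, "big") for c in (*r_pt, *pub)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P256_N

def schnorr_sign(d, pub, msg):
    k = 1 + secrets.randbelow(P256_N - 1)              # fresh nonce per signature
    r_pt = ec_mul(k, P256_G)
    return r_pt, (k + _hash_to_scalar(r_pt, pub, msg) * d) % P256_N

def schnorr_verify(pub, msg, sig):
    r_pt, s = sig
    if r_pt is None or not 0 < s < P256_N:
        return False
    e = _hash_to_scalar(r_pt, pub, msg)
    return ec_mul(s, P256_G) == ec_add(r_pt, ec_mul(e, pub))   # s*G == R + e*P

class Authenticator:
    """Device side. Template and private key never leave this object."""

    def __init__(self, template, threshold=0.15):
        self._template = template                      # constructed feature vector
        self._threshold = threshold
        self._d = 1 + secrets.randbelow(P256_N - 1)    # main authentication key
        self.public_key = ec_mul(self._d, P256_G)      # the only thing registered server-side

    def _matches(self, sample):
        # Toy comparator (mean absolute difference); real matchers are modality-specific.
        dist = sum(abs(a - b) for a, b in zip(self._template, sample)) / len(self._template)
        return dist <= self._threshold

    def sign_challenge(self, sample, challenge):
        if not self._matches(sample):
            return None                                # key stays locked; nothing is sent
        return schnorr_sign(self._d, self.public_key, challenge)

class RelyingParty:
    """Server side: registered public keys and single-use challenges. No biometric data here."""

    def __init__(self):
        self._keys, self._pending = {}, {}

    def register(self, user, public_key):
        self._keys[user] = public_key

    def new_challenge(self, user):
        self._pending[user] = secrets.token_bytes(32)
        return self._pending[user]

    def verify(self, user, signature):
        challenge = self._pending.pop(user, None)      # consumed even on failure: no replay
        if challenge is None or signature is None or user not in self._keys:
            return False
        return schnorr_verify(self._keys[user], challenge, signature)
```

The properties a reviewer should check are the ones the NIST text asks for: a failed biometric comparison produces no network message at all, a breach of the server yields public keys only, and a captured signature cannot be replayed because the challenge is consumed on first use. On a real phone the private key and template would sit in the secure element or TEE, and the signing step would additionally carry attestation about the sensor and PAD, which this example omits.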
Clare Nelson, @Safe_SaaS
Acoustic Ear-Shaped Biometric Recognition
NEC
• Microphone embedded within earphone
• Analyzes the resonance of sounds within
the ear cavity
• Produces a biometric profile
Source: http://www.handsonlabs.org/nec-developing-acoustic-ear-shape-biometric-authentication-solution/
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Requires earphones
Graphic: http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
Second Payment
Services Directive
(PSD2)
Biological Biometrics
1. Exist in public domain, and elsewhere (5.6M+ fingerprints stolen in 2015 OPM breach) [1]
2. May undermine privacy, make identity theft more likely [2]
3. Persist in government and private databases, accreting information whether we like it or not [3]
4. User acceptance or preference varies by geography, demographic.
5. Unique, permanent biological identifiers can't be changed or replaced in the event of a breach, so they are very dangerous if they end up in the wrong hands [4]
6. September 2017 Minnesota Senator letter about Face ID, voices privacy and security concerns
Biometric Backlash
[1] Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
[2] Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
[3] Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
Graphic: http://www.rineypackard.com/facial-recognition.php
[4] Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017)
Given these, plus other biometrics
issues detailed in this presentation,
the ability to opt out of biometrics
may prevail in some market segments
Clare Nelson, @Safe_SaaS
Source: http://www.planetbiometrics.com/article-details/i/1414/
“The move towards multi-factor
authentication opens a door for
biometrics as part of these solutions.
Combining that with mobile platforms
is a winning combination.”
Cathy Tilton, Daon

Biometric Authentication, Dragon Unleashed, V1.5Clare Nelson, CISSP, CIPP-E
 
HackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's ClothingHackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's ClothingClare Nelson, CISSP, CIPP-E
 

More from Clare Nelson, CISSP, CIPP-E (14)

Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
 
IoT Security, Mirai Revisited
IoT Security, Mirai RevisitedIoT Security, Mirai Revisited
IoT Security, Mirai Revisited
 
Zero-Knowledge Proofs in Light of Digital Identity
Zero-Knowledge Proofs in Light of Digital IdentityZero-Knowledge Proofs in Light of Digital Identity
Zero-Knowledge Proofs in Light of Digital Identity
 
Zero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and AuthenticationZero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and Authentication
 
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/EISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
 
Attack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition SystemsAttack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition Systems
 
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
 
#BiometAuth Podcast
#BiometAuth Podcast#BiometAuth Podcast
#BiometAuth Podcast
 
What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...
What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...
What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...
 
Biometric Authentication, Dragon Unleashed, V1.5
Biometric Authentication, Dragon Unleashed, V1.5Biometric Authentication, Dragon Unleashed, V1.5
Biometric Authentication, Dragon Unleashed, V1.5
 
FTC Start with Security: Panel
FTC Start with Security: PanelFTC Start with Security: Panel
FTC Start with Security: Panel
 
Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9
 
LASCON 2015
LASCON 2015LASCON 2015
LASCON 2015
 
HackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's ClothingHackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's Clothing
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

Biometric Authentication: The Unleashed Dragon

  • 3. Biometrics and Multi-Factor Authentication: The Unleashed Dragon
    Clare Nelson, CISSP, CIPP/E
    @Safe_SaaS
    clare_nelson@clearmark.biz
    Presentation Posted on SlideShare: https://www.slideshare.net/eralcnoslen
    September 25, 2017
    Graphic: https://tomatosoup13.deviantart.com/art/Daenerys-and-Her-Dragon-Game-of-Thrones-640714812
  • 4. Clare Nelson, @Safe_SaaS
    Clare Nelson, CISSP, CIPP/E
    CEO, Founder, ClearMark Consulting
    Security, Privacy, Identity
    • Background
      o Encrypted TCP/IP variants for NSA
      o Product Management at DEC (HP), EMC2
      o Director Global Alliances at Dell, Novell
      o VP Business Development, TeaLeaf Technology (IBM), Mi3 Security
    • 2014 Co-founded C1ph3r_Qu33ns, mentor women in cybersecurity
    • Publications include:
      o 2010 August, ISSA Journal, Security Metrics: An Overview
      o 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
    • Talks/Keynotes: Cloud Identity Summit 2017, InfraGard, HackFormers; BSides Austin; LASCON; OWASP AppSec USA, ISSA Austin; clients including Fortune 500 financial services, 2015 FTC Panel
    • B.S. Mathematics
    Graphic: http://www.activistpost.com/2015/09/fbi-biometrics-programs-surveillance-database.html
  • 6. Contents
    Biometric Recognition for Multi-Factor Authentication
    1. Biological and Behavioral Biometrics
    2. Benefits and Issues
    3. What Every CISO Should Know
       • Laws, Standards, and Guidelines
    4. How to Measure Biometric Recognition
    5. Attack Vectors
    6. Multimodal Biometric Recognition
    7. Continuous Authentication with Biometrics
    8. Face ID Update
    9. The Future
    Graphic: http://www.computerhope.com/jargon/h/hacker.htm
    How can you tell if it’s a bad guy?
  • 7. Scope: Biometric Recognition for Multi-Factor Authentication (MFA), Mobile Use Case
    How can you tell if it’s a bad guy?
    Source: https://arstechnica.com/gadgets/2017/03/video-shows-galaxy-s8-face-recognition-can-be-defeated-with-a-picture/
    Source: https://realizethelies.com/tag/facial-recognition-software/
    Biometric Recognition (Source: https://www.iso.org/standard/55194.html, 2017; “Biometric Authentication” is deprecated)
    Biometric Verification
      o Comparison: 1-to-1
      o Purpose: Confirm or deny claimed identity
      o Use Case Example: Unlock device
    Biometric Identification
      o Comparison: 1-to-Many
      o Purpose: Identify a specific individual
      o Use Case Example: Airport security, identify a suspect
  • 9. Definition of Multi-Factor Authentication
    Know / Have / Are
    Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
    Source: https://www.securetechalliance.org/publications-mobile-identity-authentication/
  • 10. Biometric Recognition
    Automated recognition of individuals based on their biological or behavioral characteristics
    Source: http://biometrics.derawi.com/?page_id=101
    Source: http://searchsecurity.techtarget.com/definition/biometric-authentication
    Graphic: http://www.aspire-security.eu/access-control.html
    Biometric Recognition Systems (digital image to math model): compare sample to template
    • On device, or server
    • Template is established during enrollment, or updated later as part of adaptive machine learning (iPhone X neural engine)
    • If comparison score meets criteria, then recognition is confirmed
  • 11. What is Feature Extraction?
    Source: https://www.security-audit.com/files/ratha.pdf (2001)
    Digital image of fingerprint
    • Includes ridge bifurcations and ridge endings
    • Collectively referred to as minutiae
    Algorithm, extract features (dimensionality reduction)
    • Each feature has (x, y) location and ridge direction at that location (ϴ)
    • Sensor noise and other variability in the imaging process
      o Feature extraction may miss some minutiae, and/or
      o Feature extraction may generate spurious minutiae
    • Due to the elasticity of the human skin, the relationship between minutiae may be randomly distorted from one impression to the next
  • 12. Typically, Images Are Not Saved
    Source: http://www.bioelectronix.com/what_is_biometrics.html
    Digital image → Feature extraction → Math model
    Fingerprint image is not saved, only a series of numbers (binary code), used for verification
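The comparison step described on slides 10 through 12 (sample against template, minutiae stored as (x, y, ϴ) numbers rather than an image, noise that drops or adds minutiae, a score checked against a threshold) in working Go, as an added example that is not from the deck, from the cited paper, or from any vendor's matcher. The tolerances, the greedy one-to-one pairing, the normalisation by the larger minutia set, the threshold and all sample coordinates are assumptions constructed for the example; a production matcher would also align the two prints before pairing.

```go
package main

import (
	"fmt"
	"math"
)

// Minutia is one extracted feature (ridge ending or bifurcation): its (x, y)
// location and the ridge direction theta, in degrees, at that point.
type Minutia struct {
	X, Y, Theta float64
}

// Tolerances are assumptions for this example; a deployed matcher tunes them
// from the sensor resolution and measured skin distortion.
const (
	posTol   = 6.0  // pixels
	angleTol = 15.0 // degrees
)

// angleDiff is the smallest difference between two directions in [0, 360).
func angleDiff(a, b float64) float64 {
	d := math.Mod(math.Abs(a-b), 360)
	if d > 180 {
		d = 360 - d
	}
	return d
}

// MatchScore compares a probe sample with an enrolled template and returns the
// fraction of minutiae that pair up within tolerance, in [0, 1]. Each template
// minutia is used at most once, so spurious probe minutiae (noise) and missed
// template minutiae both lower the score instead of breaking the comparison.
func MatchScore(probe, template []Minutia) float64 {
	if len(probe) == 0 || len(template) == 0 {
		return 0
	}
	used := make([]bool, len(template))
	matched := 0
	for _, p := range probe {
		best, bestDist := -1, math.MaxFloat64
		for j, t := range template {
			if used[j] {
				continue
			}
			dist := math.Hypot(p.X-t.X, p.Y-t.Y)
			if dist <= posTol && angleDiff(p.Theta, t.Theta) <= angleTol && dist < bestDist {
				best, bestDist = j, dist
			}
		}
		if best >= 0 {
			used[best] = true
			matched++
		}
	}
	// Normalise by the larger set so extra (spurious) minutiae count against the match.
	larger := len(probe)
	if len(template) > larger {
		larger = len(template)
	}
	return float64(matched) / float64(larger)
}

// Decide turns a comparison score into a recognition decision.
func Decide(score, threshold float64) bool { return score >= threshold }

// Constructed sample data (not real fingerprint measurements). Only these
// numbers would be stored, never the image.
var (
	Template = []Minutia{{10, 12, 30}, {40, 55, 120}, {70, 20, 200}, {85, 90, 310}, {30, 80, 75}}
	// Same finger re-imaged: small shifts, one minutia missed, one spurious minutia added.
	GenuineProbe = []Minutia{{12, 13, 33}, {38, 57, 118}, {72, 21, 205}, {31, 78, 70}, {55, 55, 10}}
	// A different finger: positions and directions unrelated to the template.
	ImpostorProbe = []Minutia{{5, 90, 250}, {60, 10, 15}, {90, 40, 140}, {20, 40, 95}, {75, 75, 350}}
)

func main() {
	for name, probe := range map[string][]Minutia{"genuine": GenuineProbe, "impostor": ImpostorProbe} {
		s := MatchScore(probe, Template)
		fmt.Printf("%-8s score %.2f  match at 0.6: %v\n", name, s, Decide(s, 0.6))
	}
}
```

The genuine probe scores 0.8 (four of five minutiae pair up; the missed one and the spurious one each cost a fifth) and the impostor probe scores 0, which is why the decision is a threshold on a score rather than an exact comparison: two captures of the same finger are never identical, the point slide 37 makes about samples differing each time.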
  • 13. Categories of Biometrics
    • Biological Biometrics (Physical)
    • Behavioral Biometrics
    Graphic: http://thepeepspot.com/9-best-compliments-to-make-a-woman-smile/
  • 14. Biological Biometrics
    • Finger
    • Face
    • Iris
    Graphic: http://www.ibmsystemsmag.com/ibmi/trends/whatsnew/Biometric-Authentication-101/
  • 15. Behavioral Biometrics
    Graphics: https://www.scienceabc.com/innovation/lesser-known-methods-biometrics-identification-retinal-fingerprint-scan-gait-analysis-keystroke.html
  • 16. Biometric Modes, Prolific Innovation
    • Face 2D, 3D
    • Fingerprints 2D, 3D via ultrasonic waves, in-display
    • Finger veins, Palm veins, Eye veins
    • Palm prints and/or the whole hand
    • Feet
    • Eyeprint, Iris, Retina, Features of eye movements
    • Face, head – its shape, specific movements
    • Ears, lip prints
    • Signature, Voice
    • How you sit, Gait, Odor, DNA
    • Keystroke, typing, mouse, touch pad
    • Electrocardiogram (ECG), Electroencephalogram (EEG) [1]
    • Tests: Microchip in Pills, Digital Tattoos
    • Smartphone/behavioral: Authenticate based on g-sensor and gyroscope, how you write your signature in the air [2]
    • Hand movement when answering the smartphone, use data from the smartphone’s accelerometer, gyroscope, and light sensor [3]
    [1] Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
    [2] Source: http://www.airsig.com
    [3] Source: http://www.biometricupdate.com/201703/mobile-app-uses-hand-movement-to-authenticate-smartphone-owner
    Source: http://www.cvphysiology.com/Arrhythmias/A009
    Reference
  • 17. Behavioral Biometrics: Used in Passive, Continuous Authentication
    500+ Metrics, Human-Device Interactions
    • Leverage gyroscope, touch screen, accelerometer
    • Cloud, monitors 2 billion sessions/month
    • Learns behavior patterns of fraudsters
    • Detects presence of malware
    • Invisible challenge
      o How you find a missing cursor
    Source: http://www.biocatch.com
    Source: https://www.extremetech.com/extreme/215170-artificial-neural-networks-are-changing-the-world-what-are-they
  • 18. Behavioral Biometrics: Used in Implicit Authentication
    Passive sensor data. How you walk, type, and sit.
    Source: https://blog.unify.id/2016/09/12/unifyid-technical-overview/
  • 20. Benefits of Biometrics
    • Convenient
      o No tokens, cards, or fobs to lose or misplace
      o Reduces friction in some cases
    • No memorization required
      o Low cognitive load once past learning curve
    • Difficult to delegate, difficult to lend your fingers or face to another person
      o A password is easily delegated or shared
    • User acceptance is growing
      o India Aadhaar
      o iPhone Touch ID, now Face ID
    • Secure enough if used as “Restricted Factor”
      o Use to unlock device, or authenticate to smartphone
      o Caution for some implementations for financial transactions, secure access
    • Market growth and technology advancements
      o Feedback and training from earlier implementations improves solutions
    Graphic: https://cardnotpresent.com/tag/biometric-authentication/
  • 22. Issues with Biometrics, No Panacea
    Source: http://www.pymnts.com/news/security-and-risk/2017/digital-identity-way-beyond-the-social-security-number/ (August 2017)
    Graphic: http://01greekmythology.blogspot.com/2015/02/panacea.html (Panacea, Greek goddess of universal remedy)
    “Biometrics offers no panacea in the quest for digital identities that prove foolproof and hack-proof”
    Biometrics offer great promise, but
    • They are not all created equal
    • They are not a secret
    • They can be lifted
    • They can be forged
    • They can be compromised because they are not private
    – Paul Grassi, senior standards and technology advisor of the Trusted Identities Group at the National Institute of Standards and Technology (NIST)
  • 23. Issues with Biometrics
    Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
    Source: http://findbiometrics.com/cylab-honored-for-long-distance-iris-scanner-24272/ (Long-Distance Iris Scanner)
    • Biometrics can reveal medical conditions
      o Pregnancy
      o Diabetes
      o Heart disease
      o Parkinson’s
    • Biometrics make it easier to gather personal information
      o Ability to do so covertly
    • Biometrics can be collected at a distance
      o Increased accuracy with which individuals can be identified remotely
      o Iris at 43 feet
    • Biometrics can be used to link databases that have been anonymized
      o De-anonymization techniques
  • 24. Issues with Biometrics: Failure to Enroll (FTE), Failure to Acquire (FTA)
    Source: https://insights.samsung.com/2017/03/29/which-biometric-authentication-method-is-most-secure/
    Source: https://www.cse.wustl.edu/~jain/cse571-11/ftp/biomet/
    Source: https://www.cse.wustl.edu/~jain/cse571-11/ftp/biomet/#Rahul10
    Samsung S8
    • Iris recognition does not work for everyone (FTE, FTA)
    • There are exceptions for every biometric modality
    Criteria for a Biometric System: Universality, Uniqueness, Permanence, Collectability, Performance, Acceptability, Circumvention
    How can you tell if it’s a bad guy?
  • 25. Issues with Biometrics: Security is Often Overestimated
    Source: https://www.thestreet.com/story/14301038/1/iphonex-facial-biometrics-could-prevent-hackers-from-accessing-information.html
    Use biometrics with another method of authentication
    • Biometrics are a complementary security control to make it easier for a human to interact with technology
    • Combine with an additional security control such as a passphrase or multi-factor authentication
    • Trust must be continuously challenged
      o Ensure the person behind the device is really the person who they say they are
    – Joseph Carson, chief security scientist at Thycotic
    Will iPhone X support face and passcode, or just one or the other?
  • 27. Samsung Galaxy S8
    Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April 2017)
    Source: http://www.businessinsider.com/samsung-galaxy-s8-iris-scanner-fbi-fingerprint-tech-princeton-identity-2017-4
    • April 2017: Face spoofed
    • May 2017: Iris spoofed
  • 28. iPhone X, Face ID
    Source: https://venturebeat.com/2017/09/12/iphone-x-ditches-touch-id-for-face-id/
    Source: http://bgr.com/2017/09/12/iphone-x-price-specs-features/
    Source: https://findbiometrics.com/apple-face-id-iphone-x-409125/
    • September 2017: Announced
    • TBD Date: Face ID spoofed
  • 30. Mobile Biometrics: Consumer Market Growth
    Source: http://www.acuity-mi.com/hdfsjosg/euyotjtub/GBMRPreview.pdf
    Graphic: https://www.stableinvestor.com/2013/02/calculate-compound-annual-growth-rate.html
    Chart: 2016 through 2022, CAGR ~41%, $50 billion
    CAGR = (Final Amount / Starting Amount)^(1 / Number of Years) − 1
  • 31. Biometrics Growth Drivers
    Source: Unnamed keynote speaker at Cloud Identity Summit, Chicago, June 2017
    Graphic: https://www.stableinvestor.com/2013/02/calculate-compound-annual-growth-rate.html
    “Financial services are in a race to the bottom to remove friction” – Keynote Speaker, Cloud Identity Summit, June 2017
    “Take the F out of authentication”
  • 32. What Every CISO Should Know
    • Biometric Recognition for Multi-Factor Authentication
    Graphic: http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
  • 33. What CISOs Need To Know Before Adopting Biometrics
    Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
    Graphic: https://www.shrednations.com/2015/04/defining-protecting-personally-identifiable-information/
    Before adopting biometric recognition
    • Risk assessment, policy, compliance
    • Architectural decisions
      o E.g., Is a fingerprint reader installed on a workstation less risky than biometric authentication passed over a network?
    • Store and process biometric data securely
      o Encryption
      o Privileged access management
      o Other physical security measures
  • 34. Biometric Recognition is not 100% Reliable
    Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
    Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
    Every biometric recognition system must account for some level of false negatives and false positives
    • In highly secure environments, false positives may present an unacceptable risk
    • False negatives require a fallback authentication mechanism
  • 35. What CISOs Need To Know Before Adopting Biometrics
    Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
    Graphic: https://www.airloom.com/technology/security-as-a-service/
    Biometric data is Personally Identifiable Information (PII)
    • Biometric data presents an extra layer of complexity
      o User interactions
      o Compliance
    • Organizations with US government contracts may have to comply with Privacy Act of 1974 PII management practices
  • 36. What CISOs Need To Know Before Adopting Biometrics
    Source: https://www.justice.gov/opcl/privacy-act-1974
    Privacy Act of 1974
    • Applies to federal agencies
    • Safeguard individual privacy from the misuse of federal records
    • Governs the collection, maintenance, use, and dissemination of PII
    • Prohibits disclosure of information without written consent of the individual
      o Unless the disclosure is pursuant to one of 12 exceptions
    • Individuals can access and amend their records
    • Individuals can find out if their records have been disclosed and can make corrections
    Reference
  • 37. Don’t Use as Single or Primary Factor
    Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
    Graphic: http://www.itproportal.com/2016/04/07/the-role-of-biometric-authentication-techniques-in-security/
    Remote System Access: Exclude biometrics as single or primary authentication factor
    • Biometric samples are not secrets
    • Biometric samples are different each time they are captured
  • 39. There is no federal law protecting biometric information
    Source: https://iapp.org/news/a/can-the-u-s-legal-system-can-adapt-to-biometric-technology/
  • 40. US Biometric Information Protection Laws
    • 2008, Illinois: Biometric Information Privacy Act (BIPA)
    • 2009, Texas: Texas Business and Commerce Code § 503.001
    • 2017, Under Consideration: CT, NH, AK, WA, more
    Source: https://www.secureidnews.com/news-item/five-states-considering-bills-to-restrict-biometrics-use/ (February 2017)
    Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
    Source: http://www.drinkerbiddle.com/insights/publications/2017/02/four-more-states-propose-biometrics-legislation
  • 41. Illinois Biometric Information Privacy Act (BIPA)
    Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
    Source: http://www.chicagotribune.com/bluesky/originals/ct-biometric-illinois-privacy-whats-next-bsi-20170113-story.html
    L.A. Tan Enterprises
    • December 2016 settlement
    • $1.5 million to class of customers
    • Failed to collect written consent
    • Shared fingerprint scans with software vendor
    Document Policy
    • Retention
    • Collection
    • Disclosure
    • Destruction
    • Notification
    • Consent in Writing, Signed
  • 42. Passcode versus Fingerprint or Face: Law Enforcement Request
    Source: https://iapp.org/news/a/can-the-u-s-legal-system-can-adapt-to-biometric-technology/
    Passcode
      o Must you comply? No
      o Testimonial or non-testimonial? Testimonial, personal knowledge
      o Protection from government, law enforcement: Fifth Amendment right against self-incrimination
    Fingerprint
      o Must you comply? Yes
      o Testimonial or non-testimonial? Non-testimonial, like a key
      o Protection from government, law enforcement: Undetermined, Fourth Amendment does not protect fingerprints. Power off to disable.
    Face (Face ID)
      o Must you comply? Yes, depends
      o Testimonial or non-testimonial? Non-testimonial. However, a law officer can simply hold the phone up to your face.
      o Protection from government, law enforcement: Disable Face ID
  • 43. NIST SP 800-63
    • Update Published June 2017
    • New Biometrics Guidelines
    Graphic: http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
  • 44. Did You Throw a NIST Party on June 22, 2017?
    Source: https://pages.nist.gov/800-63-3/
    Digital Identity Guidelines, Four Documents
    Contributors
  • 45. NIST Update on Allowable Use of Biometrics
    Source: https://pages.nist.gov/800-63-3/sp800-63b.html
    Graphic: http://www.oulu.fi/infotech/annual_report/2013/cmv
    SP 800-63B, Authentication and Lifecycle Management, supports only limited use of biometrics for authentication
    • False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself
    • FMR does not account for spoofing attacks
    • Biometrics SHALL be used only as part of MFA with a physical authenticator (something you have)
    • Biometric characteristics do not constitute secrets
      o They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge
      o Lifted from objects someone touches (e.g., latent fingerprints)
      o Captured with high resolution images (e.g., iris patterns)
    Implement Presentation Attack Detection (PAD)
    • Demonstrate at least 90% resistance to presentation attacks
    • PAD may be a mandatory requirement in the future
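An added example, not from the deck or from NIST, that puts numbers to slide 34 (every system has false negatives and false positives) and slide 45 (FMR alone says nothing about spoofing; PAD must show at least 90% resistance). From three constructed score lists it computes, at a chosen threshold, the false non-match rate, the false match rate and the share of presentation attacks that the matcher would accept, and it picks the most user-friendly threshold that still meets a false-positive budget. The score values, thresholds, type and function names are assumptions built for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Rates are the error rates at one decision threshold.
type Rates struct {
	Threshold float64
	FNMR      float64 // false non-match rate: genuine users rejected (false negatives)
	FMR       float64 // false match rate: zero-effort impostors accepted (false positives)
	SpoofAcc  float64 // share of presentation attacks accepted; invisible in FMR
}

// fractionAtLeast is the share of scores at or above the threshold.
func fractionAtLeast(scores []float64, threshold float64) float64 {
	if len(scores) == 0 {
		return 0
	}
	n := 0
	for _, s := range scores {
		if s >= threshold {
			n++
		}
	}
	return float64(n) / float64(len(scores))
}

// Evaluate derives the rates from three score populations: genuine comparisons,
// zero-effort impostor comparisons, and spoof presentations that reached the matcher.
func Evaluate(genuine, impostor, spoof []float64, threshold float64) Rates {
	return Rates{
		Threshold: threshold,
		FNMR:      1 - fractionAtLeast(genuine, threshold),
		FMR:       fractionAtLeast(impostor, threshold),
		SpoofAcc:  fractionAtLeast(spoof, threshold),
	}
}

// MeetsSpoofResistance reports whether at least the required share of
// presentation attacks is rejected (slide 45 cites 90%).
func MeetsSpoofResistance(r Rates, required float64) bool {
	return 1-r.SpoofAcc >= required
}

// LowestThresholdWithFMR picks the lowest candidate threshold whose FMR stays
// within budget: the least friction that still meets the false-positive limit.
func LowestThresholdWithFMR(impostor, candidates []float64, maxFMR float64) (float64, bool) {
	sorted := append([]float64(nil), candidates...)
	sort.Float64s(sorted)
	for _, t := range sorted {
		if fractionAtLeast(impostor, t) <= maxFMR {
			return t, true
		}
	}
	return 0, false
}

// Constructed score samples, not measured data: genuine users score high,
// zero-effort impostors low, but spoofs built from lifted samples score
// almost as well as the real user.
var (
	GenuineScores  = []float64{0.92, 0.88, 0.95, 0.71, 0.83, 0.64, 0.90, 0.79, 0.86, 0.58}
	ImpostorScores = []float64{0.05, 0.12, 0.31, 0.22, 0.09, 0.41, 0.17, 0.27, 0.35, 0.14}
	SpoofScores    = []float64{0.81, 0.76, 0.69, 0.87, 0.55}
)

func main() {
	for _, t := range []float64{0.4, 0.6, 0.8} {
		r := Evaluate(GenuineScores, ImpostorScores, SpoofScores, t)
		fmt.Printf("threshold %.1f: FNMR %.2f  FMR %.2f  spoofs accepted %.2f  90%% resistance: %v\n",
			r.Threshold, r.FNMR, r.FMR, r.SpoofAcc, MeetsSpoofResistance(r, 0.9))
	}
	if t, ok := LowestThresholdWithFMR(ImpostorScores, []float64{0.3, 0.4, 0.5, 0.6}, 0.1); ok {
		fmt.Printf("lowest threshold with FMR <= 10%%: %.1f\n", t)
	}
}
```

At a threshold of 0.6 the constructed system has FMR 0 and FNMR 10%, which looks excellent on a data sheet, yet it still accepts 80% of the spoof presentations: raising the threshold to 0.8 only trades more rejected users (FNMR 40%) for 40% spoofs accepted. That is the deck's point that the spoof problem is solved by PAD at the sensor, not by the matcher's threshold, and that the FNMR you settle on must be backed by a fallback authenticator.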
  • 46. Clare Nelson, @Safe_SaaS Question: Store Biometrics on Device or Server, Cloud? Split? Source: Webinar by Forrester and Nok Nok Labs, February 1, 2017 Graphic: http://findbiometrics.com/topics/fido-alliance/ Graphic: https://www.carphonewarehouse.com/apple/iphone-6.html Graphic: http://kryptostech.com/server-management/ Graphic: http://www.planetbiometrics.com/article-details/i/5463/desc/facebook-rolling-out-support-for-fido/ Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017) Biometrics only stored on personal device (FIDO Alliance, others) • Biometrics remain on the device, are not transmitted • Not susceptible to theft by insiders or identity thieves who can access a server repository Biometrics stored on server • Works if no mobile phone, works with land line • Works if person calls in • Privacy concerns • Need consent, was it freely given? • Server access, how secure? • Susceptible to theft, unwanted modification by insiders or identity thieves
  • 47. Answer from NIST SP 800-63B, Authentication and Lifecycle Management
    The potential for attacks on a larger scale is greater at central verifiers (servers); local device comparison is preferred.
    Example from Fast IDentity Online (FIDO) Alliance
    Source: https://pages.nist.gov/800-63-3/sp800-63b.html
    Source: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=52946
    Graphic: https://fidoalliance.org/approach-vision/
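An added illustration (not FIDO Alliance or NIST code) of why the local-comparison answer on slides 46 and 47 keeps biometrics off the server: the template and the signing key stay in the device object, the relying party stores only a public key and checks a signed, single-use challenge. A Lamport one-time signature built on hashlib stands in for the authenticator's asymmetric key (so it may sign exactly once), and the feature vectors, user name and rp_id are constructed.

```python
"""Device-side biometric match gating a signed challenge; server never sees biometrics."""
import hashlib
import secrets


def lamport_keygen():
    # Private key: 256 pairs of random 32-byte secrets. Public key: their SHA-256 hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    # Reveal one secret per message bit; signing a second message would leak the key.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == pk[i][b]
        for i, (s, b) in enumerate(zip(sig, _bits(msg))))


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    return dot / ((sum(a * a for a in u) ** 0.5) * (sum(b * b for b in v) ** 0.5))


class Authenticator:
    """Device side. The template and the private key never leave this object."""

    def __init__(self, template, threshold=0.75):
        self._template = list(template)      # enrolled biometric features (constructed)
        self._threshold = threshold          # comparator decision threshold
        self._sk, self.public_key = lamport_keygen()
        self._signed_once = False

    def local_match(self, probe):
        return cosine(self._template, probe) >= self._threshold

    def respond(self, probe, rp_id, nonce):
        """The local comparison gates key use: no match, no signature."""
        if not self.local_match(probe):
            return None
        if self._signed_once:
            raise RuntimeError("one-time key already used; re-enrol with a new key")
        self._signed_once = True
        return lamport_sign(self._sk, rp_id.encode() + nonce)


class RelyingParty:
    """Server side: holds public keys and outstanding nonces, never biometric data."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.public_keys = {}
        self._pending = {}

    def register(self, user, public_key):
        self.public_keys[user] = public_key

    def challenge(self, user):
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce            # single use; consumed by verify()
        return nonce

    def verify(self, user, signature):
        nonce = self._pending.pop(user, None)  # a replayed answer finds no pending nonce
        if nonce is None or signature is None or user not in self.public_keys:
            return False
        return lamport_verify(self.public_keys[user], self.rp_id.encode() + nonce, signature)


# Constructed feature vectors: one enrolled template, a genuine probe, an impostor probe.
TEMPLATE = [0.9, 0.1, 0.8, 0.3]
GENUINE_PROBE = [0.85, 0.15, 0.75, 0.35]
IMPOSTOR_PROBE = [0.1, 0.9, 0.2, 0.8]


def run_flow(probe):
    """Enrol, challenge, answer with the probe; return (accepted, replay_accepted)."""
    device = Authenticator(TEMPLATE)
    rp = RelyingParty("example.test")
    rp.register("alice", device.public_key)
    sig = device.respond(probe, rp.rp_id, rp.challenge("alice"))
    accepted = rp.verify("alice", sig)
    replay = rp.verify("alice", sig)           # same answer again: nonce already consumed
    return accepted, replay
```

Note that a breach of `RelyingParty` yields hashes of one-time secrets and nothing about anyone's face or finger, which is the property the NIST text is after.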
  • 49. EU General Data Protection Regulation (GDPR)
    GDPR starts May 25, 2018; Data Protection Directive in force since 1995.
    Expanding definition of personal data:
    • Name
    • Photo
    • E-mail address
    • Phone number
    • Address
    • Personal identification numbers
    • IP address
    • Mobile device identifiers
    • Geo-location
    • Biometric data
    • Psychological identity
    • Genetic identity
    • Economic status
    • Cultural identity
    • Social identity
    Source: http://www.privacy-regulation.eu/en/4.htm
    Source: https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf
  • 50. EU General Data Protection Regulation (GDPR)
    Article 9.1: "…processing of biometric data for the purpose of uniquely identifying a natural person…shall be prohibited"
    But there are many exceptions.
    Source: http://www.privacy-regulation.eu/en/9.htm
  • 51. EU General Data Protection Regulation (GDPR)
    Processing of Biometric Data (GDPR, Article 9):
    • Prohibited
    • 10+ exceptions
    • Consent: person gives explicit consent to the processing of those personal data, for one or more specified purposes
    • Employment
    Consent (GDPR, Article 7):
    • Freely given
    • Prove it was given
    • Clear, plain language, no legalese
    • Right to withdraw consent, easy to withdraw
    Source: http://www.privacy-regulation.eu/en/9.htm
    Source: https://dma.org.uk/event/webinar-the-ico-s-gdpr-consent-guidance
  • 52. GDPR: Privacy is a Fundamental Human Right
    • Privacy: right to be let alone
    • Data Protection: right to NOT have data collected and used in ways that impact your rights and freedoms
    GDPR and Facial Recognition
    • GDPR exceptions: reasons of substantial public interest
    CCTV captures:
    • Face
    • Location
    • Time
    • How you walk
    • People around you
    Source: https://www.facebook.com/jterstegge/posts/1857555150924472
  • 54. Multimodal Biometrics
    Research from California State University, Fullerton:
    • Use ear plus face and fingerprint
    • Multimodal biometrics adds a layer of security to the existing mobile device security
    Researchers claim some mobile biometric recognition for authentication suffers from:
    • Poor quality mobile hardware (camera, microphone)
    • Environmental conditions (lighting, background noise)
    • User error
    • Use of unimodal biometrics, less secure
    Source: https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
    Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
    Graphic: http://www.rd.com/health/wellness/unique-body-parts/
  • 56. Continuous Authentication with Biometrics
    Machine learning offers the potential to authenticate users based on multiple assessments, including:
    • Behavior
    • Appearance
    • Voice
    • Speed at which they type
    A user's device can constantly calculate a trust score that the user is who they claim to be
    • Verify device: not pwned, same device
    Together these factors are:
    • 10 times safer than fingerprints
    • 100 times safer than four-digit PINs
    Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017)
    Source: https://www.safaribooksonline.com/library/view/continuous-authentication-using/9781613501290/ (Continuous Authentication with Biometrics, Ahmed Awad E. Ahmed, Issa Traore, September 2011)
  • 58. Convenience versus Security
    False Acceptance Rate (FAR)
    • Ratio of the number of false acceptances divided by the number of identification attempts
    False Reject Rate (FRR)
    • Ratio of the number of false rejections divided by the number of identification attempts
    Equal Error Rate (EER)
    • The operating point where the proportion of false acceptances is equal to the proportion of false rejections
    Lowering FAR (security) raises FRR (convenience), and vice versa.
    Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
    Source: http://www.descartesbiometrics.com/wp-content/uploads/2014/11/HELIX-Whitepaper.pdf
  • 59. FAR: Need to Know FRR plus Number of Attempts
    Apple claims a FAR of 1/50,000 for Touch ID
    • Out of 50,000 imposter comparisons, up to one will be accepted as genuine
    • 1/50,000 = 0.002%
    Android
    • Similar
    • Requires FAR not more than 0.002%
    • Recommends FRR no more than 10%
    What is the associated FRR?
    Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
    Source: http://www.goodeintelligence.com/press-releases/multi-modal-mobile-biometric-authentication-drives-revenues-to-over-6-2-billion-by-2022/ (April 2017)
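The FAR/FRR/EER definitions of slide 58 and the "what is the associated FRR, and how many attempts?" question of slide 59, worked as an added example (not from the deck or from EyeVerify): a threshold sweep over constructed genuine and impostor scores, the FRR paid at the Android FAR limit, and how many impostor attempts a FAR claim needs behind it. The score distributions and counts are constructed with a seeded generator, not sensor measurements.

```python
"""Threshold sweep: FAR, FRR, EER, and the FRR at a required FAR."""
import random
from bisect import bisect_left


def make_scores(seed=7, n_genuine=2000, n_impostor=200000):
    """Constructed similarity scores in [0, 1], higher = more alike.
    Genuine comparisons cluster high, impostor comparisons cluster low."""
    rng = random.Random(seed)
    clip = lambda x: min(1.0, max(0.0, x))
    genuine = sorted(clip(rng.gauss(0.80, 0.08)) for _ in range(n_genuine))
    impostor = sorted(clip(rng.gauss(0.30, 0.10)) for _ in range(n_impostor))
    return genuine, impostor


def far_frr(genuine, impostor, threshold):
    """Accept iff score >= threshold (both lists sorted ascending).
    FAR = impostor attempts accepted / impostor attempts;
    FRR = genuine attempts rejected / genuine attempts."""
    false_accepts = len(impostor) - bisect_left(impostor, threshold)
    false_rejects = bisect_left(genuine, threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def equal_error_rate(genuine, impostor, steps=1000):
    """Sweep thresholds; the EER is where the FAR and FRR curves cross."""
    best_gap, best_t, eer = None, None, None
    for k in range(steps + 1):
        t = k / steps
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, eer = gap, t, (far + frr) / 2
    return best_t, eer


def operating_point_for_far(genuine, impostor, max_far, steps=1000):
    """Lowest threshold whose FAR is within max_far; returns (threshold, far, frr).
    This answers the slide's question: at the claimed FAR, what FRR do users see?"""
    for k in range(steps + 1):
        t = k / steps
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return 1.0, 0.0, 1.0   # unreachable with clipped scores; reject everything


def smallest_demonstrable_far(n_impostor_attempts):
    """Rule of three: zero false accepts in n impostor attempts supports only a
    95% upper bound of about 3/n, so a 1-in-1,000,000 claim needs millions of
    impostor comparisons behind it. This is why the number of attempts matters."""
    return 3.0 / n_impostor_attempts


def meets_android_requirement(far, frr):
    """Requirement quoted on the slide: FAR not more than 0.002%, FRR not more than 10%."""
    return far <= 0.00002 and frr <= 0.10


if __name__ == "__main__":
    g, i = make_scores()
    t, eer = equal_error_rate(g, i)
    print(f"EER ~{eer:.4%} at threshold {t:.3f}")
    t, far, frr = operating_point_for_far(g, i, max_far=0.00002)
    print(f"FAR<=0.002%: threshold {t:.3f}, FRR {frr:.2%}, "
          f"Android requirement met: {meets_android_requirement(far, frr)}")
    print(f"Smallest FAR {len(i):,} impostor attempts can support: "
          f"{smallest_demonstrable_far(len(i)):.2e}")
```

With these constructed distributions the FRR at the Android FAR limit lands well above the EER, which is the convenience cost the slide is pointing at.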
  • 60. FRR at Varying FAR (September 2015)
    EyeVerify: two studies for Eyeprint ID, mobile
    Source: http://www.eyeverify.com/independent-accuracy-studies
  • 61. Not All FARs are Created Equal
    • Synthetic versus real data
    • Calculated versus claimed
    iPhone X, Face ID: false acceptance rate of 1 in 1,000,000
    Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
  • 62. General Ranking (It Depends, Many Variables)
    • 1 in 500: Voice Recognition
    • 1 in 10,000: Fingerprint
    • 1 in 50,000: Touch ID
    • 1 in 100,000: Facial Recognition
    • 1 in 500,000: Single Iris
    • 1 in 800,000,000,000,000: DNA
    Source: http://www.eyelock.com/
  • 63. Which Biometric Mode is Best?
    Not an exact science to compare.
    Iris is more unique than face, even among twins.
    Source: http://blog.normshield.com/2017/01/machine-learning-in-cyber-security_31.html (January 2017)
  • 65. Biometric System Attack Diagram (Ratha 2001, ISO 2006, NIST 2015)
    Demonstrate at least 90% resistance to presentation attacks.
    [Diagram: pipeline Data Capture, Signal Process, Compare, Decision, with Data Storage feeding the comparator; attack points shown:]
    • Presentation attack (at data capture)
    • Override capture device
    • Extract/modify biometric sample
    • Override signal processor
    • Modify probe
    • Override comparator
    • Modify score
    • Override decision engine
    • Modify decision
    • Override database
    • Modify biometric reference
    Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
  • 67. Presentation Attack Detection (PAD), Anti-Spoofing
    • Active: user must participate, blink, smile, turn head
    • Passive: user participation is not needed, hardware or software algorithms
    [Graphic: 3D mask]
    Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
    Source: https://www.qafis.com/anti-spoofing
  • 68. Presentation Attack Detection (PAD), Using Algorithms
    Using Local Binary Patterns (LBPs) as PAD
    [Figure panels: (a) Bona fide image, (b) Laser printer artefact, (c) Inkjet printer artefact, (d) Display attack using iPad]
    Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
  • 70. PAD for Finger: Implement in Hardware, Software, or Both
    Software: assess characteristics of the sample: sharpness of lines, presence of pores.
    • Easier to implement.
    • Easier to update, including over the air (OTA) as anti-spoofing techniques improve.
    • Leverage machine learning.
    Hardware: requires additional capabilities in the fingerprint scanner: ability to sense pulse, temperature, and capacitance, none of which can be done in software alone.
    • Greater ability to detect "liveness" of the finger being scanned.
    • More expensive.
    • Consumes more power.
    • May introduce latency if, for example, there is a need to sense multiple heartbeats.
    Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
  • 72. Presentation Attack Detection (PAD), Emerging Standards
    • ISO/IEC DIS 30107-2 Information technology -- Biometric presentation attack detection -- Part 2: Data formats
    • ISO/IEC FDIS 30107-3 Information technology -- Biometric presentation attack detection -- Part 3: Testing and reporting
    • NEW: ISO/IEC 30107-4
    Source: https://www.iso.org/standard/53227.html
  • 73. Presentation Attack Detection (PAD) for Mobile Devices
    ISO/IEC 30107-4 Biometric presentation attack detection – Profile for evaluation of mobile devices.
    Address spoofing and presentation attacks against mobile devices.
    Presentation Attack Detection (PAD) includes:
    • Fake fingerprints.
    • Video replays.
    • Voice recordings.
    Concern for commercial and government agencies:
    • Rely on mobile device authentication for transactions and identity confirmation.
    Source: https://www.iso.org/standard/53227.html
    Source: https://cacm.acm.org/magazines/2016/4/200169-multimodal-biometrics-for-enhanced-mobile-device-security/abstract
    Source: http://www.planetbiometrics.com/article-details/i/5803/ (April 2017)
    Source: http://profit.ndtv.com/news/life-and-careers/article-new-smartphone-from-infocus-to-support-aadhaar-authentication-1634102
  • 74. How to Measure the Strength of Biometric Recognition for Authentication?
    Graphic: http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
  • 75. Strength of Function for Authenticators (SOFA) - Biometrics
    Measurement of biometric system strength:
    • Provide a level of quantitative assurance.
    • Outline a process to support evaluation of biometric authenticators.
    SOFA equation (NIST, with ISO/IEC and FIDO), inputs:
    • Level of Effort
    • PAD Error Rate (PADER)
    • False Match Rate (FMR)
    • False Non-Match Rate (FNMR)
    Source: https://pages.nist.gov/SOFA/
    Source: https://www.secureidnews.com/news-item/sofa-b-enabling-organizations-to-measure-the-strength-of-biometric-technologies/?tag=biometrics
  • 76. SOFA-B (NIST, April 2017)
    • ZeroInfo case: no masquerade attempt, brute force, no knowledge.
    • Targeted case: create a sample that resembles the individual biometric characteristic.
    Source: https://www.nist.gov/sites/default/files/documents/2016/11/21/sofa_discussiondraftoverview-v1_1.pdf (April 2017)
    Reference
  • 77. Level of Effort
    Presentation attacks based on:
    • Time
    • Expertise
    • Equipment
    Police 3D-printed a murder victim's finger to unlock his phone.
    Source: https://pages.nist.gov/SOFA/
    Source: http://www.theverge.com/2016/7/21/12247370/police-fingerprint-3D-printing-unlock-phone-murder (2016)
  • 79. Face ID: Demo Failed Twice
    We all experience demo failures
    • Craig Federighi, SVP Software Engineering
    • Face ID failed twice
    • Why did Federighi wipe his face afterward?
    • Stock dipped from $163 a share to $159
    • Closed at $161
    Source: https://www.youtube.com/watch?v=unIkqhB2nA0 (September 2017)
    Source: http://www.nydailynews.com/news/national/apple-reveals-iphone-x-new-face-id-tech-fails-demo-article-1.3491125 (September 2017)
  • 80. Face ID: Attention Detection
    "Attention" feature won't work for everyone:
    • Blind
    • Vision impaired
    • Cannot stare directly at phone to communicate intent
    In those cases, where a face is recognized but it can't see eyes, just turn off the "attention detection" feature
    • Still get Face ID, but at a lower level of overall security because it cannot ensure the user's eyes are directly focused on it
    Face ID requires that it be able to see:
    • Eyes
    • Nose
    • Mouth
    There are scenarios where it just won't work.
    Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
  • 81. Face ID: What About Sunglasses?
    • Polarized lenses are no problem
    • Some lenses block infrared (IR) radiation
    • Use passcode
    • Take off sunglasses
    Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
    Graphic: http://www.businessinsider.com/apple-suppliers-iphone-x-sales-shipments-2017-9
    Graphic: http://electronics.howstuffworks.com/gadgets/high-tech-gadgets/nightvision1.htm
  • 82. Clare Nelson, @Safe_SaaS Face ID: Evil Twin Warning Source: https://www.youtube.com/watch?v=unIkqhB2nA0
  • 84. "Thought Auth"1
    EEG Biosensor
    • MindWave™ headset2
    • Measures brainwave signals
    • EEG monitor
    • International Conference on Financial Cryptography and Data Security (2013)3
    Facebook telepathy
    1Source: Clare Nelson, March 2015
    2Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
    3Source: http://www.technewsworld.com/story/77762.html
  • 85. When Does Law Enforcement Demand to Read Your Data Become a Demand to Read Your Mind?
    Andrew Conway, Peter Eckersley, Communications of the ACM, September 2017
    "That gadget in your hand is not a phone, it is a prosthetic part of your mind, which happens to make telephone calls. We need to ask which parts of our thoughts should be categorically shielded against prying by the state."
    Source: https://cacm.acm.org/magazines/2017/9/220420-when-does-law-enforcements-demand-to-read-your-data-become-a-demand-to-read-your-mind/fulltext (September 2017)
  • 86. Master Key to Unlock Finger Sensors?
    Nasir Memon, Professor of Computer Science and Engineering, New York University
    Computer simulations:
    • Similarities of partial prints
    • Created "Master Prints"
    • Matched prints 65% of time
    Source: https://www.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html?_r=2 (April 2017)
  • 88. We Stand on the Shoulders of Giants
    • John Daugman: https://alchetron.com/John-Daugman-489257-W
    • Sébastien Marcel: http://www.idiap.ch/~marcel/professional/Welcome.html
    • Anil Jain: https://www.egr.msu.edu/people/profile/jain
    • Christoph Busch: http://nislab.no/people/norwegian_information_security_laboratory/professors/christoph_busch
  • 91. Key Points Summary
    • In Multi-Factor Authentication (MFA), biometrics are a RESTRICTED factor
    • Biometric systems have error rates, FAR, FRR; they are probabilistic
    • Biometrics are not secrets
    • NIST SP 800-63B, Authentication and Lifecycle Management, allowable use of biometrics (new from June 2017)
      • Biometrics may be used to unlock multi-factor authenticators and to prevent repudiation of enrollment
      • Biometrics SHALL be used only as part of multi-factor authentication with a physical authenticator (something you have)
      • Biometric comparison can be performed locally on the device or on a central server
      • NIST: since the potential for attacks on a larger scale is greater at central servers, local device comparison is preferred
      • The biometric system SHOULD implement Presentation Attack Detection (PAD)
      • Testing of the biometric system SHOULD demonstrate at least 90% resistance to presentation attacks
      • PAD is being considered as a mandatory requirement in the future
    • SOFA-B, measure strength of biometric recognition system
    • ISO/IEC 30107 Presentation Attack Detection (PAD) guidelines
      • Part 4 coming: Biometric presentation attack detection – Profile for evaluation of mobile devices
    • United States biometrics laws vary by state, only in IL and TX, more coming
      • Require written consent from consumers
    • GDPR
      • Prohibits processing of biometrics
      • Many exceptions: consumer gives consent, is an employee, or done for reasons of substantial public interest
    • Mobile biometrics consumer market growth: 41% CAGR 2016-2022, reaching $50B in 2022
    • Future solutions, for some use cases:
      • Combine multimodal, behavioral biometrics with machine learning (if applicable, use continuous authentication)
      • Machine learning offers the potential to authenticate users based on multiple assessments, including behavior, appearance, voice, and speed at which they type
      • Verify device: not pwned, same device
      • A user's device can constantly calculate a trust score that the user is who they claim to be
    Reference
  • 92. Terms
    • Biometric data processing: biometric system data processing including capture, quality assessment, presentation attack (spoof) detection, feature extraction, database enrollment, fusion, matching, and decision processes
    • Biometric sensors and hardware: variation and types of biometric sensors and technology (e.g. capacitive, thermal, optical, infrared, multi-spectrum) required to capture high-quality samples for various modalities and applications
    • Biometric system integration: the hardware and software interfacing necessary to produce a functioning biometric system optimized for a specific application, including proper utilization of biometric software development kits
    • Biometric system performance: system performance and metrics including Equal Error Rate (EER), False Accept Rate (FAR), False Reject Rate (FRR), False Match Rate (FMR), False Non-Match Rate (FNMR), detection error tradeoff (DET) and receiver operating characteristic (ROC) curves, genuine and impostor score histograms, and considerations for threshold optimization for population, operating environment, and application requirements
    • Biometric standards: NIST, ISO, FIDO standards
    • Enrollment and capture processes: considerations for enrollment and live capture processes and errors such as failure to acquire (FTA) and failure to enroll (FTE)
    • Sample quality: biometric sample quality has a direct measurable impact on the performance of the system; proper quality assessment algorithms and thresholds ensure the integrity of enrolled biometric templates
    • Spoofing and presentation attack detection: recognizing and preventing attempts to use manufactured or fake biometric samples (also known as liveness detection)
    • Verification and identification: verification processes require a one-to-one comparison between biometric samples to make a matching decision, while identification processes require one-to-many matching, where a sample (probe) is compared to a database (gallery) to obtain a ranked candidate list
    • Physiological and behavioral modalities: biometric traits (i.e. fingerprint, face, iris, voice, vascular, DNA) and their characteristics of universality, uniqueness, permanence, measurability, performance, acceptability, and circumvention
    • Soft biometrics: height, weight, skin color, scars, marks, tattoos
    • Multimodal biometrics: combining (or fusing) biometric traits to improve decision accuracy, hinder spoofing, and account for unavailability of biometric traits
    Source: http://www.idtp.com/identity/
  • 94. References, 1 of 2
    • Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
    • Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
    • IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
    • Six technologies that are taking on the password, UN/HACKABLE, Medium
    • Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
    • Nelson, Clare; Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
    • Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
    • Pagliery, Jose; OPM hack's unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
    • Bonneau, Joseph, et al; Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
    • White, Conor; CTO Doan, Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
    • Gioria, Sébastien; OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
  • 95. References, 2 of 2
    • Steves, Michelle, et al; NISTIR, Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
    • Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-fingerprints/ (September 2015)
    • Perrot, Didier; There's No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)
    • Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/
    • AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/
    • Hardjono, Thomas; Pentland, Alex "Sandy"; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems, https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-Whitepaper-v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite]
    • Jankovich, Thomas; "Blockchain Makes Digital ID a Reality," https://finxtech.com/2016/12/02/blockchain-makes-digital-id-reality/ (December 2016)
    • Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age, http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013)
    • MyData Identity Network based on User Managed Access (UMA), https://docs.google.com/presentation/d/1j3aX8AQGdVtigF1WZouL8WccmYQzZQQje3wuaC2Zb1I/edit#slide=id.g1386e8a6aa_2_914
    • Kunk, S.K.; Biometric Authentication: A Machine Learning Approach, Prentice Hall (2005)
    • mikeh; Machine Learning and Biometrics, Neya Systems blog, http://neyasystems.com/machine-learning-biometrics/ (March 23, 2013)
  • 97. Artificial Dog Nose
    It smells you once, and knows you forever.
    Matt Staymates, a mechanical engineer at NIST:
    • Schlieren imaging system visualizes flow of vapors into an explosives detection device fitted with an artificial dog nose, mimicking the "active sniffing" of a dog.
    • Artificial dog nose developed by Staymates and colleagues at NIST, MIT Lincoln Laboratory, FDA.
    • Improves trace chemical detection as much as 16-fold.
    Source: http://phys.org/news/2016-12-scientists-artificial-dog-nose-mimics.html
    Photo: http://dogs.petbreeds.com/l/95/Labrador-Retriever
  • 98. Clare Nelson, @Safe_SaaS Presentation Attack Detection (PAD) Source: https://www.iso.org/standard/53227.html
  • 99. Clare Nelson, @Safe_SaaS Types of Detection Source: https://www.nist.gov/sites/default/files/documents/2016/11/30/401_newton.pdf Vendor ID, Algorithm ID, and Sensor ID
  • 100. Spoofing, Biometric Presentation Attack
    Biometric presentation attack: presentation to the biometric capture system with the goal of interfering with the operation of the biometric system.
    Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:2382:-37:ed-2:v1:en (2017)
  • 101. Presentation Attack Detection, Liveness Detection Competition
    Hosts: University, Notre Dame University, West Virginia University, and Warsaw University of Technology
    This will be held as part of the IJCB 2017 (International Joint Conference on Biometrics).
    The competition has two sub-competitions:
    • Part I: Software-based
    • Part II: System-based test
    Source: http://livdet.org/index.php
  • 102. IARPA Face Recognition Algorithm Contest
    Face Identification and Face Verification
    • 1-to-1 compare.
    • 1-to-many compare.
    • "Face recognition is hard."
    • Algorithms commit false negative and false positive errors: head pose, illumination, and facial expression.
    Looking for advancements in face recognition accuracy.
    Source: https://www.challenge.gov/challenge/face-recognition-prize-challenge/ (April 2017)
  • 103. Face Recognition Algorithm Evaluation
    • Includes verification of:
      • Visa images.
      • De-duplication of passports.
      • Recognition across photojournalism images.
      • Identification of child exploitation victims.
    • Part of the Face Recognition Vendor Test (FRVT).
    • Results will be posted to the NIST website.
    Source: https://www.nist.gov/programs-projects/face-recognition-vendor-test-frvt-ongoing
    Source: http://www.planetbiometrics.com/article-details/i/5406/desc/nist-to-hold-new-round-of-face-recognition-algorithm-evaluation/
  • 104. November 2016 NIST Algorithm Test Results, Finger
    Assess the core algorithmic capability to perform one-to-one verification.
    • FMR = False Match Rate
    • FNMR = False Non-Match Rate
    • POEBVA = Point of Entry BVA (data used for compliance testing)
      • BVA = German Federal Office of Administration
    Source: https://www.innovatrics.com/awards/pft/
  • 105. Presentation Attack Detection (PAD), Techniques
    • Liveness detection: facial thermogram, blood pressure, fingerprint sweat, or specific reflection properties of the eye, pulse, perspiration, pupillary unrest (hippus), brain wave signals (EEG), or electric heart signals.
    • Protect the system against the injection of reconstructed or synthetic samples into the communication channel between the sensor and the feature extractor.
    • Fusion strategies to increase resistance: multimodal, use more than one biometric, or combine unimodal with an anti-spoofing technique. The score reflects more than one input, unknown to the bad guy.
    Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
  • 106. Quantum Biometrics (April 2017)
    Human eye can detect a single photon. Identify individuals by the way their eyes detect photons.
    • Beam a random pattern of flashes into the eye.
    • Vary the intensity of light in each flash.
    It is detected as a recognizable pattern by a person with a specific alpha map but seems random to anyone else.
    Source: https://www.technologyreview.com/s/604266/quantum-biometrics-exploits-the-human-eyes-ability-to-detect-single-photons/?utm_campaign=add_this&utm_source=twitter&utm_medium=post
  • 107. Fusion Strategies: Example of Face and Finger
    Better accuracy:
    • Bimodal biometric system using face and fingerprint.
    • Salient features of the face and fingerprint were extracted, and fused/combined.
    Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
    Source: http://www.iphonehacks.com/2017/01/synaptics-launches-multi-factor-facial-fingerprint-recognition-engine-smartphones-tablets.html
  • 108. Existing and Emerging Methods and Standards, Increased Synergy
    Determine how well biometric recognition solutions work:
    • Measure strength, use NIST SOFA-B
      • NIST creating synergy with ISO/IEC and FIDO
    • Test face or finger recognition algorithms with NIST
    • In future, FIDO certification for biometrics
    • ISO/IEC standards for PAD, for mobile
    • PAD algorithms
    • Increased understanding of FAR, FRR, EER
    • Accredited, third-party testing of all or part of the biometric recognition system
      • iBeta
    • Usability research and testing
    • Contests, e.g., LivDet, IARPA
    • If biometrics are stored only on the device, then provide a free version to test accuracy and usability. Otherwise, it is difficult to get feedback.
    • Research institutes, e.g., IDIAP Research Institute in Switzerland
    Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
  • 109. Clare Nelson, @Safe_SaaS Presentation Attack Detection (PAD) Algorithms Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
  • 110. Behavioral Biometrics
    • Requires JavaScript
    • Learning curve
    • Privacy impact from constant monitoring
    • Varies: injury to hand, intoxicated
    Source: http://www.behaviosec.com
  • 111. Types of Spoofing
    Source: https://www.iso.org/standard/53227.html
  • 112. Spoofing
    The ability to fool a biometric system into recognizing an illegitimate user as a genuine one by means of presenting a synthetic or forged version of the original biometric trait to the sensor.
    Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
    Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
    Source: https://www.slideshare.net/SBAResearch/31c3-in20min
  • 113. Spoofing
    • Types of fake fingerprints
    • Fake eye images, contact lenses, etc. enable hackers to fake an iris sample
    [Graphic: real versus fake samples]
    Source: https://www.linkedin.com/pulse/biometric-spoofing-nadh-thota
    Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
  • 114. Clare Nelson, @Safe_SaaS Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726 Source: https://www.computer.org/csdl/trans/tp/2006/01/i0031.html Face Spoofing Matching 2.5D Face Scans to 3D Models
  • 115. Clare Nelson, @Safe_SaaS iPhone X, Face ID Source: https://venturebeat.com/2017/09/12/iphone-x-ditches-touch-id-for-face-id/ Source: http://bgr.com/2017/09/12/iphone-x-price-specs-features/
  • 116. Touch ID Architecture, Release 3
    With iOS 9, third-party apps could use Local Authentication.
    [Diagram: Touch ID Sensor → Fingerprint Map → Secure Enclave; Local Authentication / Security Framework exposed to 3rd Party Applications and Apple Applications]
    Source: https://www.slideshare.net/centralohioissa/jamie-bowser-a-touchid-of-ios-security
  • 117. Vocabulary, 2017 ISO/IEC 2382-37
    Associated terms by source or domain (false-accept side / false-reject side):
    • Biometrics text books: FAR / FRR
    • Statistics: Type II / Type I
    • ISO/IEC: more detailed / more detailed
    • NIST: FMR / FNMR
    • Risk: False Positive / False Negative, False Reject, Insult Rate
    Equal Error Rate (EER), also known as Crossover Error Rate (CER)
    Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-Paper-Understanding-Biometric-Performance-Evaluation.pdf
    Reference
  • 118. When is Passcode Required?
    1. Device has just been turned on, or restarted
    2. Device hasn't been unlocked for more than 48 hours
    3. Device has received a remote lock command
    4. After 5 unsuccessful attempts to match a fingerprint
    5. When setting up or enrolling new fingers with Touch ID
    6. The passcode hasn't been used to unlock the device in the last 156 hours (6.5 days) and Touch ID has not unlocked the device in the last 4 hours
    [Graphic: timeline of the 156-hour passcode window and 4-hour Touch ID window]
    Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf (March 2017)
  • 119. Face Recognition, GDPR Privacy Concerns
    Jeroen Terstegge, CIPP E-US, Partner at Privacy Management Partners, Utrecht Area, Netherlands:
    Face recognition in CCTV. Example of the link between:
    • Privacy (the right to be let alone) AND
    • Data protection (the right not to have data collected and used in ways that impact people's rights and freedoms)
    This technology, especially its pervasiveness, is very very worrying.....
    GDPR has put biometrics in the 'special data' category
    • It is prohibited to process face recognition data, except for some very limited purposes
    Serious flaw in GDPR: Article 9(2)(g) GDPR
    • Allows governments to use this technology "for reasons of substantial public interest" and "subject to suitable safeguards to protect people's rights and freedoms"
    Source: https://www.facebook.com/jterstegge/posts/1857555150924472
    Source: https://www.facebook.com/TheEconomist/videos/10155826328554060/?hc_ref=ARShy0cXkxwBhuFfrsnXCc9Usugj0-XSVLv7sVcTsDVF6PlWhH_tD99BTsYW50qoMmA&pnref=story
    Reference
• 120. Face ID False Acceptance Rate (FAR)
Source: https://arstechnica.com/gadgets/2017/09/face-id-on-the-iphone-x-is-probably-going-to-suck/ (September 2017)
The Face ID claim of a false acceptance rate (FAR) of 1 in 1,000,000
• Verified by third-party, independent testing?
• Touch ID FAR is 1 in 50,000
• Projecting 30,000 dots on a face does not by itself make it more accurate; it still has all the problems every other face recognition system has
• Neural networks, neural engine
Other issues include awkward ergonomics and the time needed for a successful face capture and compare
• How to hold the phone?
• Get out of bright sunlight?
• Take off sunglasses?
• How many retries before Failure to Acquire (FTA)?
Many people may simply use their passcode
Surgeons and people who wear a garment that covers their face (e.g. women in some Muslim countries are required to wear a niqab in public) will need to use the passcode instead
What is the FRR for iPhone X?
• 121. Minnesota Senator Raises Concerns over iPhone X, Face ID
Security and privacy concerns with iPhone X, Face ID
Published letter: https://www.franken.senate.gov/?p=press_release&id=3759
Source: http://money.cnn.com/2017/09/14/technology/al-franken-iphone-x-face-id/index.html (September 2017)
• 122. Iris versus Face
Source: https://www.youtube.com/watch?v=KyDoFrojEYk&list=PLrUBqh62arzt_Uf_UamHtRFDYl1tpRVCK
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Iris is more accurate than face
• 123. Are You Confused? Which biometrics are static, which are dynamic?
Source: https://twitter.com/G_ant (September 2017)
Reference
• 124. Face ID Training
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
Apple trained on 1 billion plus faces, global, with permission
• Maintains this database
“We do not gather customer data when you enroll in Face ID, it stays on your device, we do not send it to the cloud for training data”
There is an adaptive feature of Face ID that allows it to continue to recognize your changing face as you change hair styles, grow a beard or have plastic surgery.
• This adaptation is done completely on device by applying re-training and deep learning in the redesigned Secure Enclave.
• None of that training or re-training is done in Apple’s cloud.
• Apple has stated that it will not give access to that data to anyone, for any price.
When you train the data it gets immediately stored in the Secure Enclave as a mathematical model that cannot be reverse-engineered back into a “model of a face.”
• Any re-training also happens there.
• It’s on your device, in your secure enclave, period.
Secure Enclave, updated with Secure Enclave Processor
Truly no reverse engineering? Anonymization?
Reference
• 125. Source: https://www.secureidnews.com/news-item/five-states-considering-bills-to-restrict-biometrics-use/ (February 2017)
“Entities may have to consider changes to their notice and consent practices, or decide to not collect or store biometric data at all.” – Jeffrey Neuburger, National Law Review
• 126. CISO Concerns: Consent, Retention, Disposal
Source: http://www.americanbar.org/publications/blt/2016/05/08_claypoole.html
Maze of sectoral laws, state laws, pending cases, and recommendations
• Patchwork of privacy laws and rules governing the use and collection of biometric data
• Practitioners, technology developers, and privacy-conscious individuals should watch this rapidly developing legal landscape
• Companies employing technologies using biometric identifiers may want to err on the side of caution and ensure that their notification and consent processes are clear and conspicuous
• For cautious businesses, employ an opt-in structure for your technologies using biometric identifiers
• Look hard at your retention policies and look harder at your disposal practices
• 127. Homomorphic Encryption
Source: http://www.vttresearch.com/media/news/vtts-encryption-method-takes-authentication-to-a-new-level
VTT Technical Research Centre, Finland
• Biometric recognition for MFA
• Risk that a person's biometric identifiers leak out of the database
• Protect biological or behavioral biometric data
• Uses homomorphic encryption
• 128. Face ID: Enroll, Can You Read Instructions without Glasses?
Source: http://www.idownloadblog.com/2017/09/15/face-id-overview/ (September 2017)
• Settings
• Face ID & Passcode
• Enroll Face
• Get Started
• Follow onscreen instructions (read without glasses?)
• Gently move your head while looking at the screen to complete the circle
• 129. Face ID, Initial Use Cases
Source: http://www.idownloadblog.com/2017/09/15/face-id-overview/ (September 2017)
• iPhone unlock: unlock your phone with a glance
• Auto-Lock: keep the screen lit when reading
• iTunes and App Store: approve app and media purchases
• Apple Pay: check out with just a glance
• Safari Autofill: unlock saved Safari passwords for use on websites and in apps
• Animoji: animate emoji using your voice and facial expressions
• Messages: reveal messages when looking at the Lock screen
• Notifications: display protected notifications on the Lock screen
• Alarms/ringers: lower the alarm/ringer volume with a glance
• 130. Fingerprint Readers Eclipsed 1 Billion, Is Face the Next Wave?
Source: https://www2.deloitte.com/nl/nl/pages/technologie-media-telecom/articles/tmt-predictions-2017.html
• 131. Lack of Common Vocabulary
Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-Paper-Understanding-Biometric-Performance-Evaluation.pdf
Graphic: https://www.britannica.com/topic/Tower-of-Babel
Source/Domain and associated terms:
• Biometrics text books: FAR (Type II error), FRR (Type I error)
• NIST: FMR, FNMR
• ISO/IEC: more detailed terms
• Risk: False Positive; False Negative (also False Reject, Insult Rate)
• Equal Error Rate (EER), also known as Crossover Error Rate (CER)
Vocabulary updates: 2017 ISO/IEC 2382-37
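The vocabulary above, worked through numerically: FMR/FAR and FNMR/FRR are computed from comparison scores at a range of thresholds, and the EER/CER is the threshold where they meet. This is an added example, not code from the presentation or the cited white paper; the genuine and impostor scores are constructed, not from any real sensor.

```python
from typing import List, Optional, Sequence, Tuple

# Constructed comparison scores (higher = more similar). In a real evaluation
# these come from thousands of genuine and impostor comparisons.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.70, 0.66, 0.58]   # same person
IMPOSTOR = [0.62, 0.55, 0.50, 0.47, 0.44, 0.40, 0.36, 0.33, 0.28, 0.21]  # different people
THRESHOLDS = [i / 100 for i in range(0, 101, 5)]  # 0.00, 0.05, ..., 1.00

Rate = Tuple[float, float, float]  # (threshold, FMR, FNMR)


def fmr(impostor: Sequence[float], threshold: float) -> float:
    """False Match Rate (NIST) = FAR (text books) = Type II error = false positive:
    share of impostor comparisons whose score reaches the accept threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def fnmr(genuine: Sequence[float], threshold: float) -> float:
    """False Non-Match Rate (NIST) = FRR = Type I error = false negative,
    false reject, insult rate: share of genuine comparisons scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                thresholds: Sequence[float] = THRESHOLDS) -> List[Rate]:
    """Both error rates at every threshold: raising the threshold lowers FMR and raises FNMR."""
    return [(t, fmr(impostor, t), fnmr(genuine, t)) for t in thresholds]


def equal_error_rate(genuine: Sequence[float], impostor: Sequence[float],
                     thresholds: Sequence[float] = THRESHOLDS) -> Rate:
    """EER / Crossover Error Rate: the threshold where FMR and FNMR are closest to equal."""
    return min(error_rates(genuine, impostor, thresholds), key=lambda r: abs(r[1] - r[2]))


def threshold_for_fmr(genuine: Sequence[float], impostor: Sequence[float],
                      target_fmr: float,
                      thresholds: Sequence[float] = THRESHOLDS) -> Optional[Rate]:
    """Lowest threshold whose FMR is at or below target_fmr (what a policy such as
    NIST's '1 in 1000 or better' asks for), with the FNMR the user pays for it.
    Note the resolution: a sample of N impostor comparisons cannot demonstrate an
    FMR finer than 1/N, which is why small test sets cannot support tiny FMR claims."""
    for rate in error_rates(genuine, impostor, thresholds):  # ascending thresholds
        if rate[1] <= target_fmr:
            return rate
    return None


if __name__ == "__main__":
    for t, fm, fn in error_rates(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FMR {fm:.2f}  FNMR {fn:.2f}")
    print("EER:", equal_error_rate(GENUINE, IMPOSTOR))
    print("zero FMR on this sample:", threshold_for_fmr(GENUINE, IMPOSTOR, 0.0))
```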
• 132. Issues with Biometrics
Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
Even when organizations do not actively attempt to abuse personal data, it is difficult to ensure its privacy, as illustrated by some of the well-publicized breaches
• OPM breach: 5.6 M fingerprints
Biometrics are often used in situations where there is a significant asymmetry of power
• Employers monitoring employees
• Governments monitoring those entering and leaving the country
Consent to process biometrics is not freely given if there is an asymmetry of power
• 133. Issues with Biometrics
Source: https://www.slideshare.net/eralcnoslen/who-will-win-the-biometrics-race-v10
• Not revocable: easy to reset a password, not easy to reset a fingerprint
• In MFA, biometrics are a restricted factor
• No two biometric scans are the same, each one is unique (Ratha 2001)
o If there is a perfect match, then you know something is wrong: impostor, or malfunction
• Algorithms commit false negative and false positive errors
o Head pose, illumination, and facial expression
• Privacy issues
o Religious head covering: need a private place for face recognition
• GDPR: biometrics are sensitive personal data, need consent tied to a specific purpose, must be easy to withdraw consent
o Consent must be freely given
• United States: Biometric Information Privacy Act (BIPA) laws in IL, TX
o Vary by state; need written consent, documented purpose, retention
• Anti-spoofing technology still evolving
o Targeted attacks; mass attacks on the horizon (Dr. Memon)
• 134. General Data Protection Regulation (GDPR) and Second Payment Services Directive (PSD2)
Source: https://www2.deloitte.com/lu/en/pages/banking-and-securities/articles/psd2-rts-on-authentication-and-communication.html
Timeline
• GDPR: May 2018
• PSD2 includes specific requirements for biometric recognition for multi-factor authentication, or what it terms “Strong Customer Authentication (SCA)”
o SCA not until 2019
o Still in revision process; final document not published
o Many drafts published, indicating possible guidelines
• 135. EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/9.htm
Source: http://www.duhaime.org/LegalDictionary/L/Legalese.aspx
If you collect consent to process biometrics, it must be:
• Clear, plain language (no legalese)
• Freely given
• As easy to withdraw as to give consent
• 136. Does the GDPR Apply to US-Based Entities?
Source: https://www.whitecase.com/publications/article/chapter-4-territorial-application-unlocking-eu-general-data-protection
An organization based outside the EU is subject to the GDPR if it:
• Offers goods or services to EU data subjects
• Monitors the behavior of EU data subjects
GDPR applies to EU/EEA citizens in the US
• EEA = EU + Norway, Iceland, Liechtenstein
• Brexit in future
• 138. EU PSD2 Requirements for Biometric Recognition for Authentication
Date: 23 February 2017
Source: https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
Source: http://nordicapis.com/psd2-sanctions-access-to-personal-banking-data-amplifying-fintech-growth/
• Low False Acceptance Rate (FAR)
• Anti-spoofing measures
Graphic: Convenience, Security
• 139. EU PSD2 Requirements for Biometric Recognition for Authentication
Date: 23 February 2017
Source: https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
Source: http://nordicapis.com/psd2-sanctions-access-to-personal-banking-data-amplifying-fintech-growth/
• Independence of factors in multi-factor authentication
• The breach of one of the factors does not compromise the reliability of the other factors
• Use of separated secure execution environments
Graphic: Know, Have, Are
• 140. Contactless Biometric Recognition, Healthcare
Source: http://healthcare.fai.fujitsu.com/resource/essentials-to-achieve-optimal-clinical-workflow.pdf
Source: http://www.amfastech.com/2013/03/a-seminar-on-palm-vein-technology.html
Solution
• Palm vein
• Capture palm vein pattern with near-infrared rays
• Works with clinician, surgeon gloves
• Fujitsu data sheet
o FAR (false accept rate) = 0.00001%
o FRR (false reject rate) = 1.0%
• 141. Presentation Attack Detection (PAD), Genuine or Spoof?
Source: https://www.semanticscholar.org/paper/Face-Spoof-Detection-With-Image-Distortion-Wen-Han/cdac436dcebe8b2c90a8de5479bd3bbd8d9a087f
Reference
• 142. NIST Update on Allowable Use of Biometrics
SP 800-63B, Authentication and Lifecycle Management, 5.2.3. Use of Biometrics
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
For a variety of reasons, this document supports only limited use of biometrics for authentication. These reasons include:
• The biometric False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself. In addition, FMR does not account for spoofing attacks.
• Biometric comparison is probabilistic, whereas the other authentication factors are deterministic.
• Biometric template protection schemes provide a method for revoking biometric credentials that is comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
• Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns). While presentation attack detection (PAD) technologies (e.g., liveness detection) can mitigate the risk of these types of attacks, additional trust in the sensor or biometric processing is required to ensure that PAD is operating in accordance with the needs of the CSP and the subscriber.
Therefore, the limited use of biometrics for authentication is supported with the following requirements and guidelines:
• Biometrics SHALL be used only as part of multi-factor authentication with a physical authenticator (something you have).
• The biometric system SHALL operate with an FMR [ISO/IEC 2382-37] of 1 in 1000 or better. This FMR SHALL be achieved under conditions of a conformant attack (i.e., zero-effort impostor attempt) as defined in [ISO/IEC 30107-1].
• The biometric system SHOULD implement PAD. Testing of the biometric system to be deployed SHOULD demonstrate at least 90% resistance to presentation attacks for each relevant attack type (i.e., species), where resistance is defined as the number of thwarted presentation attacks divided by the number of trial presentation attacks. Testing of presentation attack resistance SHALL be in accordance with Clause 12 of [ISO/IEC 30107-3].
• The PAD decision MAY be made either locally on the claimant’s device or by a central verifier.
PAD = Presentation Attack Detection. PAD is being considered as a mandatory requirement in future editions of this guideline.
• 143. NIST Update on Allowable Use of Biometrics
SP 800-63B, Authentication and Lifecycle Management, 5.2.3. Use of Biometrics
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Source: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=52946
ISO/IEC 24745 = Information technology – Security techniques – Biometric information protection
The biometric system SHALL allow no more than 5 consecutive failed authentication attempts or 10 consecutive failed attempts if PAD meeting the above requirements is implemented. Once that limit has been reached, the biometric authenticator SHALL either:
• Impose a delay of at least 30 seconds before the next attempt, increasing exponentially with each successive attempt (e.g., 1 minute before the following failed attempt, 2 minutes before the second following attempt), or
• Disable the biometric user authentication and offer another factor (e.g., a different biometric modality or a PIN/Passcode if it is not already a required factor) if such an alternative method is already available.
The verifier SHALL make a determination of sensor and endpoint performance, integrity, and authenticity. Acceptable methods for making this determination include, but are not limited to:
• Authentication of the sensor or endpoint.
• Certification by an approved accreditation authority.
• Runtime interrogation of signed metadata (e.g., attestation) as described in Section 5.2.4.
Biometric comparison can be performed locally on the claimant’s device or at a central verifier.
• Since the potential for attacks on a larger scale is greater at central verifiers, local comparison is preferred.
If comparison is performed centrally:
• Use of the biometric as an authentication factor SHALL be limited to one or more specific devices that are identified using approved cryptography.
• Since the biometric has not yet unlocked the main authentication key, a separate key SHALL be used for identifying the device.
Biometric revocation, referred to as biometric template protection in ISO/IEC 24745, SHALL be implemented.
All transmission of biometrics SHALL be over the authenticated protected channel.
Biometric samples collected in the authentication process MAY be used to train comparison algorithms or — with user consent — for other research purposes.
• Biometric samples and any biometric data derived from the biometric sample such as a probe produced through signal processing SHALL be zeroized immediately after any training or research data has been derived.
Reference
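The two SP 800-63B 5.2.3 rules that are easiest to get wrong in an implementation are the consecutive-failure limit with its exponential delay or fallback (slide 143) and the per-species 90% PAD resistance test (slide 142). The code below is an added example, not NIST's or the presenter's; the limiter design, the attack-species names and the counts in the test data are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Numbers from SP 800-63B 5.2.3 as quoted on the slides.
MAX_FAILED_WITHOUT_PAD = 5
MAX_FAILED_WITH_PAD = 10
BASE_DELAY_SECONDS = 30       # "at least 30 seconds", then doubling
MIN_PAD_RESISTANCE = 0.90     # "at least 90% resistance ... for each relevant attack type"


def pad_resistance(thwarted: int, trials: int) -> float:
    """Resistance as SP 800-63B defines it: thwarted presentation attacks / trial attacks."""
    if trials <= 0:
        raise ValueError("a species with no trial attacks has no measurable resistance")
    return thwarted / trials


def pad_meets_guideline(results: Dict[str, Tuple[int, int]]) -> bool:
    """results: attack species -> (thwarted, trials). The SHOULD applies to EVERY
    species separately; a strong average does not rescue one weak species."""
    return all(pad_resistance(th, tr) >= MIN_PAD_RESISTANCE for th, tr in results.values())


@dataclass
class BiometricAttemptLimiter:
    """Tracks consecutive failed biometric comparisons for one authenticator.
    Time is an explicit float (seconds on a constructed clock) so the logic is testable."""
    pad_implemented: bool       # PAD meeting the guideline raises the limit from 5 to 10
    fallback_available: bool    # another factor (other modality, PIN) can be offered
    consecutive_failures: int = 0
    biometric_disabled: bool = False
    delay_until: float = 0.0

    @property
    def limit(self) -> int:
        return MAX_FAILED_WITH_PAD if self.pad_implemented else MAX_FAILED_WITHOUT_PAD

    def can_attempt(self, now: float) -> bool:
        """False while the biometric is disabled or a delay is still running."""
        return not self.biometric_disabled and now >= self.delay_until

    def record_result(self, matched: bool, now: float) -> str:
        """Apply one comparison outcome and return the action taken (for logging)."""
        if matched:
            self.consecutive_failures = 0       # a success resets the streak
            return "accepted"
        self.consecutive_failures += 1
        if self.consecutive_failures < self.limit:
            return "rejected"
        # Limit reached: the guideline's two SHALL options. Prefer offering another
        # factor when one exists; otherwise back off exponentially: 30 s, 60 s, 120 s ...
        if self.fallback_available:
            self.biometric_disabled = True
            return "biometric disabled; offer another factor"
        over_limit = self.consecutive_failures - self.limit   # 0 on the attempt that hits it
        delay = BASE_DELAY_SECONDS * (2 ** over_limit)
        self.delay_until = now + delay
        return f"rejected; wait {delay} s"


if __name__ == "__main__":
    lim = BiometricAttemptLimiter(pad_implemented=False, fallback_available=False)
    clock = 0.0
    for _ in range(7):
        print(lim.record_result(False, clock))
        clock = max(clock, lim.delay_until)
    # Constructed PAD test results: species -> (thwarted, trials)
    print(pad_meets_guideline({"printed photo": (95, 100), "replay video": (90, 100)}))
```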
• 144. Face ID: What About Doppelgängers?
Graphics: https://www.linkedin.com/feed/update/urn:li:activity:6309838132355432448/
Graphics: http://www.thedailybeast.com/these-people-are-strangers-doppelgangers-around-the-world-photos
• 145. Issues with Biometrics
Graphic: http://www.securitysales.com/tag/biometrics/
Facial recognition is prone to problems with lighting conditions
• Vendor evaluation
• Face recognition did not work in outdoor Austin sunshine, or in an office standing near a window
• Vendor response: “Go inside”
Voice recognition is prone to environmental background noise
• Unnamed financial services market leader
• User experience: in car, with some background noise
• Call, and use voice: “At Unnamed, my voice is my password”
• Failed after multiple attempts, due to background noise
• Works at home, in a quiet office
Fingerprint recognition is prone to moisture, dirty reader
• At unnamed employer
• Use fingerprint reader; touch with a registered finger
• Fails if finger is slightly damp, or reader is dirty
• Guard recommended: ridge builder (liquid with no ingredients listed, nor provided by manufacturer)
Reference
• 146. Spoofing is Still Too Easy
Face Unlock spoofed:
• 2011 Galaxy Nexus
• 2017 Samsung S8
Source: http://www.dailystar.co.uk/tech/news/601633/Samsung-Galaxy-S8-face-recognition-privacy-security-warning
Source: http://www.androidpolice.com/2011/11/16/still-not-convinced-that-face-unlock-is-easily-fooled-by-a-photo-heres-another-video-showing-face-programming-and-photo-unlocking-from-start-to-end/
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments
Emerging standard method for measuring strength, or comparing solutions.
• 147. Illinois Biometrics Information Privacy Act (BIPA)
Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
Sec. 15. Retention; collection; disclosure; destruction.
(a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
(e) A private entity in possession of a biometric identifier or biometric information shall: (1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
Summary: policy, retention, destruction, notification, written consent, disclosure, secure storage, secure transmission
Reference
• 148. Minnesota Supreme Court: Case about Unlocking Mobile Phone
Source: http://www.twincities.com/2017/09/12/can-you-be-ordered-to-unlock-your-cell-phone-mn-supreme-court-tackles-issue/amp/ (September 2017)
Diamond was ordered to “provide a fingerprint or thumbprint”; Diamond asked officers, “Which finger do you want?”
Diamond argued that the government violated his Fifth Amendment rights
• Made him select which finger to use
• This requirement compelled a testimonial communication
• 150. iPhone X
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
• 151. Issues with Biometrics: Not Safe for Payments
Samsung Galaxy S8, contrary to earlier reports: users cannot use facial recognition to authenticate payments
• Camera and deep learning technology still evolving for facial recognition
• Iris and fingerprint are more secure
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April 2017)
Source: http://www.economist.com/blogs/economist-explains/2015/06/economist-explains-12
• 152. Issues with Biometrics
Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
Graphic: https://www.schneier.com/blog/archives/2017/09/iso_rejects_nsa.html
Doubt over whether organizations can be trusted to follow regulations
• Obtain user consent before processing biometrics
• Secure and protect biometrics
“The ISO has decided not to approve two NSA-designed block encryption algorithms: Speck and Simon. It's because the NSA is not trusted to put security ahead of surveillance.” (September 21, 2017)
• 153. EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/4.htm
Source: https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf
Article 4, Definitions
• Personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
• Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
Reference
• 154. EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/9.htm
Article 7, Conditions for Consent (definition, with notes)
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. (Note: provability)
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. (Note: clear, plain language)
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. (Note: right to withdraw consent, easy to withdraw)
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. (Note: freely given)
Reference
• 155. EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/9.htm
Article 9, Processing of special categories of personal data (definition, with notes)
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. (Note: prohibited)
2. Paragraph 1 shall not apply if one of the following applies: (Note: exceptions)
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; (Note: consent)
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; (Note: employment)
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; (Note: unable to give consent)
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; (Note: foundation or non-profit)
(e) processing relates to personal data which are manifestly made public by the data subject; (Note: personal data is public)
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; (Note: legal defence)
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; (Note: public interest)
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; (Note: preventive medicine)
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; (Note: public health interest)
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. (Note: archiving, scientific or historical research)
Reference
• 156. Illinois at Forefront of Active Court Cases
Source: http://www.chicagotribune.com/bluesky/originals/ct-biometric-illinois-privacy-whats-next-bsi-20170113-story.html
Source: https://www.pattishall.com/pdf/2016-01%20Pattishall%20Insights.pdf
L.A. Tan Enterprises
• December 2016 settlement
• $1.5 million to class of customers
• Failed to collect written consent
• Shared fingerprint scans with software vendor
Facebook
• Ongoing
• 3 men against Facebook, tagging lawsuit
• Facebook collection, storage, use of biometric information without informed consent
• 157. Illinois: Storage of Employee Fingerprints
Source: https://www.law360.com/technology/articles/923703/kroger-unit-sued-over-alleged-storage-of-worker-fingerprints?nl_pk=65afb77a-0e17-49b2-b31e-5e6346836849&utm_source=newsletter&utm_medium=email&utm_campaign=technology (May 2017)
Source: http://www.thenewstribune.com/news/business/article150218582.html
Source: http://www.americanbar.org/publications/blt/2016/05/08_claypoole.html
No consent: an Illinois and Wisconsin supermarket chain owned by Kroger
• Class action
• Stored employee fingerprint information without consent
• 158. Issues with Biometrics, NIST List
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
• The biometric False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself
• FMR does not account for spoofing attacks
• Biometric comparison is probabilistic, whereas the other authentication factors are deterministic
• Biometric template protection schemes provide a method for revoking biometric credentials that is comparable to other authentication factors (e.g., PKI certificates and passwords)
o However, the availability of such solutions is limited, and standards for testing these methods are under development
• Biometric characteristics do not constitute secrets
o They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns)
• While presentation attack detection (PAD) technologies (e.g., liveness detection) can mitigate the risk of these types of attacks, additional trust in the sensor or biometric processing is required to ensure that PAD is operating in accordance with the needs of the Credential Service Provider (CSP) and the subscriber
FMR is also known as FAR
• Touch ID: 1 in 50,000
• Face ID: 1 in 1,000,000
Biometrics may be used to
• Unlock multi-factor authenticators
• Prevent repudiation of enrollment
Reference
  • 159. Clare Nelson, @Safe_SaaS
  Issues with Biometrics
  • Biometric recognition systems have error rates: a biometric sample is compared with a stored template, and the comparison is probabilistic
  • Biometric recognition systems have False Acceptance Rates (FARs) and False Reject Rates (FRRs); the comparison yields a probability of a match, not a yes/no
  • Biometrics can be collected without user knowledge or consent
  • Unique enough?
  o For now, until mass-scale attacks (Memon’s work, end of this presentation)
  o Exceptions for twins, doppelgängers
  • Universal enough?
  o Exceptions in the human population
  o Example: fingerprint sampling does not work for everyone; a ridge-builder solution is sometimes applied, in other cases an alternative to biometrics is needed
  • Stable enough?
  o Fingerprints don’t change as much as face or voice
  o Update periodically, Face ID neural engine
  o Research: can spoof a face based on neural network recognition (CMU 2016), using colorful glasses
  • Overreliance on mobile device
  o Mobile biometrics use case
  o Mobile device may be compromised; mobile attack surface includes browser, OS, device
  o OWASP Mobile Top 10 references these and more
  o Keylogger installed
  o Man-in-the-Middle (MiTM) attack
  o Rooted, jailbroken devices may be less secure
  o Full control of device from iOS or Android vulnerabilities, hardware vulnerabilities
  o Social engineering
  Source: http://www.biometricupdate.com/201611/cmu-researchers-develop-glasses-that-dupe-facial-recognition
  Reference
  • 160. Clare Nelson, @Safe_SaaS
  Provide Choices, Biometric Recognition Preferences Vary
  Consumer Preference
  Consumers don’t know what this is (behavioral biometrics)
  Source: http://www.paymentscardsandmobile.com/banks-trusted-deliver-biometric-future/
  • 161. Clare Nelson, @Safe_SaaS
  Mobile Biometrics: Fast Identity Online (FIDO) Example
  Use biometrics to unlock the smartphone; use the device and encryption for online authentication
  Diagram labels: Biometrics, Encryption
  Source: https://fidoalliance.org/how-fido-works/
  Graphic: https://www.nist.gov/sites/default/files/documents/2016/12/06/10_ibpc-prez-fido-ssanden-v5.pdf
  Graphic: https://findbiometrics.com/solutions/facial-recognition/
  • 162. Clare Nelson, @Safe_SaaS
  Acoustic Ear-Shaped Biometric Recognition, NEC
  • Microphone embedded within earphone
  • Analyzes the resonance of sounds within the ear cavity
  • Produces a biometric profile
  Requires earphones
  Source: http://www.handsonlabs.org/nec-developing-acoustic-ear-shape-biometric-authentication-solution/
  Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
  • 164. Biometric Backlash
  Biological Biometrics
  1. Exist in public domain, and elsewhere (5.6M+ fingerprints stolen in 2015 OPM breach) [1]
  2. May undermine privacy, make identity theft more likely [2]
  3. Persist in government and private databases, accreting information whether we like it or not [3]
  4. User acceptance or preference varies by geography, demographic
  5. Unique, permanent biological identifiers can’t be changed or replaced in the event of a breach, so they are very dangerous if they end up in the wrong hands [4]
  6. September 2017 Minnesota Senator letter about Face ID, voices privacy and security concerns
  Given these, plus other biometrics issues detailed in this presentation, the ability to opt out of biometrics may prevail in some market segments
  [1] Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
  [2] Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
  [3] Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
  [4] Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017)
  Graphic: http://www.rineypackard.com/facial-recognition.php
  • 165. Clare Nelson, @Safe_SaaS
  “The move towards multi-factor authentication opens a door for biometrics as part of these solutions. Combining that with mobile platforms is a winning combination.” Cathy Tilton, Daon
  Source: http://www.planetbiometrics.com/article-details/i/1414/

Editor's Notes

  1. This presentation is posted on SlideShare: over 160 slides, the basis for a textbook. Two slides of references. Footnotes and sources on almost every slide. Extra summary slide at the end for you to cut and paste into your trip report.
  2. My profile is on LinkedIn. I live at the intersection of security, privacy and identity. More than a decade of identity experience. Evaluated 200 MFA vendors, bought Encap. Evaluated 50+ biometrics vendors to add face and/or voice; none passed our criteria.
  3. Different from the talk description, I have added Face ID updates
  4. ISO standards: the term “biometric authentication” is deprecated.
  5. Quote Dan Crowley: “something you forgot, lost, or were”. Secure Technology Alliance (was Smart Card Alliance) includes location. Mobile identity authentication: one could argue it mitigates using the same channel for know, have, are, all on the mobile device, typically a smartphone.
  6. What is feature extraction?
  7. Ratha’s 2001 paper theta
  8. OPM: recent breaches announced in 2015; 21.5M records, and 5.6M fingerprint images from background checks and security clearances, were stolen. Is it possible to recreate the image from the math model? S: Feature extraction
  9. Active versus Passive, Static versus Dynamic?? Biometrics Institute has more categories. Not completely separate. Closely linked in some cases.
  10. EyeVerify combines many aspects of the eye, blood vessels in the white of the eye, the iris and more, for the EyePrint
  11. How you walk, talk, type, swipe, sit, click
  12. Ear print, eye print, face, finger, foot, lip, palm, voice. Nose: a colleague in HR spoofs the Touch ID of another HR person with her nose. Pulse-response: good for continuous authentication, steering wheel, keyboard. Ear print, eye print, face print, finger print, foot print, lip print, palm print, voice print. No matter what biometric is used, the threat model stays the same. Just because you use a new, cool biometric does not mean the threat model changes, or that the ability for a bad guy to hack it goes away. There is no lack of imagination when it comes to biometrics. How many of you have a biometric authentication tattoo? In use and in the lab: EEG = electroencephalogram. Hand motion: go to the AirSig website to see the demo.
  13. What is one thing behavioral biometric pioneers are getting right? Let’s applaud the invisible challenge; here is an example from another pioneer in the behavioral biometrics field. JavaScript is required. When your cursor disappears, what do you do to find it? Move your mouse? How? One behavioral biometric company tracks this. They create a test scenario where they make the cursor invisible, then they record your reaction. Invisible challenge: make sure it is you. You were not asked to name your first pet, you were not called, you were not asked to enter a secret passcode they just texted you. The challenge happened invisibly, without your knowledge, without interrupting you.
  14. These two users have been paired to have the same height, weight, and BMI. As you can see, there are clear differences in how the two users sit down, as indicated by the grouping of dots.
  15. Greek goddess of universal remedy S: which is the most critical issue ?
  16. What is the EU point of view? 43+ feet iris, moving target, with DoD 30 yards, face
  17. One of my brilliant friends could not enroll an iris with the Samsung S8; is not human? Depends. Identity proofing for re-registration? Returning, known user? How to know if on a new phone? Apple has finally admitted how much life you can reasonably expect to get out of your iPhone: 3 years.
  18. S: unlock device, then device and encryption
  19. Samsung Galaxy S8 debut: face recognition defeated using a picture shown from a second phone; iris recognition defeated by Starbug.
  20. How long will it take Starbug to spoof Face ID?
  21. August 2017 report from Acuity Market Intelligence. This is why you should care: it is an unavoidable market phenomenon.
  22. August 2017 report from Acuity Market Intelligence. This is why you should care: it is an unavoidable market phenomenon.
  23. OPM breach
  24. Biometrics are probabilistic. There is no exact match unless an impostor has replicated a sample.
  25. OPM breach
  26. Just read the red text, rest is there for reference for you to study later
  27. New NIST: biometrics may be used to unlock authenticators and prevent repudiation of registration. Repudiation = denial
  28. There are two states, which ones?
  29. State by State
  30. Need written consent, easy for employees, harder for customers
  31. or iOS 11 beta rumor: tap home button 5 times. Fourth Amendment –protects against unreasonable searches and seizures by the government – does not protect fingerprints.
  32. Digital Identity Guidelines
  33. Repudiation: denial. 2013, University of Oulu, Finland: 3D mask for spoofing.
  34. Big debate. What does iPhone X do? Store on device, in the Secure Enclave. New approach: split the biometric information between the user’s device and the data centre storage, meaning that if one is compromised, the hacker will not have all the information needed to gain verification.
  35. Repudiation: denial
  36. EU Data Protection Directive, since 1995, over 20 years ago Ever expanding definition of personal data
  37. Dactyloscopic = Dactyloscopy = science of fingerprint identification
  38. 3rd exception, public safety to mitigate crime and terrorist threats
  39. Most promise, depends on use case
  40. The more secure, the higher the insult rate.
  41. Mileage may vary What is the FRR? Don’t know.
  42. Need entire accuracy report Not one metric in isolation http://eyelock.com/ What happens when marketing gets their paws on this?
  43. Need to provide FAR and FRR together, else does not make sense
  44. 800 trillion
  45. This figure depicts a generic biometric system and identifies the points at which an adversary may attack a biometric authenticator. The elements of this system could be self-contained in a mobile device, where the biometric is never released, or the system can be distributed among multiple corroborating entities. NIST’s proposed approach is to develop a framework that considers potential vulnerabilities and their respective mitigation strategies as the primary method of evaluating biometric authenticators. Based on these evaluations, each mitigation strategy would be assigned a score, the aggregate of which creates an overall score representing the strength of authentication of the biometric authenticator. Defining this framework must avoid aggregation of scores in a manner that obfuscates the mitigations applied across the appropriate threat vectors. That is, the framework must account for efforts to achieve a higher score by mitigating a significant number of vulnerabilities in only portions of the overall system, while leaving others vulnerable.
  46. Biometric Spoofing is nothing new, over a century
  47. Will the real Raghavendra please stand up? Which one is the real one? Which one is the iPad picture? Which one is from a laser printer, or an inkjet printer?
  48. Raghavendra and Busch. Local binary patterns (LBP) is a type of visual descriptor used for classification in computer vision. LBP is the particular case of the Texture Spectrum model proposed in 1990. LBP was first described in 1994. It has since been found to be a powerful feature for texture classification.
  49. The expense and higher power consumption dictate the sensors in smartphones and wearables.
  50. -1 is out; -2 in development, table of contents; -3 draft out, 41 pages, 2016. DIS = Draft International Standard; FDIS = Final Draft International Standard. Plus FIDO is working on a biometric certification standard.
  51. Strength of function relates to the amount of effort required to defeat a security component. This equation represents a “zero-information” or “a priori” attack scenario where the attacker is not aiming to masquerade as a specific individual but is attempting to gain access by chance. In this case, a successful attack requires defeating the presentation attack detection (PAD) and having a successful match with the template in the system. This is analogous to a “brute force” attack on passwords. The equation for a “targeted” attack scenario is modified to reflect that, in this scenario, the attacker would create a sample that closely resembles an approved individual’s biometric characteristics. An attack in this scenario only needs to defeat the PAD. In other words, a targeted attacker would present biometric characteristics to a sensor that match a legitimate user. Therefore, the FNMR accounts for the potential for error of the matching algorithm. In this case, we state that SOFA is proportional to:
  52. Effort is subjective. Look at Level C, 3D printed spoofs. Michigan, 2016
  53. September 12, 2017 iPhone X announcement
  54. Might be a weak link?
  55. What is IR? Infrared, in the electromagnetic spectrum. What is the electromagnetic spectrum?
  56. During the 9/12 announcement, Apple warned about this. S: Does it apply to doppelgängers too?
  57. How many of you are ready to simply think to your computer? This is not science fiction. Test labs are using thought waves as an authentication factor. This headset is from NeuroSky. International Conference on Financial Cryptography and Data Security, April 2013: brainwave authentication can be used instead of passwords to protect computer logins, researchers at the University of California at Berkeley’s School of Information said. UC Berkeley’s John Chuang presented the team’s findings at the 17th International Conference on Financial Cryptography and Data Security, held in Okinawa, Japan. Also Texas Tech: Abdul Serwadda is doing research. EEG = electroencephalogram
  58. ACM is to software what IEEE is to hardware. FBI versus Apple.
  59. From targeted attacks to large-scale, mass attacks. How unique are the partial fingerprints? New York University and Michigan State University; computer simulations; 65% success rate.
  60. Hero researchers in the field of biometric recognition.
  61. For your trip report
  62. From ISO 30107 working group
  63. Biometric Spoofing is nothing new, over a century Odin, Loki
  64. Anti-Spoofing in software IAPR = International Association of Pattern Recognition
  65. IARPA = Intelligence Advanced Research Project Activity The Search Accuracy Prize is $25,000, the Search Speed Prize is $5,000, while the Verification Prize is $20,000.
  66. Every face has numerous distinguishable landmarks, the different peaks and valleys that make up facial features. FaceIt defines these landmarks as nodal points. Each human face has approximately 80 nodal points. Is this blown away by Face ID’s 30,000 dots? The number of nodal points varies.
  67. Error rates are nonzero and vary by vendor. Innovatrics came in first. Accuracy varies; not deterministic like a password.
  68. IEEE Three examples of anti-spoofing: 1) sensor, 2) feature extractor, 3) Score. Vendors have plenty of examples of anti-spoofing techniques. They should incorporate these in product design, test, etc.
  69. Researchers at National Technical University of Athens in Greece. Measuring the probability of detection is straightforward. The experiments involve repeatedly sending a flash of light into the eye and counting how often the subject becomes aware of it. By lumping together all the environmental factors into a single parameter called alpha, physicists can then calculate the probability of detection.
  70. Prem Sewak Sudhish , Anil K. Jain , and Kai Cao
  71. Prem Sewak Sudhish , Anil K. Jain , and Kai Cao
  72. Raghavendra and Busch, 2017 paper in ACM Computing Surveys. Blink, smile, turn head one direction or the other. S: Texture
  73. What are behavioral biometrics? How are behavioral biometrics different from physical biometrics such as your fingerprint or voiceprint? In the case of behavioral biometrics, pioneers in this field detect threats based on user interaction with online and mobile applications. They monitor typing rhythm and mouse patterns. It’s not what you type, it’s how you type. How many of you have a friend or colleague who just kills the keyboard when they type? They truly pound the keys! They continuously monitor you to build a profile and track how you type and swipe, etc. When could you consider using behavioral biometrics? In some cases, it might be a reasonable additional layer, or an additional set of parameters, added to multi-factor authentication. You don’t want to use this alone or as a primary authentication method. What are some of the drawbacks of behavioral biometrics? Show of hands: how many of you disable JavaScript in your browser? How many of you use the Aviator browser? Many of the behavioral biometric solutions would not work then because they rely on JavaScript. In fact some of them inject JavaScript into the browser. To me that sounds like malware. How would you even get it installed? Google’s Project Abacus: authenticate based on type/swipe/walk/talk and face. Highly intoxicated: quote from a co-founder.
  74. Angela Merkel; German Defense Minister Ursula von der Leyen.
  75. IEEE. Well documented cases. 2D and 3D spoofs; 2.5D, depth information provided.
  76. iPhone X, September 12 announcement, place orders in October, get in November
  77. Earlier release, Touch ID with Local Authentication only available for Apple apps, now it is available for 3rd party apps
  78. Remote lock, Lost Mode
  79. August 2017 report from Acuity Market Intelligence
  80. Hard to believe
  81. NIST IREX-III = TBD?
  82. September 2017, Gartner, Ant Allan: Confusing. That was the title of a nutrition book by Paavo Airola. Behavioral is often called dynamic, and biological static. PSD2 calls biometrics inherence factors.
  83. These two users have been paired to have the same height, weight, and BMI. As you can see, there are clear differences in how the two users sit down, as indicated by the grouping of dots.
  84. For example, Alice adds two encrypted numbers; Bob could decrypt the result without either of them being able to determine the value of the individual numbers. Allows computations to be carried out on ciphertext and yields an encrypted result, the same as if the computation had been done on plaintext.
  85. September 12, 2017 iPhone X announcement
  86. Apple Pay?
  87. Wild West with terminology
  88. Power: is consent freely given?
  89. These two users have been paired to have the same height, weight, and BMI. As you can see, there are clear differences in how the two users sit down, as indicated by the grouping of dots.
  90. The devil is in the lack of details
  91. Dactyloscopic = Dactyloscopy = science of fingerprint identification
  92. EEA = EU +3, Brexit in future
  93. FAR low
  94. TEE = trusted execution environment Secure Enclave
  95. Fujitsu has palm vein readers for healthcare. No touch, no germs. It is the de-oxygenated blood returning to the heart that is picked up. PalmSecure is Fujitsu Japan; ATMs.
  96. In this case the presentation attack detection worked: it identified a spoofed face. Specular reflection = also known as regular reflection, the mirror-like reflection of waves, such as light, from a surface; Blurriness feature =; Chromatic moment = imperfect color reproduction property of printing and display media; Color diversity = genuine versus spoof? Genuine has richer colors.
  97. Repudiation: denial
  98. Repudiation: denial
  99. François Brunelle: some of his doppelgänger pairs.
  100. What is Einstein’s definition of insanity? Comparing Naked FARs does not count. Why is this?
  101. What is Einstein’s definition of insanity?
  102. Need written consent, easy for employees, harder for customers
  103. September 2017: Diamond argued that he “was required to identify for the police which of his fingerprints would open the phone” (2014/2015 case).
  104. Hang cho
  105. How well does it work in bright sunlight? In a movie theater, will it be obtrusive? In a meeting, will it be obtrusive?
  106. Backpedal
  107. Since Snowden, June 2013: EU lack of trust. Max Schrems filed a complaint against Facebook; the US can’t offer adequate protection; PRISM mass surveillance.
  108. Dactyloscopic = Dactyloscopy = science of fingerprint identification Genetic and Biometric data are sensitive data
  109. Consent not freely given if employer/employee relationship, or government/citizen relationship, asymmetry of power
  110. Genetic, healthcare data, long list of exceptions, 10 categories, starting with consent
  111. Collect fingerprints when someone signs up for a membership, which allows them to be identified as a member and check in at any salon. The complaints allege, however, that the salons violate BIPA by not informing customers about this collection and use of fingerprints, not obtaining a written release, and not publishing a biometric data retention policy.
  112. What is Einstein’s definition of insanity? Comparing Naked FARs does not count. Why is this?
  113. Key learning from USAA: offer a choice of biometric modalities. Varies by country, by demographic, by use case. Behavioral: who knows what this is? Would all vote for it.
  114. Could be biometrics + PIN. The most secure part, online, is encryption. Biometrics used to unlock the mobile device, for example your smartphone. Use it to unlock the phone, not for financial transactions.
  115. Not on market yet, 2018. Need to wear earphones.
  116. Cathy Tilton is Chief Technologist of Daon
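Worked example for notes 40 to 43 and note 51 above (and slide 159’s point that biometric comparison is probabilistic). This is an added illustration, not code from the presentation or from NIST’s SOFA-B work: it computes FMR and FNMR together across thresholds for a set of constructed comparison scores, locates the equal error rate, and then turns note 51’s two attack scenarios (zero-information attacker must beat PAD and obtain a false match; targeted attacker only needs to beat PAD and is then limited by the matcher’s FNMR) into per-attempt success probabilities and expected effort. The score lists, the 0.2 PAD-bypass probability and the five-attempt budget are assumptions; the 1-in-50,000 and 1-in-1,000,000 figures are the ones quoted on slide 158.

```python
"""Error-rate trade-off and attack-effort arithmetic for a biometric matcher.

Added illustration, not material from the presentation or from NIST.
The score lists below are constructed, not measurements from any product.
Convention (assumption): higher score = stronger claimed match, in [0, 1].
"""
from typing import List, Tuple

# Constructed comparison scores: ten genuine (same person) and ten impostor
# (different person) comparisons.
GENUINE_SCORES: List[float] = [0.91, 0.87, 0.80, 0.76, 0.70, 0.66, 0.62, 0.55, 0.48, 0.40]
IMPOSTOR_SCORES: List[float] = [0.52, 0.45, 0.41, 0.38, 0.33, 0.30, 0.27, 0.22, 0.18, 0.10]


def error_rates(threshold: float,
                genuine: List[float] = GENUINE_SCORES,
                impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (FMR, FNMR) when a comparison is accepted iff score >= threshold.

    FMR  (a.k.a. FAR): fraction of impostor comparisons that are accepted.
    FNMR (a.k.a. FRR): fraction of genuine comparisons that are rejected.
    Raising the threshold lowers FMR and raises FNMR (the "insult rate").
    """
    fmr = sum(1 for s in impostor if s >= threshold) / len(impostor)
    fnmr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return fmr, fnmr


def equal_error_rate(genuine: List[float] = GENUINE_SCORES,
                     impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Sweep every observed score as a threshold; return (threshold, EER).

    EER is the operating point where FMR and FNMR are closest. A vendor who
    quotes only one of the two rates is hiding where on this curve they sit.
    """
    best_thr, best_gap, best_eer = None, float("inf"), None
    for thr in sorted(set(genuine) | set(impostor)):
        fmr, fnmr = error_rates(thr, genuine, impostor)
        gap = abs(fmr - fnmr)
        if gap < best_gap:
            best_thr, best_gap, best_eer = thr, gap, (fmr + fnmr) / 2
    return best_thr, best_eer


def zero_information_success(fmr: float, pad_bypass: float) -> float:
    """Per-attempt success for an attacker with no sample of the victim: the
    presentation must pass PAD *and* happen to produce a false match."""
    return pad_bypass * fmr


def targeted_success(fnmr: float, pad_bypass: float) -> float:
    """Per-attempt success for an attacker presenting an artefact built from the
    victim's own characteristic: only PAD stands in the way, and the matcher
    then accepts the artefact with probability (1 - FNMR)."""
    return pad_bypass * (1.0 - fnmr)


def expected_attempts(p_success: float) -> float:
    """Mean number of presentations until the first success (geometric law),
    the biometric analogue of brute-force effort against a password."""
    return 1.0 / p_success


def success_within(p_success: float, attempts: int) -> float:
    """Probability of at least one success within a fixed attempt budget
    (attempts treated as independent), e.g. the tries a device allows before
    it falls back to a passcode (budget size is an assumption here)."""
    return 1.0 - (1.0 - p_success) ** attempts


if __name__ == "__main__":
    thr = 0.50
    fmr, fnmr = error_rates(thr)
    print(f"threshold {thr}: FMR={fmr:.2f} FNMR={fnmr:.2f}")
    print("EER threshold, EER:", equal_error_rate())
    pad = 0.2  # assumption: the spoof artefact passes liveness one time in five
    print("zero-information expected attempts:", expected_attempts(zero_information_success(fmr, pad)))
    print("targeted expected attempts:        ", expected_attempts(targeted_success(fnmr, pad)))
    # Vendor-quoted FMRs from slide 158 versus a 4-digit PIN, PAD ignored (pad = 1)
    for name, rate in [("4-digit PIN", 1 / 10_000), ("Touch ID", 1 / 50_000), ("Face ID", 1 / 1_000_000)]:
        print(f"{name:12s} P(success in 5 random tries) = {success_within(rate, 5):.2e}")
```

Run it as a script to print the table. The point to take away is that the zero-information attacker’s effort scales with 1/(PAD bypass × FMR), while a targeted attacker who already has an artefact of the victim is limited only by PAD and (1 − FNMR); an FMR quoted on its own therefore says almost nothing about spoof resistance, which is exactly why FAR and FRR (and PAD performance) have to be read together.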
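Worked example for note 48 (and the texture cues listed in note 96): the local binary pattern descriptor implemented from scratch on grayscale pixel lists, as used by texture-based face presentation attack detection. Added code, not from the presentation, from Raghavendra and Busch, or from any PAD product; the clockwise neighbour ordering, the chi-square comparison and the two tiny constructed test images are my assumptions.

```python
"""Local Binary Pattern (LBP) texture descriptor, radius 1, 8 neighbours.

Added example; not code from the presentation or from any PAD product.
Works on plain lists of integers (grayscale pixels) so it runs without an
image library.  The sample images at the bottom are constructed.
"""
from typing import List

Image = List[List[int]]

# Clockwise neighbour offsets starting at the top-left pixel (assumed ordering;
# any fixed order works as long as enrolment and test use the same one).
_NEIGHBOURS = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]


def lbp_code(img: Image, y: int, x: int) -> int:
    """8-bit LBP code of interior pixel (y, x): bit i is 1 when the i-th
    neighbour is at least as bright as the centre pixel (MSB = top-left)."""
    centre = img[y][x]
    code = 0
    for dy, dx in _NEIGHBOURS:
        code = (code << 1) | (1 if img[y + dy][x + dx] >= centre else 0)
    return code


def lbp_map(img: Image) -> Image:
    """LBP code for every interior pixel (the 1-pixel border has no full
    neighbourhood and is dropped)."""
    h, w = len(img), len(img[0])
    return [[lbp_code(img, y, x) for x in range(1, w - 1)] for y in range(1, h - 1)]


def lbp_histogram(img: Image) -> List[float]:
    """Normalised 256-bin histogram of LBP codes: the texture signature that a
    PAD classifier compares against genuine-skin and print/replay statistics.
    A printed or replayed face loses fine skin micro-texture, which shifts
    this histogram towards flat codes such as 255."""
    codes = [c for row in lbp_map(img) for c in row]
    hist = [0.0] * 256
    for c in codes:
        hist[c] += 1.0
    return [v / len(codes) for v in hist]


def chi_square_distance(h1: List[float], h2: List[float]) -> float:
    """Chi-square distance between two histograms; 0 means identical texture."""
    return sum((a - b) ** 2 / (a + b) for a, b in zip(h1, h2) if a + b > 0)


# Constructed 5x5 test images: a uniform patch (no micro-texture, as in a
# blurred print) and a patch with a bright diagonal ridge.
FLAT: Image = [[100] * 5 for _ in range(5)]
RIDGE: Image = [[200 if x == y else 50 for x in range(5)] for y in range(5)]

if __name__ == "__main__":
    print("RIDGE LBP map:", lbp_map(RIDGE))
    print("flat vs ridge chi-square:", chi_square_distance(lbp_histogram(FLAT), lbp_histogram(RIDGE)))
```

In a real PAD pipeline the histogram is computed per cell of a face image, the cells are concatenated, and a classifier trained on genuine and attack presentations decides; the descriptor itself is the part shown here.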
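Worked example for note 84 (and the split-storage idea in note 34): Paillier additively homomorphic encryption used so that a stored template and a fresh sample can be compared without the comparing party ever seeing the template in the clear. Added code, not from the presentation or from any vendor. The deployment roles are assumptions: the verifier (data centre) holds the private key, the device stores only the encrypted template bits, the device computes the encrypted Hamming distance from its plaintext sample, and the verifier decrypts only that distance. The primes are toy-sized and insecure; Python 3.8+ is needed for pow(x, -1, m).

```python
"""Additively homomorphic (Paillier) comparison of binary biometric templates.

Added example; not code from the presentation or from any vendor.
Assumed roles: verifier holds the private key and learns only the distance;
device holds E(template) and the fresh sample in the clear.
The primes are toy-sized for speed and are NOT secure.
"""
import secrets
from math import gcd
from typing import List

TOY_P = 1_000_000_007  # assumption: small primes, illustration only
TOY_Q = 1_000_000_009


class PaillierPublicKey:
    def __init__(self, n: int):
        self.n, self.n2, self.g = n, n * n, n + 1

    def encrypt(self, m: int) -> int:
        """E(m) = g^m * r^n mod n^2 with fresh random r, so equal plaintexts
        give different ciphertexts (no dictionary of encrypted bits)."""
        while True:
            r = secrets.randbelow(self.n - 1) + 1
            if gcd(r, self.n) == 1:
                break
        return pow(self.g, m % self.n, self.n2) * pow(r, self.n, self.n2) % self.n2

    def add(self, c1: int, c2: int) -> int:
        """E(a) * E(b) = E(a + b): the additive homomorphism."""
        return c1 * c2 % self.n2

    def mul_const(self, c: int, k: int) -> int:
        """E(a)^k = E(k * a); negative k goes through the modular inverse."""
        if k < 0:
            return pow(pow(c, -1, self.n2), -k, self.n2)
        return pow(c, k, self.n2)


class PaillierPrivateKey:
    def __init__(self, p: int = TOY_P, q: int = TOY_Q):
        n = p * q
        self.public = PaillierPublicKey(n)
        self.lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
        self.mu = pow(self._L(pow(self.public.g, self.lam, n * n)), -1, n)

    def _L(self, u: int) -> int:
        return (u - 1) // self.public.n

    def decrypt(self, c: int) -> int:
        n = self.public.n
        return self._L(pow(c, self.lam, n * n)) * self.mu % n


def encrypted_hamming(pk: PaillierPublicKey, enc_template: List[int], sample: List[int]) -> int:
    """Device side: E(Hamming(t, s)) from the encrypted bits E(t_i) and the
    plaintext sample bits s_i, using t XOR s = t + s - 2*t*s = t*(1 - 2s) + s.
    Only public-key operations are used; t is never decrypted here."""
    acc = pk.encrypt(0)
    for c_t, s in zip(enc_template, sample):
        term = pk.add(pk.mul_const(c_t, 1 - 2 * s), pk.encrypt(s))
        acc = pk.add(acc, term)
    return acc


def hamming_via_he(template: List[int], sample: List[int]) -> int:
    """End to end: the template is enrolled under the verifier's public key,
    the device computes on ciphertext, the verifier decrypts only the
    distance. Returns the plaintext Hamming distance."""
    verifier = PaillierPrivateKey()
    enc_template = [verifier.public.encrypt(b) for b in template]  # enrolment, stored on device
    enc_dist = encrypted_hamming(verifier.public, enc_template, sample)  # authentication attempt
    return verifier.decrypt(enc_dist)


if __name__ == "__main__":
    enrolled = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed template bits
    probe = [1, 1, 1, 0, 0, 0, 1, 1]     # constructed fresh sample bits
    print("Hamming distance computed on ciphertext:", hamming_via_he(enrolled, probe))
```

The verifier compares the decrypted distance against a threshold exactly as it would for a plaintext iris-code or binarised template match; what changes is that a breach of the device storage yields only ciphertext under a key it does not hold, and the verifier never receives either the template or the sample, only the distance.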