Biometrics and multi-factor authentication are growing areas. Issues with biometrics include that they are not perfectly reliable (every system has a false accept rate and a false reject rate) and that they can reveal private medical information. While biometrics offer convenience, security professionals recommend not relying on biometrics alone and combining them with other authentication methods, which is also what NIST SP 800-63B requires. The biometrics market is growing rapidly due to increased usage on mobile devices and a push for more convenient authentication.
3. Biometrics and Multi-Factor Authentication:
The Unleashed Dragon
Clare Nelson, CISSP, CIPP/E
@Safe_SaaS
clare_nelson@clearmark.biz
Presentation Posted on SlideShare:
https://www.slideshare.net/eralcnoslen
September 25, 2017
Graphic: https://tomatosoup13.deviantart.com/art/Daenerys-and-Her-Dragon-Game-of-Thrones-640714812
4. Clare Nelson, CISSP, CIPP/E
CEO, Founder
ClearMark Consulting
Security, Privacy, Identity
• Background
o Encrypted TCP/IP variants for NSA
o Product Management at DEC (HP), EMC2
o Director Global Alliances at Dell, Novell
o VP Business Development, TeaLeaf Technology (IBM), Mi3 Security
• 2014 Co-founded C1ph3r_Qu33ns, mentor women in cybersecurity
• Publications include:
o 2010 August, ISSA Journal, Security Metrics: An Overview
o 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks/Keynotes: Cloud Identity Summit 2017, InfraGard, HackFormers, BSides Austin, LASCON, OWASP AppSec USA, ISSA Austin; clients including Fortune 500 financial services; 2015 FTC Panel
• B.S. Mathematics
Graphic: http://www.activistpost.com/2015/09/fbi-biometrics-programs-surveillance-database.html
6. Contents
Biometric Recognition for Multi-Factor Authentication
1. Biological and Behavioral Biometrics
2. Benefits and Issues
3. What Every CISO Should Know
• Laws, Standards, and Guidelines
4. How to Measure Biometric Recognition
5. Attack Vectors
6. Multimodal Biometric Recognition
7. Continuous Authentication with Biometrics
8. Face ID Update
9. The Future
Graphic: http://www.computerhope.com/jargon/h/hacker.htm
How can you tell if it’s a bad guy?
7. How can you tell if it’s a bad guy?
Source: https://arstechnica.com/gadgets/2017/03/video-shows-galaxy-s8-face-recognition-can-be-defeated-with-a-picture/
Source: https://realizethelies.com/tag/facial-recognition-software/
8. Biometric Recognition
Source: https://www.iso.org/standard/55194.html (2017)
Scope: Biometric Recognition for Multi-Factor Authentication (MFA), Mobile Use Case
(“Biometric Authentication” is deprecated in favor of “biometric recognition”)
Biometric Verification versus Biometric Identification
• Comparison: verification is 1-to-1; identification is 1-to-many
• Purpose: verification confirms or denies a claimed identity; identification picks out a specific individual
• Use case example: verification unlocks a device; identification is used in airport security, e.g., to identify a suspect
9. Definition of Multi-Factor Authentication
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf (SP 800-63-2, since superseded by SP 800-63-3, June 2017)
Source: https://www.securetechalliance.org/publications-mobile-identity-authentication/
Three factor types: something you know, something you have, something you are
• Multi-factor authentication uses two or more different factor types; a biometric is the “something you are” factor
10. Biometric Recognition
Automated recognition of individuals based on their biological or behavioral characteristics
Source: http://biometrics.derawi.com/?page_id=101
Source: http://searchsecurity.techtarget.com/definition/biometric-authentication
Graphic: http://www.aspire-security.eu/access-control.html
Biometric Recognition Systems
Compare sample to template
• Comparison runs on the device, or on a server
• Template is established during enrollment, or updated later as part of adaptive machine learning (iPhone X neural engine)
• If the comparison score meets the decision threshold, recognition is confirmed; the decision is probabilistic, not an exact match
(Figure: digital image → feature extraction → math model)
11. What is Feature Extraction?
Source: https://www.security-audit.com/files/ratha.pdf (2001)
Digital image of fingerprint
• Includes ridge bifurcations and ridge endings, collectively referred to as minutiae
Algorithm: extract features
• Each minutia has an (x, y) location and the ridge direction at that location (θ)
• Sensor noise and other variability in the imaging process mean that:
  o Feature extraction may miss some minutiae, and/or
  o Feature extraction may generate spurious minutiae
• Due to the elasticity of human skin, the relationship between minutiae may be randomly distorted from one impression to the next
• A matcher therefore pairs minutiae within a tolerance and scores the result; it never expects an exact match
(Figure: dimensionality reduction, image → minutiae set)
12. Typically, Images Are Not Saved
Source: http://www.bioelectronix.com/what_is_biometrics.html
(Figure: digital image → feature extraction → math model)
The fingerprint image is not saved; only a series of numbers (a binary template) is stored and used for verification.
• The template is still biometric data and must be protected as PII: unlike a password, a compromised template cannot be reissued
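As an added example (not from the presentation), the minutiae comparison the two slides above describe, in Go: an enrolled template of (x, y, θ) minutiae is matched against a sample in which the extractor missed one minutia, invented a spurious one, and shifted every position and angle by a little noise. The tolerances, the greedy pairing rule, the score definition (paired minutiae over the larger set), the threshold and all coordinates are assumptions constructed for the example; real matchers also align the two sets for rotation and translation first, which is skipped here.

```go
package main

import (
	"fmt"
	"math"
)

// Minutia is one extracted fingerprint feature (ridge ending or bifurcation):
// pixel location (x, y) plus the ridge direction theta at that point, in radians.
type Minutia struct {
	X, Y, Theta float64
}

// Pairing tolerances. Assumed values for this example: they absorb sensor
// noise and the elastic distortion between two impressions of the same finger.
const (
	distTol  = 8.0                // pixels
	angleTol = 15 * math.Pi / 180 // radians
)

// angleDiff returns the smallest difference between two directions.
func angleDiff(a, b float64) float64 {
	d := math.Mod(math.Abs(a-b), 2*math.Pi)
	if d > math.Pi {
		d = 2*math.Pi - d
	}
	return d
}

// MatchScore pairs each sample minutia with at most one unused template
// minutia inside the tolerances (greedy nearest neighbour) and returns the
// number of pairs divided by the size of the larger set. Minutiae the
// extractor missed, spurious ones it invented, and small shifts all lower the
// score instead of breaking the comparison. The two sets are assumed to be
// already aligned for rotation and translation.
func MatchScore(template, sample []Minutia) float64 {
	if len(template) == 0 || len(sample) == 0 {
		return 0
	}
	used := make([]bool, len(template))
	paired := 0
	for _, s := range sample {
		best, bestDist := -1, distTol
		for i, t := range template {
			if used[i] {
				continue
			}
			d := math.Hypot(s.X-t.X, s.Y-t.Y)
			if d <= bestDist && angleDiff(s.Theta, t.Theta) <= angleTol {
				best, bestDist = i, d
			}
		}
		if best >= 0 {
			used[best] = true
			paired++
		}
	}
	n := len(template)
	if len(sample) > n {
		n = len(sample)
	}
	return float64(paired) / float64(n)
}

// Decide is the recognition system's decision rule: accept iff the score
// reaches the configured threshold.
func Decide(score, threshold float64) bool { return score >= threshold }

// Constructed data (not real fingerprints). The enrolled template has six
// minutiae; the genuine sample lost the sixth, gained a spurious one at
// (10, 95) and is jittered by a few pixels and a few degrees; the impostor
// sample shares one minutia by chance.
var (
	TemplateMinutiae = []Minutia{{20, 30, 0.10}, {55, 42, 1.20}, {80, 15, 2.80}, {33, 70, 0.50}, {66, 88, 1.90}, {95, 60, 3.00}}
	GenuineSample    = []Minutia{{22, 28, 0.15}, {53, 45, 1.10}, {82, 17, 2.70}, {30, 72, 0.55}, {68, 86, 1.95}, {10, 95, 2.00}}
	ImpostorSample   = []Minutia{{52, 45, 1.25}, {12, 12, 1.00}, {90, 90, 2.50}, {70, 30, 0.30}, {40, 85, 1.50}}
)

func main() {
	const threshold = 0.6 // assumed operating point
	for _, c := range []struct {
		name   string
		sample []Minutia
	}{{"genuine", GenuineSample}, {"impostor", ImpostorSample}} {
		score := MatchScore(TemplateMinutiae, c.sample)
		fmt.Printf("%-8s score=%.3f accept=%v\n", c.name, score, Decide(score, threshold))
	}
}
```

The genuine sample scores 5/6 despite one missed and one spurious minutia, the impostor 1/6 from a chance pairing; where the threshold sits between those two populations is exactly the FAR/FRR trade-off discussed later in the deck.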
16. Biometric Modes, Prolific Innovation
• Face 2D, 3D
• Fingerprints 2D, 3D via ultrasonic waves, in-display
• Finger veins, palm veins, eye veins
• Palm prints and/or the whole hand
• Feet
• Eyeprint, iris, retina, features of eye movements
• Face, head: its shape, specific movements
• Ears, lip prints
• Signature, voice
• How you sit, gait, odor, DNA
• Keystroke, typing, mouse, touch pad
• Electrocardiogram (ECG), Electroencephalogram (EEG)1
• Tests: microchip in pills, digital tattoos
• Smartphone/behavioral: authenticate based on g-sensor and gyroscope, how you write your signature in the air2
• Hand movement when answering the smartphone, using data from the smartphone’s accelerometer, gyroscope, and light sensor3
1Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
2Source: http://www.airsig.com
3Source: http://www.biometricupdate.com/201703/mobile-app-uses-hand-movement-to-authenticate-smartphone-owner
Source: http://www.cvphysiology.com/Arrhythmias/A009
Reference
17. Behavioral Biometrics: Used in Passive, Continuous Authentication
500+ metrics of human-device interactions
• Leverage gyroscope, touch screen, acceleromet­er
• Cloud service monitors 2 billion sessions/month
• Learns behavior patterns of fraudsters
• Detects presence of malware
• Invisible challenge: a subtle, unannounced perturbation of the interface (e.g., the cursor briefly disappears), and how the user finds the missing cursor is measured
Source: http://www.biocatch.com
Source: https://www.extremetech.com/extreme/215170-artificial-neural-networks-are-changing-the-world-what-are-they
18. Behavioral Biometrics: Used in Implicit Authentication
Passive sensor data. How you walk, type, and sit.
Source: https://blog.unify.id/2016/09/12/unifyid-technical-overview/
20. Benefits of Biometrics
• Convenient
  o No tokens, cards, or fobs to lose or misplace
  o Reduces friction in some cases
• No memorization required
  o Low cognitive load once past the learning curve
• Difficult to delegate: it is hard to lend your fingers or face to another person
  o A password is easily delegated or shared
• User acceptance is growing
  o India Aadhaar
  o iPhone Touch ID, now Face ID
• Secure enough if used as a “Restricted Factor”, i.e., only in combination with another factor
  o Use to unlock a device, or authenticate to a smartphone
  o Caution for some implementations for financial transactions and secure access
• Market growth and technology advancements
  o Feedback and training from earlier implementations improve solutions
Graphic: https://cardnotpresent.com/tag/biometric-authentication/
22. Issues with Biometrics, No Panacea
Source: http://www.pymnts.com/news/security-and-risk/2017/digital-identity-way-beyond-the-social-security-number/ (August 2017)
Graphic: http://01greekmythology.blogspot.com/2015/02/panacea.html (Panacea, Greek goddess of universal remedy)
“Biometrics offers no panacea in the quest for digital identities that prove foolproof and hack-proof”
– Paul Grassi, senior standards and technology advisor of the Trusted Identities Group at the National Institute of Standards and Technology (NIST)
Biometrics offer great promise, but
• They are not all created equal
• They are not a secret
• They can be lifted
• They can be forged
• They can be compromised because they are not private
23. Issues with Biometrics
Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
Source: http://findbiometrics.com/cylab-honored-for-long-distance-iris-scanner-24272/
Biometrics can reveal medical conditions
• Pregnancy
• Diabetes
• Heart disease
• Parkinson’s
Biometrics make it easier to gather personal information
• Ability to do so covertly
Biometrics can be collected at a distance
• Increased accuracy with which individuals can be identified remotely
• Iris at 43 feet (CMU CyLab long-distance iris scanner)
Biometrics can be used to link databases that have been anonymized
• De-anonymization techniques
24. Issues with Biometrics: Failure to Enroll (FTE), Failure to Acquire (FTA)
Source: https://insights.samsung.com/2017/03/29/which-biometric-authentication-method-is-most-secure/
Source: https://www.cse.wustl.edu/~jain/cse571-11/ftp/biomet/
Source: https://www.cse.wustl.edu/~jain/cse571-11/ftp/biomet/#Rahul10
Samsung Galaxy S8
• Iris recognition does not work for everyone
• There are exceptions for every biometric modality
• FTE: the user cannot produce a usable template at enrollment
• FTA: a usable sample cannot be captured at verification time
Criteria for a Biometric System
• Universality
• Uniqueness
• Permanence
• Collectability
• Performance
• Acceptability
• Circumvention
25. Issues with Biometrics: Security is Often Overestimated
Use biometrics with another method of authentication
• Biometrics are a complementary security control to make it easier for a human to interact with technology
• Combine with an additional security control such as a passphrase or multi-factor authentication
• Trust must be continuously challenged
• Ensure the person behind the device is really the person who they say they are
– Joseph Carson, chief security scientist at Thycotic
Source: https://www.thestreet.com/story/14301038/1/iphonex-facial-biometrics-could-prevent-hackers-from-accessing-information.html
Will iPhone X support face and passcode, or just one or the other?
27. Samsung Galaxy S8
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April 2017)
Source: http://www.businessinsider.com/samsung-galaxy-s8-iris-scanner-fbi-fingerprint-tech-princeton-identity-2017-4
• April 2017: face spoofed
• May 2017: iris spoofed
28. iPhone X, Face ID
Source: https://venturebeat.com/2017/09/12/iphone-x-ditches-touch-id-for-face-id/
Source: http://bgr.com/2017/09/12/iphone-x-price-specs-features/
Source: https://findbiometrics.com/apple-face-id-iphone-x-409125/
• September 2017: announced
• Date TBD: Face ID spoofed (no spoof had been demonstrated at the time of this presentation)
31. Biometrics Growth Drivers
Source: Unnamed keynote speaker at Cloud Identity Summit, Chicago, June 2017
Graphic: https://www.stableinvestor.com/2013/02/calculate-compound-annual-growth-rate.html
“Financial services are in a race to the bottom to remove friction”
“Take the F out of authentication”
– Keynote Speaker, Cloud Identity Summit, June 2017
33. What CISOs Need To Know Before Adopting Biometrics
Before adopting biometric recognition
• Risk assessment, policy, compliance
• Architectural decisions
  o E.g., is a fingerprint reader installed on a workstation less risky than biometric authentication passed over a network?
• Store and process biometric data securely
  o Encryption
  o Privileged access management
  o Other physical security measures
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic: https://www.shrednations.com/2015/04/defining-protecting-personally-identifiable-information/
34. Biometric Recognition is not 100% Reliable
Every biometric recognition system must account for some level of false negatives and false positives
• In highly secure environments, false positives (impostors accepted) may present an unacceptable risk
• False negatives (legitimate users rejected) require a fallback authentication mechanism; if the fallback is weaker than the biometric, the fallback becomes the weakest link and the one an attacker targets
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
35. What CISOs Need To Know Before Adopting Biometrics
Biometric data is Personally Identifiable Information (PII)
• Biometric data presents an extra layer of complexity
  o User interactions
  o Compliance
• Organizations with US government contracts may have to comply with Privacy Act of 1974 PII management practices
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic: https://www.airloom.com/technology/security-as-a-service/
36. What CISOs Need To Know Before Adopting Biometrics
Privacy Act of 1974
• Applies to federal agencies
• Safeguards individual privacy from the misuse of federal records
• Governs the collection, maintenance, use, and dissemination of PII
• Prohibits disclosure of information without written consent of the individual
  o Unless the disclosure is pursuant to one of 12 exceptions
• Individuals can access and amend their records
• Individuals can find out if their records have been disclosed and can make corrections
Source: https://www.justice.gov/opcl/privacy-act-1974
Reference
37. Don’t Use as Single or Primary Factor
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Graphic: http://www.itproportal.com/2016/04/07/the-role-of-biometric-authentication-techniques-in-security/
Remote system access: exclude biometrics as the single or primary authentication factor
• Biometric samples are not secrets
• Biometric samples are different each time they are captured
39. There is no federal law protecting biometric information
Source: https://iapp.org/news/a/can-the-u-s-legal-system-can-adapt-to-biometric-technology/
40. US Biometric Information Protection Laws
• 2008: Illinois Biometric Information Privacy Act (BIPA)
• 2009: Texas Business and Commerce Code § 503.001
• 2017, under consideration: CT, NH, AK, WA, and more
Source: https://www.secureidnews.com/news-item/five-states-considering-bills-to-restrict-biometrics-use/ (February 2017)
Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
Source: http://www.drinkerbiddle.com/insights/publications/2017/02/four-more-states-propose-biometrics-legislation
42. Passcode versus Fingerprint or Face
Source: https://iapp.org/news/a/can-the-u-s-legal-system-can-adapt-to-biometric-technology/
For each: must you comply with a law enforcement request? Is it testimonial or non-testimonial? What protection is there from government and law enforcement?
• Passcode: no; testimonial (personal knowledge); Fifth Amendment right against self-incrimination
• Fingerprint: yes; non-testimonial, like a key; undetermined, the Fourth Amendment does not protect fingerprints; power the device off to disable the sensor
• Face (Face ID): yes, depends; non-testimonial, and a law officer can simply hold the phone up to your face; disable Face ID
45. NIST Update on Allowable Use of Biometrics
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Graphic: http://www.oulu.fi/infotech/annual_report/2013/cmv
SP 800-63B, Authentication and Lifecycle Management
Supports only limited use of biometrics for authentication
• The biometric False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself
• FMR does not account for spoofing attacks
• Biometrics SHALL be used only as part of MFA with a physical authenticator (something you have)
• Biometric characteristics do not constitute secrets
  o They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images), with or without their knowledge
  o Lifted from objects someone touches (e.g., latent fingerprints)
  o Captured with high-resolution images (e.g., iris patterns)
Implement Presentation Attack Detection (PAD)
• Testing SHOULD demonstrate at least 90% resistance to presentation attacks
• PAD may become a mandatory requirement in the future
46. Question: Store Biometrics on Device or Server, Cloud? Split?
Source: Webinar by Forrester and Nok Nok Labs, February 1, 2017
Graphic: http://findbiometrics.com/topics/fido-alliance/
Graphic: https://www.carphonewarehouse.com/apple/iphone-6.html
Graphic: http://kryptostech.com/server-management/
Graphic: http://www.planetbiometrics.com/article-details/i/5463/desc/facebook-rolling-out-support-for-fido/
Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017)
Biometrics only stored on the personal device (FIDO Alliance, others)
• Biometrics remain on the device and are not transmitted
• Not susceptible to theft by insiders or identity thieves who can access a server repository
Biometrics stored on a server
• Works if there is no mobile phone; works with a land line
• Works if the person calls in
• Privacy concerns
  o Need consent; was it freely given?
• Server access: how secure?
• Susceptible to theft and unwanted modification by insiders or identity thieves
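The device-side model (FIDO Alliance and others) described above, as an added example that is not from the presentation or from the FIDO specifications: the biometric template and a private key stay on the device, a local match only unlocks the key, and the server stores a public key plus a counter and verifies a signed one-time challenge. Go's standard-library Ed25519 is used; the relying-party name, the feature-vector matcher and its threshold, and the sample vectors are assumptions constructed for the example, and the real protocols carry more fields (origin, user-presence flags, attestation) than shown here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

const rpID = "bank.example" // relying party the credential is bound to (assumed name)

// Authenticator models the user's device: the enrolled template and the private
// key live only here, and a biometric match merely unlocks the key.
type Authenticator struct {
	template  []float64 // enrolled feature vector, never transmitted
	priv      ed25519.PrivateKey
	counter   uint32 // lets the server notice a cloned key
	threshold float64
}

// NewAuthenticator enrolls a template and mints a key pair; only the public key is registered.
func NewAuthenticator(template []float64, threshold float64) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{template: append([]float64(nil), template...), priv: priv, threshold: threshold}, pub, nil
}

// localMatch is the on-device comparison: Euclidean distance against a threshold (stand-in matcher).
func (a *Authenticator) localMatch(sample []float64) bool {
	if len(sample) != len(a.template) {
		return false
	}
	var sum float64
	for i := range sample {
		sum += (sample[i] - a.template[i]) * (sample[i] - a.template[i])
	}
	return math.Sqrt(sum) <= a.threshold
}

// signedPayload binds a response to the relying party, the counter and the challenge.
func signedPayload(challenge []byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	return append(append(h[:], ctr...), challenge...)
}

// Assert signs the challenge only if the local match passes; the response carries no biometric data.
func (a *Authenticator) Assert(sample []float64, challenge []byte) ([]byte, uint32, error) {
	if !a.localMatch(sample) {
		return nil, 0, errors.New("biometric match failed: key not unlocked")
	}
	a.counter++
	return ed25519.Sign(a.priv, signedPayload(challenge, a.counter)), a.counter, nil
}

// Server holds public keys, last-seen counters and outstanding one-time challenges;
// a breach here yields neither biometric data nor signing keys.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	counters   map[string]uint32
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string]uint32{}, map[string][]byte{}}
}
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh random challenge that Verify will accept exactly once.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify retires the challenge, requires the counter to advance, and checks the signature.
func (s *Server) Verify(user string, challenge, sig []byte, counter uint32) error {
	pub, ok := s.pubKeys[user]
	expected, seen := s.challenges[user]
	if !ok || !seen || !bytes.Equal(expected, challenge) {
		return errors.New("unknown user, or unknown/replayed challenge")
	}
	delete(s.challenges, user) // consumed even if the checks below fail
	if counter <= s.counters[user] {
		return errors.New("signature counter did not advance")
	}
	if !ed25519.Verify(pub, signedPayload(challenge, counter), sig) {
		return errors.New("bad signature")
	}
	s.counters[user] = counter
	return nil
}

func main() {
	auth, pub, _ := NewAuthenticator([]float64{0.2, 0.9, 0.4, 0.7}, 0.15) // constructed vector
	srv := NewServer()
	srv.Register("alice", pub)
	ch, _ := srv.Challenge("alice")
	sig, ctr, _ := auth.Assert([]float64{0.22, 0.88, 0.41, 0.69}, ch)
	fmt.Println("first use:", srv.Verify("alice", ch, sig, ctr), "| replay:", srv.Verify("alice", ch, sig, ctr))
}
```

Nothing the server stores can be used to impersonate the user, which is the property the "stored on device" column above is claiming; what the server does gain is the counter, which flags a cloned authenticator when two copies race ahead of each other.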
50. EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/9.htm
Article 9.1: “…processing of biometric data for the purpose of uniquely identifying a natural person…shall be prohibited”
But there are many exceptions
51. EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/9.htm
Source: https://dma.org.uk/event/webinar-the-ico-s-gdpr-consent-guidance
Processing of Biometric Data (GDPR, Article 9)
• Prohibited
• 10+ exceptions
  o Consent: the person gives explicit consent to the processing of those personal data, for one or more specified purposes
  o Employment
Consent (GDPR, Article 7)
• Freely given
• Prove it was given
• Clear, plain language, no legalese
• Right to withdraw consent, and it must be easy to withdraw
52. GDPR and Facial Recognition
Source: https://www.facebook.com/jterstegge/posts/1857555150924472
GDPR: privacy is a fundamental human right
• Privacy: the right to be let alone
• Data protection: the right to NOT have data collected and used in ways that impact your rights and freedoms
GDPR exception: reasons of substantial public interest
CCTV captures
• Face
• Location
• Time
• How you walk
• People around you
54. Multimodal Biometrics
Research from California State University, Fullerton
• Use ear plus face and fingerprint
• Multimodal biometrics adds a layer of security to the existing mobile device security
Source: https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Graphic: http://www.rd.com/health/wellness/unique-body-parts/
Researchers claim some mobile biometric recognition for authentication suffers from:
• Poor quality mobile hardware
  o Camera
  o Microphone
• Environmental conditions
  o Lighting
  o Background noise
• User error
• Use of unimodal biometrics, which is less secure
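Score-level fusion for multimodal recognition, as an added example (not from the Fullerton research or the presentation), in Go: each matcher's raw score is min-max normalized onto one scale, fused by a weighted sum, and the decision additionally requires a minimum number of acquired modalities so that one spoofed sensor cannot pass on its own. The modality names, score ranges, weights, threshold and sample scores are assumptions constructed for the example; a modality that could not be acquired (FTA) is handled by redistributing its weight over the ones that were.

```go
package main

import (
	"fmt"
	"math"
)

// Modality is one matcher with its calibrated raw-score range (used for
// min-max normalization) and its weight in the fusion rule. All values are
// assumptions for this example.
type Modality struct {
	Name     string
	Min, Max float64
	Weight   float64
}

var Modalities = []Modality{
	{"face", 0, 100, 0.4},
	{"fingerprint", 0, 1, 0.4},
	{"voice", -10, 10, 0.2},
}

// Sample maps modality name to raw matcher score. A missing entry means the
// modality could not be acquired (FTA), e.g. the microphone was unusable.
type Sample map[string]float64

// normalize maps a raw score onto [0, 1] using the modality's calibrated range.
func normalize(m Modality, raw float64) float64 {
	v := (raw - m.Min) / (m.Max - m.Min)
	return math.Max(0, math.Min(1, v))
}

// FuseWeightedSum returns the fused score and the number of modalities that
// contributed. Weights of missing modalities are redistributed over the rest,
// so a user who cannot supply one trait is still scored on the same scale.
func FuseWeightedSum(s Sample) (score float64, n int) {
	var num, den float64
	for _, m := range Modalities {
		raw, ok := s[m.Name]
		if !ok {
			continue
		}
		num += m.Weight * normalize(m, raw)
		den += m.Weight
		n++
	}
	if n == 0 {
		return 0, 0
	}
	return num / den, n
}

// FusedDecision accepts only if the fused score reaches the threshold AND at
// least minModalities were acquired: a single spoofed sensor, or a single
// available sensor, cannot carry the decision on its own.
func FusedDecision(s Sample, threshold float64, minModalities int) bool {
	score, n := FuseWeightedSum(s)
	return n >= minModalities && score >= threshold
}

func main() {
	// Constructed raw scores for four situations.
	cases := map[string]Sample{
		"genuine, all three":         {"face": 85, "fingerprint": 0.8, "voice": 6},
		"genuine, microphone failed": {"face": 85, "fingerprint": 0.8},
		"photo fools face only":      {"face": 95, "fingerprint": 0.2, "voice": -2},
		"photo, other sensors off":   {"face": 95},
	}
	for name, s := range cases {
		score, n := FuseWeightedSum(s)
		fmt.Printf("%-28s fused=%.3f modalities=%d accept=%v\n", name, score, n, FusedDecision(s, 0.7, 2))
	}
}
```

The photo case is the one worth studying: the face matcher returns its highest score of the four, yet the fused score (0.54) falls below the 0.7 threshold because the other two modalities saw an impostor, and switching those sensors off does not help the attacker because the minimum-modality rule then rejects the attempt.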
56. Continuous Authentication with Biometrics
Machine learning offers the potential to authenticate users based on multiple assessments, including
• Behavior
• Appearance
• Voice
• Speed at which they type
A user’s device can constantly calculate a trust score that the user is who they claim to be
• Verify the device: not pwned, same device
Together these factors are claimed (by the Finextra source) to be
• 10 times safer than fingerprints
• 100 times safer than four-digit PINs
Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017)
Source: https://www.safaribooksonline.com/library/view/continuous-authentication-using/9781613501290/
Continuous Authentication Using Biometrics, Ahmed Awad E. Ahmed and Issa Traore, September 2011
58. Convenience versus Security
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
Source: http://www.descartesbiometrics.com/wp-content/uploads/2014/11/HELIX-Whitepaper.pdf
Convenience versus security is a threshold setting: lowering the threshold lowers FRR (more convenient) and raises FAR (less secure), and vice versa
False Acceptance Rate (FAR)
• Number of false acceptances (impostor attempts accepted) divided by the total number of impostor attempts
False Reject Rate (FRR)
• Number of false rejections (genuine attempts rejected) divided by the total number of genuine attempts
Equal Error Rate (EER)
• The operating point where the proportion of false acceptances equals the proportion of false rejections
• Note: FMR/FNMR are the per-comparison rates of the matching algorithm; FAR/FRR are transaction-level rates that also include failures to acquire
59. FAR: need to know FRR plus the number of attempts
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
Source: http://www.goodeintelligence.com/press-releases/multi-modal-mobile-biometric-authentication-drives-revenues-to-over-6-2-billion-by-2022/ (April 2017)
Apple claims a FAR of 1/50,000 for Touch ID
• Out of 50,000 impostor comparisons, up to one will be accepted as genuine
• 1/50,000 = 0.002%
Android
• Similar: the compatibility definition requires a FAR of not more than 0.002% and recommends an FRR of no more than 10%
What is the associated FRR? A FAR figure alone says little until the FRR at the same threshold and the number of attempts allowed before lockout are also known
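The rates defined on the two slides above, as an added example (not from the presentation or the cited vendors), in Go: FAR and FRR are computed at any threshold from two lists of comparison scores, the EER is found by sweeping thresholds, and the effective FAR over several attempts (the point of “need to know FRR plus the number of attempts”) is 1 - (1 - FAR)^n. The score lists and the attempt count of 5 are constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Constructed comparison scores in [0, 1] (higher = more similar). Genuine
// scores come from a user compared against their own template, impostor
// scores from other people compared against it.
var (
	GenuineScores  = []float64{0.91, 0.88, 0.86, 0.83, 0.80, 0.78, 0.76, 0.73, 0.70, 0.64, 0.58, 0.52}
	ImpostorScores = []float64{0.12, 0.18, 0.21, 0.25, 0.29, 0.33, 0.37, 0.41, 0.46, 0.51, 0.57, 0.66}
)

// FAR is the fraction of impostor comparisons accepted at threshold t.
func FAR(impostor []float64, t float64) float64 {
	accepted := 0
	for _, s := range impostor {
		if s >= t {
			accepted++
		}
	}
	return float64(accepted) / float64(len(impostor))
}

// FRR is the fraction of genuine comparisons rejected at threshold t.
func FRR(genuine []float64, t float64) float64 {
	rejected := 0
	for _, s := range genuine {
		if s < t {
			rejected++
		}
	}
	return float64(rejected) / float64(len(genuine))
}

// EER sweeps every observed score as a candidate threshold and returns the
// threshold where FAR and FRR are closest, with the error rate at that point.
func EER(genuine, impostor []float64) (threshold, eer float64) {
	cands := append(append([]float64{}, genuine...), impostor...)
	sort.Float64s(cands)
	best := math.Inf(1)
	for _, t := range cands {
		far, frr := FAR(impostor, t), FRR(genuine, t)
		if gap := math.Abs(far - frr); gap < best {
			best, threshold, eer = gap, t, (far+frr)/2
		}
	}
	return threshold, eer
}

// EffectiveFAR is the chance that at least one of n independent impostor
// attempts is accepted: a per-attempt FAR must be read together with the
// number of attempts the device allows before it locks out.
func EffectiveFAR(far float64, n int) float64 {
	return 1 - math.Pow(1-far, float64(n))
}

func main() {
	for _, t := range []float64{0.5, 0.58, 0.7} {
		fmt.Printf("threshold %.2f: FAR=%.3f FRR=%.3f\n", t, FAR(ImpostorScores, t), FRR(GenuineScores, t))
	}
	t, e := EER(GenuineScores, ImpostorScores)
	fmt.Printf("EER %.3f at threshold %.2f\n", e, t)
	// Touch ID's claimed 1/50,000 per attempt; 5 attempts before lockout is an assumed count.
	fmt.Printf("1/50,000 per attempt over 5 attempts: about 1 in %.0f\n", 1/EffectiveFAR(1.0/50000, 5))
}
```

On these scores the EER is 1/12 at a threshold of 0.58; moving the threshold to 0.7 drives FAR to zero at the cost of rejecting a quarter of genuine attempts, which is the convenience-versus-security trade-off in numbers. The last line shows why a published per-attempt FAR understates the risk: five tries at 1/50,000 are roughly 1/10,000.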
60. FRR at Varying FAR
EyeVerify: two studies for Eyeprint ID, mobile (September 2015)
Source: http://www.eyeverify.com/independent-accuracy-studies
61. Not All FARs are Created Equal
• Synthetic versus real data
• Calculated versus claimed
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
iPhone X, Face ID: Apple claims a false acceptance rate of 1 in 1,000,000
62. General Ranking (It Depends, Many Variables)
Source: http://www.eyelock.com/
Vendor-published figures, not measured under one common protocol:
• Voice recognition: 1 in 500
• Fingerprint: 1 in 10,000
• Touch ID: 1 in 50,000
• Facial recognition: 1 in 100,000
• Single iris: 1 in 500,000
• DNA: 1 in 800,000,000,000,000
67. Presentation Attack Detection (PAD), Anti-Spoofing
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.qafis.com/anti-spoofing
Anti-spoofing
• Active: the user must participate (blink, smile, turn head)
• Passive: user participation is not needed; hardware or software algorithms
(Graphic: 3D mask)
68. Presentation Attack Detection (PAD), Using Algorithms
Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
Using Local Binary Patterns (LBP) as PAD
(a) Bona fide image
(b) Laser printer artefact
(c) Inkjet printer artefact
(d) Display attack using iPad
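Local Binary Patterns as a PAD feature, as an added example (not from the cited survey or the presentation), in Go: each pixel is encoded by comparing it with its 8 neighbours, the codes are pooled into a normalized histogram, and a sample is labelled by chi-square distance to the nearest reference histogram. The stripe, checkerboard and flat images are constructed stand-ins for ridge texture, the pixel grid of a replayed display, and a blurred print; the two reference histograms stand in for what a real deployment learns from labelled bona fide and attack captures, and the pattern choice here is illustrative, not evidence that such simple patterns separate real attacks.

```go
package main

import (
	"fmt"
	"math"
)

// Image is a grayscale patch as rows of 8-bit intensities.
type Image [][]uint8

// LBPCode encodes pixel (r, c) by its 8 neighbours: each neighbour that is at
// least as bright as the centre sets one bit, clockwise from the top-left.
// The code depends only on local ordering, not absolute brightness, which is
// what makes it robust to exposure differences between captures.
func LBPCode(img Image, r, c int) uint8 {
	offs := [8][2]int{{-1, -1}, {-1, 0}, {-1, 1}, {0, 1}, {1, 1}, {1, 0}, {1, -1}, {0, -1}}
	centre := img[r][c]
	var code uint8
	for i, o := range offs {
		if img[r+o[0]][c+o[1]] >= centre {
			code |= 1 << uint(7-i)
		}
	}
	return code
}

// LBPHistogram pools the codes of all interior pixels into a normalized
// 256-bin histogram: the texture descriptor a PAD classifier is trained on.
func LBPHistogram(img Image) []float64 {
	h := make([]float64, 256)
	n := 0
	for r := 1; r < len(img)-1; r++ {
		for c := 1; c < len(img[r])-1; c++ {
			h[LBPCode(img, r, c)]++
			n++
		}
	}
	for i := range h {
		h[i] /= float64(n)
	}
	return h
}

// ChiSquare is the usual distance between two LBP histograms.
func ChiSquare(a, b []float64) float64 {
	var d float64
	for i := range a {
		if s := a[i] + b[i]; s > 0 {
			diff := a[i] - b[i]
			d += diff * diff / s
		}
	}
	return d
}

// Reference is a labelled histogram; a deployment learns these from labelled
// bona fide and attack captures. Classify returns the nearest label.
type Reference struct {
	Label string
	Hist  []float64
}

func Classify(img Image, refs []Reference) string {
	h := LBPHistogram(img)
	best, label := math.Inf(1), ""
	for _, ref := range refs {
		if d := ChiSquare(h, ref.Hist); d < best {
			best, label = d, ref.Label
		}
	}
	return label
}

// Constructed n×n patches: horizontal bands stand in for ridge texture, a
// checkerboard for the pixel grid of a replayed display, a flat patch for a
// blurred print.
func Stripes(n int, hi, lo uint8) Image { return build(n, func(r, c int) bool { return r%2 == 0 }, hi, lo) }
func Checker(n int, hi, lo uint8) Image { return build(n, func(r, c int) bool { return (r+c)%2 == 0 }, hi, lo) }
func Flat(n int, v uint8) Image         { return build(n, func(r, c int) bool { return true }, v, v) }

func build(n int, isHi func(r, c int) bool, hi, lo uint8) Image {
	img := make(Image, n)
	for r := range img {
		img[r] = make([]uint8, n)
		for c := range img[r] {
			if isHi(r, c) {
				img[r][c] = hi
			} else {
				img[r][c] = lo
			}
		}
	}
	return img
}

func main() {
	refs := []Reference{{"bona_fide", LBPHistogram(Stripes(8, 200, 50))}, {"attack", LBPHistogram(Checker(8, 200, 50))}}
	noisy := Stripes(8, 200, 50)
	noisy[3][3] = 60 // one perturbed pixel, as sensor noise would add
	fmt.Println("noisy ridge patch:", Classify(noisy, refs), "| low-contrast checker:", Classify(Checker(8, 180, 70), refs))
	fmt.Printf("chi-square ridge vs flat: %.3f\n", ChiSquare(refs[0].Hist, LBPHistogram(Flat(8, 128))))
}
```

Two properties of the descriptor show up in the run: a single noisy pixel barely moves the histogram, so the perturbed ridge patch is still nearest the bona fide reference, and the low-contrast checkerboard lands exactly on the attack reference because LBP ignores absolute intensity. Because it is software only, a descriptor like this can be retrained and pushed over the air as new attack materials appear, which is the advantage the next slide gives software PAD over sensor-level liveness checks.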
70. PAD for Finger: Implement in Hardware, Software, or Both
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Software: assess characteristics of the sample, such as sharpness of lines and presence of pores.
• Easier to implement.
• Easier to update, including over the air (OTA), as anti-spoofing techniques improve.
• Can leverage machine learning.
Hardware: requires additional capabilities in the fingerprint scanner, such as the ability to sense pulse, temperature, and capacitance, none of which can be done in software alone.
• Greater ability to detect “liveness” of the finger being scanned.
• More expensive.
• Consumes more power.
• May introduce latency if, for example, there is a need to sense multiple heartbeats.
72. Presentation Attack Detection (PAD), Emerging Standards
Source: https://www.iso.org/standard/53227.html
• ISO/IEC DIS 30107-2, Information technology -- Biometric presentation attack detection -- Part 2: Data formats
• ISO/IEC FDIS 30107-3, Information technology -- Biometric presentation attack detection -- Part 3: Testing and reporting
• NEW: ISO/IEC 30107-4
73. Presentation Attack Detection (PAD) for Mobile Devices
Source: https://www.iso.org/standard/53227.html
Source: https://cacm.acm.org/magazines/2016/4/200169-multimodal-biometrics-for-enhanced-mobile-device-security/abstract
Source: http://www.planetbiometrics.com/article-details/i/5803/ (April 2017)
Source: http://profit.ndtv.com/news/life-and-careers/article-new-smartphone-from-infocus-to-support-aadhaar-authentication-1634102
ISO/IEC 30107-4: Biometric presentation attack detection – Profile for evaluation of mobile devices
• Addresses spoofing and presentation attacks against mobile devices
• Presentation attacks covered include fake fingerprints, video replays, and voice recordings
• A concern for commercial and government agencies that rely on mobile device authentication for transactions and identity confirmation
75. Strength of Function for Authenticators (SOFA) - Biometrics
Source: https://pages.nist.gov/SOFA/
Source: https://www.secureidnews.com/news-item/sofa-b-enabling-organizations-to-measure-the-strength-of-biometric-technologies/?tag=biometrics
Measurement of biometric system strength:
• Provides a level of quantitative assurance
• Outlines a process to support evaluation of biometric authenticators
(Graphic: NIST, ISO/IEC, FIDO)
SOFA equation inputs
• Level of Effort
• PAD Error Rate (PADER)
• False Match Rate (FMR)
• False Non-Match Rate (FNMR)
76. SOFA-B (NIST, April 2017)
Source: https://www.nist.gov/sites/default/files/documents/2016/11/21/sofa_discussiondraftoverview-v1_1.pdf (April 2017)
• ZeroInfo case: no masquerade attempt; brute force with no knowledge of the target
• Targeted case: create a sample that resembles the individual’s biometric characteristic
Reference
77. Level of Effort
Source: https://pages.nist.gov/SOFA/
Source: http://www.theverge.com/2016/7/21/12247370/police-fingerprint-3D-printing-unlock-phone-murder (2016)
Presentation attacks are rated by the effort they require:
• Time
• Expertise
• Equipment
Example: police 3D-printed a murder victim's finger to unlock his phone (2016)
79. Face ID: Demo Failed Twice
Source: https://www.youtube.com/watch?v=unIkqhB2nA0 (September 2017)
Source: http://www.nydailynews.com/news/national/apple-reveals-iphone-x-new-face-id-tech-fails-demo-article-1.3491125 (September 2017)
We all experience demo failures
• Craig Federighi, SVP Software Engineering
• Face ID failed twice
• Why did Federighi wipe his face afterward?
• Apple’s later explanation: staff had handled the demo unit beforehand, so Face ID had already tried and failed to recognize them, and after several failed attempts the phone required the passcode, as designed
• Stock dipped from $163 a share to $159, closing at $161
80. Face ID: Attention Detection
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
“Attention” feature
• Won’t work for everyone: blind or vision-impaired users cannot stare directly at the phone to communicate intent
• In those cases, where a face is recognized but the eyes cannot be seen, just turn off the “attention detection” feature
  o Still get Face ID, but at a lower level of overall security, because the phone cannot ensure the user’s eyes are directly focused on it
Face ID requires that it be able to see eyes, nose, and mouth; there are scenarios where it just won’t work
81. Face ID: What About Sunglasses?
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
Graphic: http://www.businessinsider.com/apple-suppliers-iphone-x-sales-shipments-2017-9
Graphic: http://electronics.howstuffworks.com/gadgets/high-tech-gadgets/nightvision1.htm
• Polarized lenses are no problem
• Some lenses block infrared (IR) radiation; the TrueDepth camera images the face in IR, so behind such lenses it cannot see the eyes
  o Use the passcode
  o Take off the sunglasses
84. “Thought Auth”1
EEG Biosensor
• MindWave™ headset2
• Measures brainwave signals
• EEG monitor
• International Conference on
Financial Cryptography and
Data Security (2013)3
1Source: Clare Nelson, March 2015
2Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
3Source: http://www.technewsworld.com/story/77762.html
Facebook telepathy
85. When Does Law Enforcement’s Demand to Read Your Data Become a Demand to Read Your Mind?
Source: https://cacm.acm.org/magazines/2017/9/220420-when-does-law-enforcements-demand-to-read-your-data-become-a-demand-to-read-your-mind/fulltext (September 2017)
– Andrew Conway, Peter Eckersley, Communications of the ACM, September 2017
“That gadget in your hand is not a phone, it is a prosthetic part of your mind, which happens to make telephone calls. We need to ask which parts of our thoughts should be categorically shielded against prying by the state.”
86. Master Key to Unlock Finger Sensors?
Source: https://www.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html?_r=2 (April 2017)
Computer simulations
• Similarities of partial prints
• Created “MasterPrints”
• Matched prints 65% of the time (in simulation)
Nasir Memon, Professor of Computer Science and Engineering, New York University
88. We Stand on the Shoulders of Giants
Source: https://alchetron.com/John-Daugman-489257-W
Source: http://www.idiap.ch/~marcel/professional/Welcome.html
Source: https://www.egr.msu.edu/people/profile/jain
Source: http://nislab.no/people/norwegian_information_security_laboratory/professors/christoph_busch
John Daugman
Sébastien Marcel
Anil Jain
Christoph Busch
91. Key Points Summary
• In Multi-Factor Authentication (MFA), biometrics are a limited (“restricted”) factor: NIST SP 800-63B permits them only in combination with a physical authenticator, never alone
• Biometric systems have error rates, FAR and FRR; they are probabilistic
• Biometrics are not secrets
• NIST SP 800-63B, Authentication and Lifecycle Management: allowable use of biometrics (new from June 2017)
  o Biometrics may be used to unlock multi-factor authenticators and to prevent repudiation of enrollment
  o Biometrics SHALL be used only as part of multi-factor authentication with a physical authenticator (something you have)
  o Biometric comparison can be performed locally on the device or on a central server; since the potential for attacks on a larger scale is greater at central servers, NIST prefers local device comparison
  o The biometric system SHOULD implement Presentation Attack Detection (PAD)
  o Testing of the biometric system SHOULD demonstrate at least 90% resistance to presentation attacks
  o PAD is being considered as a mandatory requirement in the future
• SOFA-B: measure the strength of a biometric recognition system
• ISO/IEC 30107, Presentation Attack Detection (PAD) guidelines
  o Part 4 coming: Biometric presentation attack detection – Profile for evaluation of mobile devices
• United States biometrics laws vary by state; only IL and TX have them, more coming
  o They require written consent from consumers
• GDPR
  o Prohibits processing of biometrics
  o Many exceptions: the consumer gives consent, is an employee, or processing is done for reasons of substantial public interest
• Mobile biometrics consumer market growth: 41% CAGR 2016-2022, reaching $50B in 2022
• Future solutions, for some use cases:
  o Combine multimodal and behavioral biometrics with machine learning (if applicable, use continuous authentication)
  o Machine learning offers the potential to authenticate users based on multiple assessments, including behavior, appearance, voice, and the speed at which they type
  o Verify the device: not pwned, same device
  o A user’s device can constantly calculate a trust score that the user is who they claim to be
Reference
92. Terms
Source: http://www.idtp.com/identity/
• Biometric data processing: biometric system data processing including capture, quality assessment, presentation attack (spoof) detection, feature extraction, database enrollment, fusion, matching, and decision processes
• Biometric sensors and hardware: variation and types of biometric sensors and technology (e.g., capacitive, thermal, optical, infrared, multi-spectrum) required to capture high-quality samples for various modalities and applications
• Biometric system integration: the hardware and software interfacing necessary to produce a functioning biometric system optimized for a specific application, including proper utilization of biometric software development kits
• Biometric system performance: system performance and metrics including Equal Error Rate (EER), False Accept Rate (FAR), False Reject Rate (FRR), False Match Rate (FMR), False Non-Match Rate (FNMR), detection error tradeoff (DET) and receiver operating characteristic (ROC) curves, genuine and impostor score histograms, and considerations for threshold optimization for population, operating environment, and application requirements
• Biometric standards: NIST, ISO, FIDO standards
• Enrollment and capture processes: considerations for enrollment and live capture processes and errors such as failure to acquire (FTA) and failure to enroll (FTE)
• Sample quality: biometric sample quality has a direct measurable impact on the performance of the system; proper quality assessment algorithms and thresholds ensure the integrity of enrolled biometric templates
• Spoofing and presentation attack detection: recognizing and preventing attempts to use manufactured or fake biometric samples (also known as liveness detection)
• Verification and identification: verification processes require a one-to-one comparison between biometric samples to make a matching decision, while identification processes require one-to-many matching, where a sample (probe) is compared to a database (gallery) to obtain a ranked candidate list
• Physiological and behavioral modalities: biometric traits (e.g., fingerprint, face, iris, voice, vascular, DNA) and their characteristics of universality, uniqueness, permanence, measurability, performance, acceptability, and circumvention
• Soft biometrics: height, weight, skin color, scars, marks, tattoos
• Multimodal biometrics: combining (or fusing) biometric traits to improve decision accuracy, hinder spoofing, and account for unavailability of biometric traits
94. Clare Nelson, @Safe_SaaS
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
• IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
• Six technologies that are taking on the password, UN/HACKABLE, Medium
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
• Nelson, Clare, Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
• Pagliery, Jose; OPM hack’s unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
• Bonneau, Joseph, et al, Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• White, Conor; CTO Doan, Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Gloria, Sébastien, OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
References, 1 of 2
95. Clare Nelson, @Safe_SaaS
• Steves, Michelle, et al, NISTIR, Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
• Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-fingerprints/?mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhokz2EFye%2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhXlDQ%3D%3D (September 2015)
• Perrot, Didier; There’s No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)
• Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/.
• AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/.
• Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems, https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-Whitepaper-v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite]
• Jankovich, Thomas; “Blockchain Makes Digital ID a Reality,” https://finxtech.com/2016/12/02/blockchain-makes-digital-id-reality/ (December 2016)
• Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age, http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013).
• MyData Identity Network based on User Managed Access (UMA), https://docs.google.com/presentation/d/1j3aX8AQGdVtigF1WZouL8WccmYQzZQQje3wuaC2Zb1I/edit#slide=id.g1386e8a6aa_2_914
• Kunk, S.K., Biometric Authentication: A Machine Learning Approach, Prentice Hall (2005).
• mikeh, Machine Learning and Biometrics, Neya Systems blog, http://neyasystems.com/machine-learning-biometrics/ (March 23, 2013).
References, 2 of 2
97. Clare Nelson, @Safe_SaaS
Artificial Dog Nose
It smells you once, and knows you forever.
Matt Staymates, a mechanical engineer at NIST.
• Schlieren imaging system, visualizes flow of
vapors into an explosives detection device fitted
with an artificial dog nose, mimics "active
sniffing" of a dog.
• Artificial dog nose developed by Staymates and
colleagues at NIST, MIT Lincoln Laboratory, FDA.
• Improves trace chemical detection as much as
16-fold.
Source: http://phys.org/news/2016-12-scientists-artificial-dog-nose-mimics.html
Photo: http://dogs.petbreeds.com/l/95/Labrador-Retriever
99. Clare Nelson, @Safe_SaaS
Types of Detection
Source: https://www.nist.gov/sites/default/files/documents/2016/11/30/401_newton.pdf
Vendor ID, Algorithm ID, and Sensor ID
100. Clare Nelson, @Safe_SaaS
Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:2382:-37:ed-2:v1:en (2017)
Spoofing, Biometric Presentation Attack
Biometric Presentation Attack
Presentation to the biometric capture system with the
goal of interfering with the operation of the biometric
system.
101. Clare Nelson, @Safe_SaaS
Source: http://livdet.org/index.php
Presentation Attack Detection, Liveness Detection Competition
Hosts: University, Notre Dame University, West Virginia
University, and Warsaw University of Technology
This will be held as part of the IJCB 2017.
The competition has two sub-competitions:
• Part I: Software-based
• Part II: System-based Test
International Joint Conference on Biometrics
102. Clare Nelson, @Safe_SaaS
IARPA Face Recognition Algorithm Contest
Source: https://www.challenge.gov/challenge/face-recognition-prize-challenge/ (April 2017)
Face Identification and Face Verification
• 1-to-1 compare.
• 1-to-many compare.
• “Face recognition is hard.”
• Algorithms commit false negative and
false positive errors.
Head pose, illumination, and facial
expression.
Looking for advancements in
face recognition accuracy.
103. Clare Nelson, @Safe_SaaS
Face Recognition Algorithm Evaluation
Source: https://www.nist.gov/programs-projects/face-recognition-vendor-test-frvt-ongoing
Source: http://www.planetbiometrics.com/article-details/i/5406/desc/nist-to-hold-new-round-of-face-recognition-algorithm-evaluation/
Face Recognition Algorithm Evaluation
• Includes verification of:
Visa images.
De-duplication of passports.
Recognition across photojournalism
images.
Identification of child exploitation victims.
• Part of the Face Recognition Vendor Test
(FRVT).
• Results will be posted to the NIST website.
104. Clare Nelson, @Safe_SaaS
November 2016 NIST Algorithm Test Results, Finger
Source: https://www.innovatrics.com/awards/pft/
• FMR = False Match Rate
• FNMR = False Non-Match Rate
• POEBVA = Point of Entry BVA (Data used for compliance
testing)
BVA = German Federal Office of Administration
Assess the core algorithmic
capability to perform one-to-one
verification.
105. Clare Nelson, @Safe_SaaS
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Presentation Attack Detection (PAD), Techniques
Liveness detection: Facial
thermogram, blood pressure,
fingerprint sweat, or specific
reflection properties of the eye,
pulse, perspiration, pupillary unrest
(hippus), brain wave signals (EEG),
or electric heart signals.
Protect the system against
the injection of reconstructed
or synthetic samples into the
communication channel
between the sensor and the
feature extractor.
Fusion strategies to increase
resistance. Multimodal, use more
than one biometric, or combine
unimodal with an anti-spoofing
technique. The score reflects
more than one input, unknown
to the bad guy.
106. Clare Nelson, @Safe_SaaS
Quantum Biometrics (April 2017)
Human Eye Can Detect a Single Photon
Identify individuals by the way their eyes
detect photons.
• Beam a random pattern of flashes into
the eye.
• Vary the intensity of light in each flash.
It is detected as a recognizable pattern by a
person with a specific alpha map but seems
random to anyone else.
Source: https://www.technologyreview.com/s/604266/quantum-biometrics-exploits-the-human-eyes-ability-to-detect-single-photons/?utm_campaign=add_this&utm_source=twitter&utm_medium=post
107. Clare Nelson, @Safe_SaaS
Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
Source: http://www.iphonehacks.com/2017/01/synaptics-launches-multi-factor-facial-fingerprint-recognition-engine-smartphones-tablets.html
Fusion Strategies: Example of Face and Finger
Better accuracy
• Bimodal biometric system using face and
fingerprint.
• Salient features of the face and fingerprint were
extracted, and fused/combined.
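An added worked example (not from the deck or from the MSU paper) tying together the performance terms from the Terms slide and the face-plus-finger fusion above: FMR and FNMR at a threshold, the DET points and EER, the threshold needed for a target FMR, sum-rule score fusion of the two modalities, and the ISO/IEC 19795-1 relation between FAR/FRR and FMR/FNMR. All scores are constructed; the function names are mine.

```python
"""Biometric verification metrics and score-level fusion (added example).

Constructed one-to-one comparison scores for a bimodal face + fingerprint
system. Index i of each list is the same comparison, so the two modalities
can be fused per comparison. Higher score = more similar; a comparison is
accepted when score >= threshold.
"""
from typing import List, Sequence, Tuple

# Constructed sample data (not measurements from any real system).
FACE_GENUINE = [0.90, 0.60, 0.80, 0.70, 0.85]     # probe and reference: same person
FACE_IMPOSTOR = [0.20, 0.65, 0.30, 0.40, 0.25]    # probe and reference: different people
FINGER_GENUINE = [0.70, 0.90, 0.55, 0.80, 0.75]
FINGER_IMPOSTOR = [0.60, 0.30, 0.35, 0.50, 0.20]


def false_match_rate(impostor: Sequence[float], threshold: float) -> float:
    """FMR: share of impostor comparisons wrongly accepted at this threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_non_match_rate(genuine: Sequence[float], threshold: float) -> float:
    """FNMR: share of genuine comparisons wrongly rejected at this threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def det_points(genuine: Sequence[float],
               impostor: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FMR, FNMR) at every observed score: the points of a DET curve."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, false_match_rate(impostor, t), false_non_match_rate(genuine, t))
            for t in thresholds]


def equal_error_rate(genuine: Sequence[float],
                     impostor: Sequence[float]) -> Tuple[float, float]:
    """Threshold where FMR and FNMR are closest, and the EER (their mean there)."""
    t, fmr, fnmr = min(det_points(genuine, impostor), key=lambda p: abs(p[1] - p[2]))
    return t, (fmr + fnmr) / 2


def threshold_for_max_fmr(genuine: Sequence[float], impostor: Sequence[float],
                          max_fmr: float) -> Tuple[float, float]:
    """Lowest observed threshold whose FMR does not exceed max_fmr, and the FNMR
    (convenience cost) paid there. Raises ValueError if no threshold qualifies."""
    for t, fmr, fnmr in det_points(genuine, impostor):
        if fmr <= max_fmr:
            return t, fnmr
    raise ValueError("no threshold meets the FMR target")


def smallest_measurable_fmr(n_impostor_comparisons: int) -> float:
    """With N impostor comparisons the finest FMR step is 1/N, so a claim such as
    1 in 1,000 needs far more than 1,000 impostor trials to be demonstrated."""
    return 1.0 / n_impostor_comparisons


def fuse_mean(scores_a: Sequence[float], scores_b: Sequence[float]) -> List[float]:
    """Score-level fusion by the sum (mean) rule; both inputs assumed on [0, 1]."""
    return [(a + b) / 2 for a, b in zip(scores_a, scores_b)]


# Vocabulary bridge (ISO/IEC 19795-1): FAR/FRR are transaction-level rates that
# also count failures to acquire (FTA); FMR/FNMR are algorithm-level rates.
def far_from_fmr(fmr: float, fta: float) -> float:
    return (1.0 - fta) * fmr


def frr_from_fnmr(fnmr: float, fta: float) -> float:
    return fta + (1.0 - fta) * fnmr


if __name__ == "__main__":
    for name, gen, imp in [("face", FACE_GENUINE, FACE_IMPOSTOR),
                           ("finger", FINGER_GENUINE, FINGER_IMPOSTOR),
                           ("fused", fuse_mean(FACE_GENUINE, FINGER_GENUINE),
                            fuse_mean(FACE_IMPOSTOR, FINGER_IMPOSTOR))]:
        t, eer = equal_error_rate(gen, imp)
        print(f"{name:6s} EER {eer:.2f} at threshold {t:.3f}")
```

On this constructed data each modality alone has an EER of 0.2, while the fused scores separate genuine from impostor comparisons completely (EER 0).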
108. Clare Nelson, @Safe_SaaS
Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
Existing and Emerging Methods and Standards, Increased Synergy
Determine How Well Biometric Recognition Solutions Work
• Measure strength, use NIST SOFA-B
NIST creating synergy with ISO/IEC and FIDO
• Test face or finger recognition algorithms with NIST
• In future, FIDO certification for biometrics
• ISO/IEC standards for PAD, for mobile
• PAD algorithms
• Increased understanding of FAR, FRR, EER
• Accredited, third-party testing of all or part of the biometric
recognition system
iBeta
• Usability research and testing
• Contests, e.g., LivDet, IARPA
• If store biometrics only on device, then provide a free version
to test accuracy and usability. Otherwise, difficult to get
feedback.
• Research Institutes, e.g., IDIAP Research Institute in
Switzerland
112. Clare Nelson, @Safe_SaaS
Spoofing
The ability to fool a biometric system
into recognizing an illegitimate user as
a genuine one by means of presenting
a synthetic or forged version of the
original biometric trait to the sensor.
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Source: https://www.slideshare.net/SBAResearch/31c3-in20min
113. Clare Nelson, @Safe_SaaS
Spoofing
Source: https://www.linkedin.com/pulse/biometric-spoofing-nadh-thota
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Types of Fake Fingerprints
Fake eye images, contact lenses, etc., enable attackers to fake an iris sample
(Figure labels: Real, Fake)
114. Clare Nelson, @Safe_SaaS
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.computer.org/csdl/trans/tp/2006/01/i0031.html
Face Spoofing
Matching 2.5D Face Scans to 3D Models
115. Clare Nelson, @Safe_SaaS
iPhone X, Face ID
Source: https://venturebeat.com/2017/09/12/iphone-x-ditches-touch-id-for-face-id/
Source: http://bgr.com/2017/09/12/iphone-x-price-specs-features/
117. Clare Nelson, @Safe_SaaS
Vocabulary, 2017 ISO/IEC 2382-37
Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-Paper-Understanding-Biometric-Performance-Evaluation.pdf
Source/Domain         | Associated Terms
Biometrics Text Books | FAR, Type II   | FRR, Type I
ISO/IEC               | More, detailed | More, detailed
NIST                  | FMR            | FNMR
Risk                  | False Positive | False Negative, False Reject, Insult Rate
Equal Error Rate (EER), also known as Crossover Error Rate (CER)
Reference
118. Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf (March 2017)
1. Device has just been turned on, or
restarted
2. Device hasn’t been unlocked for more than
48 hours
3. Device has received a remote lock
command
4. After 5 unsuccessful attempts to match a
fingerprint
5. When setting up or enrolling new fingers
with Touch ID
6. The passcode hasn’t been used to unlock
the device in the last 156 hours (6.5 days)
and Touch ID has not unlocked the device in
the last 4 hours
When is Passcode Required?
(Diagram labels: 156 hours, 4 hours, Passcode, Touch ID)
119. Clare Nelson, @Safe_SaaS
Source: https://www.facebook.com/jterstegge/posts/1857555150924472
Source: https://www.facebook.com/TheEconomist/videos/10155826328554060/?hc_ref=ARShy0cXkxwBhuFfrsnXCc9Usugj0-XSVLv7sVcTsDVF6PlWhH_tD99BTsYW50qoMmA&pnref=story
Face recognition in CCTV
Example of the link between:
• Privacy (the right to be let alone)
AND
• Data protection (the right not to have data collected and used in ways
that impact people's rights and freedoms)
This technology, especially its pervasiveness, is very very worrying.....
GDPR has put biometrics in the 'special data' category
• It is prohibited to process face recognition data, except for some very
limited purposes
Serious flaw in GDPR Article 9(2)(g)
• Allows governments to use this technology "for reasons of substantial
public interest" and "subject to suitable safeguards to protect people's
rights and freedoms”
Reference
Jeroen Terstegge CIPP E-US
Partner at Privacy Management Partners
Utrecht Area, Netherlands
Face Recognition, GDPR Privacy Concerns
120. Clare Nelson, @Safe_SaaS
Face ID False Acceptance Rate (FAR)
Source: https://arstechnica.com/gadgets/2017/09/face-id-on-the-iphone-x-is-probably-going-to-suck/ (September 2017)
The Face ID claim of false acceptance rate (FAR) of 1 in 1,000,000
• Verified by third party, independent testing?
• Touch ID FAR is 1 in 50,000
• Projecting 30,000 dots on a face does not by itself make it more
accurate; it still has all the problems every other face recognition
system has
• Neural networks, neural engine
Other issues include awkward ergonomics and time to perform successful
face capture and compare
• How hold phone
• Get out of bright sunlight?
• Take off sunglasses?
• How many retries before Failure to Acquire (FTA)?
Many people may simply use their passcode
Surgeons and people who wear a
garment that covers their face (e.g.,
women in some Muslim countries
are required to wear a niqab in
public) will need to use the
passcode instead
What is FRR for iPhone X?
121. Minnesota Senator Raises Concerns over iPhone X, Face ID
Published letter: https://www.franken.senate.gov/?p=press_release&id=3759
Security and Privacy concerns with iPhone X, Face ID
Source: http://money.cnn.com/2017/09/14/technology/al-franken-iphone-x-face-id/index.html (September 2017)
122. Iris more accurate than face
Source: https://www.youtube.com/watch?v=KyDoFrojEYk&list=PLrUBqh62arzt_Uf_UamHtRFDYl1tpRVCK
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Iris versus Face
123. Clare Nelson, @Safe_SaaS
Source: https://twitter.com/G_ant (September 2017)
Are You Confused? Reference
Which biometrics are static, which are dynamic?
124. Clare Nelson, @Safe_SaaS
FaceID Training
Apple trained on 1 billion plus faces, global, got permission
• Maintains this database
“We do not gather customer data when you enroll in Face ID, it stays on your device, we
do not send it to the cloud for training data”
There is an adaptive feature of Face ID that allows it to continue to recognize your
changing face as you change hair styles, grow a beard or have plastic surgery.
• This adaptation is done completely on device by applying re-training and deep
learning in the redesigned Secure Enclave.
• None of that training or re-training is done in Apple’s cloud.
• Apple has stated that it will not give access to that data to anyone, for any price.
When you train the data it gets immediately stored in the Secure Enclave as a
mathematical model that cannot be reverse-engineered back into a “model of a face.”
• Any re-training also happens there.
• It’s on your device, in your secure enclave, period.
Face ID
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
Secure Enclave, Updated
with Secure Enclave
Processor
Truly no reverse
engineering?
- Anonymization?
Reference
126. Source: http://www.americanbar.org/publications/blt/2016/05/08_claypoole.html
Maze of sectoral laws, state laws, pending cases, and
recommendations
• Patchwork of privacy laws and rules governing the use and
collection of biometric data
• Practitioners, technology developers, and privacy-conscious
individuals should watch this rapidly developing legal
landscape
• Companies employing technologies using biometric
identifiers may want to err on the side of caution and
ensure that their notification and consent processes are
clear and conspicuous
• For cautious businesses, employ an opt-in structure for your
technologies using biometric identifiers
• Look hard at your retention policies and look harder at your
disposal practices
CISO Concerns: Consent, Retention, Disposal
127. Clare Nelson, @Safe_SaaS
Homomorphic Encryption
VTT Technical Research Centre, Finland
• Biometric recognition for MFA
• Risk that a person's biometric identifiers
leak out of the database
• Protect biological or behavioral biometric
data
• Uses homomorphic encryption
Source: http://www.vttresearch.com/media/news/vtts-encryption-method-takes-authentication-to-a-new-level
128. Clare Nelson, @Safe_SaaS
Face ID: Enroll, Can You Read Instructions without Glasses?
Source: http://www.idownloadblog.com/2017/09/15/face-id-overview/ (September 2017)
• Settings
• Face ID & Passcode
• Enroll Face
• Get Started
• Follow Onscreen Instructions (Read without
Glasses?)
• Gently move your head while looking at
the screen to complete the circle
129. Clare Nelson, @Safe_SaaS
Face ID, Initial Use Cases
Source: http://www.idownloadblog.com/2017/09/15/face-id-overview/ (September 2017)
• iPhone unlock—Unlock your phone with a glance
• Auto-Lock—Keep the screen lit when reading
• iTunes and App Store—Approve app and media purchases
• Apple Pay—Check out with just a glance
• Safari Autofill—Unlock saved Safari passwords for use on
websites and in apps
• Animoji—Animate emoji using your voice and facial
expressions
• Messages—Reveal messages when looking at the Lock
screen
• Notifications—Display protected notifications on the Lock
screen
• Alarms/ringers—Lower the alarm/ringer volume with a
glance
130. Clare Nelson, @Safe_SaaS
Fingerprint Readers Eclipsed 1 Billion, Is Face the Next Wave?
Source: https://www2.deloitte.com/nl/nl/pages/technologie-media-telecom/articles/tmt-predictions-2017.html
131. Clare Nelson, @Safe_SaaS
Lack of Common Vocabulary
Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-Paper-Understanding-Biometric-Performance-Evaluation.pdf
Graphic: https://www.britannica.com/topic/Tower-of-Babel
Source/Domain         | Associated Terms
Biometrics Text Books | FAR, Type II   | FRR, Type I
NIST                  | FMR            | FNMR
ISO/IEC               | More, detailed | More, detailed
Risk                  | False Positive | False Negative, False Reject, Insult Rate
Equal Error Rate (EER), also known as Crossover Error Rate (CER)
Vocabulary Updates
2017 ISO/IEC 2382-37
132. Clare Nelson, @Safe_SaaS
Issues with Biometrics
Even when organizations do not actively
attempt to abuse personal data, it is
difficult to ensure its privacy, as illustrated
by some of the well-publicized breaches
OPM Breach
5.6 M Fingerprints
Biometrics are often used in situations where
there is a significant asymmetry of power
• Employers monitoring employees
• Governments monitoring those entering and
leaving the country
Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
Consent to process biometrics is not
freely given if there is an asymmetry of power
133. Clare Nelson, @Safe_SaaS
Issues with Biometrics
• Not revocable, easy to reset password, not
easy to reset fingerprint
• In MFA, biometrics are a restricted factor
• No two biometrics scans are the same, each
one is unique (Ratha 2001)
• If there is a perfect match, then you know
something is wrong, impostor, or malfunction
• Algorithms commit false negative and false
positive errors
• Head pose, illumination, and facial
expression
Source: https://www.slideshare.net/eralcnoslen/who-will-win-the-biometrics-race-v10
• Privacy issues
• Religious, head covering, need private place for face
recognition
• GDPR, biometrics are sensitive personal data, need
consent tied to specific purpose, must be easy to
withdraw consent
• Consent must be freely given
• United States Biometric Information Privacy Act (BIPA)
laws in IL, TX;
• Vary by state, need written consent, document
purpose, retention
• Anti-spoofing technology still evolving
• Targeted attacks, mass attacks on horizon (Dr. Memon)
135. EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/9.htm
Source: http://www.duhaime.org/LegalDictionary/L/Legalese.aspx
If Collect Consent to Process Biometrics
• Clear, plain language
• Freely given
• As easy to withdraw as to give consent
No Legalese
138. Clare Nelson, @Safe_SaaS
EU PSD2 Requirements for Biometric Recognition for Authentication
Date: 23 February 2017
Source: https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
Source: http://nordicapis.com/psd2-sanctions-access-to-personal-banking-data-amplifying-fintech-growth/
• Low False Acceptance Rate (FAR)
• Anti-spoofing measures
Convenience
Security
139. Clare Nelson, @Safe_SaaS
EU PSD2 Requirements for Biometric Recognition for Authentication
Date: 23 February 2017
Source: https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
Source: http://nordicapis.com/psd2-sanctions-access-to-personal-banking-data-amplifying-fintech-growth/
• Independence of factors in multi-factor
authentication
• The breach of one of the factors does not
compromise the reliability of the other
factors
• Use of separated secure execution
environments
Know Have Are
140. Clare Nelson, @Safe_SaaS
Contactless Biometric Recognition, Healthcare
Source: http://healthcare.fai.fujitsu.com/resource/essentials-to-achieve-optimal-clinical-workflow.pdf
Source: http://www.amfastech.com/2013/03/a-seminar-on-palm-vein-technology.html
Solution
• Palm vein
• Capture palm vein pattern with near-infrared rays
• Works with clinician, surgeon gloves
• Fujitsu data sheet
• FAR (false accept rate) = 0.00001%
• FRR (false reject rate) = 1.0%
142. Source: https://pages.nist.gov/800-63-3/sp800-63b.html
NIST Update on Allowable Use of Biometrics
SP 800-63B, Authentication and Lifecycle Management
For a variety of reasons, this document supports only limited use of biometrics
for authentication. These reasons include:
• The biometric False Match Rate (FMR) does not provide confidence in the
authentication of the subscriber by itself.
• In addition, FMR does not account for spoofing attacks.
• Biometric comparison is probabilistic, whereas the other authentication factors
are deterministic.
• Biometric template protection schemes provide a method for revoking biometric
credentials that is comparable to other authentication factors (e.g., PKI
certificates and passwords). However, the availability of such solutions is limited,
and standards for testing these methods are under development.
• Biometric characteristics do not constitute secrets.
• They can be obtained online or by taking a picture of someone with a
camera phone (e.g., facial images) with or without their knowledge, lifted
from objects someone touches (e.g., latent fingerprints), or captured with
high resolution images (e.g., iris patterns).
• While presentation attack detection (PAD) technologies (e.g., liveness
detection) can mitigate the risk of these types of attacks, additional trust in
the sensor or biometric processing is required to ensure that PAD is
operating in accordance with the needs of the CSP and the subscriber.
Therefore, the limited use of biometrics for authentication is supported
with the following requirements and guidelines:
• Biometrics SHALL be used only as part of multi-factor
authentication with a physical authenticator (something you have).
• The biometric system SHALL operate with an FMR [ISO/IEC 2382-37]
of 1 in 1000 or better.
• This FMR SHALL be achieved under conditions of a
conformant attack (i.e., zero-effort impostor attempt) as
defined in [ISO/IEC 30107-1].
• The biometric system SHOULD implement PAD.
• Testing of the biometric system to be deployed SHOULD
demonstrate at least 90% resistance to presentation attacks
for each relevant attack type (i.e., species), where resistance
is defined as the number of thwarted presentation attacks
divided by the number of trial presentation attacks.
• Testing of presentation attack resistance SHALL be in
accordance with Clause 12 of [ISO/IEC 30107-3].
• The PAD decision MAY be made either locally on the
claimant’s device or by a central verifier.
PAD = Presentation Attack Detection
PAD is being considered as a mandatory requirement in future
editions of this guideline.
5.2.3. Use of Biometrics
143. Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Source: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=52946
NIST Update on Allowable Use of Biometrics
SP 800-63B, Authentication and Lifecycle Management
ISO/IEC 24745 = Information technology – Security
techniques – Biometric information protection
The biometric system SHALL allow no more than 5 consecutive failed
authentication attempts or 10 consecutive failed attempts if PAD meeting
the above requirements is implemented. Once that limit has been reached,
the biometric authenticator SHALL either:
• Impose a delay of at least 30 seconds before the next attempt,
increasing exponentially with each successive attempt (e.g., 1 minute
before the following failed attempt, 2 minutes before the second
following attempt), or
• Disable the biometric user authentication and offer another factor (e.g.,
a different biometric modality or a PIN/Passcode if it is not already a
required factor) if such an alternative method is already available.
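The attempt-limit rule quoted above, encoded as a small verifier-side state machine (an added example, not code from the deck or from NIST): at most 5 consecutive failures, or 10 with PAD, then either a delay of 30 s doubling with each further failure (1 min, 2 min, ...) or disabling the biometric in favour of another factor, plus the 90% resistance-per-species check from the PAD testing guideline. Clock times are seconds on an arbitrary clock and the outcome labels are mine.

```python
"""SP 800-63B §5.2.3 attempt limits for a biometric authenticator (added example).

A small state machine for the verifier: at most 5 consecutive failed attempts
(10 when PAD meeting the guideline is implemented); once the limit is reached,
either delay the next attempt by at least 30 s, doubling for each further
failure (30 s, 1 min, 2 min, ...), or disable the biometric and offer another
factor. Also the 90 % presentation-attack resistance test rule.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BiometricAttemptPolicy:
    pad_implemented: bool = False
    fallback_factor: Optional[str] = None   # e.g. "passcode"; None means use delays
    base_delay_s: int = 30
    consecutive_failures: int = 0
    locked_until: float = 0.0               # clock time (s) of the next allowed attempt
    disabled: bool = False

    @property
    def max_failures(self) -> int:
        return 10 if self.pad_implemented else 5

    def can_attempt(self, now: float) -> bool:
        return not self.disabled and now >= self.locked_until

    def record_result(self, matched: bool, now: float) -> str:
        """Apply one comparison outcome at clock time `now`; returns an outcome label."""
        if not self.can_attempt(now):
            return "rejected: attempt not permitted"   # attempts during lockout do not count
        if matched:
            self.consecutive_failures = 0             # only *consecutive* failures count
            return "accepted"
        self.consecutive_failures += 1
        if self.consecutive_failures < self.max_failures:
            return "failed"
        if self.fallback_factor is not None:
            self.disabled = True                      # option 2: disable, offer another factor
            return f"disabled: use {self.fallback_factor}"
        # option 1: 30 s at the limit, then 60 s, 120 s, ... for each further failure
        delay = self.base_delay_s * 2 ** (self.consecutive_failures - self.max_failures)
        self.locked_until = now + delay
        return f"delayed {delay}s"


def simulate(policy: BiometricAttemptPolicy, events: List[Tuple[float, bool]]) -> List[str]:
    """Replay (clock_time, matched) events through the policy; returns the outcome labels."""
    return [policy.record_result(matched, now) for now, matched in events]


def pad_resistance(thwarted: int, trials: int) -> float:
    """Resistance = thwarted presentation attacks / trial presentation attacks."""
    return thwarted / trials


def meets_pad_resistance(results_by_species: Dict[str, Tuple[int, int]],
                         minimum: float = 0.9) -> bool:
    """SHOULD: at least 90% resistance for *each* relevant attack type (species)."""
    return all(pad_resistance(th, tr) >= minimum for th, tr in results_by_species.values())


if __name__ == "__main__":
    p = BiometricAttemptPolicy()                      # no PAD, delays only
    print(simulate(p, [(t, False) for t in (0, 1, 2, 3, 4)] + [(10, False), (34, False)]))
    # -> 4 x 'failed', 'delayed 30s', 'rejected: attempt not permitted', 'delayed 60s'
```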
The verifier SHALL make a determination of sensor and endpoint
performance, integrity, and authenticity. Acceptable methods for making
this determination include, but are not limited to:
• Authentication of the sensor or endpoint.
• Certification by an approved accreditation authority.
• Runtime interrogation of signed metadata (e.g., attestation) as
described in Section 5.2.4.
5.2.3. Use of Biometrics
Biometric comparison can be performed locally on claimant’s device or
at a central verifier.
• Since the potential for attacks on a larger scale is greater at central
verifiers, local comparison is preferred.
If comparison is performed centrally:
• Use of the biometric as an authentication factor SHALL be limited to
one or more specific devices that are identified using approved
cryptography.
• Since the biometric has not yet unlocked the main authentication
key, a separate key SHALL be used for identifying the device.
Biometric revocation, referred to as biometric template protection
in ISO/IEC 24745, SHALL be implemented.
All transmission of biometrics SHALL be over the authenticated
protected channel.
Biometric samples collected in the authentication process MAY be used
to train comparison algorithms or — with user consent — for other
research purposes.
• Biometric samples and any biometric data derived from the
biometric sample such as a probe produced through signal
processing SHALL be zeroized immediately after any training or
research data has been derived.
Reference
144. Clare Nelson, @Safe_SaaS
Face ID: What About Doppelgängers?
Graphics: https://www.linkedin.com/feed/update/urn:li:activity:6309838132355432448/
Graphics: http://www.thedailybeast.com/these-people-are-strangers-doppelgangers-around-the-world-photos
145. Clare Nelson, @Safe_SaaS
Issues with Biometrics
Facial recognition is prone to problems with lighting
conditions
• Vendor evaluation
• Face recognition did not work in outdoor
Austin sunshine, or in an office, standing
near window
• Vendor response: “Go inside”
Voice recognition is prone to environmental background
noise
• Unnamed financial services market leader
• User experience
• In car, with some background noise
• Call, and use voice: “At Unnamed, my voice
is my password”
• Failed after multiple attempts, due to
background noise
• Works at home, in quiet office
Graphic: http://www.securitysales.com/tag/biometrics/
Fingerprint recognition is prone to moisture, dirty reader
• At unnamed employer
• Use fingerprint reader
• Touch with a registered finger
• Fails if finger is slightly damp, or reader is dirty
• Guard recommended: ridge builder (liquid with no
ingredients listed, nor provided by manufacturer)
Reference
146. Clare Nelson, @Safe_SaaS
Spoofing is Still Too Easy
Face Unlock
• Spoofed
• 2011 Galaxy Nexus
• 2017 Samsung S8
Source: http://www.dailystar.co.uk/tech/news/601633/Samsung-Galaxy-S8-face-recognition-privacy-security-warning
Source: http://www.androidpolice.com/2011/11/16/still-not-convinced-that-face-unlock-is-easily-fooled-by-a-photo-heres-another-video-showing-face-programming-and-photo-unlocking-from-start-to-end/
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments
Emerging standard method for measuring strength, or comparing solutions.
147. Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
Illinois Biometric Information Privacy Act (BIPA)
Sec. 15. Retention; collection; disclosure; destruction.
(a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
(1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
(2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless:
(1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure;
(2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative;
(3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or
(4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
(e) A private entity in possession of a biometric identifier or biometric information shall:
(1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and
(2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
Reference
Summary: policy, retention, destruction, notification, written consent, disclosure, secure storage, secure transmission
148. Minnesota Supreme Court: Case about Unlocking Mobile Phone
Diamond ordered to “provide a fingerprint or thumbprint”
Diamond asked officers, “Which finger do you want?”
Diamond argued that the government violated his Fifth Amendment rights
• Made him select which finger to use
• This requirement compelled a testimonial communication
Source: http://www.twincities.com/2017/09/12/can-you-be-ordered-to-unlock-your-cell-phone-mn-supreme-court-tackles-issue/amp/ (September 2017)
150. Clare Nelson, @Safe_SaaS
iPhone X
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
151. Clare Nelson, @Safe_SaaS
Issues with Biometrics: Not Safe for Payments
Samsung Galaxy S8: Contrary to Earlier
Reports:
Users cannot use facial recognition to
authenticate payments
• Camera and deep learning technology
still evolving for facial recognition
• Iris and fingerprint are more secure
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April 2017)
Source: http://www.economist.com/blogs/economist-explains/2015/06/economist-explains-12
152. Clare Nelson, @Safe_SaaS
Issues with Biometrics
Doubt over whether organizations can be trusted to follow regulations
• Obtain user consent before processing biometrics
• Secure and protect biometrics
“The ISO has decided not to approve two NSA-designed block encryption algorithms: Speck and Simon. It's because the NSA is not trusted to put security ahead of surveillance.” (September 21, 2017)
Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
Graphic: https://www.schneier.com/blog/archives/2017/09/iso_rejects_nsa.html
153. Source: http://www.privacy-regulation.eu/en/4.htm
Source: https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf
EU General Data Protection Regulation (GDPR)
Article 4, Definitions
Personal data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
Reference
154. EU General Data Protection Regulation (GDPR)
Article 7, Conditions for Consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. Note: provability.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. Note: clear, plain language.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. Note: right to withdraw consent, as easy to withdraw as to give.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Note: freely given.
Source: http://www.privacy-regulation.eu/en/9.htm
Reference
155. EU General Data Protection Regulation (GDPR)
Article 9, Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. Note: prohibited.
2. Paragraph 1 shall not apply if one of the following applies (exceptions):
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; Note: consent.
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; Note: employment.
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; Note: unable to give consent.
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; Note: foundation or non-profit.
(e) processing relates to personal data which are manifestly made public by the data subject; Note: personal data is public.
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; Note: legal defence.
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; Note: public interest.
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; Note: preventive medicine.
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; Note: public health interest.
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. Note: archiving, scientific or historical research.
Source: http://www.privacy-regulation.eu/en/9.htm
Reference
158. Clare Nelson, @Safe_SaaS
Issues with Biometrics, NIST List
• The biometric False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself
• FMR does not account for spoofing attacks
• Biometric comparison is probabilistic, whereas the other authentication factors are deterministic
• Biometric template protection schemes provide a method for revoking biometric credentials that is comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
• Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns).
• While presentation attack detection (PAD) technologies (e.g., liveness detection) can mitigate the risk of these types of attacks, additional trust in the sensor or biometric processing is required to ensure that PAD is operating in accordance with the needs of the Credential Service Provider (CSP) and the subscriber.
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Sidebar:
• FMR is also known as FAR
• Touch ID: 1 in 50,000
• Face ID: 1 in 1,000,000
• Biometrics may be used to unlock multi-factor authenticators and to prevent repudiation of enrollment
Reference
159. Clare Nelson, @Safe_SaaS
Issues with Biometrics
• Biometric recognition systems have error rates; biometric samples are compared with a template, so the result is probabilistic
• Biometric recognition systems have False Acceptance Rates (FARs) and False Reject Rates (FRRs); the comparison yields a probability of a match
• Biometrics can be collected without user knowledge or consent
• Unique enough?
o For now, until mass scale attacks (Memon’s work, end of this presentation)
o Exceptions for twins, doppelgängers
• Universal enough?
o Exceptions in human population
o Example: fingerprint sampling does not work for everyone; a ridge builder solution is sometimes applied, in other cases an alternative to biometrics is needed
• Stable enough?
o Fingerprints don’t change as much as face or voice
o Update periodically, Face ID neural engine
o Research: can spoof face based on neural network recognition (CMU 2016), using colorful glasses
• Overreliance on mobile device
o Mobile biometrics use case
o Mobile device may be compromised; mobile attack surface includes browser, OS, device
o OWASP Mobile Top 10 references these and more
o Keylogger installed
o Man-in-the-Middle (MiTM) attack
o Rooted, jailbroken devices may be less secure
o Full control of device from iOS or Android vulnerabilities, hardware vulnerabilities
o Social engineering
Source: http://www.biometricupdate.com/201611/cmu-researchers-develop-glasses-that-dupe-facial-recognition
Reference
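The error-rate bullets on slides 158 and 159 (FMR/FAR versus FRR, probabilistic comparison, and the brute-force analogy that NIST draws for a zero-information attack) become concrete with a short threshold sweep. The Python below is an editor's worked example, not part of the original presentation and not NIST's SOFA-B formula; the genuine and impostor match scores are constructed for illustration, and the two attack-probability functions use the ordinary independent-trials approximation and the reading of the SOFA speaker notes (a targeted spoof must defeat PAD and then match), both of which are assumptions of this example.

```python
"""Editor's worked example (not from the original slides or from NIST):
sweep a match threshold over constructed genuine and impostor scores,
report FMR and FNMR at each threshold, locate the equal error rate, and
size a zero-information (brute-force) attack against a lockout limit."""

# Constructed similarity scores in [0, 1]; higher means "more alike".
GENUINE_SCORES = [0.93, 0.88, 0.97, 0.81, 0.90, 0.76, 0.95, 0.85, 0.89, 0.92,
                  0.71, 0.94, 0.83, 0.87, 0.96, 0.79, 0.91, 0.86, 0.84, 0.98]
IMPOSTOR_SCORES = [0.12, 0.34, 0.45, 0.21, 0.58, 0.30, 0.66, 0.25, 0.41, 0.19,
                   0.73, 0.37, 0.28, 0.52, 0.15, 0.61, 0.33, 0.47, 0.09, 0.80]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FMR, FNMR) when any score >= threshold is accepted as a match.

    FMR (false match rate, also called FAR) is the share of impostor
    comparisons accepted; FNMR (also FRR, the 'insult rate') is the share
    of genuine comparisons rejected. Raising the threshold lowers one and
    raises the other, which is why a vendor quoting only FAR says little."""
    fmr = sum(1 for s in impostor if s >= threshold) / len(impostor)
    fnmr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return fmr, fnmr


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold (among observed scores) where FMR and FNMR are closest,
    plus the two rates there: one summary point for comparing systems."""
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates,
               key=lambda t: abs(error_rates(t, genuine, impostor)[0]
                                 - error_rates(t, genuine, impostor)[1]))
    return (best,) + error_rates(best, genuine, impostor)


def zero_information_success(fmr, attempts):
    """Probability that an attacker with no knowledge of the enrolled subject
    gets at least one false match within `attempts` presentations, treating
    attempts as independent. This is the brute-force analogy: a lockout after
    a handful of tries is what keeps a 1-in-50,000 FMR meaningful."""
    return 1.0 - (1.0 - fmr) ** attempts


def targeted_success(pad_miss_rate, fnmr):
    """Assumed model for a targeted spoof (editor's simplification): the
    artefact must slip past presentation attack detection (PAD), and the
    genuine-like sample must then match, so FNMR rather than FMR limits it."""
    return pad_miss_rate * (1.0 - fnmr)


def threshold_table(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Rows of (threshold, FMR, FNMR) so the trade-off can be read side by side."""
    return [(t,) + error_rates(t, genuine, impostor) for t in thresholds]


if __name__ == "__main__":
    for t, fmr, fnmr in threshold_table([0.5, 0.7, 0.76, 0.85, 0.95]):
        print(f"threshold {t:.2f}: FMR {fmr:.2f}  FNMR {fnmr:.2f}")
    print("EER point (threshold, FMR, FNMR):", equal_error_rate())
    # Apple's published 1-in-50,000 Touch ID figure against a five-try lockout,
    # then the same FMR with no lockout at all.
    print("zero-information success, 5 tries:", zero_information_success(1 / 50000, 5))
    print("zero-information success, 10^6 tries:", zero_information_success(1 / 50000, 10 ** 6))
    print("targeted spoof, PAD misses 10%, FNMR 5%:", targeted_success(0.10, 0.05))
```

The point of the table is the one the speaker notes make: FAR and FRR only mean something as a pair at a stated threshold, and the lockout count, not the FMR alone, is what bounds a zero-information attacker.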
160. Clare Nelson, @Safe_SaaS
Provide Choices, Biometric Recognition Preferences Vary
Source: http://www.paymentscardsandmobile.com/banks-trusted-deliver-biometric-future/
Consumer Preference
Consumers don’t
know what this is
161. Clare Nelson, @Safe_SaaS
Source: https://fidoalliance.org/how-fido-works/
Graphic: https://www.nist.gov/sites/default/files/documents/2016/12/06/10_ibpc-prez-fido-ssanden-v5.pdf
Graphic: https://findbiometrics.com/solutions/facial-recognition/
Mobile Biometrics: Fast Identity Online (FIDO) Example
Use biometrics to unlock smartphone, use device and encryption for online authentication
Biometrics Encryption
162. Clare Nelson, @Safe_SaaS
Acoustic Ear-Shaped Biometric Recognition
NEC
• Microphone embedded within earphone
• Analyzes the resonance of sounds within
the ear cavity
• Produces a biometric profile
Source: http://www.handsonlabs.org/nec-developing-acoustic-ear-shape-biometric-authentication-solution/
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Requires earphones
164. Biometric Backlash
Biological Biometrics
1. Exist in public domain, and elsewhere (5.6M+ fingerprints stolen in 2015 OPM breach1)
2. May undermine privacy, make identity theft more likely2
3. Persist in government and private databases, accreting information whether we like it or not3
4. User acceptance or preference varies by geography, demographic.
5. Unique, permanent biological identifiers can’t be changed or replaced in the event of a breach, so they are very dangerous if they end up in the wrong hands4
6. September 2017 Minnesota Senator letter about Face ID, voices privacy and security concerns
Given these, plus other biometrics issues detailed in this presentation, the ability to opt out of biometrics may prevail in some market segments
1Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
2Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdf
3Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
4Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017)
Graphic: http://www.rineypackard.com/facial-recognition.php
165. Clare Nelson, @Safe_SaaS
Source: http://www.planetbiometrics.com/article-details/i/1414/
“The move towards multi-factor
authentication opens a door for
biometrics as part of these solutions.
Combining that with mobile platforms
is a winning combination.”
Cathy Tilton, Daon
Editor's Notes
This presentation is posted on SlideShare, over 160 slides, basis for a text book
2 slides of references
Footnotes and sources on almost every slide
Extra summary slide at end for you to cut and paste for your trip report
My profile is on LinkedIn
I live at the intersection of Security, Privacy and Identity
More than a decade of Identity experience
Evaluated 200 MFA vendors, bought Encap
Evaluated 50+ biometrics vendors to add Face and or voice, none passed our criteria
Different from the talk description, I have added Face ID updates
ISO standards, Biometric Authentication, the term is deprecated
Quote Dan Crowley something you forgot, lost, or were
Secure Technology Alliance, was Smart Card Alliance
Includes Location
Mobile Identity Authentication, one could argue it mitigates using the same channel for know, have, are, all on mobile device, typically smartphone
What is feature extraction?
Ratha’s 2001 paper
theta
OPM, recent breaches announced in 2015, 21.5M, 5.6M fingerprint images from background checks, security clearances, were
Is it possible to recreate image from math model?
S: Feature extraction
Active versus Passive, Static versus Dynamic??
Biometrics Institute has more categories.
Not completely separate.
Closely linked in some cases.
EyeVerify combines many aspects of the eye, blood vessels in the white of the eye, the iris and more, for the EyePrint
How you walk, talk, type, swipe, sit, click
Ear print, Eye print, Face, Finger, Foot, Lip, Palm, Voice
Nose, colleague in HR, spoofs touch id of another HR person with her nose.
Pulse-response, good for continuous, steering wheel, keyboard.
Ear print, eye print, face print, finger print, foot print, lip print, palm print, voice print
No matter what biometric is used, the threat model stays the same. Just because you use a new, cool biometric, does not mean the threat model changes, or the ability for a bad guy to hack it goes away.
There is no lack of imagination when it comes to biometrics.
How many of you have a biometric authentication tattoo?
In use and in the lab,
EEG = electroencephalogram
Hand motion
Go to the AirSig website to see the demo.
What is one thing behavioral biometric pioneers are getting right?
Let’s applaud the invisible challenge, here is an example.
Another pioneer in the behavioral biometrics field: JavaScript is required.
When your cursor disappears, what do you do to find it? Move your mouse? How? One behavioral biometric company tracks this.
They create a test scenario where they make the cursor invisible. Then they record your reaction. Invisible challenge, make sure it is you.
You were not asked to name your first pet, you were not called, you were not asked to enter a secret passcode they just texted you. The challenge happened invisibly, without your knowledge, without interrupting you.
These two users have been paired to have the same height, weight, and BMI. As you can see, there are clear differences in how the two users sit down, as indicated by the grouping of dots.
Greek goddess of universal remedy
S: which is the most critical issue ?
What is the EU point of view?
43+ feet iris, moving target, with DoD
30 yards, face
One of my brilliant friends could not enroll iris with Samsung S8, is not human
Depends
Identity proofing for re-registration? Returning, known user? How know if on new phone?
Apple has finally admitted how much life you can reasonably expect to get out of your iPhone: 3 years.
S: unlock device, then device and encryption
Samsung Galaxy S8 debut
Face using camera picture from a second phone
Iris by Starbug
How long will it take Starbug to spoof Face ID?
August 2017 report from Acuity Market Intelligence. This is why you should care: it is an unavoidable market phenomenon.
OPM breach
Biometrics are probabilistic. There is no exact match unless an impostor has replicated a sample.
Just read the red text, rest is there for reference for you to study later
New NIST: biometrics may be used to unlock authenticators and prevent repudiation of registration.
Repudiation = denial
There are two states, which ones?
State by State
Need written consent, easy for employees, harder for customers
or iOS 11 beta rumor: tap home button 5 times.
Fourth Amendment –protects against unreasonable searches and seizures by the government – does not protect fingerprints.
Digital Identity Guidelines
2013, University of Oulu, Finland
3D mask for spoofing
Big debate
What does iPhone X do? Store on device, in secure enclave
New approach: split the biometric information between the user’s device and the data centre storage, meaning that if one is compromised, the hacker will not have all the information needed to gain verification
EU Data Protection Directive, since 1995, over 20 years ago
Ever expanding definition of personal data
Dactyloscopic = relating to dactyloscopy, the science of fingerprint identification
3rd exception, public safety to mitigate crime and terrorist threats
Most promise, depends on use case
The more secure, the higher the insult rate.
Mileage may vary
What is the FRR? Don’t know.
Need entire accuracy report
Not one metric in isolation
http://eyelock.com/
What happens when marketing gets their paws on this?
Need to provide FAR and FRR together, else does not make sense
800 trillion
This figure depicts a generic biometric system and identifies the points at which an adversary may attack a biometric authenticator. The elements of this system could be self-contained in a mobile device, where the biometric is never released, or the system can be distributed among multiple corroborating entities.
NIST’s proposed approach is to develop a framework that considers potential vulnerabilities and their respective mitigation strategies as the primary method of evaluating biometric authenticators.
Based on these evaluations, each mitigation strategy would be assigned a score, the aggregate of which creates an overall score representing the strength of authentication of the biometric authenticator.
Defining this framework must avoid aggregation of scores in a manner that obfuscates the mitigations applied across the appropriate threat vectors. That is, the framework must account for efforts to achieve a higher score by mitigating a significant number of vulnerabilities in only portions of the overall system, while leaving others vulnerable.
Biometric Spoofing is nothing new, over a century
Will the real Raghavendra please stand up?
Which one is the real one? Which one is the iPad picture? Which one is from a laser printer, or an inkjet printer?
Raghavendra and Busch
Local binary patterns (LBP) is a type of visual descriptor used for classification in computer vision. LBP is the particular case of the Texture Spectrum model proposed in 1990.[1][2] LBP was first described in 1994.[3][4] It has since been found to be a powerful feature for texture classification
The expense and higher power consumption dictate the sensors in smartphones and wearables.
-1 is out
-2 in development, T of C
-3 draft out, 41 pages, 2016
DIS – Draft International Standard
FDIS – Final Draft International Standard
Plus FIDO working on biometric certification standard
Strength of function relates to the amount of effort required to defeat a security component.
This equation represents a “zero-information” or “a priori” attack scenario where the attacker is not aiming to masquerade as a specific individual but is attempting to gain access by chance. In this case, a successful attack requires defeating the presentation attack detection (PAD) and having a successful match with the template in the system. This is analogous to a “brute force” attack on passwords.
The equation for a “targeted” attack scenario is modified to reflect that, in this scenario, the attacker would create a sample that closely resembles an approved individual’s biometric characteristics. An attack in this scenario only needs to defeat the PAD. In other words, a targeted attacker would present biometric characteristics to a sensor that match a legitimate user. Therefore, the FNMR accounts for the potential for error of the matching algorithm. In this case, we state that SOFA is proportional to:
Effort is subjective. Look at Level C, 3D printed spoofs.
Michigan, 2016
September 12, 2017 iPhone X announcement
Might be a weak link?
What is IR? Infrared in electromagnetic spectrum
What is electromagnetic spectrum?
During the 9/12 announcement, Apple warned about this.
S: Does it apply to Dopplegangers too?
How many of you are ready to simply think to your computer?
This is not science fiction.
Test labs: using thought waves as an authentication factor.
This headset is from NeuroSky
International Conference on Financial Cryptography and Data Security back in April 2013,
Brainwave authentication can be used instead of passwords to protect computer logins, researchers at the University of California at Berkeley's School of Information said this week, UC Berkeley's John Chuang presented the team's findings at the 17th International Conference on Financial Cryptography and Data Security, held in Okinawa, Japan.
Also Texas Tech, what Abdul Serwadda. Doing research.
ACM is to software what IEEE is to hardware
FBI versus Apple
From targeted attacks to large scale, mass attacks
How unique are the partial fingerprints?
New York University and Michigan State University
Computer simulations
65% success rate
Hero researchers in the field of biometric recognition.
For your trip report
From ISO 30107 working group
Odin, Loki
Anti-Spoofing in software
IAPR = International Association of Pattern Recognition
IARPA = Intelligence Advanced Research Project Activity
The Search Accuracy Prize is $25,000, the Search Speed Prize is $5,000, while the Verification Prize is $20,000.
Every face has numerous, distinguishable landmarks, the different peaks and valleys that make up facial features.
FaceIt defines these landmarks as nodal points. Each human face has approximately 80 nodal points. Is this blown away with Face ID 30,000 dots?
Number of nodal points varies.
Error rates are nonzero, varies by vendor.
Innovatrics came in first,
Accuracy varies, not deterministic like a password
IEEE
Three examples of anti-spoofing: 1) sensor, 2) feature extractor, 3) Score.
Vendors have plenty of examples of anti-spoofing techniques. They should incorporate these in product design, test, etc.
Researchers at National Technical University of Athens in Greece
Measuring the probability of detection is straightforward. The experiments involve repeatedly sending a flash of light into the eye and counting how often the subject becomes aware of it.
By lumping together all the environmental factors into a single parameter called alpha, physicists can then calculate the probability of detection.
Prem Sewak Sudhish , Anil K. Jain , and Kai Cao
Raghavendra and Busch, 2017 paper in ACM Computing Surveys
Blink, smile, turn head one direction or the other
S: Texture
What are behavioral biometrics?
How are behavioral biometrics different from physical biometrics such as your fingerprint or voiceprint?
- In the case of behavioral biometrics, pioneers in this field detect threats based on user interaction with online, and mobile applications. They monitor typing rhythm and mouse patterns. It’s not what you type, it’s how you type. How many of you have a friend or colleague who just kills the keyboard when they type? They truly pound the keys!
- They continuously monitor you to build a profile and track how you type and swipe, etc.
When could you consider using behavioral biometrics?
- In some cases, it might be a reasonable additional layer, or an additional set of parameters, added to multi-factor authentication. You don’t want to use this alone or as a primary authentication method.
What are some of the drawbacks of behavioral biometrics?
1- Show of hands, how many of you disable JavaScript in your browser? How many of you use the Aviator browser? Many of the behavioral biometric solutions would not work then because they rely on javascript. In fact some of them inject javascript into the browser. To me that sounds like malware. How would you even get it installed?
Google’s project Abacus: authenticate based on type/swipe/walk/talk/and face
Highly intoxicated, quote from a co-founder
Angela Merkel,
German Defense Minister, Ursula von der Leyen
IEEE
Well documented cases. 2D and 3D spoofs.
2.5D, depth information provided
iPhone X, September 12 announcement, place orders in October, get in November
Earlier release, Touch ID with Local Authentication only available for Apple apps, now it is available for 3rd party apps
Remote lock, Lost Mode
August 2017 report from Acuity Market Intelligence
Hard to believe
NIST IREX-III = TBD?
September 2017, Gartner, Ant Allan: Confusing
That was the title of a nutrition book by Paavo Airola
Behavioral often called dynamic, and biological static
PSD2 calls biometrics inherence factors
For example, Alice adds two encrypted numbers; Bob can decrypt the result without either party having to reveal the individual numbers in the clear.
Allows computations to be carried out on ciphertext.
Yields encrypted result
Same as if computation done on plaintext.
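The four homomorphic-encryption notes above (compute on ciphertext, get an encrypted result, same as if computed on plaintext) describe additive homomorphism, and a toy Paillier cryptosystem makes the claim checkable. This Python is an editor's worked example, not code from the slides or from any vendor mentioned in them; the two fixed primes are an assumption chosen so the numbers stay readable and are far too small for real use.

```python
"""Editor's worked example (not from the slides): a toy Paillier
cryptosystem. Paillier is additively homomorphic: multiplying two
ciphertexts modulo N^2 yields a ciphertext of the sum of the plaintexts,
so a party holding only ciphertexts can aggregate values it never sees."""
import math
import secrets

# Toy key material. Assumption for the example: fixed ~20-bit primes so the
# numbers stay readable. Real deployments use primes of 1024 bits or more.
P, Q = 1000003, 1000033
N = P * Q
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(P-1, Q-1)
G = N + 1                                               # standard generator choice
MU = pow(LAMBDA, -1, N)   # with G = N+1, L(G^lambda mod N^2) = lambda mod N


def _random_unit():
    """Random r in Z_N^* (coprime to N), the per-encryption blinding factor."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r


def encrypt(m, r=None):
    """E(m) = G^m * r^N mod N^2. A fresh r makes repeated encryptions of the
    same m differ, so ciphertexts cannot be matched by equality."""
    if not 0 <= m < N:
        raise ValueError("plaintext must be in [0, N)")
    if r is None:
        r = _random_unit()
    return (pow(G, m, N2) * pow(r, N, N2)) % N2


def decrypt(c):
    """D(c) = L(c^lambda mod N^2) * mu mod N, where L(u) = (u - 1) / N."""
    u = pow(c, LAMBDA, N2)
    return ((u - 1) // N * MU) % N


def add_encrypted(c1, c2):
    """E(a) * E(b) mod N^2 decrypts to (a + b) mod N: addition on ciphertexts."""
    return (c1 * c2) % N2


def scale_encrypted(c, k):
    """E(a)^k mod N^2 decrypts to (k * a) mod N: multiplication by a known constant."""
    return pow(c, k, N2)


def aggregate_blind(values):
    """Alice's side: encrypt each value and fold the ciphertexts into one.
    Under Paillier's security assumption, whoever holds only the ciphertexts
    learns nothing about the individual values; Bob, holding the private key
    (LAMBDA, MU), decrypts just the total. Returns (ciphertext, total)."""
    total_ct = encrypt(0)
    for v in values:
        total_ct = add_encrypted(total_ct, encrypt(v))
    return total_ct, decrypt(total_ct)


if __name__ == "__main__":
    a, b = 1234, 5678
    ca, cb = encrypt(a), encrypt(b)
    print("same plaintext, different ciphertexts:", encrypt(a) != ca)
    print("D(E(a) * E(b)) =", decrypt(add_encrypted(ca, cb)))   # 6912
    print("D(E(a) ^ 3)    =", decrypt(scale_encrypted(ca, 3)))  # 3702
    print("blind total of [10, 20, 30] =", aggregate_blind([10, 20, 30])[1])
```

Only addition and multiplication by a public constant come for free here; anything needing a product of two encrypted values requires a different scheme, which is one reason the "split the template" and on-device (secure enclave) approaches in the notes are the ones shipping today.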
September 12, 2017 iPhone X announcement
Apple Pay?
Wild West with terminology
Power: is consent freely given?
The devil is in the lack of details
EEA = EU +3, Brexit in future
FAR low
TEE = trusted execution environment
Secure Enclave
Fujitsu has palm vein readers for healthcare
No touch, no germs
De-oxygenated blood, returning to the heart that is picked up.
PalmSecure is Fujitsu
Japan, ATMS
In this case the Presentation Attack Detection worked, it identified a spoofed face.
Specular reflection = also known as regular reflection is the mirror-like reflection of waves, such as light, from a surface
Blurriness feature =
Chromatic moment = imperfect color reproduction property of printing and display media.
Color diversity = Genuine versus Spoof? Genuine has richer colors
François Brunelle of some of his doppelgänger pairs.
What is Einstein’s definition of insanity?
Comparing Naked FARs does not count.
Why is this?
September 2017, Diamond argued that he “was required to identify for the police which of his fingerprints would open the phone”
2014/2015 case
Hang cho
How well it work in bright sunlight? In a movie theater will it be obtrusive? In a meeting will it be obtrusive?
Backpedal
Since Snowden June 2013, EU lack of trust
Max Schrems filed complaint against Facebook, US can’t offer adequate protection, PRISM mass surveillance
Genetic and Biometric data are sensitive data
Consent not freely given if employer/employee relationship, or government/citizen relationship, asymmetry of power
Genetic, healthcare data, long list of exceptions, 10 categories, starting with consent
collect fingerprints when someone signs up for a membership, which allows them to be identified as a member and check in at any salon. The complaints allege, however, that the salons violate the BIPA by not informing customers about this collection and use fingerprints, not obtaining a written release, and by not publishing a biometric data retention policy
Key learning from USAA, offer choice of biometric modalities
Varies by country, by demographic, by use case
Behavioral, who knows what this is? Would all vote for it.
Could be biometrics + PIN. The most secure part, online, is encryption. Biometrics used to unlock mobile device, for example your smartphone.
Use it to unlock phone, not for financial transactions