What Every CISO, Product Strategist, or Consumer Needs to Know About Biometric Recognition for MFA
Clare	Nelson,	CISSP,	CIPP/E
@Safe_SaaS
clare_nelson@clearmark.biz
Presentation	Posted	on	SlideShare:	
https://www.slideshare.net/eralcnoslen/edit_my_uploads
May	17,	2017
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
Introduction
• Disclaimer
• Biography
• Contents
Clare	Nelson,	@Safe_SaaS
The	views	presented	herein,	
expressed	in	any	form,	represent	
my	personal	views,	and	do	not	
necessarily	reflect	the	views	of	
my	employer.
Graphic:	http://rununcensored.com/wp-content/uploads/2013/06/disclaimer.jpg
Clare	Nelson,	CISSP,	CIPP/E
Director,	Office	of	the	CTO	at	AllClear	ID
Identity,	Security,	and	Privacy
• Background
o Encrypted	TCP/IP	variants	for	NSA
o Product	Management	at	DEC	(HP),	EMC2
o Director	Global	Alliances	at	Dell,	Novell
o VP	Business	Development,	TeaLeaf Technology	(IBM),	Mi3	Security
o CEO	ClearMark Consulting,	MFA	Technology	and	Architecture
• 2001-2014	CEO	ClearMark	Consulting	
• 2014	Co-founder	C1ph3r_Qu33ns
• Publications	include:
o 2010	August,	ISSA	Journal,	Security	Metrics:	An	Overview
o 2015	April,	ISSA	Journal,	Multi-Factor	Authentication:	What	to	Look	For
• Talks:	InfraGard,	HackFormers;	BSides Austin;	LASCON;	OWASP	
AppSec USA,	ISSA	Austin;	clients	including	Fortune	500	
financial	services,	2015	FTC	Panel
• B.S.	Mathematics	
Graphic:	http://www.activistpost.com/2015/09/fbi-biometrics-programs-surveillance-database.html
Contents
• Introduction,	You	are	an	advanced	
audience.
1. What’s	more	accurate,	face	or	iris?
2. What’s	more	secure,	password	or	
biometrics?
3. Is	the	US	legal	system	up	to	the	challenge?	
4. Impact	of	EU	GDPR	and	PSD2
5. Does	NIST	provide	quantitative	anti-
spoofing	requirements?
6. Will	ISO/IEC	define	how	to	evaluate	anti-
spoofing	for	mobile	devices?
7. Will	FIDO	have	biometric	certification	
programs	in	the	future?
8. Trends
Graphic:	http://www.computerhope.com/jargon/h/hacker.htm
Source:	http://www.planetbiometrics.com/article-details/i/1414/
“The	move	towards	multi-factor	
authentication	opens	a	door	for	
biometrics	as	part	of	these	solutions.	
Combining	that	with	mobile	platforms	
is	a	winning	combination.”
Cathy	Tilton,	Daon
What	CISOs	Need	To	Know	Before	Adopting	Biometrics
Before adopting biometric recognition
• Risk assessment, policy, compliance
• Architectural decisions
✓ E.g., Is a fingerprint reader installed on a workstation less risky than biometric authentication passed over a network?
• Secure devices that will store biometric data through measures including
✓ Encryption
✓ Trusted platform modules in client machines to prevent data theft
✓ Other physical security measures
Source:	http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic:	https://www.shrednations.com/2015/04/defining-protecting-personally-identifiable-information/
What	CISOs	Need	To	Know	Before	Adopting	Biometrics
Biometric data is Personally Identifiable Information (PII)
• Biometric data presents an extra layer of complexity
✓ User interactions
✓ Compliance
• Organizations with US government contracts may have to comply with Privacy Act of 1974 PII management practices
Source:	http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic:	https://www.airloom.com/technology/security-as-a-service/
What	CISOs	Need	To	Know	Before	Adopting	Biometrics
Privacy	Act	of	1974	
• Applies	to	federal	agencies
• Safeguard	individual	privacy	from	the	misuse
• Governs	the	collection,	maintenance,	use,	
and	dissemination	of PII	
• Prohibits	disclosure	of	information	without	
written	consent	of	the	individual
Source:	https://www.justice.gov/opcl/privacy-act-1974
What	CISOs	Need	To	Know	Before	Adopting	Biometrics
Biometric	recognition	for	
authentication	is	not	100%	reliable
• Biometric	systems	have	false	negatives	and	
false	positives
• In	highly	secure	environments,	false	positives	
may	present	an	unacceptable	risk
• False	negatives	require	a	fallback	
authentication	mechanism
Source:	http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic:	http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
Don’t	Use	as	Single	or	Primary	Factor
Source:	https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Graphic:	http://www.itproportal.com/2016/04/07/the-role-of-biometric-authentication-techniques-in-security/
Remote	System	Access	
Exclude	biometrics	as	single	or	
primary	authentication	factor
• Biometric	samples	are	not	
secrets
• Biometric	samples	are	different	
each	time	they	are	captured
Provide	Choices,	Biometric	Recognition	Preferences	Vary
Source:	http://www.paymentscardsandmobile.com/banks-trusted-deliver-biometric-future/
Consumer Preference (chart; categories shown: Fingerprint scanning, Biometrics + other method, Iris scanning, Facial recognition, Voice recognition, Behavioral biometrics)
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
What’s	more	
accurate,	face	or	iris?
Use	case	is	mobile	
device
Graphic:	https://www.airloom.com/technology/security-as-a-service/
Many	Variables
• Camera,	Sensor
• Environment,	lighting,	noise
• Algorithms
• Threshold	for	comparison
• Template	aging
• Testing,	3rd party	testing
• Don’t	just	rely	on	FAR	and	FRR
• Anti-spoofing,	active	and	passive
• User	experience,	cognitive	effort	required,	
alternatives,	choice
• How	solution	is	integrated	for	use	case
• Overall	strength	of	biometrics	system
Not	Always	a	Clear	Answer,	It	Depends
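The threshold trade-off behind the points above (false positives versus false negatives, "Threshold for comparison", "Don't just rely on FAR and FRR"), as an added example that is not part of the original slides: it measures FAR and FRR over constructed similarity scores and shows how much FRR, and therefore fallback authentication, a stricter FAR target costs. The score distributions, function names and FAR targets are assumptions for illustration, not data from any real matcher.

```python
"""Added example: FAR and FRR both depend on the comparison threshold."""
import random
from bisect import bisect_left


def constructed_scores(seed=7, n_genuine=2000, n_impostor=20000):
    """Return (genuine, impostor) similarity scores in [0, 1], sorted ascending.

    The Gaussian parameters are assumptions chosen for illustration; they are
    not measurements of any sensor, algorithm or product.
    """
    rng = random.Random(seed)

    def draw(mean, sd, n):
        return sorted(min(1.0, max(0.0, rng.gauss(mean, sd))) for _ in range(n))

    return draw(0.78, 0.10, n_genuine), draw(0.35, 0.12, n_impostor)


def error_rates(genuine, impostor, threshold):
    """An attempt is accepted when score >= threshold. Inputs must be sorted.

    FAR: fraction of impostor attempts accepted (false positives).
    FRR: fraction of genuine attempts rejected (false negatives).
    """
    frr = bisect_left(genuine, threshold) / len(genuine)
    far = (len(impostor) - bisect_left(impostor, threshold)) / len(impostor)
    return far, frr


def threshold_for_far(genuine, impostor, target_far, steps=1000):
    """Lowest threshold whose measured FAR meets target_far, with the FRR it costs."""
    for i in range(steps + 2):  # the last step is just above 1.0, where FAR is 0
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        if far <= target_far:
            return t, far, frr
    raise AssertionError("unreachable: FAR is 0 above the maximum score")


def equal_error_rate(genuine, impostor, steps=1000):
    """Threshold where FAR and FRR are closest: one number that hides the trade-off."""
    rows = [(i / steps, *error_rates(genuine, impostor, i / steps))
            for i in range(steps + 1)]
    return min(rows, key=lambda row: abs(row[1] - row[2]))


def tradeoff_table(targets=(1e-2, 1e-3, 1e-4)):
    """For each FAR target: (target, threshold, measured FAR, resulting FRR)."""
    genuine, impostor = constructed_scores()
    return [(target, *threshold_for_far(genuine, impostor, target))
            for target in targets]


if __name__ == "__main__":
    g, imp = constructed_scores()
    t, far, frr = equal_error_rate(g, imp)
    print(f"equal error rate near threshold {t:.3f}: FAR={far:.4f} FRR={frr:.4f}")
    for target, t, far, frr in tradeoff_table():
        # FRR is the share of legitimate attempts pushed to the fallback mechanism.
        print(f"target FAR {target:.4f} -> threshold {t:.3f}, "
              f"measured FAR {far:.5f}, FRR {frr:.3f}")
```

A vendor's FAR figure is only comparable with another when the threshold and the FRR at that threshold are reported with it.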
Iris	more	accurate	than	face
Source:	https://www.youtube.com/watch?v=KyDoFrojEYk&list=PLrUBqh62arzt_Uf_UamHtRFDYl1tpRVCK
Source:	https://pages.nist.gov/800-63-3/sp800-63b.html
NIST:	Face	versus	Iris	Recognition,	Factor	of	100,000	in	Accuracy
Algorithms	for	Face	versus	Iris
But	what	is	the	user	experience?
Source:	http://www.eyelock.com/
General Ranking, Again It Depends
• Voice Recognition: 1 in 500
• Fingerprint: 1 in 10,000
• Touch ID: 1 in 50,000
• Facial Recognition: 1 in 100,000
• Single Iris: 1 in 500,000
• DNA: 1 in 800,000,000,000,000
Facial	recognition	for	
financial	transactions	
is	4+	years	away
Source:	https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April	2017)
Source:	http://www.economist.com/blogs/economist-explains/2015/06/economist-explains-12
Samsung	Galaxy	S8
Contrary	to	Earlier	Reports:
Users	cannot	use	facial	recognition	to	
authenticate	payments	
• Camera	and	deep	learning	technology	still	
evolving	for	facial	recognition
• Iris	and	fingerprint	are	more	secure
Source:	https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April	2017)
Source:	http://www.economist.com/blogs/economist-explains/2015/06/economist-explains-12
Samsung	S8
How	can	you	
tell	if	it’s	a	
bad	guy?
Source:	https://insights.samsung.com/2017/03/29/which-biometric-authentication-method-is-most-secure/
Source:	https://www.cse.wustl.edu/~jain/cse571-11/ftp/biomet/
Source:	https://www.cse.wustl.edu/~jain/cse571-11/ftp/biomet/#Rahul10
Iris	recognition	does	not	work	for	
everyone
• There	are	exceptions	for	every	
biometric	modality
Criteria for Biometric System
• Collectability
• Universality
Will	3D	Facial	Recognition	be	More	Accurate?
Source:	https://www.forbes.com/sites/gordonkelly/2017/02/19/iphone-8-touchid-facial-recognition-iris-scanner/#59dd71034eda (February	2017)
iPhone	8	Rumors
• 3D	selfie	camera
• Supports	facial	and	iris	recognition
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
What’s	more	secure,	
password	or	biometrics?
Fingerprint	
authentication	on	mobile
Source:	https://www.slideshare.net/centralohioissa/jamie-bowser-a-touchid-of-ios-security
Touch ID Architecture, Release 3
With iOS 9, third-party apps could use security Local Authentication
Diagram components: Touch ID Sensor, Fingerprint Map, Local Authentication, Security Framework, Secure Enclave, 3rd Party Applications, Apple Applications
Example: Don’t Just Unlock Static Password in Keychain
Source: https://www.vasco.com/
• Static password (My Bank): Unlock static password from keychain
• Secure channel, One-time crypto (My Bank): Use biometric, or other data for crypto
Dialog shown on both screens: Touch ID for My Bank; Touch ID or Enter Password; Enter Password; Cancel
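The contrast on this slide, as an added example (not code from the original slides or from any vendor): in the static design a successful biometric match releases the same password every time, so a value captured once is accepted again; in the one-time design the match releases a device key that answers a fresh server challenge. HMAC with a shared key stands in for the device key pair a production design would use, and the `Server` and `Device` classes and the `biometric_ok` flag (the result of the local match) are assumptions for illustration.

```python
"""Added example: static password release vs. biometric-gated challenge-response."""
import hashlib
import hmac
import secrets


class Server:
    def __init__(self):
        self._pw = {}        # user -> (salt, PBKDF2 hash), static-password design
        self._keys = {}      # user -> device key, one-time design
        self._pending = {}   # user -> outstanding single-use challenge

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user, password, device_key):
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, self._kdf(password, salt))
        self._keys[user] = device_key

    def login_static(self, user, password):
        salt, stored = self._pw[user]
        return hmac.compare_digest(stored, self._kdf(password, salt))

    def new_challenge(self, user):
        self._pending[user] = secrets.token_bytes(16)
        return self._pending[user]

    def login_challenge(self, user, tag):
        nonce = self._pending.pop(user, None)   # each challenge is usable once
        if nonce is None:
            return False
        expected = hmac.new(self._keys[user], nonce + user.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


class Device:
    """The biometric template and the match stay on the device in both designs."""

    def __init__(self, user, password):
        self.user = user
        self._keychain_password = password      # static secret kept in the keychain
        self._key = secrets.token_bytes(32)     # per-account key in secure hardware

    def enroll_with(self, server):
        server.enroll(self.user, self._keychain_password, self._key)

    def release_password(self, biometric_ok):
        if not biometric_ok:
            raise PermissionError("no local biometric match")
        return self._keychain_password          # identical bytes on every login

    def answer(self, biometric_ok, nonce):
        if not biometric_ok:
            raise PermissionError("no local biometric match")
        return hmac.new(self._key, nonce + self.user.encode(),
                        hashlib.sha256).digest()


def replay_outcomes():
    server = Server()
    device = Device("alice", "constructed-sample-password")  # constructed values
    device.enroll_with(server)

    # Static design: what crosses the network is the same in every session.
    sent = device.release_password(biometric_ok=True)
    static_first = server.login_static("alice", sent)
    static_replay = server.login_static("alice", sent)

    # One-time design: the response is bound to a challenge that is used once.
    tag = device.answer(True, server.new_challenge("alice"))
    challenge_first = server.login_challenge("alice", tag)
    server.new_challenge("alice")               # a later session, new challenge
    challenge_replay = server.login_challenge("alice", tag)

    try:
        device.answer(False, server.new_challenge("alice"))
        signed_without_match = True
    except PermissionError:
        signed_without_match = False

    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "challenge_first": challenge_first,
        "challenge_replay": challenge_replay,
        "signed_without_match": signed_without_match,
    }


if __name__ == "__main__":
    for name, value in replay_outcomes().items():
        print(f"{name}: {value}")
```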
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
Is	the	US	legal	system	
up	to	the	challenge?
There	is	no	federal	law	protecting	
biometric	information
Source:	https://iapp.org/news/a/can-the-u-s-legal-system-can-adapt-to-biometric-technology/
US Biometric Information Protection Laws
• 2008 Illinois: Biometric Information Privacy Act (BIPA)
• 2009 Texas: Texas Business and Commerce Code § 503.001
• 2017 Under Consideration: CT, NH, AK, WA, more
Source:	https://www.secureidnews.com/news-item/five-states-considering-bills-to-restrict-biometrics-use/ (February	2017)
Source:	http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
Source:	http://www.drinkerbiddle.com/insights/publications/2017/02/four-more-states-propose-biometrics-legislation
Source:	http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
Illinois	Biometrics	Information	Privacy	Act	(BIPA)	
• Written	Policy
• Retention
• Collection
• Disclosure
• Destruction
• Notification
• Consent	in	writing,	signed
Source:	http://www.chicagotribune.com/bluesky/originals/ct-biometric-illinois-privacy-whats-next-bsi-20170113-story.html
Source:	https://www.pattishall.com/pdf/2016-01%20Pattishall%20Insights.pdf
L.A.	Tan	Enterprises	
• December	2016	settlement
• $1.5	million	to	class	of	customers
• Failed	to	collect	written	consent
• Shared	fingerprint	scans	with	software	vendor
Facebook
• Ongoing
• 3	men	against	Facebook,	tagging	lawsuit
• Facebook	collection,	storage,	use	of	biometric	
information	without	informed	consent
Illinois	at	Forefront	of	Active	Court	Cases
Source:	https://www.law360.com/technology/articles/923703/kroger-unit-sued-over-alleged-storage-of-worker-fingerprints?nl_pk=65afb77a-0e17-49b2-b31e-5e6346836849&utm_source=newsletter&utm_medium=email&utm_campaign=technology (May	2017)
Source:	http://www.thenewstribune.com/news/business/article150218582.html
Source:	http://www.americanbar.org/publications/blt/2016/05/08_claypoole.html
No	Consent
An	Illinois	and	Wisconsin	supermarket	
chain	owned	by	Kroger
• Class	action
• Stored	employee	fingerprint	
information	without	consent
Illinois:	Storage	Of	Employee	Fingerprints
Source:	https://iapp.org/news/a/can-the-u-s-legal-system-can-adapt-to-biometric-technology/
Fingerprint versus Passcode
• Passcode
✓ Request Must You? No
✓ Testimonial or Non-Testimonial? Testimonial, personal knowledge
✓ Protection from Law Enforcement: Fifth Amendment, right against self incrimination
• Fingerprint
✓ Request Must You? Yes
✓ Testimonial or Non-Testimonial? Non-testimonial, like a key
✓ Protection from Law Enforcement: Undetermined, Fourth Amendment does not protect fingerprints
2014,	Supreme	Court	ruled
• Locked	devices	contain	
“the	privacies	of	life”
Diamond	argued	the	government	violated	his	
Fifth	Amendment	rights
• Made	Diamond	select	which	finger	to	use
Diamond argued	that	he	“was	required	to	
identify	for	the	police	which	of	his	fingerprints	
would	open the	phone”	
• This	requirement	compelled	a testimonial	
communication
Source:	https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/01/18/minnesota-court-on-the-fifth-amendment-and-compelling-fingerprints-to-unlock-a-phone/?utm_term=.c41ea471a51f (January	2017)
Source:	Larry	Moore,	January	2017
Minnesota:	Fifth	Amendment	and	Compelling	Fingerprint	Unlock
Source:	https://www.apple.com/business/docs/iOS_Security_Guide.pdf (March	2017)	
1. Device	has	just	been	turned	on,	or	
restarted
2. Device	hasn’t	been	unlocked	for	more	than	
48	hours	
3. Device	has	received	a	remote	lock	
command	
4. After	5	unsuccessful	attempts	to	match	a	
fingerprint
5. When	setting	up	or	enrolling	new	fingers	
with	Touch	ID
6. The	passcode	hasn’t	been	used	to	unlock	
the	device	in	the	last	156	hours	(6.5	days)	
and Touch	ID	has	not	unlocked	the	device	in	
the	last	4	hours
When	is	Passcode	Required?
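The six conditions above as a single check, as an added example (not Apple's code): given a device's state it returns which conditions currently force the passcode, which makes the interaction of the two timers in item 6 easy to see. The `DeviceState` fields, the reason labels and the sample states are assumptions constructed for illustration; the limits are the ones listed above.

```python
"""Added example: evaluate the listed passcode-required conditions for a device state."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DeviceState:
    # Hypothetical model of the state the six conditions depend on.
    last_unlock: datetime                 # most recent unlock by any method
    last_passcode_unlock: datetime
    last_touch_id_unlock: datetime
    unlocked_since_boot: bool = True
    remote_lock_received: bool = False
    failed_fingerprint_attempts: int = 0
    enrolling_new_finger: bool = False


def passcode_reasons(state, now):
    """Return the list of conditions that require the passcode; empty means
    a fingerprint match is still sufficient."""
    reasons = []
    if not state.unlocked_since_boot:
        reasons.append("restart")                       # condition 1
    if now - state.last_unlock > timedelta(hours=48):
        reasons.append("idle_48h")                      # condition 2
    if state.remote_lock_received:
        reasons.append("remote_lock")                   # condition 3
    if state.failed_fingerprint_attempts >= 5:
        reasons.append("failed_matches")                # condition 4
    if state.enrolling_new_finger:
        reasons.append("enrollment")                    # condition 5
    # Condition 6 needs BOTH timers to have expired.
    passcode_stale = now - state.last_passcode_unlock > timedelta(hours=156)
    touch_id_idle = now - state.last_touch_id_unlock > timedelta(hours=4)
    if passcode_stale and touch_id_idle:
        reasons.append("passcode_stale_and_touch_id_idle")
    return reasons


def demo():
    """Constructed sample states, evaluated at a fixed point in time."""
    now = datetime(2017, 5, 17, 12, 0)

    def hours_ago(n):
        return now - timedelta(hours=n)

    base = DeviceState(last_unlock=hours_ago(1),
                       last_passcode_unlock=hours_ago(168),
                       last_touch_id_unlock=hours_ago(1))
    scenarios = {
        "touch_id_used_1h_ago": base,
        "touch_id_idle_5h": replace(base, last_unlock=hours_ago(5),
                                    last_touch_id_unlock=hours_ago(5)),
        "passcode_recent_idle_50h": replace(base, last_unlock=hours_ago(50),
                                            last_passcode_unlock=hours_ago(100),
                                            last_touch_id_unlock=hours_ago(50)),
        "just_restarted": replace(base, unlocked_since_boot=False),
        "five_failed_matches": replace(base, failed_fingerprint_attempts=5),
    }
    return {name: passcode_reasons(s, now) for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {reasons or 'fingerprint still accepted'}")
```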
Source:	https://www.secureidnews.com/news-item/five-states-considering-bills-to-restrict-biometrics-use/ (February	2017)
“Entities	may	have	to	consider	
changes	to	their	notice	and	
consent	practices,	or	decide	to	
not	collect	or	store	biometric	
data	at	all.”
Jeffrey	Neuburger
National	Law	Review
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
What	is	the	impact	of	
the	new	EU	directives	
and	regulations?
GDPR	and	PSD2
Source:	https://www2.deloitte.com/lu/en/pages/banking-and-securities/articles/psd2-rts-on-authentication-and-communication.html
Timeline
• GDPR
✓ May 2018
• PSD2 includes specific requirements for biometric recognition for multi-factor authentication, or what it terms, “Strong Customer Authentication (SCA)”
✓ SCA not until late 2018 at earliest
General	Data	Protection	Regulation	(GDPR)	and	
Second	Payment	Services	Directive	(PSD2)
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
General	Data	
Protection	Regulation	
(GDPR)
Source:	https://www.whitecase.com/publications/article/chapter-4-territorial-application-unlocking-eu-general-data-protection
An	organization	based	outside	the	
EU	is	subject	to	the	GDPR	if
• Offers	goods	or	services	to	EU	
data	subjects	
• Monitors	the	behavior	of	EU	
data	subjects
Does	the	GDPR	Apply	to	US-Based	Entities?
GDPR	applies	to	EU/EEA	citizens	in	the	US
• EEA	=	EU	+	Norway,	Iceland,	Liechtenstein	
• Brexit	in	future
Source:	http://www.privacy-regulation.eu/en/4.htm
Source:	https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf
Source:	http://midasalliance.org/externalnews/could-gdpr-need-strong-customer-authentication/
EU	General	Data	Protection	Regulation	(GDPR)
GDPR
Existing	Data	
Protection	Directive
Personal	Data
• Name
• Photo
• E-mail	address
• Phone	number
• Address
• Personal	identification	
numbers
• IP	address
• Mobile	device	identifiers
• Geo-location
• Biometric	data
• Psychological	identity
• Genetic	identity
• Economic	status
• Cultural	identity
• Social	identity
Organizations	must
• Secure	personal	data
• Enable	data	subjects	to	see	what	
information	is	held	about	them
Source:	http://www.privacy-regulation.eu/en/4.htm
Source:	https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf
Source:	https://www.scienceabc.com/innovation/lesser-known-methods-biometrics-identification-retinal-fingerprint-scan-gait-analysis-keystroke.html
Source:	http://www.heritagedaily.com/2016/01/genetic-data-does-not-support-ancient-trans-atlantic-migration-professor-says-see-more-at-httpnews-ku-edu20151217genetic-data-does-not-support-ancient-trans-atlantic-migration-professor-say/109249
EU	General	Data	Protection	Regulation	(GDPR)
Personal	data
• Any	information	relating	to	an	identified	or	identifiable	
natural	person	
Genetic	data
• Inherited	or	acquired	genetic	characteristics	
Biometric	data
• Physical,	physiological,	or	behavioral	characteristics	of	a	
person
• For	example,	facial	images	or	dactyloscopic data
EU	General	Data	Protection	Regulation	(GDPR)
Source:	http://www.privacy-regulation.eu/en/9.htm
Source:	https://dma.org.uk/event/webinar-the-ico-s-gdpr-consent-guidance
Processing of Genetic or Biometric Data
• Prohibited
• Exceptions include
✓ Consent
➢ Person gives explicit consent to the processing of those personal data
➢ For one or more specified purposes
✓ Employment
EU	General	Data	Protection	Regulation	(GDPR)
Source:	http://www.privacy-regulation.eu/en/9.htm
Source:	http://www.duhaime.org/LegalDictionary/L/Legalese.aspx
Need	Consent	to	Process	Personal	Data
• Clear,	plain	language
• Freely	given
• As	easy	to	withdraw	as	to	give	consent
No	Legalese
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
Second	Payment	
Services	Directive	
(PSD2)
EU	PSD2	Requirements	for	Biometric	Recognition	for	Authentication
Date:	23	February	2017
Source:	https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
Source:	http://nordicapis.com/psd2-sanctions-access-to-personal-banking-data-amplifying-fintech-growth/
• Low	False	Acceptance	Rate	(FAR)
• Anti-spoofing	measures
Convenience
Security
EU	PSD2	Requirements	for	Biometric	Recognition	for	Authentication
Date:	23	February	2017
Source:	https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
Source:	http://nordicapis.com/psd2-sanctions-access-to-personal-banking-data-amplifying-fintech-growth/
• Independence of factors in multi-factor authentication
✓ The breach of one of the factors does not compromise the reliability of the other factors
• Use of separated secure execution environments
Know Have Are
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
Impact	of	EU	Privacy	
Legislation
Impact	of	EU	Privacy	Legislation	on	Biometric	Systems	(1	of	3)
Source:	http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
Source:	http://findbiometrics.com/cylab-honored-for-long-distance-iris-scanner-24272/
• Biometrics can reveal medical conditions
• Biometrics make it easier to gather personal information
✓ Ability to do so covertly
• Biometrics at a distance
✓ Increased accuracy with which individuals can be identified remotely
• Biometrics can be used to link databases that have been anonymized
✓ De-anonymization techniques
Long-Distance	Iris	Scanner
Impact	of	EU	Privacy	Legislation	on	Biometric	Systems	(2	of	3)
Source:	http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
Doubt	over	whether	
organizations	can	be	trusted	
to	follow	regulations
Impact	of	EU	Privacy	Legislation	on	Biometric	Systems	(3	of	3)
Even	when	organizations	do	not	actively	
attempt	to	abuse	personal	data,	it	is	
difficult	to	ensure	its	privacy,	as	illustrated	
by	some	of	the	well-publicized	breaches.
OPM	Breach
5.6	M	Fingerprints
Biometrics	are	often	used	in	situations	where	
there	is	a	significant	asymmetry	of	power
• Employers	monitoring	employees
• Governments	monitoring	those	entering	and	
leaving	the	country	
Source:	http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
Will	ISO/IEC	define	how	
to	evaluate	anti-spoofing	
for	mobile	devices?
Presentation	Attack	Detection	(PAD),	Emerging	Standards
Source:	https://www.iso.org/standard/53227.html
ISO/IEC	DIS	30107-2
Information	technology	-- Biometric	presentation	attack	
detection	-- Part	2:	Data	formats
ISO/IEC	FDIS	30107-3
Information	technology	-- Biometric	presentation	attack	
detection	-- Part	3:	Testing	and	reporting
NEW:	April	28,	2017,	Part	4
Presentation	Attack	Detection	(PAD)	for	Mobile	Devices
Source:	https://www.iso.org/standard/53227.html
Source:	https://cacm.acm.org/magazines/2016/4/200169-multimodal-biometrics-for-enhanced-mobile-device-security/abstract
Source:	http://www.planetbiometrics.com/article-details/i/5803/ (April	2017)
Source:	http://profit.ndtv.com/news/life-and-careers/article-new-smartphone-from-infocus-to-support-aadhaar-authentication-1634102
ISO/IEC	30107-4
Biometric	presentation	attack	detection	– Profile	for	
evaluation	of	mobile	devices
Address	spoofing	and	presentation	attacks	against	mobile	
devices
Presentation	Attack	Detection	(PAD)	includes
• Fake	fingerprints
• Video	replays
• Voice	recordings
Concern	for	commercial	and	government	agencies
• Rely	on	mobile	device	authentication	for	transactions	
and	identity	confirmation
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
Does	NIST	provide	quantitative	
anti-spoofing	requirements?
Is	it	possible	to	measure	the	
strength	of	a	biometric	system?
Source:	http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source:	https://www.qafis.com/anti-spoofing
Presentation	Attack	Detection	(PAD),	Anti-Spoofing
Anti-Spoofing
Anti-Spoofing	
• Active:	user	must	participate,	blink,	
smile,	turn	head
• Passive:	user	participation	is	not	needed,	
hardware	or	software	algorithms
NIST:	PAD	should	detect	spoofing	90%	of	the	time
Source:	https://pages.nist.gov/SOFA/
Source:	https://www.secureidnews.com/news-item/sofa-b-enabling-organizations-to-measure-the-strength-of-biometric-technologies/?tag=biometrics
Strength	of	Function	for	Authenticators	(SOFA)	- Biometrics
Measurement	of	biometric	system	strength:
• Provide	a	level	of	quantitative	assurance.
• Outline	a	process	to	support	evaluation	of	
biometric	authenticators.
NIST
ISO/IEC FIDO
SOFA	Equation
• Level	of	Effort
• PAD	Error	Rate	(PADER)
• False	Match	Rate	(FMR)
• False	Non-Match	Rate	(FNMR)
SOFA-B	(NIST,	April	2017)
Source:	https://www.nist.gov/sites/default/files/documents/2016/11/21/sofa_discussiondraftoverview-v1_1.pdf (April	2017)	
ZeroInfo case:	No	masquerade	attempt,	brute	force,	no	knowledge.	
Targeted	case:	Create	a	sample	that	resembles	the	individual	biometric	
characteristic.
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
Will	FIDO	offer	
biometric	certification	
programs	in	the	future?
Graphic:	https://www.airloom.com/technology/security-as-a-service/
Source:	https://fidoalliance.org/about/overview/
Source:	https://www.slideshare.net/FIDOAlliance/introduction-to-fido-alliance-66730790
The FIDO (Fast	IDentity Online) Alliance
• July	2012	
• 501(c)6	non-profit	
• Address	the	lack	of	interoperability	
among	strong	authentication	
devices
• Address	problems	users	face	with	
creating	and	remembering	multiple	
usernames	and	passwords
338+ Solutions
What	is	FIDO?
Store	Biometrics	on	Personal	Device	or	Server?	
Source:	Webinar	by	Forrester	and	Nok Nok Labs,	February	1,	2017
Graphic:	http://findbiometrics.com/topics/fido-alliance/
Graphic:	https://www.carphonewarehouse.com/apple/iphone-6.html
Graphic:	http://kryptostech.com/server-management/
Graphic:	http://www.planetbiometrics.com/article-details/i/5463/desc/facebook-rolling-out-support-for-fido/
Enroll,	biometrics	only	stored	on	personal	
device	(FIDO	Alliance,	others)
• Biometrics	remain	on	the	device,	are	not	
transmitted
• Not	susceptible	to	theft	by	insiders	or	
identity	thieves	who	can	access	a	server	
repository
Enroll,	biometrics	stored	on	server
• No-password	model
• Works	if	no	mobile	phone,	works	with	land	line
• Works	if	person	calls	in
• Privacy	concerns
• Susceptible	to	theft,	unwanted	modification	by	
insiders	or	identity	thieves
Graphic:	https://www.airloom.com/technology/security-as-a-service/
Trends
Multimodal	Biometrics
Research	from	California	State	University,	Fullerton
• Use	ear	plus	face	and	fingerprint
• Multimodal	biometrics	adds	layer	of	security	to	
the	existing	mobile	device	security
Source:	https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
Source:	http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Graphic:	http://www.rd.com/health/wellness/unique-body-parts/
Researchers claim some mobile biometric authentication suffers from
• Poor quality mobile hardware
✓ Camera
✓ Microphone
• Environmental condition
✓ Lighting
✓ Background Noise
• User error
• Use of unimodal biometrics, less secure
Multimodal:	Google	Trust	API
Source:	http://www.itshacking.xyz/good-bye-passwords-as-google-plans-a-different-verification-option/
Source:	https://techcrunch.com/2015/05/29/googles-atap-wants-to-eliminate-passwords-for-good/
Get	Rid	of	Password
• How	you	swipe
• How	you	move
• How	you	type
• How	you	talk
• Your	face
• Combine	for	multimodal
Biometrics	Forecast
Source:	http://www.bpaybanter.com.au/news-views/facewallet-%E2%80%93-look-mum-no-phone-or-card
Source:	http://www.acuity-mi.com/GBMR_Report.php
2020:	Global	mobile	biometric	market	
revenues	will	reach	$34.6	B	annually
• 4.8	B	biometrically-enabled	mobile	devices	
generating	$6.2	B	in	biometric	sensor	
revenue
• 5.4	B	biometric	app	downloads	generating	
$21.7	B	in	annual	revenues	from	direct	
purchase	and	software	development	fees
• 807	B	biometrically	secured	payment	and	
non-payment	transactions	generating	$6.7	
B	in	authentication	fees
Contactless	Biometric	Authentication
Source:	http://www.acuity-mi.com/FOB_Report.php
Source:	https://www.youtube.com/watch?v=Yc_rVLb6zhk
Technology
• High	resolution	image	capture
• Large-scale	data	management
• High-speed	processing
• Pattern	recognition	and	matching	algorithms
Contactless
Capture technology will operate accurately regardless of environmental conditions
• Biometric authentication that does not require the user to do anything
✓ Will be safer (no touch, no transmission of germs)
• The technology will eventually disappear into the essential components of everyday life
Master	Key	to	Unlock	Finger	
Sensors?
Source:	https://www.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html?_r=2 (April	2017)
Computer	simulations
• Similarities	of	partial	prints
• Created	Master	Prints
• Matched	prints	65%	of	time
Nasir	Memon
Professor	of	Computer	Science	and	Engineering	
New	York	University
We	Stand	on	the	Shoulders	of	Giants
Source:	https://alchetron.com/John-Daugman-489257-W
Source:	http://www.idiap.ch/~marcel/professional/Welcome.html
Source:	https://www.egr.msu.edu/people/profile/jain
Source:	http://nislab.no/people/norwegian_information_security_laboratory/professors/christoph_busch
John	Daugman
Sébastien Marcel
Anil	Jain
Christoph	Busch
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
Questions?
Clare	Nelson,	CISSP,	CIPP/E
@Safe_SaaS
clare_nelson@clearmark.biz
Presentation	Posted on	SlideShare:	
https://www.slideshare.net/eralcnoslen/edit_my_uploads
Graphic:	http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
Backup	Slides
Source:	http://aitegroup.com/report/biometrics-time-has-come
Source:	http://www.aspire-security.eu/access-control.html
“Continuous	authentication”	is	closer	to	becoming	a	reality	by	leveraging	both	
physical	and	behavioral	biometrics.	
• This	could	help	reduce	account-takeover	fraud.
• Financial	institutions	need	to	balance	usability	and	security	as	well	as	
privacy	and	disclosure	to	effectively	implement	biometrics.
• Financial	institutions	also	need	to	consider	model	risk	management	and	
vendor	management	when	selecting	solutions.	In	many	cases,	these	can	be	
handled	proactively	through	existing	processes.	
• Organizations	need	to	think	carefully	about	identity	proofing	and	binding	
when	rolling	out	biometrics	to	ensure	the	correct	biometric	is	bound	to	the	
correct	identity	and	the	correct	device
Continuous	Authentication
• Austin InfraGard (partnership between the FBI and members of the private sector), February 9, 2017: Biometrics and Multi-Factor Authentication, The Unleashed Dragon, https://www.slideshare.net/eralcnoslen/biometric-authentication-dragon-unleashed-v15-71879058
• BSides Austin, May 5, 2017: Biometric Recognition for Multi-Factor Authentication, How Measure Strength? Which Modality is Best? https://www.slideshare.net/eralcnoslen/biometric-recognition-for-authentication-bsides-austin-may-2017
Recent Talks on Biometrics for Multi-Factor Authentication
Clare	Nelson,	CISSP,	CIPP/E
Source:	http://ieeexplore.ieee.org/document/7192823/
EU	Privacy	Legislation
Three Use Cases
1. Border security
2. Online bank access control
3. Customer profiling in stores
Source:	http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source:	https://www.computer.org/csdl/trans/tp/2006/01/i0031.html
Face	Spoofing
Matching	2.5D	Face	Scans	to	3D	Models
2D	Fingerprint	Hacks
• Starbug,	aka	Jan	Krissler
• 2014: Cloned fingerprint of German Defense Minister, Ursula Von der Leyen
  ✓ From photographs [1, 2]
• 2013: Hacked Apple Touch ID on iPhone 5S ~24 hours after release in Germany
  ✓ Won IsTouchIDHackedYet.com competition [3]
• 2006: Published research on hacking fingerprint recognition systems [4]
[1] Source: https://www.youtube.com/watch?v=vVivA0eoNGM
[2] Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
[3] Source: http://istouchidhackedyet.com
[4] Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Starbug Faking	Touch	ID
Source:	http://istouchidhackedyet.com
Fingerprint	Risk
Security experts say peace sign selfies are a
fingerprint risk.
Source: http://www.planetbiometrics.com/article-details/i/5405/
Graphic: http://www.humintell.com/2011/03/the-complicated-world-of-gestures/dreamstime_15605744/
The	Case	for	Behavioral	Biometrics
Source:	https://www.trusona.com/patented-anti-replay/
Source:	https://en.wikipedia.org/wiki/Albert_Einstein
Adding	any	new	static	user	
credentials	like	longer	
passwords	or	[biological]	
biometrics	is	futile.
– Trusona
Added	Security	or	Risk?
Biometric	Authentication,	Convenience	versus	Security	
False	sense	of	security	spreading	on	a	gigantic	scale.
– Hitoshi	Kokumai
President	at	Mnemonic	Security
“Fingerprint	authentication	is	not	being	used	to	make	phones	
more	secure	but	rather	as	a	form	of	convenience.”
How	Well	Does	Biometric	Authentication	Actually	Work?
Biometric	features	are	very	difficult	if	not	impossible	to	
change	if	they	are	stolen.
• If	a	password	is	compromised,	it	can	be	changed	and	
reset.
• If	a	Client	Certificate	is	stolen,	it	can	be	revoked	and	a	new	
one	issued.
• If	an	OTP	device	is	stolen,	it	simply	needs	to	be	canceled	
and	reconfigured.	
• Companies	are	limited	in	their	choices	if	fingerprints	or	
vocals	are	breached.
Graphic:	http://www.tomsitpro.com/articles/identity-access-management-solutions,2-813.html
Source:	https://blog.digicert.com/biometric-authentication-methods/
We	are	often	blinded	by	the	“awe”	factor	of	new	technology.
Acoustic	Ear-Shape	Biometric	Authentication
NEC
A	microphone	embedded	within	an	
earphone	analyzes	the	resonance	of	sounds	
within	the	ear	cavity	in	order	to	produce	a	
biometric	profile.
Source:	http://www.handsonlabs.org/nec-developing-acoustic-ear-shape-biometric-authentication-solution/
Source:	http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Requires	earphones
Source:	https://people.kth.se/~maguire/iPAQ-photos/iPAQ-with-stylus-cropped.gif
HP	iPAQ	Pocket	PC
2003
Source:	https://pages.nist.gov/800-63-3/
Did	You	Throw	a	NIST	Party	on	February	7,	2017?
Updated	Draft	NIST	Guidelines	on	Digital	Identity
• Webinar
• Posted on GitHub for comment: https://pages.nist.gov/800-63-3/sp800-63-3.html
• Four	new	documents
1. SP	800-63-3,	Digital	Guidelines
2. SP	800-63A,	Enrollment	and	Identity	Proofing	
Guidelines
3. SP	800-63B,	Authentication	and	Lifecycle	Management
  ✓ Use of Biometrics
4. SP	800-63C,	Federation	and	Assertions
Biometrics	may	be	used	to	unlock	multi-factor	
authenticators	and	prevent	repudiation	of	enrollment
Source:	https://pages.nist.gov/800-63-3/sp800-63b.html
NIST	Update	on	Allowable	Use	of	Biometrics
SP	800-63B,	Authentication	and	Lifecycle	Management
5.2.3.	Use	of	Biometrics
Supports	limited	use	of	biometrics	for	authentication
• Biometric	False	Match	Rates	(FMR)	and	False	Non-Match	Rates	(FNMR)	do	
not	provide	confidence	in	the	authentication	of	the	subscriber	by	
themselves.	In	addition,	FMR	and	FNMR	do	not	account	for	spoofing	
attacks.
• Biometric	matching	is	probabilistic,	whereas	the	other	authentication	
factors	are	deterministic.
• Biometric	template	protection	schemes	provide	a	method	for	revoking	
biometric	credentials	that	are	comparable	to	other	authentication	factors	
(e.g.,	PKI	certificates	and	passwords).	However,	the	availability	of	such	
solutions	is	limited,	and	standards	for	testing	these	methods	are	under	
development.
• Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns).
  ✓ While presentation attack detection (PAD) technologies such as liveness detection can mitigate the risk of these types of attacks, additional trust in the sensor is required to ensure that PAD is operating properly in accordance with the needs of the CSP and the subscriber.
Therefore,	the	use	of	biometrics	for	authentication	is	supported	with	
the	following	requirements	and	guidelines:
• Biometrics	SHALL	be	used	with	another	authentication	factor	
(something	you	have).
• An	authenticated	protected	channel	between	sensor	(or	endpoint	
containing	a	sensor	that	resists	sensor	replacement)	and	verifier	
SHALL	be	established	and	the	sensor	or	endpoint	
authenticated prior to	capturing	the	biometric	sample	from	the	
claimant.
• Empirical	testing	of	the	biometric	system	to	be	deployed	SHALL	
demonstrate	an	EER	of 1	in	1000 or	better	with	respect	to	
matching	performance.	The	biometric	system	SHALL	operate	with	
an	FMR	of 1	in	1000 or	better.
• The	biometric	system	SHOULD	implement	PAD.	Testing	of	the	
biometric	system	to	be	deployed	SHOULD	demonstrate	at	least	
90%	resistance	to	presentation	attacks	for	each	relevant	attack	
type	(aka	species),	where	resistance	is	defined	as	the	number	of	
thwarted	presentation	attacks	divided	by	the	number	of	trial	
presentation	attacks.
PAD	is	being	considered	as	a	mandatory	requirement	in	future	
editions	of	this	guideline.
PAD	=	Presentation	Attack	Detection
Source:	https://pages.nist.gov/800-63-3/sp800-63b.html
Source:	http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=52946
NIST	Update	on	Allowable	Use	of	Biometrics
SP	800-63B,	Authentication	and	Lifecycle	Management
5.2.3.	Use	of	Biometrics	(continued)
The	biometric	system	SHALL	allow	no	more	than	5	consecutive	failed	
authentication	attempts	or	10	consecutive	failed	attempts	provided	PAD	
meeting	the	above	requirements	is	implemented.	Once	that	limit	has	been	
reached,	the	biometric	authenticator	SHALL	either:
• Impose	a	delay	of	at	least	30	seconds	before	the	next	attempt,	increasing	
exponentially	with	each	successive	attempt,	e.g.,	1	minute	before	the	
following	failed	attempt,	2	minutes	before	the	second	following	attempt,	
etc.
OR
• Disable	the	biometric	user	verification	and	offer	another	factor	(a	
different	biometric	modality	or	a	PIN/Passcode	if	it	is	not	already	a	
required	factor)	if	such	an	alternative	method	is	already	implemented.
Determination	of	sensor/endpoint	performance,	integrity,	and	authenticity	
can	be	accomplished	in	several	different	ways,	any	of	which	are	acceptable	
under	this	guideline.	These	include	but	are	not	limited	to:	authentication	of	
the	sensor	or	endpoint,	certification	by	an	approved	accreditation	authority,	
or	runtime	interrogation	of	signed	metadata	(e.g.,	attestation)	as	described	
in Section	5.2.4.
Biometric	matching	SHOULD	be	performed	locally	on	claimant’s	device	or	
MAY	be	performed	at	a	central	verifier.
ISO/IEC	24745 =	Information	technology	– Security	
techniques	– Biometric	information	protection
If	matching	is	performed	centrally:
• Use	of	the	biometric	SHALL	be	limited	to	one	or	more	specific	devices	
that	are	identified	using	approved	cryptography.
• Biometric	revocation,	referred	to	as	biometric	template	protection	
in ISO/IEC	24745,	SHALL	be	implemented.
• All	transmission	of	biometrics	shall	be	over	the	authenticated	protected	
channel.
Biometric	samples	collected	in	the	authentication	process	MAY	be	used	to	
train	matching	algorithms	or,	with	user	consent,	for	other	research	
purposes.	Biometric	samples	(and	any	biometric	data	derived	from	the	
biometric	sample	such	as	a	probe	produced	through	signal	processing)	
SHALL	be	erased	from	memory	immediately	after	any	training	or	research	
data	has	been	derived.
Biometrics	are	also	used	in	some	cases	to	prevent	repudiation	of	registration	
and	to	verify	that	the	same	individual	participates	in	all	phases	of	the	
registration	process	as	described	in	SP	800-63A.
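The attempt limits, back-off schedule and test thresholds quoted from draft SP 800-63B above, worked through as an added Python example (not from the slides or from NIST). The class and function names are hypothetical, the test figures are constructed, and only the delay option is implemented, not the disable-and-offer-another-factor option.

```python
from dataclasses import dataclass

# Thresholds as quoted on the slides from draft SP 800-63B, section 5.2.3.
FMR_LIMIT = 1 / 1000         # "SHALL operate with an FMR of 1 in 1000 or better"
PAD_RESISTANCE_MIN = 0.90    # "at least 90% resistance" per attack type (species)
BASE_DELAY_S = 30            # "a delay of at least 30 seconds"
LIMIT_NO_PAD = 5             # consecutive failures allowed without qualifying PAD
LIMIT_WITH_PAD = 10          # consecutive failures allowed with qualifying PAD


def pad_resistance(thwarted: int, trials: int) -> float:
    """Resistance = thwarted presentation attacks / trial presentation attacks."""
    if trials <= 0:
        raise ValueError("no trial presentation attacks recorded")
    return thwarted / trials


def pad_meets_guideline(results: dict) -> bool:
    """results maps attack species -> (thwarted, trials).

    Every species must reach the minimum on its own; a strong average
    cannot hide one weak species.
    """
    return bool(results) and all(
        pad_resistance(thwarted, trials) >= PAD_RESISTANCE_MIN
        for thwarted, trials in results.values()
    )


def fmr_meets_guideline(false_matches: int, impostor_attempts: int) -> bool:
    """False match rate measured in empirical testing must be <= 1 in 1000."""
    if impostor_attempts <= 0:
        raise ValueError("no impostor attempts recorded")
    return false_matches / impostor_attempts <= FMR_LIMIT


@dataclass
class BiometricThrottle:
    """Consecutive-failure limiter using the exponential delay option."""
    pad_qualified: bool = False   # True only if pad_meets_guideline() held in testing
    failures: int = 0             # consecutive failed attempts
    locked_until: float = 0.0     # time (seconds) before which no sample is evaluated

    @property
    def limit(self) -> int:
        return LIMIT_WITH_PAD if self.pad_qualified else LIMIT_NO_PAD

    def current_delay(self) -> int:
        """30 s once the limit is reached, doubling with each further failure."""
        over = self.failures - self.limit
        return 0 if over < 0 else BASE_DELAY_S * 2 ** over

    def attempt(self, matched: bool, now: float) -> str:
        if now < self.locked_until:
            return "throttled"            # sample is not evaluated during the delay
        if matched:
            self.failures = 0             # a success resets the consecutive count
            self.locked_until = 0.0
            return "accepted"
        self.failures += 1
        self.locked_until = now + self.current_delay()
        return "rejected"


if __name__ == "__main__":
    # Constructed PAD test results: one species falls just short of 90%.
    lab = {"printed_photo": (95, 100), "silicone_finger": (89, 100)}
    throttle = BiometricThrottle(pad_qualified=pad_meets_guideline(lab))
    clock = 0.0
    for n in range(1, 8):
        outcome = throttle.attempt(False, clock)
        print(n, outcome, "next attempt allowed at", throttle.locked_until)
        clock = max(clock, throttle.locked_until)
```

Because the constructed `silicone_finger` species reaches only 89%, the device does not earn the 10-attempt allowance and the delay starts after the fifth consecutive failure.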
How do you determine that the correct biometric is bound to the correct identity and the correct device?
• Perform	identity	proofing	prior	to	
binding
• Depending	on	use	cases	and	risk,	re-
proof	for	account	recovery,	new	device	
enrollment
Mobile	and	Wearables
Source:	http://tech.co/wearables-2014-09
Source:	https://blog.kaspersky.com/same_security_threats_new_devices/6015/
Source:	http://www.nyas.org/Publications/Ebriefings/Detail.aspx?cid=4ccb2744-08b3-47bf-ac49-b9c8e967d552
Source:	http://i-hls.com/archives/74786
Source	:	https://www.idiap.ch/en/scientific-research/biometric-person-recognition
The Biometrics group at Idiap investigates and develops novel image-
processing and pattern-recognition algorithms for face recognition
(2D, 3D, and near-infrared), speaker recognition, anti-spoofing
(presentation attack detection), and emerging biometric modes (EEG
and vascular). The group is geared toward reproducible research and
technology transfer, using its own signal-processing and machine-
learning toolbox.
Source:	http://www.americanbar.org/publications/blt/2016/05/08_claypoole.html
Maze	of	sectoral	laws,	state	laws,	pending	cases,	and	
recommendations
• Patchwork	of	privacy	laws	and	rules	governing	the	use	and	
collection	of	biometric	data
• Practitioners,	technology	developers,	and	privacy-conscious	
individuals	should	watch	this	rapidly	developing	legal	
landscape
• Companies	employing	technologies	using	biometric	
identifiers	may	want	to	err	on	the	side	of	caution	and	
ensure	that	their	notification	and	consent	processes	are	
clear	and	conspicuous	
• For	cautious	businesses,	employ	an	opt-in	structure	for	your	
technologies	using	biometric	identifiers	
• Look	hard	at	your	retention	policies	and	look	harder	at	your	
disposal	practices	
CISO	Concerns:	Consent,	Retention,	Disposal
Graphic:	https://iapp.org/
• Employee,	Janice,	is	EU	citizen
• Janice	visits	Austin
• You	enroll	Janice	in	physical	security	
system,	capture	and	store	her	fingerprints
• You	are	processing	sensitive	personal	data
• Need	to	get	consent,	but	this	consent	is	
not	really	freely	given
• You	may	not	be	able	to	let	Janice	withdraw
• Provide	clear	instructions,	not	legalese
• Policies	for	processing	sensitive	personal	
data,	consult	your	general	counsel
GDPR	Applies	to	EU	Citizens	in	US
Biggest	Market	is	Asia	Pacific
Source:	http://press.trendforce.com/node/prints/2150
Market	Value
• Biometric	Solutions	for	
Financial	Services	Applications	
• By	Region
Source: https://www.outsideonline.com/2157451/how-use-your-phone-intention
Environmental	Challenges
Source:	https://developer.xamarin.com/guides/ios/platform_features/introduction_to_touchid/
Fingerprint:	Local	Authentication	with	Touch	ID
Touch	ID
Introduced	with	iPhone	5S	in	September	2013
• Unlock	phone
• Approve	iTunes	app	store	purchase
iOS	9+
• Use	Local	Authentication	API
• Unlock	keychain	data
A10	Chip
How	can	you	
tell	if	it’s	a	
bad	guy?
Source:	https://arstechnica.com/gadgets/2017/03/video-shows-galaxy-s8-face-recognition-can-be-defeated-with-a-picture/
Source:	https://realizethelies.com/tag/facial-recognition-software/
Source:	https://www.iso.org/standard/55194.html (2017)
• Biometric Verification
  o Comparison: 1-to-1
  o Purpose: Confirm or deny claimed identity
  o Use case example: Mobile app authentication
• Biometric Identification
  o Comparison: 1-to-Many
  o Purpose: Identify a specific individual
  o Use case example: Airport security
Biometric	Recognition
Primary	Focus:	Biometric	Recognition	for	Multi-Factor	Authentication	(MFA),	
Mobile	Use	Case
Scope
(“Biometric	Authentication”	is	deprecated)
Source:	http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
(d)	No	private	entity	in	possession	of	a	biometric	identifier	or	biometric	
information	may	disclose,	redisclose,	or	otherwise	disseminate	a	person's	or	a	
customer's	biometric	identifier	or	biometric	information	unless:
(1)	the	subject	of	the	biometric	identifier	or	biometric	information	or	the	
subject's	legally	authorized	representative	consents	to	the	disclosure	or	
redisclosure;
(2)	the	disclosure	or	redisclosure completes	a	financial	transaction	
requested	or	authorized	by	the	subject	of	the	biometric	identifier	or	the	
biometric	information	or	the	subject's	legally	authorized	representative;
(3)	the	disclosure	or	redisclosure is	required	by	State	or	federal	law	or	
municipal	ordinance;	or
(4)	the	disclosure	is	required	pursuant	to	a	valid	warrant	or	subpoena	
issued	by	a	court	of	competent	jurisdiction.
(e)	A	private	entity	in	possession	of	a	biometric	identifier	or	biometric	
information	shall:
(1)	store,	transmit,	and	protect	from	disclosure	all	biometric	identifiers	
and	biometric	information	using	the	reasonable	standard	of	care	within	
the	private	entity's	industry;	and
(2)	store,	transmit,	and	protect	from	disclosure	all	biometric	identifiers	
and	biometric	information	in	a	manner	that	is	the	same	as	or	more	
protective	than	the	manner	in	which	the	private	entity	stores,	transmits,	
and	protects	other	confidential	and	sensitive	information.
Illinois	Biometrics	Information	Privacy	Act	(BIPA)	
Sec.	15. Retention;	collection;	disclosure;	destruction.
(a)	A	private	entity	in	possession	of	biometric	identifiers	or	biometric	information	must	
develop	a	written	policy,	made	available	to	the	public,	establishing	a	retention	schedule	and	
guidelines	for	permanently	destroying	biometric	identifiers	and	biometric	information	when	
the	initial	purpose	for	collecting	or	obtaining	such	identifiers	or	information	has	been	
satisfied	or	within	3	years	of	the	individual's	last	interaction	with	the	private	entity,	
whichever	occurs	first.	
(b)	No	private	entity	may	collect,	capture,	purchase,	receive	through	trade,	or	otherwise	
obtain	a	person's	or	a	customer's	biometric	identifier	or	biometric	information,	unless	it	first:
(1)	informs	the	subject	or	the	subject's	legally	authorized	representative	in	writing	
that	a	biometric	identifier	or	biometric	information	is	being	collected	or	stored;
(2)	informs	the	subject	or	the	subject's	legally	authorized	representative	in	writing	of	
the	specific	purpose	and	length	of	term	for	which	a	biometric	identifier	or	biometric	
information	is	being	collected,	stored,	and	used;	and
(3)	receives	a	written	release	executed	by	the	subject	of	the	biometric	identifier	or	
biometric	information	or	the	subject's	legally	authorized	representative.
(c)	No	private	entity	in	possession	of	a	biometric	identifier	or	biometric	information	may	sell,	
lease,	trade,	or	otherwise	profit	from	a	person's	or	a	customer's	biometric	identifier	or	
biometric	information.
Policy,	retention,	destruction,	notification,	written	consent,	disclosure,	secure	storage,	secure	transmission
Source:	http://codes.findlaw.com/tx/business-and-commerce-code/bus-com-sect-503-001.html
Source:	http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.503.htm
Capture	or	Use	of	Biometric	Identifier
(a) In	this	section,	“biometric	identifier”	means	a	retina	or	iris	scan,	fingerprint,	voiceprint,	or	record	of	hand	or	face	geometry.
(b) A	person	may	not	capture	a	biometric	identifier	of	an	individual	for	a	commercial	purpose	unless	the	person:
(1) informs	the	individual	before	capturing	the	biometric	identifier;	 and
(2) receives	the	individual's	consent	to	capture	the	biometric	identifier.
(c) A	person	who	possesses	a	biometric	identifier	of	an	individual	that	is	captured	for	a	commercial	purpose:
(1) may	not	sell,	lease,	or	otherwise	disclose	the	biometric	identifier	to	another	person	unless:
(A) the	individual	consents	to	the	disclosure	for	identification	purposes	in	the	event	of	the	individual's	disappearance	
or	death;
(B) the	disclosure	completes	a	financial	transaction	that	the	individual	requested	or	authorized;
(C) the	disclosure	is	required	or	permitted	by	a	federal	statute	or	by	a	state	statute	other	than	Chapter	552,	
Government	Code;	 or
(D) the	disclosure	is	made	by	or	to	a	law	enforcement	agency	for	a	law	enforcement	purpose	in	response	to	a	
warrant;
(2) shall	store,	transmit,	and	protect	from	disclosure	the	biometric	identifier	using	reasonable	care	and	in	a	manner	that	is	the	same	
as	or	more	protective	than	the	manner	in	which	the	person	stores,	transmits,	and	protects	any	other	confidential	information	the
person	possesses;	 and
(3) shall	destroy	the	biometric	identifier	within	a	reasonable	time,	but	not	later	than	the	first	anniversary	of	the	date	the	purpose	
for	collecting	the	identifier	expires,	except	as	provided	by	Subsection	(c-1).
(c-1) If	a	biometric	identifier	of	an	individual	captured	for	a	commercial	purpose	is	used	in	connection	with	an	instrument	or	
document	that	is	required	by	another	law	to	be	maintained	for	a	period	longer	than	the	period	prescribed	by	Subsection	
(c)(3),	the	person	who	possesses	the	biometric	identifier	shall	destroy	the	biometric	identifier	within	a	reasonable	time,	but	
not	later	than	the	first	anniversary	of	the	date	the	instrument	or	document	is	no	longer	required	to	be	maintained	by	law.
(c-2) If	a	biometric	identifier	captured	for	a	commercial	purpose	has	been	collected	for	security	purposes	by	an	employer,	
the	purpose	for	collecting	the	identifier	under	Subsection	(c)(3)	is	presumed	to	expire	on	termination	of	the	employment	
relationship.
(d) A	person	who	violates	this	section	is	subject	to	a	civil	penalty	of	not	more	than	$25,000	for	each	violation.	 The	attorney	
general	may	bring	an	action	to	recover	the	civil	penalty.
Texas	Business	and	Commerce	Code	§ 503.001
Consent,	disclosure,	secure	
storage,	secure	
transmission,	retention,	
destruction
Source:	http://www.privacy-regulation.eu/en/4.htm
Source:	https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf
EU	General	Data	Protection	Regulation	(GDPR)
Article 4, Definitions
• Personal data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
• Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
EU	General	Data	Protection	Regulation	(GDPR)
Article 7, Conditions for Consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
   Note: Provability
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
   Note: Clear, plain language
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
   Note: Right to withdraw consent, easy to withdraw
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
   Note: Freely given
Source:	http://www.privacy-regulation.eu/en/9.htm
EU	General	Data	Protection	Regulation	(GDPR)
Article 9, Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
   Note: Prohibited
2. Paragraph 1 shall not apply if one of the following applies:
   Note: Exceptions
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
   Note: Consent
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
   Note: Employment
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
   Note: Unable to give consent
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
   Note: Foundation or non-profit
(e) processing relates to personal data which are manifestly made public by the data subject;
   Note: Personal data is public
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
   Note: Legal defence
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
   Note: Public interest
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
   Note: Preventive medicine
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
   Note: Public health interest
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
   Note: Archiving, scientific or historical research
Source:	http://www.privacy-regulation.eu/en/9.htm
EU	PSD2	RTS	SCA	Requirements
Date:	23	February	2017
Source:	https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
Source:	http://nordicapis.com/psd2-sanctions-access-to-personal-banking-data-amplifying-fintech-growth/
Article 8
Requirements of devices and software linked to elements categorised as inherence
1. Payment	service	providers	shall	adopt	measures	mitigating	the	risk	
that	the	authentication	elements	categorised as	inherence	and	read	by	
access	devices	and	software	provided	to	the	payer	are uncovered	by	
unauthorised parties.	At	a	minimum,	the	access	devices	and	software	
shall	ensure	a	very	low	probability	of	an	unauthorised party	being	
authenticated	as	the	payer.	
2. The	use	by	the	payer	of	elements	categorized	as	inherence	shall	be	
subject	to	measures	ensuring	that	the	devices	and	the	software	
guarantee	resistance	against	unauthorised use	of	the	elements	
through	access	to	the	devices	and	the	software.
RTS	=	Regulatory	Technical	Standards
SCA	=	Strong	Customer	Authentication
PSD2	=	Payment	Services	Directive
Article	9
Independence	of	the	elements
1.	Payment	service	providers	shall	ensure	that	the	use	of	the	elements	of	strong	
customer	authentication	referred	to	in	Articles	6,	7	and	8	shall	be	subject	to	
measures	in	terms	of	technology,	algorithms	and	parameters,	which	ensure	that	
the	breach	of	one	of	the	elements	does	not	compromise	the	reliability	of	the	
other	elements.	
2.	Where	any	of	the	elements	of	strong	customer	authentication	or	the	
authentication	code	is	used	through	a	multi-purpose	device	including	mobile	
phones	and	tablets,	payment	service	providers	shall	adopt	security	measures	to	
mitigate	the	risk	resulting	from	the	multi-purpose	device	being	compromised.	
3.	For	the	purposes	of	paragraph	2,	the	mitigating	measures	shall	include	each	of	
the	following:	
(a) the	use	of	separated	secure	execution	environments	through	the	software	installed	inside	
the	multi-purpose	device;	
(b) mechanisms	to	ensure	that	the	software	or	device	has	not	been	altered	by	the	payer	or	by	
a	third	party	or	mechanisms	to	mitigate	the	consequences	of	such	alteration	where	this	has	
taken	place.
Date:	23	February	2017
Source:	https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
Source:	https://www.vasco.com/data-security/psd2-compliance.html
EU	PSD2	RTS	SCA	Requirements
Source:	https://www.apple.com/business/docs/iOS_Security_Guide.pdf
iOS	10	Security	Guide,	March	2017
Secure	Enclave
Touch	ID
• Touch	ID	and	Passcodes
• Other	uses	for	Touch	ID
• Touch	ID	security
• How	Touch	ID	unlocks	an	iOS	device
Keychain	Data	Protection
Black	Hat	2016,	Behind	the	Scenes	of	iOS	Security:	
https://www.youtube.com/watch?v=BLGFriOKz6U&t=11s
Example:	Don’t	Just	Unlock	Static	Password	in	Keychain
Source:	https://auth0.com/blog/how-fingerprint-auth-gives-you-security/
Auth0	Example
JWT	=	JSON	Web	Token
JSON	=	JavaScript	Object	Notation
(JSON	Web	Tokens	are	an	open,	industry	standard RFC	7519 method	for	
representing	claims	securely	between	two	parties)
Source:	http://www.androidauthority.com/how-to-add-fingerprint-authentication-to-your-android-app-747304/
Source:	http://www.androidcentral.com/bank-america-now-lets-you-sign-android-app-your-fingerprint
Source:	http://www.androidcentral.com/bank-america-bring-fingerprint-sign-more-phones-marshmallow-api-support
Fingerprint	Authentication	Evolution
September	2015
Samsung	only,	Fingerprint	for	login
April	2016
Phone	with	finger	sensor	and	Android	6.0
Source:	https://www.theregister.co.uk/2017/02/23/judge_rejects_bulk_fingerprint_collection_in_case_iphones_are_found/ (February	2017)
Source:	http://gorillascreenid.com/small-office-building-exterior-design/
Judge	rejected	warrant	sought	by	US	
government
• Force	everyone	in	a	given	location	
to	apply	fingerprints	to	device
Illinois	Judge:	No	Mass	Fingerprint	Harvesting
Virginia	v.	Baust (October	2014)
Source:	https://www.scribd.com/doc/245628784/Fingerprint-Unlocking-Ruling
Source:	https://blog.secureideas.com/
Source:	http://appleinsider.com/articles/13/09/24/ios-7-feature-focus-adding-fingerprints-enhancing-security-for-iphone-5s-touch-id
Government	can	compel	an	individual	to	unlock	an	
electronic	device	protected	by	a	fingerprint	reader
• For	example,	Apple's	Touch	ID	sensor
Virginia’s	Second	Judicial	Circuit	
• 2014
• Judge	ruled	defendant	could	be	forced	to	provide	
a	fingerprint	but	not	a	passcode
• A	fingerprint	is	not	testimonial	whereas	a	
passcode	is

Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
Best Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesBest Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting Breaches
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web Apps
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea Leaves
 
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongForrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
 

Similar to What Every CISO, Product Strategist, or Consumer Needs to Know About Biometric Recognition for MFA

Containers, Reuse and Security: What’s in Your Wallet?
Containers, Reuse and Security: What’s in Your Wallet?Containers, Reuse and Security: What’s in Your Wallet?
Containers, Reuse and Security: What’s in Your Wallet?CA Technologies
 
Leading the Evolution of Work, Process and Technology: How to Plan and Execut...
Leading the Evolution of Work, Process and Technology: How to Plan and Execut...Leading the Evolution of Work, Process and Technology: How to Plan and Execut...
Leading the Evolution of Work, Process and Technology: How to Plan and Execut...CA Technologies
 
Shift Left Security: Development Does Not Want to Own It.
Shift Left Security: Development Does Not Want to Own It.Shift Left Security: Development Does Not Want to Own It.
Shift Left Security: Development Does Not Want to Own It.Aggregage
 
S360 2015 dev_secops_program
S360 2015 dev_secops_programS360 2015 dev_secops_program
S360 2015 dev_secops_programShannon Lietz
 
Shadow IT: The CISO Perspective on Regaining Control
Shadow IT: The CISO Perspective on Regaining ControlShadow IT: The CISO Perspective on Regaining Control
Shadow IT: The CISO Perspective on Regaining ControlCipherCloud
 
Agile Software and DevOps Essentials
Agile Software and DevOps EssentialsAgile Software and DevOps Essentials
Agile Software and DevOps EssentialsNarayanan Subramaniam
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesMighty Guides, Inc.
 
DevOps and Regulatory Compliance—Like Oil and Water or Peanut Butter and Jelly?
DevOps and Regulatory Compliance—Like Oil and Water or Peanut Butter and Jelly?DevOps and Regulatory Compliance—Like Oil and Water or Peanut Butter and Jelly?
DevOps and Regulatory Compliance—Like Oil and Water or Peanut Butter and Jelly?TechWell
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldShannon Lietz
 
Where Social Meets Collaboration: Building, Managing and Optimizing the Colla...
Where Social Meets Collaboration: Building, Managing and Optimizing the Colla...Where Social Meets Collaboration: Building, Managing and Optimizing the Colla...
Where Social Meets Collaboration: Building, Managing and Optimizing the Colla...OpenKnowledge srl
 
DevSecOps at Agile 2019
DevSecOps at   Agile 2019 DevSecOps at   Agile 2019
DevSecOps at Agile 2019 Elizabeth Ayer
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015skantos
 
ciso-workshop-3-identity-and-zero-trust-user-access.pptx
ciso-workshop-3-identity-and-zero-trust-user-access.pptxciso-workshop-3-identity-and-zero-trust-user-access.pptx
ciso-workshop-3-identity-and-zero-trust-user-access.pptxthreatsource2023
 
ciso-workshop-3-identity-and-zero-trust-user-access.pptx
ciso-workshop-3-identity-and-zero-trust-user-access.pptxciso-workshop-3-identity-and-zero-trust-user-access.pptx
ciso-workshop-3-identity-and-zero-trust-user-access.pptxDr.Sanaz Zolfaghar Tehrani
 
Tech Due Diligence from CTO's perspective - Talk at code.talks commerce
Tech Due Diligence from CTO's perspective - Talk at code.talks commerceTech Due Diligence from CTO's perspective - Talk at code.talks commerce
Tech Due Diligence from CTO's perspective - Talk at code.talks commerceChris Philipps
 
Secure Application Development Training
Secure Application Development TrainingSecure Application Development Training
Secure Application Development Trainingpivotalsecurity
 
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”Moshiul Islam, CISSP, CISA, CFE
 
12 Best Career in Cyber Security 2023 EMERSON EDUARDO RODRIGUES
12 Best Career in Cyber Security 2023 EMERSON EDUARDO RODRIGUES12 Best Career in Cyber Security 2023 EMERSON EDUARDO RODRIGUES
12 Best Career in Cyber Security 2023 EMERSON EDUARDO RODRIGUESEMERSON EDUARDO RODRIGUES
 

Similar to What Every CISO, Product Strategist, or Consumer Needs to Know About Biometric Recognition for MFA (20)

Containers, Reuse and Security: What’s in Your Wallet?
Containers, Reuse and Security: What’s in Your Wallet?Containers, Reuse and Security: What’s in Your Wallet?
Containers, Reuse and Security: What’s in Your Wallet?
 
Leading the Evolution of Work, Process and Technology: How to Plan and Execut...
Leading the Evolution of Work, Process and Technology: How to Plan and Execut...Leading the Evolution of Work, Process and Technology: How to Plan and Execut...
Leading the Evolution of Work, Process and Technology: How to Plan and Execut...
 
Shift Left Security: Development Does Not Want to Own It.
Shift Left Security: Development Does Not Want to Own It.Shift Left Security: Development Does Not Want to Own It.
Shift Left Security: Development Does Not Want to Own It.
 
S360 2015 dev_secops_program
S360 2015 dev_secops_programS360 2015 dev_secops_program
S360 2015 dev_secops_program
 
Shadow IT: The CISO Perspective on Regaining Control
Shadow IT: The CISO Perspective on Regaining ControlShadow IT: The CISO Perspective on Regaining Control
Shadow IT: The CISO Perspective on Regaining Control
 
Agile Software and DevOps Essentials
Agile Software and DevOps EssentialsAgile Software and DevOps Essentials
Agile Software and DevOps Essentials
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
 
Product Security
Product SecurityProduct Security
Product Security
 
DevOps and Regulatory Compliance—Like Oil and Water or Peanut Butter and Jelly?
DevOps and Regulatory Compliance—Like Oil and Water or Peanut Butter and Jelly?DevOps and Regulatory Compliance—Like Oil and Water or Peanut Butter and Jelly?
DevOps and Regulatory Compliance—Like Oil and Water or Peanut Butter and Jelly?
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
 
Where Social Meets Collaboration: Building, Managing and Optimizing the Colla...
Where Social Meets Collaboration: Building, Managing and Optimizing the Colla...Where Social Meets Collaboration: Building, Managing and Optimizing the Colla...
Where Social Meets Collaboration: Building, Managing and Optimizing the Colla...
 
DevSecOps at Agile 2019
DevSecOps at   Agile 2019 DevSecOps at   Agile 2019
DevSecOps at Agile 2019
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015
 
ciso-workshop-3-identity-and-zero-trust-user-access.pptx
ciso-workshop-3-identity-and-zero-trust-user-access.pptxciso-workshop-3-identity-and-zero-trust-user-access.pptx
ciso-workshop-3-identity-and-zero-trust-user-access.pptx
 
ciso-workshop-3-identity-and-zero-trust-user-access.pptx
ciso-workshop-3-identity-and-zero-trust-user-access.pptxciso-workshop-3-identity-and-zero-trust-user-access.pptx
ciso-workshop-3-identity-and-zero-trust-user-access.pptx
 
Tech Due Diligence from CTO's perspective - Talk at code.talks commerce
Tech Due Diligence from CTO's perspective - Talk at code.talks commerceTech Due Diligence from CTO's perspective - Talk at code.talks commerce
Tech Due Diligence from CTO's perspective - Talk at code.talks commerce
 
Unc charlotte prezo2016
Unc charlotte prezo2016Unc charlotte prezo2016
Unc charlotte prezo2016
 
Secure Application Development Training
Secure Application Development TrainingSecure Application Development Training
Secure Application Development Training
 
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
 
12 Best Career in Cyber Security 2023 EMERSON EDUARDO RODRIGUES
12 Best Career in Cyber Security 2023 EMERSON EDUARDO RODRIGUES12 Best Career in Cyber Security 2023 EMERSON EDUARDO RODRIGUES
12 Best Career in Cyber Security 2023 EMERSON EDUARDO RODRIGUES
 

More from Clare Nelson, CISSP, CIPP-E

More from Clare Nelson, CISSP, CIPP-E (11)

Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
 
IoT Security, Mirai Revisited
IoT Security, Mirai RevisitedIoT Security, Mirai Revisited
IoT Security, Mirai Revisited
 
Zero-Knowledge Proofs in Light of Digital Identity
Zero-Knowledge Proofs in Light of Digital IdentityZero-Knowledge Proofs in Light of Digital Identity
Zero-Knowledge Proofs in Light of Digital Identity
 
#BiometAuth Podcast
#BiometAuth Podcast#BiometAuth Podcast
#BiometAuth Podcast
 
FTC Start with Security: Panel
FTC Start with Security: PanelFTC Start with Security: Panel
FTC Start with Security: Panel
 
Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9
 
LASCON 2015
LASCON 2015LASCON 2015
LASCON 2015
 
OWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San FranciscoOWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San Francisco
 
Financial services 20150503
Financial services 20150503Financial services 20150503
Financial services 20150503
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
 
HackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's ClothingHackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's Clothing
 

Recently uploaded

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

What Every CISO, Product Strategist, or Consumer Needs to Know About Biometric Recognition for MFA