Talk for Austin ISSA
What’s more accurate, face or iris?
What’s more secure, password or biometrics?
Is the US legal system up to the challenge?
Impact of EU GDPR and PSD2
Does NIST provide quantitative anti-spoofing requirements?
Will ISO/IEC define how to evaluate anti-spoofing for mobile devices?
4. Clare Nelson, @Safe_SaaS
Clare Nelson, CISSP, CIPP/E
Director, Office of the CTO at AllClear ID
Identity, Security, and Privacy
• Background
o Encrypted TCP/IP variants for NSA
o Product Management at DEC (HP), EMC2
o Director Global Alliances at Dell, Novell
o VP Business Development, TeaLeaf Technology (IBM), Mi3 Security
o CEO ClearMark Consulting, MFA Technology and Architecture
• 2001-2014 CEO ClearMark Consulting
• 2014 Co-founder C1ph3r_Qu33ns
• Publications include:
o 2010 August, ISSA Journal, Security Metrics: An Overview
o 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks: InfraGard, HackFormers; BSides Austin; LASCON; OWASP AppSec USA, ISSA Austin; clients including Fortune 500 financial services, 2015 FTC Panel
• B.S. Mathematics
Graphic: http://www.activistpost.com/2015/09/fbi-biometrics-programs-surveillance-database.html
5. Contents
• Introduction, You are an advanced audience.
1. What’s more accurate, face or iris?
2. What’s more secure, password or biometrics?
3. Is the US legal system up to the challenge?
4. Impact of EU GDPR and PSD2
5. Does NIST provide quantitative anti-spoofing requirements?
6. Will ISO/IEC define how to evaluate anti-spoofing for mobile devices?
7. Will FIDO have biometric certification programs in the future?
8. Trends
Graphic: http://www.computerhope.com/jargon/h/hacker.htm
32. Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf (March 2017)
When is Passcode Required?
1. Device has just been turned on, or restarted
2. Device hasn’t been unlocked for more than 48 hours
3. Device has received a remote lock command
4. After 5 unsuccessful attempts to match a fingerprint
5. When setting up or enrolling new fingers with Touch ID
6. The passcode hasn’t been used to unlock the device in the last 156 hours (6.5 days) and Touch ID has not unlocked the device in the last 4 hours
[Diagram: Passcode, 156 hours; Touch ID, 4 hours]
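Added example, not Apple's code and not from the slide: a small Python policy model that applies the six conditions above to a device state and reports which rule, if any, forces a passcode instead of Touch ID. The state fields, the order in which the rules are checked, the treatment of missing timestamps and the reset of the failure counter on a match are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Figures from the iOS Security Guide list above.
MAX_FAILED_MATCHES = 5
NO_UNLOCK_LIMIT = timedelta(hours=48)
PASSCODE_STALE_LIMIT = timedelta(hours=156)  # 6.5 days
TOUCH_ID_STALE_LIMIT = timedelta(hours=4)

@dataclass
class DeviceState:
    """Assumed bookkeeping; the field names are this example's, not Apple's."""
    just_restarted: bool = False
    remote_lock_received: bool = False
    enrolling_finger: bool = False
    failed_fingerprint_matches: int = 0
    last_unlock: Optional[datetime] = None  # by any method
    last_passcode_unlock: Optional[datetime] = None
    last_touch_id_unlock: Optional[datetime] = None

def _older_than(stamp: Optional[datetime], now: datetime, limit: timedelta) -> bool:
    # A missing timestamp means "never happened", so it counts as stale (assumption).
    return stamp is None or now - stamp > limit

def passcode_required(state: DeviceState, now: datetime) -> int:
    """Number (1-6) of the first rule that forces the passcode, or 0 if Touch ID may
    be offered. Rules are checked in the guide's listing order (an assumption)."""
    if state.just_restarted:
        return 1
    if _older_than(state.last_unlock, now, NO_UNLOCK_LIMIT):
        return 2
    if state.remote_lock_received:
        return 3
    if state.failed_fingerprint_matches >= MAX_FAILED_MATCHES:
        return 4
    if state.enrolling_finger:
        return 5
    # Rule 6 needs both: passcode unused for 156 h AND no Touch ID unlock in 4 h.
    if (_older_than(state.last_passcode_unlock, now, PASSCODE_STALE_LIMIT)
            and _older_than(state.last_touch_id_unlock, now, TOUCH_ID_STALE_LIMIT)):
        return 6
    return 0

def record_fingerprint_attempt(state: DeviceState, matched: bool, now: datetime) -> DeviceState:
    """Book a Touch ID attempt; resetting the failure counter on a match is an assumption."""
    if matched:
        state.failed_fingerprint_matches = 0
        state.last_unlock = state.last_touch_id_unlock = now
    else:
        state.failed_fingerprint_matches += 1
    return state
```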
68. References
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
• IDC Technology Spotlight, sponsored by SecureAuth; Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
• Six technologies that are taking on the password, UN/HACKABLE, Medium
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
• Nelson, Clare; Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
• Pagliery, Jose; OPM hack’s unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
• Bonneau, Joseph, et al; Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• White, Conor (CTO, Daon); Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Gioria, Sébastien; OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
76. 2D Fingerprint Hacks
• Starbug, aka Jan Krissler
• 2014: Cloned fingerprint of German Defense Minister, Ursula von der Leyen
✓ From photographs [1][2]
• 2013: Hacked Apple Touch ID on iPhone 5S ~24 hours after release in Germany
✓ Won IsTouchIDHackedYet.com competition [3]
• 2006: Published research on hacking fingerprint recognition systems [4]
[1] Source: https://www.youtube.com/watch?v=vVivA0eoNGM
[2] Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
[3] Source: http://istouchidhackedyet.com
[4] Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
84. Source: https://pages.nist.gov/800-63-3/sp800-63b.html
NIST Update on Allowable Use of Biometrics
SP 800-63B, Authentication and Lifecycle Management
5.2.3. Use of Biometrics
Supports limited use of biometrics for authentication
• Biometric False Match Rates (FMR) and False Non-Match Rates (FNMR) do not provide confidence in the authentication of the subscriber by themselves. In addition, FMR and FNMR do not account for spoofing attacks.
• Biometric matching is probabilistic, whereas the other authentication factors are deterministic.
• Biometric template protection schemes provide a method for revoking biometric credentials that are comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
• Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns).
✓ While presentation attack detection (PAD) technologies such as liveness detection can mitigate the risk of these types of attacks, additional trust in the sensor is required to ensure that PAD is operating properly in accordance with the needs of the CSP and the subscriber.
Therefore, the use of biometrics for authentication is supported with the following requirements and guidelines:
• Biometrics SHALL be used with another authentication factor (something you have).
• An authenticated protected channel between sensor (or endpoint containing a sensor that resists sensor replacement) and verifier SHALL be established and the sensor or endpoint authenticated prior to capturing the biometric sample from the claimant.
• Empirical testing of the biometric system to be deployed SHALL demonstrate an EER of 1 in 1000 or better with respect to matching performance. The biometric system SHALL operate with an FMR of 1 in 1000 or better.
• The biometric system SHOULD implement PAD. Testing of the biometric system to be deployed SHOULD demonstrate at least 90% resistance to presentation attacks for each relevant attack type (aka species), where resistance is defined as the number of thwarted presentation attacks divided by the number of trial presentation attacks.
PAD is being considered as a mandatory requirement in future editions of this guideline.
PAD = Presentation Attack Detection
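Added example, not NIST's code and not from the slide: a Python check that scores a biometric test campaign against the figures quoted above (EER and FMR of 1 in 1000 or better, and at least 90% PAD resistance per attack species, computed as thwarted over trial presentations). The accept-at-or-above-threshold convention, the EER approximation and the sample scores are assumptions; the PAD check is kept separate because, as the text notes, FMR and FNMR say nothing about spoofing.

```python
from typing import Dict, List, Tuple

# Figures quoted from SP 800-63B 5.2.3 above.
EER_LIMIT = 1 / 1000
FMR_LIMIT = 1 / 1000
PAD_RESISTANCE_MIN = 0.90

def fmr_fnmr(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """FMR = impostor comparisons accepted / all impostor comparisons;
    FNMR = genuine comparisons rejected / all genuine comparisons.
    Scores at or above the threshold are accepted (assumed convention)."""
    fmr = sum(1 for s in impostor if s >= threshold) / len(impostor)
    fnmr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return fmr, fnmr

def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Sweep every observed score as a threshold; return (threshold, EER) where FMR
    and FNMR are closest, approximating EER as their mean at that point."""
    best = None  # (gap, threshold, eer)
    for t in sorted(set(genuine) | set(impostor)):
        fmr, fnmr = fmr_fnmr(genuine, impostor, t)
        gap = abs(fmr - fnmr)
        if best is None or gap < best[0]:
            best = (gap, t, (fmr + fnmr) / 2)
    return best[1], best[2]

def pad_resistance(trials: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """trials maps attack species -> (thwarted, attempted); resistance is the quotient,
    exactly as the guideline defines it."""
    return {species: thwarted / attempted for species, (thwarted, attempted) in trials.items()}

def meets_sp800_63b(genuine, impostor, operating_threshold, pad_trials) -> Dict[str, bool]:
    """One verdict per requirement. FMR says nothing about spoofing (the text's own
    caveat), so PAD resistance is judged separately and must hold for every species."""
    _, eer = equal_error_rate(genuine, impostor)
    fmr, _ = fmr_fnmr(genuine, impostor, operating_threshold)
    resistance = pad_resistance(pad_trials)
    return {
        "eer_ok": eer <= EER_LIMIT,
        "fmr_ok": fmr <= FMR_LIMIT,
        "pad_ok": all(r >= PAD_RESISTANCE_MIN for r in resistance.values()),
    }

# Constructed sample data (not real test results): 620 genuine comparisons scoring
# 70-100, 2000 impostor comparisons scoring 0-40 plus one impostor at 80, and PAD
# trials for two invented species, one of which falls short of 90%.
GENUINE = [70 + (i % 31) for i in range(620)]
IMPOSTOR = [i % 41 for i in range(1999)] + [80]
PAD_TRIALS = {"printed photo": (98, 100), "gelatin finger": (44, 50)}
```

With the sample data the matcher passes both SHALL thresholds but the deployment still fails the PAD SHOULD on one species, which is exactly the gap the quoted text warns FMR alone cannot reveal.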
89. Graphic: https://iapp.org/
GDPR Applies to EU Citizens in US
• Employee, Janice, is EU citizen
• Janice visits Austin
• You enroll Janice in physical security system, capture and store her fingerprints
• You are processing sensitive personal data
• Need to get consent, but this consent is not really freely given
• You may not be able to let Janice withdraw
• Provide clear instructions, not legalese
• Policies for processing sensitive personal data, consult your general counsel
95. Source: http://codes.findlaw.com/tx/business-and-commerce-code/bus-com-sect-503-001.html
Source: http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.503.htm
Texas Business and Commerce Code § 503.001
Capture or Use of Biometric Identifier
(a) In this section, “biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.
(b) A person may not capture a biometric identifier of an individual for a commercial purpose unless the person:
(1) informs the individual before capturing the biometric identifier; and
(2) receives the individual's consent to capture the biometric identifier.
(c) A person who possesses a biometric identifier of an individual that is captured for a commercial purpose:
(1) may not sell, lease, or otherwise disclose the biometric identifier to another person unless:
(A) the individual consents to the disclosure for identification purposes in the event of the individual's disappearance or death;
(B) the disclosure completes a financial transaction that the individual requested or authorized;
(C) the disclosure is required or permitted by a federal statute or by a state statute other than Chapter 552, Government Code; or
(D) the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant;
(2) shall store, transmit, and protect from disclosure the biometric identifier using reasonable care and in a manner that is the same as or more protective than the manner in which the person stores, transmits, and protects any other confidential information the person possesses; and
(3) shall destroy the biometric identifier within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires, except as provided by Subsection (c-1).
(c-1) If a biometric identifier of an individual captured for a commercial purpose is used in connection with an instrument or document that is required by another law to be maintained for a period longer than the period prescribed by Subsection (c)(3), the person who possesses the biometric identifier shall destroy the biometric identifier within a reasonable time, but not later than the first anniversary of the date the instrument or document is no longer required to be maintained by law.
(c-2) If a biometric identifier captured for a commercial purpose has been collected for security purposes by an employer, the purpose for collecting the identifier under Subsection (c)(3) is presumed to expire on termination of the employment relationship.
(d) A person who violates this section is subject to a civil penalty of not more than $25,000 for each violation. The attorney general may bring an action to recover the civil penalty.
Consent, disclosure, secure storage, secure transmission, retention, destruction
96. Source: http://www.privacy-regulation.eu/en/4.htm
Source: https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf
EU General Data Protection Regulation (GDPR)
Article 4, Definitions
Personal data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
97. EU General Data Protection Regulation (GDPR)
Article 7, Conditions for Consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. (Note: Provability)
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. (Note: Clear, plain language)
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. (Note: Right to withdraw consent, easy to withdraw)
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. (Note: Freely given)
Source: http://www.privacy-regulation.eu/en/9.htm
98. EU General Data Protection Regulation (GDPR)
Article 9, Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. (Note: Prohibited)
2. Paragraph 1 shall not apply if one of the following applies: (Note: Exceptions)
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; (Note: Consent)
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; (Note: Employment)
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; (Note: Unable to give consent)
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; (Note: Foundation or non-profit)
(e) processing relates to personal data which are manifestly made public by the data subject; (Note: Personal data is public)
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; (Note: Legal defence)
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; (Note: Public interest)
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; (Note: Preventive medicine)
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; (Note: Public health interest)
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. (Note: Archiving, scientific or historical research)
Source: http://www.privacy-regulation.eu/en/9.htm