IBG (International Biometrics Group) - CCC - Caretower

Nov 29, 2013

AuthenWare Reliability

Accuracy & Security







Tom Helou

President & COO

Agenda




International Biometrics Group Certification


What is it


Our performance results


Common Criteria Certification (CCC)


What is it


Where we are


Questions


Authenware reliability

IBG Certification = AuthenWare Accuracy

Common Criteria Certification (ISO 15408) = The product is safe


IBG provides technology-neutral, vendor-independent biometrics services, strategy, and solutions to government agencies, systems integrators, high-technology firms, and financial services organizations.

IBG’s Comparative Biometric Testing (CBT) is the industry's longest-running benchmarking test, complying with all published US and International biometric performance standards.





International Biometric Group (IBG)

What was tested



IBG CBT’s objective is to evaluate the usability and accuracy of biometric systems. In terms of AuthenWare the following was measured:

Match rates: measures a system’s ability to correctly distinguish between genuine and impostor comparisons;

Enrollment and acquisition rates: measures a system’s ability to successfully enroll and acquire samples from Test Subjects;

Level of effort: measures a system’s ability to successfully enroll and acquire samples from Test Subjects with minimal transaction durations and repeated attempts / transactions.




7 laptops and workstations

11 storage and processing servers


184 separate test subjects


7,731 keystroke signatures were analyzed


4,851 genuine attempts and 2,880 hacking attempts


Four test type rules:



Testing Equipment and Subject Data

Accuracy and Performance findings…


Failure to Enroll Rate (FTE) = 0% GRANTED!

This means AuthenWare accepted ALL the users, even the poor performance users.



Transactional Failure to Acquire Rate (T-FTA) = 0% GRANTED!

AuthenWare has no failures catching the keystroke and environmental data.

All tests were conducted at security level 3.

Accuracy and Performance findings…


Median Enrollment Transaction Duration = 80 seconds Certified!

Median time needed to complete the biometric pattern training or enrollment, typing UserID and Password 10 times.

Median Recognition Attempt Duration = 11 seconds Certified!

It was the time needed to have a biometric answer, including the time needed to type UserID and Password.

Accuracy and Performance findings…


Transactional False Match Rate (T-FMR / FAR) = 3.26% GRANTED!

Transactional False Non-Match Rate (T-FNMR / FRR) = 3.20% GRANTED!

The Effective System False Rejection Rate is defined as the rate of false rejections that result after executing not only the initial biometric test, but also any additional attempts managed by business rules, One Time Password submissions and other decision mechanisms provided by the full AuthenTest system.

Offering the user a second opportunity to attempt validation reduces the FRR to 2.459%. If this second authentication attempt is also rejected, incorporating a third validation opportunity reduces the FRR even further to that of 0.738%. Adding a one time password (or another validation check such as requiring the user to enter a pin number, etc.) would lower the effective System FRR to a worst case scenario of only 0.00738%.

99.9915% of valid user logins will be authenticated as valid users without external support.

Effective System False Rejection Rate (S-FRR)

The Effective System False Acceptance Rate is defined as the rate of false acceptance that results after executing not only the initial biometric test, but also considering a probability that someone else knows your credentials.

Since AuthenWare is a second authentication factor, only people who actually know your credentials will have a chance (3.20%) of getting in as a non-valid user.

Considering that 1 in 10 persons will be able to get your credentials, the S-FAR will be 0.32% in this case:

99.68% of hacking attempts will be rejected (credentials don’t match or AuthenWare technology stops!).

Effective System False Acceptance Rate (S-FAR)

“In sum, it is very likely that real-world performance for Authenware will be more robust than was observed” [in the CBT].

Accuracy of 96.78%, FTE=0%, T-FTA=0% is great considering that users couldn’t choose their own UserID and Password, all of them used identical hardware, software and environment

Everything was taken from the official public report of CBT round 7 of IBG. For further information, visit www.biometricgroup.com or contact us at www.authenware.com



IBG Certification conclusion


The CCC provides a common set of requirements for
the security functionality of IT products and for
assurance measures applied to these IT products
during a security evaluation.




Based on a well known International Standard: ISO/IEC 15408



The evaluation process establishes a level of
confidence that the security functionality of these IT
products and the assurance measures applied to
these IT products meet these requirements.





Common Criteria Certification (CCC)

Provides you and your customers a level of confidence that our product has been scrutinized and evaluated properly as a security product.

Common Criteria Certification GRANTED (May-2010)

International recognition of a security product

CCC EAL-2 + ALC_FLR.1 (latest version)

EAL-2+ - Evaluation Assurance Level

ALC_FLR - Provides for Flaw Remediation Procedure



CCC conclusion


We have received an international and standard recognition for
our product


Our product (TOE) and the rest of the components have
improved much during the certification process


We received the official certificate on Sep-2010


Moving forward, every new component, functionality or
improvement at the LAB level follows the CCC