08-ISO-01 Information Security and Risk Management Biometric ...

Page
1

of
2

N
UMBER
:

0
8
-
ISO
-
01

I
SSUED
B
Y
:

D
EPUTY
CIO,

IT

C
USTOMER
D
EVELOPMENT AND
R
ELATIONSHIP
M
GT

Services

CUSTOMER

BULLETIN
—
(
I
NFORMATION
S
ECURITY AND
R
ISK
M
ANAGEMENT
)

T
ITLE
:

Biometric
Authentication

D
ATE
I
SSUED
:

1/
8
/200
8

Overview

Biometric authen
tication is
a method

employed
to authenticate users based on some
aspect of human biology.
E
xamples of biometric authentication products include
palm or
fingerprint identification, retinal scan, and voice recognition. Biometric authentication
is
meant to
e
liminate password sharing among users and reduce the number of credentials
a user is required to remember
.
At this time
, the Office for Technology (CIO/OFT) does
not accept biometrics for use as a dual authentication solution.
This
decision
is based
on
the

determination of the National Institute of Science and Technology (NIST
)
—
whic
h

has
yet to approve any biometric devices or approaches for dual authentication. In addition,
biometric technologies are
not

supported on the H
uman
S
ervices
E
nterprise
N
etwork

(
HSEN)
and
biometric

devices should not be
used to circumvent established
authentication methods for
State

operated

equipment. Some of the security concerns
with biometrics
,

and particularly fingerprint readers
,

are described
in the “Details” section
of thi
s Bulletin
.

Services Impacted

The
Office for Technology (CIO/OFT) does not accept biometrics for use as a dual
authentication solution where strong authentication is required (e.g., remotely accessing
restricted information).

Audience

Local Governme
nt Information Technology Directors,
HSE
N Local Security Administrators

and LAN Administrators

Assistance

For questions regarding this issue, please contact your appropriate Information Security
Office (ISO).

C
USTOMER
A
CTION
R
EQUIRED
:

YES



N
O



Page
2

of
2

o

For the
Office for Children and Family Serv
ices (OCFS)
Information
S
ecurity
O
ffice
email

ocfs.sm.committee.acceptable
-
use

o

For the
Office of Temporary and Disability (OTDA)
Information
Security Office

(ISO)

email
otda.sm.InfoSecOffice

Customer Action Required: No

No

Details

There are several se
curity concerns regarding biometrics.
Most biometric authentication
solutions use a form of “password vaulting
;
”

which is

where
a
user
’s

credentials (user IDs
and passwords) are stored in one location.
For example, w
hen the user presses a finger
to a finge
rprint reader, the appropriate sets of credentials are launched from the vault.
S
ecurity concerns with

such

“password vaulting”

includ
e
:



In
adequately protected
authentication data

that

is
not s
tored
in

a format that
meets

CIO/OFT’s
OFT
-
073
-
P Encryption St
andard (details available on request);
and



User credentials
sent
to the authenticating server in an unsecured format that does
not comply with
CIO/
OFT
-
approved methods and/or encryption algorithms.

Biometric devices have relatively high error rates that
c
an
result in false positives
(
where
an authorized user is mistakenly denied access
)

and false negatives
(
where an
unauthorized person is allowed access, resulting in a security bre
a
ch
)
. Error rates can be
as high as 10% for fingerprint readers and even hig
her for other biometric approaches.
Users have compensated for these high error rates by lowering the detection criteria on
fingerprint readers, which diminishes the technology’s security value. In addition,
biometrics, especially fingerprint recognition,

can be spoofed at an unacceptable rate
(e.g., through the capture of fingerprint impressions using as simple a material as play
-
dough or modeling clay).

For the reasons described above, current finger imaging products (and other biometrics)
are not accep
table
forms of

dual authentication
for

CIO/OFT managed
computer
applications and environments (e.g., HSEN). The security risks outweigh the advantages
of this technology. CIO/OFT and the HSEN agency ISOs regard
token
-
based two factor
authentication

as pro
viding the most feasible dual factor authentication solution and will
be
investigating

Identity and Access Management solutions that will incorporate
acceptable dual authentication technologies. CIO/OFT will also be monitoring
developments and improvements

in other authentication approaches including biometrics
and will inform customers if and when those approaches are acceptable for dual
authentication purposes.

08-ISO-01 Information Security and Risk Management Biometric ...

Comments 0

Document transcript

Core PDS - CIPS

OFFICE OF THE AUDITOR GENERAL

Study Report on Biometrics in E-Authentication - INCITS

Report of the Defense Science Board Task Force

Biometrics at the Frontiers: Assessing the Impact on Society

UK PASSPORT SERVICE

Guidelines for the Deployment of Biometrics Technology in Blekinge Health Care System with the Focus on Human Perceptions and Cost Factor

Visit the National Academies Press online and register for...

Continuous Biometric Authentication for Authorized Aircraft ...

Multimodal Biometric Authentication using Fingerprint and Iris Recognition in Identity Management

ENHANCING ASSISTIVE TECHNOLOGIES:

Verification of Secure Biometric Authentication Protocols

Smartphones and Biometrics

Working Paper 315 January 2013

Biometric Encryption:

A Positive-Sum Technology that Achieves Strong Authentication ...

Biometric Based User Authentication through

Stay in touch:

08-ISO-01 Information Security and Risk Management Biometric ...

Comments 0

Document transcript

More From superfluitysmackover

Related Content