Biometric Authentication

utterlypanoramicSecurity

Nov 30, 2013

Biometric Authentication
Presenter: Yaoyu, Zhang

Preface


We can authenticate an identity in three ways: by something the user knows (such as a password or personal identification number), something the user has (a security token) or something the user is (a physical characteristic, such as a fingerprint, called a biometric).

Abstract


Introduction to biometric authentication


Some related concepts


Biometric Methods


Can biometric authentication be fooled?


Some issues about Access Control





Biometric Authentication

Authentication based on body measurements and motions

It is easy because you always bring your body with you


Biometric Systems


Enrollment


Later access attempts


Acceptance or rejection


Biometric Authentication System (figure, reconstructed from the slide)

1. Initial Enrollment: User Lee -> Scanning -> Processing (Key Feature Extraction: A=01, B=101, C=001) -> Template Database

   Template Database
   Brown    10010010
   Lee      01101001
   Chun     00111011
   Hirota   1101110

2. Subsequent Access: Applicant -> Scanning -> User Access Data (01111001) -> Processing (Key Feature Extraction: A=01, B=111, C=001)

3. Match Index: User Lee's template (01101001) is compared with the access data (01111001) -> Decision Criterion (Close Enough?)

Biometric Authentication


Verification Versus Identification


Verification: Are applicants who they claim to be? (compare with a single template)

Identification: Who is the applicant? (compare with all templates)

More difficult than verification because the sample must be compared to many templates

Watch list: is this person a member of a specific group (e.g., known terrorists)?

Verification is good for replacing passwords in logins

Identification is good for door access and other situations where entering a name would be difficult
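As an added example (not from the slides), here is a toy matcher in the shape of the Biometric Authentication System figure above: the templates are the bit strings from the template database, key feature extraction splits a string into the A/B/C fields shown for user Lee, and the match index is the fraction of agreeing bits. The verify and identify functions, the field widths and the thresholds are assumptions made for illustration, and they also show the difference between verification (one template) and identification (all templates).

```python
# Template database from the figure (constructed sample data; Hirota's
# template has only 7 bits on the slide and is kept that way).
TEMPLATES = {
    "Brown": "10010010",
    "Lee": "01101001",
    "Chun": "00111011",
    "Hirota": "1101110",
}


def extract_features(bits):
    """Key feature extraction as drawn on the slide: A = first 2 bits,
    B = next 3 bits, C = last 3 bits (field widths are an assumption)."""
    return {"A": bits[:2], "B": bits[2:5], "C": bits[5:8]}


def match_index(sample, template):
    """Fraction of bit positions that agree (1.0 = identical).
    Positions missing from a shorter template count as disagreements."""
    length = max(len(sample), len(template))
    agree = sum(a == b for a, b in zip(sample, template))
    return agree / length


def verify(claimed_user, sample, threshold):
    """Verification: compare the sample with the single claimed template."""
    template = TEMPLATES.get(claimed_user)
    if template is None:  # unknown name: nothing to compare against
        return False
    return match_index(sample, template) >= threshold


def identify(sample, threshold):
    """Identification: compare with every template and return the best
    match, or None if even the best is not 'close enough'."""
    best_user, best_score = None, -1.0
    for user, template in TEMPLATES.items():
        score = match_index(sample, template)
        if score > best_score:
            best_user, best_score = user, score
    return best_user if best_score >= threshold else None


if __name__ == "__main__":
    # Lee's later scan from the figure: field B reads 111 instead of 101,
    # so 7 of 8 bits agree and the match index is 0.875.
    access = "01111001"
    print(extract_features(access))
    print(verify("Lee", access, 0.8), identify(access, 0.8))
```

Note that Chun's template scores 0.75 against the same scan, so a looser threshold would make identification ambiguous where verification against Lee alone is not.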



FAR


Precision


False acceptance rates (FARs): Percentage of unauthorized people allowed in

Person falsely accepted as member of a group

Person allowed through a door who should not be allowed through it


Very bad for security


FRR


Precision


False rejection rates (FRRs): Percentage of authorized people not recognized as being members of the group

Valid person denied door access or server login because not recognized

Can be reduced by allowing multiple access attempts

High FRRs will harm user acceptance because users are angered by being falsely forbidden

Biometric Authentication


Precision


Vendor claims for FARs and FRRs tend to be exaggerated because they often perform tests under ideal circumstances

For instance, having only small numbers of users in the database

For instance, by using perfect lighting, extremely clean readers, and other conditions rarely seen in the real world


Biometric Authentication


User Acceptance is Crucial


Strong user resistance can kill a system


Fingerprint recognition may have a criminal connotation

Some methods are difficult to use, such as iris recognition, which requires the eye to be lined up carefully.


These require a disciplined group


Biometric Authentication


Biometric Methods


Fingerprint recognition


Dominates the biometric market today


Based on a finger's distinctive pattern of whorls, arches, and loops

Simple, inexpensive, well-proven

Weak security: can be defeated fairly easily with copies

Useful in modest-security areas


Biometric Authentication


Biometric Methods


Iris recognition


Pattern in colored part of eye


Very low FARs


High FRR if the eye is not lined up correctly, which can harm acceptance

Reader is a camera; it does not send light into the eye!


Biometric Authentication


Biometric Methods


Face recognition


Can be put in public places for surreptitious identification (identification without citizen or employee knowledge). More later.


Hand geometry: shape of hand


Voice recognition


High error rates


Easy to fool with recordings


Biometric Authentication


Biometric Methods


Keystroke recognition


Rhythm of typing


Normally restricted to passwords


Ongoing during session could allow continuous authentication


Signature recognition


Pattern and writing dynamics


Biometric Standards


Almost no standardization


Worst for user data (fingerprint feature databases)


Get locked into single vendors



Biometric Authentication


Can Biometrics be Fooled?


Airport face recognition


Identification of people passing in front of a camera


False rejection rate: rate of not identifying person as being in the database


Fail to recognize a criminal, terrorist, etc.


FRRs are bad


4-week trial of face recognition at Palm Beach International Airport


Only 250 volunteers in the user database (unrealistically small)


Volunteers were scanned 958 times during the trial


Only recognized 455 times! (47%)


53% FRR
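As an added example (not from the slides) covering the FAR and FRR definitions earlier in the deck and the trial figures just quoted, the following computes both rates from a labelled log of attempts, shows why allowing repeated attempts lowers the FRR, and derives the 53% figure from the raw counts. The log records are constructed sample data and the function names are my own.

```python
# Each record is (session, genuine, accepted): one authentication attempt,
# whether the presenter really was the enrolled user, and the system's
# decision. Constructed sample data, not the trial results from the slides.
TRIAL = [
    ("g1", True, True),
    ("g2", True, False), ("g2", True, True),    # rejected once, accepted on retry
    ("g3", True, False), ("g3", True, False),   # never recognised
    ("g4", True, True),
    ("i1", False, False),
    ("i2", False, True),                        # impostor let in: counts toward FAR
    ("i3", False, False),
    ("i4", False, False),
]


def error_rates(records):
    """Per-attempt rates: FAR = accepted impostor attempts / impostor attempts,
    FRR = rejected genuine attempts / genuine attempts."""
    genuine = [accepted for _, is_genuine, accepted in records if is_genuine]
    impostor = [accepted for _, is_genuine, accepted in records if not is_genuine]
    far = sum(impostor) / len(impostor) if impostor else 0.0
    frr = sum(not accepted for accepted in genuine) / len(genuine) if genuine else 0.0
    return far, frr


def frr_with_retries(records, max_attempts):
    """FRR per genuine session when a user may try up to max_attempts times:
    a session counts as rejected only if none of its first tries succeeds."""
    sessions = {}
    for session, is_genuine, accepted in records:
        if is_genuine:
            sessions.setdefault(session, []).append(accepted)
    rejected = sum(not any(tries[:max_attempts]) for tries in sessions.values())
    return rejected / len(sessions) if sessions else 0.0


def frr_from_counts(scans, recognised):
    """FRR from raw trial counts (e.g. 958 scans, 455 recognitions)."""
    return 1 - recognised / scans


if __name__ == "__main__":
    far, frr = error_rates(TRIAL)
    print(f"per-attempt FAR={far:.2f} FRR={frr:.2f}")
    for k in (1, 2):
        print(f"FRR with up to {k} attempt(s): {frr_with_retries(TRIAL, k):.2f}")
    print(f"Palm Beach trial FRR: {frr_from_counts(958, 455):.0%}")
```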


Biometric Authentication


Can Biometrics be Fooled?


Airport face recognition


Recognition rate fell if the subject wore glasses (especially tinted) or looked away

Would be worse with a larger database

Would be worse if photographs were not good

DOD (Department of Defense) tests indicate poor acceptance rates when subjects were not attempting to evade

270-person test

Face recognition recognized the person only 51 percent of the time

Even iris recognition only recognized the person 94 percent of the time!


Biometric Authentication

Can Biometrics be Fooled?

Other research has shown that evasion is often successful for some methods

German c't magazine fooled most face and fingerprint recognition systems

Prof. Matsumoto fooled fingerprint scanners 80 percent of the time with a gelatin finger created from a latent (invisible to the naked eye) print on a drinking glass


Access Control


Access Control


Access control is the policy-driven limitation of access to systems, data, and dialogs

Goals

Prevent attackers from gaining access, stopping them if they do

Provide appropriate limitations on the access rights of authorized users


Access Control


First Steps


Enumeration of Resources


Sensitivity of Each Resource


Next, who Should Have Access?


Can be made individual by individual


More efficient to define by roles (logged-in users, system administrators, project team members, etc.)


Access Control


Policy-Based Access Control and Protection

Have a specific access control policy and an access protection policy for each resource

For example, for a file on a server: limit authorizations to a small group, harden the server against attack, use a firewall to thwart external attackers, etc.

Focuses attention on each resource

Guides the selection and configuration of firewalls and other protections

Guides the periodic auditing and testing of protection plans