The Quest to Measure Strength of Function for Authenticators: SOFA, So Good

Transcription

1 SESSION ID: IDY-F02 The Quest to Measure Strength of Function for Authenticators: SOFA, So Good Dr. Elaine Newton Deputy Standards Liaison NIST ITL Dr. Colin Soutar Senior Manager Deloitte & Touche LLP

2 The Power of Convenience In a briefing held by Apple Inc. software security engineers:... Prior to the introduction of Touch ID, only 49 percent of users protected their iphones with a passcode. After the introduction of Touch ID... this figure almost doubled to 89 percent

3 Increasing Transactional Risk 3

4 Purpose & Scope of SOFA-B NIST is exploring a framework around Strength of Function for Authenticators - Biometrics (SOFA-B) for measuring and evaluating the strength of a biometric authentication on mobile devices to: Determine how effectively they mitigate different levels of transactional risk Understand how such biometric factors can be combined with, or substituted for, other authentication factors 4

5 Why Mobile Devices are Different: No More Hand-Holding! Mobile devices offer new challenges because of their nature: Travel with its user Different form factor Unattended, providing potential for artefacts 5

6 What Do We Know Already? Starting point: What generally accepted measurements exist around strength of authenticators? Entropy and the strength of passwords/key length Strength of Function: Common Criteria Inherent strength based on discrimination capability False Match Rate (FMR) False Non-Match Rate (FNMR) Biometrics, unlike passwords, are not secrets 6

7 Targeted Zero-Information Attacks on Passwords and Biometrics Biometrics Password/PIN Sample size and complexity Length and complexity Create artefacts Computational complexity of matching Shoulder surf Obtain biometric sample Notepads Create artefact 7

8 System Diagram - Enrollment 8

9 System Diagram - Authentication 9

10 System and Attack Analysis Override Database FMR & FNMR Modify Biometric Reference Presentation Attack Override Capture Device Extract/Modify Biometric Sample 4 Modify Probe 6 Override Comparator Override Signal Processor 10 Modify Score 10 Override Decision Engine Modify Decision

11 Recommendation: Use Baseline Security to Mitigate Many Attacks Many attacks can be mitigated by core security controls: e.g., encryption, mutual authentication, limiting of unsuccessful attempts Override Database FMR & FNMR Modify Biometric Reference Presentation Attack Override Capture Device Extract/Modify Biometric Sample 4 Modify Probe 6 Override Comparator Override Signal Processor 11 Modify Score 10 Override Decision Engine Modify Decision

12 Analyze and Quantify Factors Specific to Biometric Systems Comparison 6 Override Comparator FMR & FNMR PAD (Presentation Attack Detection) Error Rate Probability of a successful presentation attack. FMR (Matching Performance) Probability of a false match occurring FNMR (Matching Performance) Probability of a false reject occurring 12

13 Differentiate Attack Types and Incorporate Effort Effort = Level of effort required to attack specific components of an authentication system. Included in the SOFA equation as a factor that may serve as a shared, level-setting metric between different authenticator types. May be a combination of the time, knowledge, and resources needed to: Access a biometric pattern or data (samples) + Replicate the pattern and create a biometric spoof 13 + Runtime of the algorithm for a biometric system

14 Effort Example 14

15 Quantify SOFA for Zero-information Attacks Goal is to move towards developing metrics that can be compared and combined to better understand authentication systems Ultimately, we would be able to determine the same type of measure for most authentication systems SOFA Zero Info (Biometrics) α Effort (Factor, Attack) FMR x PADER SOFA Zero Info (PIN/PW) α Effort (Factor, Attack) x N L 15

16 Strength of Function for Authenticators: Biometrics (SOFA-B) Incorporating the FMR, PAD, and Effort into a single measure of strength could look something like this: SOFA %&'()*+( Biometrics = min Effort (;<=>?@, B>><=C) FMR x PADER M<>N@O<P In the case of targeted attacks, the measure of strength may look like: SOFA QR'S&T&U Biometrics = min Effort (;<=>?@, B>><=C) (1 FNMR) x PADER M<>N@O<P 16

17 Recap The purpose of SOFA is to develop a framework for assessing the strength of biometrics so that: Relying parties can determine what level of transactional risk they are willing to accept in a transaction Biometric technologies can be mixed and matched among themselves OR with other authentication technologies 17

18 The SOFA Story: Applying the Framework Review the SOFA-B draft on GitHub for further details: The SOFA-B discussion draft document is available at: [This is case-sensitive.] Please provide comments and proposed changes via GitHub or to Consider Effort as a factor and let us know your thoughts (Time? Knowledge? Money? Consequences?) Think about your industry s unique authentication requirements (and how biometrics could play or already have played a major part) Review your organization s authentication solution(s) and consider the corresponding risk(s) 18

19 Contributors NIST Dr. Elaine Newton National Institute of Standards and Technology Kevin Mangold National Institute of Standards and Technology Paul Grassi National Institute of Standards and Technology Contract support to NIST Dr. Colin Soutar Deloitte & Touche LLP Cyber Risk Services Ryan Galluzzo Deloitte & Touche LLP Cyber Risk Services Raj Dinh Deloitte & Touche LLP Cyber Risk Services Burak Sahin Deloitte & Touche LLP Cyber Risk Services Special guest contributions to NIST Cathy Tilton CSRA Inc. 19

20 Bibliography 1) ISO/IEC :2016, Information technology -- Biometric presentation attack detection -- Part 1: Framework, 7-1_2016.zip 2) ANSI X , Biometric Information Management and Security for the Financial Services Industry, 3) FIDO Alliance, 4) Draft NIST Special Pub , Digital Identity Guidelines - Public comment period closes March 31, 2017, 20

21 Q&A Thank you! Presenters: Dr. Elaine Newton, Dr. Colin Soutar, 21

22 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the Deloitte name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see to learn more about our global network of member firms. 21