Role of Biometrics in Cybersecurity Sam Youness
Agenda
- Biometrics basics
- How it works
- Biometrics applications and architecture
- Biometric devices
- Biometrics considerations
- The road ahead
The Basics
Every day we need to identify ourselves when we do things like:
- Use a bank automated teller machine (PIN)
- Use a personal or corporate computing device
- Enter the office by scanning a badge, punching a code, or using a key
- Use passwords to access online services (e.g. online banking, Netflix, Amazon)
- Use a password to access our email
- Provide a passport or driver's license as proof of identity
- And many more examples
There is an essential need to accurately identify an individual to minimize the possibility of security breaches and threats.
Why Biometrics?
Traditional authentication secrets (passwords, PINs, etc.) have serious issues.
Physical tokens (ID cards, keys, etc.) have their own issues: they get lost, stolen, or copied.
Is biometrics the answer?
- It is part of the person and not easily compromised through theft, collusion, or loss
- Simplifies user management, leading to cost savings
- No need to remember passwords or PINs
- User accounts cannot be shared
- Easy to use
A caveat when weighing these benefits: a biometric trait is not a secret (faces and fingerprints are left everywhere), and unlike a password a trait whose stored template has been compromised cannot be reissued, so the template store and the capture path need protecting as much as the match decision itself.
Biometrics Modalities
Physiological (not likely to change over time):
- Fingerprints, finger length
- Iris/retina
- Facial image and geometry (2D and 3D)
- Hand geometry
- Vein pattern
- DNA
Behavioral (may change over time):
- Voice
- Gait
- Odor
- Signature
- Keystroke and mouse-movement dynamics
How Biometrics Work
Enrollment: a biometric sample is captured, its distinguishing features are extracted into a digital template (template extraction), and the template is stored (template storage).
Search/Match: a live capture goes through the same template extraction, and a comparison algorithm scores the new digital template against the stored template(s); the outcome is MATCH or NO MATCH.
Biometrics Processes
Image capture -> feature extraction -> secure storage -> template matching -> MATCH / NO MATCH.
The slide's diagram places these steps on two components: a secure device and a trusted computer.
Biometric System Accuracy
- ROC: receiver operating characteristic, the curve of FMR against FNMR traced out as the matching threshold is varied
- FMR: false match rate, the fraction of impostor comparisons wrongly declared a match
- FNMR: false non-match rate, the fraction of genuine comparisons wrongly rejected
- Matching threshold T: moving it trades FMR against FNMR; for a given system no setting lowers both at once
Higher quantities of data (e.g. more fingerprints) and higher-quality (highly consistent) samples are required for one-to-many search processes as compared to one-to-one matching for verification: every additional gallery record is one more opportunity for a false match.
Biometrics Application Categories
Verification
- One-to-one biometric identification to provide physical or logical access control
- Compares against a template stored locally (PC, smartphone, etc.) or on a server
- Acts as a passcode or PIN
Identification
- One-to-many search to assess whether an individual's biometrics are present in a database or gallery that contains a very large number of biometric records
- More computing-intensive; used to help identify a person
Duplicate Checking
- Matching each and every template against all templates in a gallery
- Determines if individuals are represented more than once in a database
- Used to detect fraudulent enrollment in multiple social benefits programs, etc.
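The enrollment/match pipeline, the FMR/FNMR trade-off at a threshold T, and the three application categories (1:1 verification, 1:N identification, N:N duplicate checking) described in the preceding slides, as an added worked example that is not code from the deck: a toy system whose templates are 256-bit codes compared by normalized Hamming distance (the comparison scheme used for iris codes). The subjects, the per-capture noise level, and the threshold 0.30 are constructed assumptions for the demonstration, not figures from the slides.

```python
"""Toy biometric system: enrollment, 1:1 verification, 1:N identification,
N:N duplicate check, and FMR/FNMR at a matching threshold T.
Constructed example; templates are 256-bit codes compared by normalized
Hamming distance (as iris codes are), and all subjects/captures are synthetic."""
import random

CODE_BITS = 256


def extract_template(features):
    """Quantize a feature vector to a bit string (1 where the feature is
    positive). Real extractors do far more; the output is likewise a compact,
    comparable template rather than the raw sample."""
    return tuple(1 if f > 0 else 0 for f in features)


def compare(template_a, template_b):
    """Dissimilarity score in [0, 1]: fraction of differing bits. Unrelated
    codes land near 0.5; two captures of the same trait land well below."""
    differing = sum(a != b for a, b in zip(template_a, template_b))
    return differing / len(template_a)


class BiometricSystem:
    def __init__(self, threshold):
        self.threshold = threshold  # T: a score <= T is declared a MATCH
        self.gallery = {}           # subject_id -> stored template

    def enroll(self, subject_id, features):
        self.gallery[subject_id] = extract_template(features)

    def verify(self, claimed_id, features):
        """1:1 - compare the live capture against one claimed identity."""
        score = compare(self.gallery[claimed_id], extract_template(features))
        return score <= self.threshold, score

    def identify(self, features):
        """1:N - search the whole gallery; candidates under T, best first."""
        probe = extract_template(features)
        scored = sorted((compare(t, probe), sid) for sid, t in self.gallery.items())
        return [(sid, s) for s, sid in scored if s <= self.threshold]

    def duplicate_check(self):
        """N:N - every stored template against every other; a matching pair
        means one person is enrolled under more than one identity."""
        ids = sorted(self.gallery)
        return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
                if compare(self.gallery[a], self.gallery[b]) <= self.threshold]


def error_rates(genuine, impostor, threshold):
    """FMR = impostor comparisons accepted; FNMR = genuine comparisons rejected."""
    fmr = sum(s <= threshold for s in impostor) / len(impostor)
    fnmr = sum(s > threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def identification_fmr(fmr_1to1, gallery_size):
    """Probability that an unenrolled probe falsely matches *someone* in a
    gallery of N records: per-comparison false matches compound, which is why
    1:N search needs a stricter threshold and better samples than 1:1."""
    return 1 - (1 - fmr_1to1) ** gallery_size


# Constructed data: 20 subjects, one "true" trait each, noisy sensor captures.
_rng = random.Random(7)
TRAITS = {f"subject{i:02d}": [_rng.gauss(0, 1) for _ in range(CODE_BITS)]
          for i in range(20)}


def capture(subject_id, noise=0.3):
    """Simulate a sensor reading: the subject's trait plus per-capture noise."""
    return [f + _rng.gauss(0, noise) for f in TRAITS[subject_id]]


def demo(threshold=0.30):
    system = BiometricSystem(threshold)
    for sid in TRAITS:
        system.enroll(sid, capture(sid))
    # Fraud scenario: subject00 enrolls a second time under a new identity.
    system.enroll("subject00-alias", capture("subject00"))

    genuine = [compare(system.gallery[s], extract_template(capture(s))) for s in TRAITS]
    impostor = [compare(system.gallery[a], extract_template(capture(b)))
                for a in TRAITS for b in TRAITS if a != b]
    roc = [(t, *error_rates(genuine, impostor, t)) for t in (0.1, 0.2, 0.3, 0.4, 0.5)]
    return {
        "verify_genuine": system.verify("subject05", capture("subject05")),
        "verify_impostor": system.verify("subject05", capture("subject06")),
        "identify": system.identify(capture("subject11")),
        "duplicates": system.duplicate_check(),
        "roc": roc,  # (T, FMR, FNMR) points: FMR rises and FNMR falls as T grows
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the genuine verification accepted, the impostor rejected, the 1:N search returning only the probe's true identity, and the duplicate check surfacing the alias enrollment. The `roc` points make the threshold trade-off concrete, and `identification_fmr` puts a number on the slide's remark about 1:N needing more and better data: at a 1:1 FMR of 0.1%, a 1000-record gallery returns at least one false candidate for an unenrolled probe about 63% of the time.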
Example Biometric Applications
Verification
- Logical access to devices (computer/network logon)
- Dumb terminals, client-server access
- Internet e-commerce
- Smart card access
Identification
- Access to a facility
- Border control identification
Duplicate Checking
- Fraud detection
Devices and Sensors
Mechanical or electronic systems that are used to enroll and capture raw biometric samples in a form that can be digitized and converted into a digital biometric template. Examples include:
- Fingerprint sensors: capacitive sensors are based on silicon chips that measure the capacitance difference between finger ridges (in contact with the surface) and valleys; they can use full-finger or swipe techniques. Optical sensors use a prism, a light source and a light sensor. Light-emitting and multispectral sensors.
- Digital cameras for facial recognition: consumer-grade digital SLRs, pocket cameras, and webcams. 60 PPI are required for 1:1 matching and 90 PPI for 1:n matching. Consistency is the most important factor.
- Iris cameras for iris recognition: requires an infrared image of the iris to optimize image contrast so as to facilitate machine-based analysis. Off-the-shelf cameras aren't yet used for iris image capture; a special camera is required.
- Microphones for voice recognition: used for 1:1 verification, and consistency is very important in these scenarios.
Standardization
Building standards to which all biometrics vendors adhere is still a challenge despite the work of several national and international organizations over the past two decades.
Biometric template extraction and comparison are typically proprietary to each vendor. This prevents using a product from one company to compare templates generated by products from another.
One exception is MINEX-certified minutiae-based fingerprint template generators and matching algorithms. This category of templates and matching algorithms has been developed, tested, and certified by NIST to be interoperable for 1:1 verification on compact cards and travel documents.
Biometrics Standards
ISO/IEC JTC 1/SC 37
- 119 published ISO standards
- 29 standards under development
- 29 participating members
- 13 observing members
- Different working groups addressing: strategy; harmonized vocabulary; technical interfaces; data interchange formats; technical implementations of biometric systems; testing and reporting; cross-jurisdictional and societal aspects of biometrics
National Institute of Standards and Technology (NIST)
- Research on the various biometric modalities: fingerprint, face, iris, voice, DNA, and multimodal
- Standards development at the national and international level
- Technology testing and evaluation, which leads to innovation
- NIST partners: DOJ/FBI, DOD, DOS, Intelligence Community
Biometrics Considerations
- Cost
- Security: biometric traits can be obfuscated (e.g. deliberately altered fingerprints) to evade matching
- Privacy/intrusiveness
- Size for storage (images and templates)
- Convenience
- Speed
- Accuracy
- Connectivity and compatibility
Questions?
Sam Youness
Sam is a seasoned professional with more than 21 years of deep experience in business and IT, including architecture vision creation and building industry-wide strategies to achieve that vision. Sam has successfully delivered a large number of architectures, solutions and projects to better enable customer business. Sam is fluent in both the language of business and the language of IT. He is a results-driven technical leader with a passion for excellence. He is a relationship builder with outstanding communication skills, technically minded but always commercially aware. Sam is an established author and contributor to several books and other publications covering different topics in the areas of data management, programming languages, solution building, and security. He is a keynote speaker at high-level industry conferences and end-user events.