Your SlideShare is downloading. ×
Ben Rothke Aoa 2008   Biometrics
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Ben Rothke Aoa 2008 Biometrics


Published on

Biometrics and Aviation: Opportunities and Challenges. From the 2008 AOA conference.

Biometrics and Aviation: Opportunities and Challenges. From the 2008 AOA conference.

Published in: Technology

1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Biometrics and Aviation: Opportunities and Challenges Ben Rothke, CISSP, SITA Level 3 Senior Security Consultant BT Professional Services
  • 2. About Me
    • Ben Rothke, CISSP, CISM, SITA L3
    • Senior Security Consultant – BT Professional Services
    • Previously with AXA Equitable, Baltimore Technologies, Ernst & Young, Citibank.
    • Have worked in the information technology sector since 1988 and information security since 1994
    • Frequent writer and speaker
    • Author - Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)
  • 3. Agenda
    • How to make biometrics work in the aviation sector
      • Not an introduction to biometrics
    • Overview of authentication
    • Starting point for biometric roll-out
    • Not a monologue
      • Ask a question, make a comment, etc.
  • 4. Key Biometrics Takeaways
    • Powerful and effective technology – must know:
      • What your specific security issues are
      • How you expect biometric technology to solve them
    • Not security silver bullet or plug and play
      • Project management and methodology essential
    • Successful deployments
      • Small-scale, closed-loop applications
      • Start small
      • Gain successes
      • Grow biometric rollout
  • 5. People, Processes and Technology
    • Successful implementation of biometric technology solution depends not just on performance but:
      • Operational processes that employ the technology
      • People who execute processes
    • Biometric technology just piece of overall decision support system
      • First decision: whether to issue ID
      • Second decision: whether to admit (made at entry point)
      • Biometrics can play role in both
  • 6. Biometrics
    • Standard definition:
      • Technology that confirms a person’s identity by comparing patterns of physical characteristics in real-time against enrolled computer records of those patterns.
    • Alternate definition:
      • A way to blow your budget on an ill-conceived and poorly defined authentication project
      • Security treadmill designed to gather dust
  • 7. Why Do We Need Authentication?
  • 8. Biometric Authentication, not Identification
    • Identification
      • One-to-many match
      • Used by law enforcement to identify criminals
      • Identify qualified recipients for benefit programs
      • Registration systems for voting, licensing drivers, etc.
    • Authentication
      • One-to-one match
      • Live biometric presented by user
      • Compared to stored sample previously given by that individual during enrollment
      • Match then confirmed or rejected
  • 9. Airport Biometric Success Story
    • Ben Gurion International Airport (TLV)
      • Technological upgrades can work wonders for efficiency and dramatically improve traveler’s moods
      • Israelis flying out of TLV undergo biometric handprint check that speeds them through passport control in five seconds.
      • Most airports can’t regulate behavior of passport control agents and security officers, who are usually not airport employees
      • Israel Airports Authority does, and invests a lot of time and money in keeping the security screening process short and courteous without sacrificing quality.
      • “ Security doesn't mean that you have to be rude to somebody” - Zeev Sarig, managing director at TLV.
      • 3Q06 - the first time TLV was surveyed, it placed first out of 40 European airports and fifth among 77 worldwide.
  • 10. Other airport biometric success stories
    • SFO & TOL
      • Hand geometry devices in conjunction with ID cards to protect secure areas of airport (tarmac and loading gates)
    • ORD
      • Fingerprint biometrics for increasing speed and security for cargo truck drivers
    • CLT
      • Pilot program using iris recognition to verify employees entering secure areas
    • TLV
      • Hand geometry to speed people through customs
    • KEF
      • Face recognition for surveillance applications
  • 11. Airport Biometric Horror Stories
    • Rash of airports/airfields hastily deployed biometrics
      • Especially post 9/11
      • Lack of evaluation methodology
      • Lack of integration
      • Lack of documentation
      • Lack of capability of the technology and/or vendor
    • Lots of congressmen creating bills
    • Airports, airlines, vendors, SI, government agencies contacting FAA to offer services for demonstrations/ installations of biometric technology
    • Budgets blown, projects terminated, nothing gained
  • 12. GAO on Biometrics in Aviation
    • Effective security cannot be achieved by relying on technology alone.
    • Technology and people must work together as part of an overall security process.
    • Weaknesses in any of these areas diminish the effectiveness of the security process.
    • Security process needs to account for limitations in biometric technology.
    • GAO Report: Aviation Security - Challenges in Using Biometric Technologies
  • 13. Using Biometrics for Aviation Security
    • FAA, DHS and TSA examining use of biometrics for aviation security for several years
      • 2001 - FAA and DoD Counterdrug Technology Development Program Office co-chaired the Aviation Security Biometrics Working Group (ASBWG)
      • Examined use of biometrics in 4 aviation security applications:
        • Identity verification of employees
        • Protection of public areas in and around airports
        • Identity verification of passengers boarding aircraft
        • Identity verification of flight crews prior to and during a flight.
  • 14. Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004
    • Title IV – Transportation Security, Section 4011 – Provision for the Use of Biometric or Other Technology , directs TSA to “issue, not later than March 31, 2005, guidance for use of biometric technology in airport access control systems.”
    • TSA encourages airport operators to use this guidance document to improve upon their existing access control systems by incorporating biometric technologies.
  • 15. IRTPA - section 4011(a)(5)
    • Directs TSA Asst. Secretary, with representatives of the aviation industry, biometric identifier industry and NIST to issue guidance to establish, at minimum:
      • (A) comprehensive technical & operational system requirements and performance standards for the use of biometric identifier technology in airport access control systems (including airport perimeter access control systems) to ensure that the biometric identifier systems are effective, reliable, and secure.
      • (B) list of products and vendors that meet the requirements and standards set forth in sub paragraph (A)
      • (C) procedures for implementing biometric identifier systems to ensure that individuals do not use an assumed identity to enroll in a biometric identifier system and to resolve failures to enroll, false matches, and false non-matches
      • (D) best practices for incorporating biometric identifier technology into airport access control systems in the most effective manner, including a process to best utilize existing airport access control systems, facilities, and equipment and existing data networks connecting airports.
  • 16. Regulations Governing Airport Security
    • Title 49 CFR Chapter 12, Part 1542: Airport Security - requires airport operators to:
      • Adopt and carry out security program approved by TSA
      • Include in its security program:
        • Establish secured area – Air Operations Area (AOA) and/or Security Identification Display Area (SIDA)
        • Control entry into the secure area via access control systems
        • Perform access control functions required and procedures to control movement within secured area, including identification media
    • Majority of US airports subject to Part 1542 regulations
    • Few have access control systems with biometrics, some of which were implemented through TSA pilot programs at a limited number of access points.
  • 17. Transportation Worker Identification Credential (TWIC)
    • Established by Congress via Maritime Transportation Security Act (MTSA)
      • Administered by the TSA and U.S. Coast Guard.
    • TWICs are tamper-resistant biometric credentials
      • Issued to workers who require unescorted access to secure areas of ports, vessels, outer continental shelf facilities and all credentialed merchant mariners.
      • Expect 750,000+ workers, including longshoremen, truckers, port employees and others, will be required to obtain TWIC.
  • 18. TWIC
    • Enrollment / issuance began at Port of Wilmington, DE October 2007 and will continue through 2008
    • Obtaining TWIC
      • Individual provides biographic and biometric information, digital photograph, successfully passes TSA security threat assessment
    • Pre-enrollment saves applicant time
      • Enables them to provide biographical information and make appointment for in-person enrollment.
    • Currently, no regulatory requirements pertaining to use of TWIC readers
      • Initial testing and evaluation of TWIC readers will begin in 2008 as part of TSA pilot phase
  • 19. Strategic Biometric Planning Legacy apps Risk Modeling Awareness Dev. Implementation Training Audit Define Drivers Regulatory Evaluation/ Testing Effective Biometric Deployment Strategy Deployment Requirements
  • 20. Biometric Requirements
    • Universality
      • Every person must have this characteristic
    • Uniqueness
      • Two people unlikely to share this characteristic
      • Height, weight, hair and eye color clearly not unique
    • Permanence
      • Characteristic must be available over long term
    • Collectability
      • Must be easy and unobtrusive to obtain
  • 21. Biometric Requirements, cont.
    • Performance
      • Accuracy, speed, and robustness of technology used
    • Non-circumvention
      • Inability to bypass
    • User acceptance
      • Degree of technology approval
      • Ensure in advance that user base is not offended
  • 22. Important Features of Biometric Technologies Source: Registered Traveler Program Policy and Implementation Issues Technology characteristic Fingerprint Iris Facial Hand How it works Captures and compares fingertip patterns Captures and compares iris patterns Captures and compares facial patterns Measures and compares dimensions of hand and Fingers Cost of device Low High Moderate Moderate Enrollment time 3 minutes, 30 Seconds 2 minutes, 15 seconds About 3 minutes About 1 minute Transaction time 9 to 19 seconds 12 seconds 10 seconds 6 to 10 seconds False non-match rate .2%–36% 1.9%–6% 3.3%–70% 0%–5% False match rate 0%–8% Less than 1% 0.3%–5% 0%–2.1% User acceptance issues Associated with law enforcement, hygiene concerns User resistance, usage Difficulty Potential for privacy misuse Hygiene concerns Factors affecting Performance Dirty, dry, or worn Fingertips Poor eyesight, glare, or Reflections Lighting, orientation of face, and sunglasses Hand injuries, arthritis, Swelling Demonstrated Vulnerability Artificial fingers, reactivated latent prints High-resolution picture of iris Notebook computer with digital photographs None Variability with age Stable Stable Affected by aging Stable Commercial availability since 1970s 1997 1990s 1970s
  • 23. Leading and Emerging Biometric Technologies
    • Leading
    • Facial recognition
    • Fingerprint recognition
    • Hand geometry
    • Iris recognition
    • Retina recognition
    • Signature recognition
    • Voice recognition
    • Emerging
    • Vein scan/vascular
    • Facial thermography
    • DNA matching
    • Odor sensing
    • Blood pulse measurement
    • Skin pattern recognition
    • Nailbed identification
    • Gait recognition
    • Ear shape recognition
  • 24. Risk Management and Biometrics
    • What am I protecting?
      • Identify assets that must be protected and the impact of their potential loss.
    • Who are my adversaries?
      • Intent/capability of adversary are principal criteria for establishing degree of threat to assets
    • How am I vulnerable?
      • Identifying/characterizing vulnerabilities that allow identified threats to be realized.
      • What weaknesses allow security breach?
    • What are my priorities?
      • Risk must be assessed and priorities determined for protecting assets.
      • Risk assessment examines the potential for the loss or damage to an asset.
      • Risk levels established by assessing impact of loss or damage, threats to asset, and vulnerabilities.
    • What can I do?
      • Identify countermeasures to reduce or eliminate risks.
      • Countermeasures advantages/disadvantages weighed against their disadvantages/costs
  • 25. Keep Asking Lots of Questions
    • Does the system have clearly and narrowly defined purpose?
    • Who will use the system?
    • Have the potential system capabilities been evaluated?
    • Has there been an evaluation of range of alternative choices?
    • What types of information will be available through biometric?
    • Will biometric information be used as universal unique identifier?
    • Will storage of biometric information include extraneous information?
    • Will the system store original biometric data?
  • 26. Biometric Reality
    • 10% technology; 90% policy and management
    • Must deploy with effective methodology
    • Project planning is key
  • 27. End-user Resistance
    • Most complaints are concerns over unknown
      • Privacy
      • Hygiene
      • Union / employee groups resisting change
      • Fingerprints taken only when accused of a crime
      • Consumer and end-user resistance can sink even best technology.
      • Be prepared!
  • 28. Many People Can’t be Fingerprinted
    • Thin skin, including those who have it as part of genetic makeup
    • Use cleaning chemicals extensively
    • Prescription drugs that slightly thin the skin while treating various autoimmune ailments.
    • Finger injuries, even a knife scrape, can result in prints becoming either unreadable or altered, and lead to system rejection
    • People whose fingers have limited movement
    • Elderly population / construction workers have difficulty enrolling
    • Faded fingerprints prevent man from working at nuclear power plant -
  • 29. End-User Education
    • Deployment most effective and flows smoothly when you educate users before roll-out
    • Users need clear instructions on how to log in
    • Encourage users to read online help
    • Let users know that their biometric images will not be stored
      • Only specific features of the biometric are obtained and stored
      • Data can’t be reverted to actual biometric images
  • 30. Why Biometric Roll-outs Fail
    • Not enough servers to support deployment
    • Lack of legacy support
    • Adequate response times not established
    • No pilot testing
    • No documentation, processes or procedures
    • Ineffective training
    • Attempting too large initial roll-out
    • BR/DRP not designed into program
    • Lack of project management/project manager
      • Especially around user enrollment
  • 31. Making Biometrics Work
    • Know what your problem is
      • What is specific security problem and how can biometric solution solve it?
      • Start with simple question: What is my objective?
      • If you can’t answer these questions, your biometric initiative will fail
    • Start small
      • Gain small victories
      • Grow the program
      • Don’t think of trying a huge enterprise rollout
  • 32. No Biometric is Suitable for Every Situation
    • Hand geometry requires least data storage
    • Fingerprint and iris recognition have lowest error rates
    • Facial recognition is easiest to use
    • Each technology has limitations:
      • 2%-5% of people cannot be easily fingerprinted
      • Facial recognition systems have not performed particularly well in independent testing.
      • Iris recognition is relatively new technology and has not been used in any large operational application
  • 33. Key Considerations
    • Decide how technology will be used
    • Conduct detailed cost-benefit analysis to determine that benefits gained outweigh costs
    • Conduct trade-off analysis between increased security, which biometrics provides, and effect privacy and convenience
  • 34. Business, not technology
    • Business, not technical challenges
      • Biometrics are for most part stable and mature
    • Real challenges are:
      • Meeting business requirements
      • Integrating into applications
      • Producing documentation to deliver trust
      • Management and reliability
      • Planning and deployment
      • Managing migration and scalability
  • 35. Effective Roll-out Methodology
    • Must be deployed in strict, methodical fashion
    • Take following items into consideration:
      • Authentication strategy
      • High-level direction and commitment
      • Technology architecture
      • Baseline controls
      • Standards
      • Policies
      • Processes
      • Budget
      • Political and cultural issues
      • Physiological vs. behavioral biometric requirements
      • Implementation details
      • Workflow
      • Practice statements
      • Mechanisms
      • Testing
      • Logging
      • Training
      • Roles and Responsibilities
      • Staff
      • Backup plans
  • 36. Biometric Success Metrics
    • Delivers real business benefits
    • Deployed in timely and cost-effectively manner
    • Secure and provides trust
    • Reliable and easy to use
    • Can be managed
    • Can evolve and scale
    • Cost effective
    • Support regulatory efforts
  • 37. TSA Qualified Products List (QPL)
    • TSA and NIST create standards to evaluate biometric sub-systems for inclusion on the QPL
    • In some cases a device that does not meet all the criteria and standards may be approved for placement on the list if TSA believes its performance will be comparable to devices that meet the criteria and standards.
  • 38. References
    • GAO Report Aviation Security - Challenges in Using Biometric Technologies
    • Aviation Security Biometrics Working Group
    • Recommended Security Guidelines for Airport Planning, Design and Construction
    • Using Biometrics for Border Security
  • 39. Resources
    • International Biometric Industry Association
    • International Biometric Group
    • Biometric Consortium
    • Biometric Technology Today
    • National Biometric Security Project
    • DigitalPersona Pro
    • Penflow
    • Fingerprint Vendor Technology
    • Biometrics Institute
    • NIST
    • Precise Biometrics
    • WISeKey
    • Biometric Time & Attendance
  • 40. Conclusions
    • Biometrics efficacy tied to how effectively deployed
    • Biometrics not security silver-bullet technology
      • Will solve some of, but not all, your aviation security problems
    • Biometrics not plug and play
      • Plan to expend appropriate time and money
  • 41. Q/A – Contact info
    • Ben Rothke, CISSP, QSA
    • Senior Security Consultant
    • BT Professional Services
    • [email_address]