2. Agenda
Gemalto introduction
Computer Authentication Solutions
Biometrics on Computers
Smart Card, Biometrics and Convenience
Reference, date
3. Making people’s everyday interactions with the digital world secure and easy
Gemalto provides end-to-end solutions for digital security, from the development of software applications, through the design and production of secure personal devices such as smart cards, e-passports and secure tokens, to the deployment of managed services for our customers.
4. Introducing Gemalto
World Leader:
• World’s #1 for SIM (2)
• World’s #1 for chip payment cards (3)
• World’s #1 reference for e-passports (4)
• World’s #1 install-base of over-the-air (OTA) platforms for GSM networks (5)
• Pioneer and patent holder of high-speed SIM for mobile Internet, multimedia and mobile contactless applications
• Pioneer of the .NET card, the first Microsoft Vista compatible smart card solution
Key figures:
€ 1.7 billion revenue 2008
Innovation investment: 10 R&D sites worldwide, 1,300 engineers
Global footprint: 19 production sites, 31 personalization centers, 85 sales & marketing offices
Experienced team: 10,000 employees, 90 nationalities, 40 countries
Source: (1) Gartner 2006; (2) Frost & Sullivan 2006; (3) The Nilson Report 2007; (4) Keesing Journal of Identity 2007; (5) Gemalto 2007
6. Agenda
Gemalto introduction
Computer Authentication Solutions
Biometrics on Computers
Smart Card, Biometrics and Convenience
7. Computer Authentication Solutions
There are many ways to authenticate to a computer:
Username/Password
Tokens storing credentials
Tokens storing digital certificates
Biometrics unlocking credentials or digital certificates stored on PC
Dynamic passwords (OTP), challenge & response
... to name a few
Multifactor is recognised as necessary
Something you know, something you are, something you own
Simplicity is key
Complex solutions lead users to look for shortcuts!
Strong link to users is necessary
Avoid credential passing/borrowing
Enables non-repudiation
8. The need for strong authentication
High profile cases
UK aide to Gordon Brown gets BlackBerry stolen
– http://www.timesonline.co.uk/tol/news/politics/article4364353.ece
– “Downing Street BlackBerrys are password-protected but security officials said most are not encrypted”
FBI loses 3-4 laptops a month (2007)
– AP, http://www.msnbc.msn.com/id/17115660/
– “Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information”
Regulatory compliance
Non repudiation
Strong Authentication is an enabler
High mobility
Home office
Trust management
Real Strong authentication is mutual!
Not only user to computer/network, but also the other way around
9. Strong Authentication on computers
What is “Strong Authentication” ?
Multifactor
Mutual
Secure
Digital certificates on smart cards/tokens enable all three
Only solution today
Remaining issues
Strong but not absolute binding with user (lending of smart card)
Potential day to day issues
– Lost cards
– Blocked cards
Enter biometrics
Enables 3rd factor if needed
Makes it more convenient!
Boosts user adoption
10. Agenda
Gemalto introduction
Computer Authentication Solutions
Biometrics on Computers
Smart Card, Biometrics and Convenience
11. Biometrics and Identity
“Any distinguishing element of a physical person/entity that can be considered as unique”
Remains constant over time – mostly
Public – most of the time
Difficult to revoke
Sensitive – cultural bias
→ Needs to be considered carefully before using!
Principle of Psychological Acceptability:
A security mechanism should not make accessing a resource, or taking some action, more difficult than it would be if the security mechanism were not present.
12. What type of biometrics ?
Linked to
User acceptance
Technology maturity
Performance
Fingerprint recognition is the only prevalent type of biometrics on regular computers
Does not mean other types won't catch up quickly!
Swipe readers are now common
Source: JF Mainguet
13. Fingerprint authentication
Good maturity – standards and evaluation campaigns
Large-scale deployments – National ID schemes
Good user acceptance
Can be achieved in “Match On Card” mode
Performance is a tradeoff between:
Quality – false acceptance rate (FAR): typical figures are well below 0.001%
Convenience – false rejection rate (FRR): typical figures are below 2%
Accessibility – failure to enrol rate (FTE): below 1%
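The FAR/FRR/FTE tradeoff above, as an added worked example that is not part of the deck: sweeping a matcher's decision threshold over constructed genuine and impostor scores shows FAR falling and FRR rising as the threshold goes up, while FTE is counted separately from enrolment outcomes. The score lists and enrolment results are constructed toy data (far too few samples to exhibit rates like 0.001%); the shape of the tradeoff and the choice of an operating point against a FAR target are the point.

```python
"""Added worked example: FAR/FRR as functions of a matcher's decision threshold,
with FTE counted separately. All data below is constructed, not measured."""
from dataclasses import dataclass

# Constructed similarity scores on a 0..100 scale. "Genuine" = live finger
# matched against its own template; "impostor" = a different person's finger.
GENUINE_SCORES = [88, 91, 79, 95, 83, 70, 92, 87, 60, 90,
                  85, 96, 78, 89, 93, 81, 84, 86, 94, 77]
IMPOSTOR_SCORES = [12, 30, 45, 8, 22, 51, 19, 33, 27, 40,
                   15, 9, 36, 24, 61, 18, 29, 11, 42, 20]
# Constructed enrolment outcomes: None = sensor could not produce a usable template.
ENROLMENT_ATTEMPTS = ["t1", "t2", None, "t4", "t5", "t6", "t7", "t8", "t9", "t10"]


@dataclass(frozen=True)
class ErrorRates:
    threshold: int
    far: float  # false acceptance rate: share of impostor scores >= threshold
    frr: float  # false rejection rate: share of genuine scores < threshold


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Accept when score >= threshold; count both kinds of decision error."""
    accepted_impostors = sum(1 for s in impostor if s >= threshold)
    rejected_genuine = sum(1 for s in genuine if s < threshold)
    return ErrorRates(threshold,
                      accepted_impostors / len(impostor),
                      rejected_genuine / len(genuine))


def failure_to_enrol(attempts=ENROLMENT_ATTEMPTS):
    """FTE: share of users the system could not enrol at all; independent of threshold."""
    return sum(1 for a in attempts if a is None) / len(attempts)


def pick_threshold(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Most convenient operating point (lowest threshold, hence lowest FRR)
    whose FAR does not exceed the security target max_far."""
    for t in range(0, 102):
        rates = error_rates(t, genuine, impostor)
        if rates.far <= max_far:
            return rates
    raise ValueError("no threshold meets the FAR target")  # unreachable: FAR is 0 at t=101


def tradeoff_table(step=10):
    """Threshold sweep of the kind a practitioner would plot as a DET/ROC curve."""
    return [error_rates(t) for t in range(0, 101, step)]


if __name__ == "__main__":
    for r in tradeoff_table():
        print(f"threshold {r.threshold:3d}: FAR {r.far:.2%}  FRR {r.frr:.2%}")
    print(f"FTE {failure_to_enrol():.1%}")
    print("operating point for FAR = 0:", pick_threshold(0.0))
```

Raising the threshold buys security (FAR) at the cost of convenience (FRR); FTE is a separate accessibility cost paid at enrolment, which is why the deck lists it as a third figure rather than folding it into FRR.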
14. Biometrics on computers
Almost all corporate notebook brands embed a fingerprint reader either as option or standard
Mostly swipe readers, varying quality
Surface readers emerging
Government standards (FIPS201) as driver
61 Million fingerprint readers to be shipped in 2009
Cumulative 300 Million to date
(F&S WW Silicon Chip fingerprint market, 2007)
15. Biometrics and regulations
The use of biometrics needs to take local regulations into account
CNIL in France
European data privacy directives (data protection working party Art 29)
UK Data Protection Act
Regulations mostly require
Justification of means
Appropriate protection of biometric data
16. Biometric Technologies : Reliability vs Convenience
[Chart: biometric technologies placed on a reliability axis (+ to -) against a user-friendliness axis, grouped into physiological and behavioral types. From most to least reliable as drawn: Iris/Retina, Fingerprint, Hand, Face, Signature, Voice, Gait, Keystroke.]
17. Fingerprint Recognition
Strengths
Long experience
Good user acceptance
Good reliability
Easy to use
Weaknesses
Criminality-related image
Leaves traces (latent prints)
18. Agenda
Gemalto introduction
Computer Authentication Solutions
Biometrics on Computers
Smart Card, Biometrics and Convenience
19. Merging Biometrics & Smart Card
Mutual & Strong authentication
Using X509 certificates
Portable device
Personal, linked to user, “regulator friendly”
Biometrics establish a strong link to user
Multifactor security
Convenience
User adoption
Evolvability
Can adapt to rapidly evolving technology
20. Existing implementations
Standalone Match On Card not linked to certificates
Used with ad hoc software
Standalone 3rd authentication factor
Can be used for identification purposes
Standalone Match On Card protecting PIN code and credential storage
Enables biometric-protected credential storage
Enables biometric-protected PKI certificate usage by PIN replay
Match Off Card with fingerprints stored on card
Compatible with every existing PKI smart card
“Regulator-friendly”
Enables both credential storage & PKI cert usage by PIN replay
PKI Smart card accepting PIN and/or Match On Card
Most secure implementation
Enables card-enforced authentication policy (2 to 3 factor)
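The last implementation listed above, a PKI smart card that accepts PIN and/or Match On Card and enforces the authentication policy itself, as an added toy model that is not Gemalto's or the deck's code. The card keeps the PIN comparison, the fingerprint template and the private key on its side of the interface, so the host cannot skip a factor by "replaying" a PIN the way the Match Off Card variants rely on; the PIN_OR_BIO policy corresponds to the "swipe your finger OR enter your PIN" choice, PIN_AND_BIO to the three-factor case. The matcher, template bytes, PIN, retry limit and signature stand-in are all constructed assumptions for illustration.

```python
"""Added example (not Gemalto's code): a toy PKI card whose own firmware enforces
the authentication policy (PIN, match-on-card, either, or both) before the
private key may be used. Matcher, templates and key are constructed stand-ins."""
import hashlib
import hmac
from enum import Enum


class Policy(Enum):
    PIN_ONLY = "pin"
    BIO_ONLY = "bio"
    PIN_OR_BIO = "pin-or-bio"    # convenience: swipe finger OR enter PIN
    PIN_AND_BIO = "pin-and-bio"  # three factors: card (have) + PIN (know) + finger (are)


class CardBlocked(Exception):
    """Raised once the PIN retry counter is exhausted (the deck's 'blocked card')."""


class NotAuthenticated(Exception):
    """Raised when the private key is used before the policy is satisfied."""


MAX_PIN_TRIES = 3      # retry counter is the card's countermeasure to exhaustive PIN attacks
MATCH_THRESHOLD = 0.8  # toy matcher decision threshold (assumption)


def similarity(sample: bytes, template: bytes) -> float:
    """Toy matcher: fraction of positions whose bytes agree.
    A real Match-On-Card compares minutiae; only the accept/reject decision matters here."""
    if not sample or not template:
        return 0.0
    agree = sum(1 for a, b in zip(sample, template) if a == b)
    return agree / max(len(sample), len(template))


class PkiCard:
    """Card-side state: the host never sees the PIN comparison or the template."""

    def __init__(self, policy: Policy, pin: str, template: bytes):
        self._policy = policy
        self._pin = pin.encode()
        self._template = template  # constructed stand-in for a fingerprint template
        self._pin_tries_left = MAX_PIN_TRIES
        self._pin_verified = False
        self._bio_verified = False
        self._key = hashlib.sha256(b"toy-private-key" + template).digest()

    def verify_pin(self, candidate: str) -> bool:
        if self._pin_tries_left == 0:
            raise CardBlocked("PIN retry counter exhausted; unblock required")
        if hmac.compare_digest(candidate.encode(), self._pin):
            self._pin_tries_left = MAX_PIN_TRIES
            self._pin_verified = True
            return True
        self._pin_tries_left -= 1
        return False

    def verify_fingerprint(self, sample: bytes) -> bool:
        self._bio_verified = similarity(sample, self._template) >= MATCH_THRESHOLD
        return self._bio_verified

    def policy_satisfied(self) -> bool:
        return {
            Policy.PIN_ONLY: self._pin_verified,
            Policy.BIO_ONLY: self._bio_verified,
            Policy.PIN_OR_BIO: self._pin_verified or self._bio_verified,
            Policy.PIN_AND_BIO: self._pin_verified and self._bio_verified,
        }[self._policy]

    def sign(self, digest: bytes) -> bytes:
        """Stand-in for the card's RSA/ECDSA signature; gated by the policy."""
        if not self.policy_satisfied():
            raise NotAuthenticated(f"policy {self._policy.value} not satisfied")
        return hmac.new(self._key, digest, hashlib.sha256).digest()


# Constructed sample data for the demos below.
TEMPLATE = bytes(range(0x10, 0xB0, 0x10))   # 10 bytes
GENUINE_SWIPE = TEMPLATE[:-1] + b"\xff"     # 9 of 10 bytes agree -> score 0.9
IMPOSTOR_SWIPE = bytes(reversed(TEMPLATE))  # 0 of 10 agree -> score 0.0


def demo_three_factor() -> dict:
    """Under PIN_AND_BIO a correct PIN alone does not unlock the key."""
    card = PkiCard(Policy.PIN_AND_BIO, "1234", TEMPLATE)
    result = {"pin_ok": card.verify_pin("1234")}
    try:
        card.sign(b"\x00" * 32)
        result["signed_with_pin_only"] = True
    except NotAuthenticated:
        result["signed_with_pin_only"] = False
    result["bio_ok"] = card.verify_fingerprint(GENUINE_SWIPE)
    result["signature_len"] = len(card.sign(b"\x00" * 32))
    return result


def demo_blocked_card() -> bool:
    """Three wrong PINs exhaust the counter; the next attempt raises CardBlocked."""
    card = PkiCard(Policy.PIN_ONLY, "4321", TEMPLATE)
    for _ in range(MAX_PIN_TRIES):
        card.verify_pin("0000")
    try:
        card.verify_pin("4321")
    except CardBlocked:
        return True
    return False


if __name__ == "__main__":
    print(demo_three_factor(), demo_blocked_card())
```

Because the policy check sits in `sign()` on the card rather than in host software, an application that only knows how to send a PIN (the CryptoAPI limitation the next slide describes) still cannot bypass the fingerprint factor under PIN_AND_BIO; it simply fails until the card has seen both.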
21. Current limitations and way forward
OS Architecture can lead to limitations
MS Crypto API was not written for anything else than PIN code
Even though there are openings in future Windows versions
Practical Workarounds are available
PKCS#11 API has better support for biometrics natively
Wrappers for ill-behaving applications are possible
Most important limitation
A lot of software assumes the use of a PIN code for smart cards
Practical approach
Test and validation !
[Screenshot: “PIN or Fingerprint Authentication” dialog titled “Biometric Verification”, prompting “Please swipe your finger OR enter your PIN”; a Biometric Authentication pane (SWIPE FINGER, Select Finger) beside a PIN Authentication pane (PIN entry field); “Click here for more information”; OK / Cancel buttons]
22. Why Smart Card with Biometrics?
Provides «Something you have» to the authentication scheme
& smart card PIN code provides «something you know»
Provides privacy
No centralized database
You carry your own biometric template
Provides trust between Authority & End User
Mutual authentication
Provides simplification of operations
One to one matching
25. PIN vs Bio
PIN code                                                                  | Biometrics
Secret                                                                    | Public
Modifiable                                                                | Fixed (template)
Delegation possible                                                       | No delegation
Exhaustive attacks possible                                               | Not possible
Personalization very easy                                                 | Very difficult
Match very simple                                                         | Match not trivial
Very efficient counter measures (e.g. against physical & logical attacks) | Not yet
26. Conclusion : Smart Cards / Biometrics ?
Smart-Card + PIN & Biometrics have to be considered as complementary technologies.
Smart cards & pin-code need Biometrics
Card holder authentication
Non repudiable transaction
Biometrics need Smart cards & pin-code
Privacy
Large volume opportunity
Simplification : One to One matching
The ultimate solution :
Smart card & Pin-code + Biometrics + PKI