What CISOs Need To Know Before Adopting Biometrics
Biometric data is Personally Identifiable Info...
What CISOs Need To Know Before Adopting Biometrics
Privacy Act of 1974
• Applies to federal agenc...
Don’t Use as Single or Primary Factor
Source: https://www.nist.gov/sites/default/files/nstic-stre...
Is the US legal system up to the challeng...
There is no federal law protecting biometric information
Source: https://iapp.org/news/a/can-the-u-s-legal-system-can-adap...
US Biometric Information Protection Laws
2008 Illinois Biometric Information Privacy Act (BIPA)
2009 Texas: Texas Business ...
Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
Source: http://www.chicagotribune.com/blues...
Source: https://iapp.org/news/a/can-the-u-s-legal-system-can-adapt-to-biometric-technology/
Passcode versus Fingerprint or...
NIST SP 800-63
• Update Published June 20...
Source: https://pages.nist.gov/800-63-3/
Did You Throw a NIST Party on June 22, 2017?
Contributors
Digital Identity Guidel...
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Graphic: http://www.oulu.fi/infotech/annual_report/2013/cmv
NIST Up...
Question: Store Biometrics on Device or Server, Cloud? Split?
Source: Webinar by Forrester and No...
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Source: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue...
What is the impact of GDPR?
Source: http://www.privacy-regulation.eu/en/4.htm
Source: https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-...
EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/9.htm
Article 9.1
…processing of ...
EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/9.htm
Source: https://dma.org.uk/...
Source: https://www.facebook.com/jterstegge/posts/1857555150924472
Privacy
Right to be let alone
D...
What is Multimodal Biometric Recognition?
Multimodal Biometrics
Research from California State University, Fullerton
• Use ear plus face an...
What is Continuous Authentication with Bi...
Machine learning offers the potential to authenticate
users based on multiple assessments, including
• Behavior
• Appearan...
Biometric Recognition is Probabilistic (n...
Convenience versus Security
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are...
FAR, need to know FRR plus number of attempts
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-create...
FRR at Varying FAR
September 2015
Source: http://www.eyeverify.com/independent-accuracy-studies
E...
Not All FARs are Created Equal
• Synthetic versus real data
• Calculated versus claimed
Source: h...
Source: http://www.eyelock.com/
1 in 500: Voice Recognition
1 in 10,000: Fingerprint
1 in 50,000: Touch ID
1 in 100,000: Facia...
Source: http://blog.normshield.com/2017/01/machine-learning-in-cyber-security_31.html (January 2017)
Which Biometric Mode ...
What is the Attack Model?
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pd...
Presentation Attack Detection (PAD)
Anti-...
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.qafis.com...
Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_f...
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
PAD for Finger: Implement in H...
Emerging Standard for Presentation Attack...
Presentation Attack Detection (PAD), Emerging Standards
Source: https://www.iso.org/standard/5322...
Presentation Attack Detection (PAD) for Mobile Devices
Source: https://www.iso.org/standard/53227...
How to Measure the Strength of Biometric Rec...
Source: https://pages.nist.gov/SOFA/
Source: https://www.secureidnews.com/news-item/sofa-b-enabli...
SOFA-B (NIST, April 2017)
Source: https://www.nist.gov/sites/default/files/documents/2016/11/21/s...
Source: https://pages.nist.gov/SOFA/
Source: http://www.theverge.com/2016/7/21/12247370/police-fi...
Face ID
Face ID: Demo Failed Twice
Source: https://www.youtube.com/watch?v=unIkqhB2nA0 (September 2017)
S...
Face ID: Attention Detection
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-fed...
Face ID: What About Sunglasses?
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-...
Face ID: Evil Twin Warning
Source: https://www.youtube.com/watch?v=unIkqhB2nA0
The Future
“Thought Auth”1
EEG Biosensor
• MindWave™ headset2
• Measures brainwave signals
• EEG monitor
• I...
When Does Law Enforcement Demand to Read Your Data Become a Demand to Read Your Mind?
Source: htt...
Master Key to Unlock Finger Sensors?
Source: https://www.nytimes.com/2017/04/10/technology/finger...
Gratitude
We Stand on the Shoulders of Giants
Source: https://alchetron.com/John-Daugman-489257-W
Source: h...
@Safe_SaaS
clare_nelson@clearmark.biz
Slides posted: https://www.slideshare.net/eralcnoslen
Quest...
Key Points
Key Points Summary
• In Multi-Factor Authentication (MFA), biometrics are a RESTRICTED factor
• B...
Source: http://www.idtp.com/identity/
Terms
Biometric data processing: biometric system data proc...
References
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; ...
• Steves, Michelle, et al, NISTIR, Report: Authentication Diary Study, http://nvlpubs.nist.gov/ni...
Backup Slides
Artificial Dog Nose
It smells you once, and knows you forever.
Matt Staymates, a mechanical engin...
Presentation Attack Detection (PAD)
Source: https://www.iso.org/standard/53227.html
Types of Detection
Source: https://www.nist.gov/sites/default/files/documents/2016/11/30/401_newt...
Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:2382:-37:ed-2:v1:en (2017)
Spoofing, Biometric...
Source: http://livdet.org/index.php
Presentation Attack Detection, Liveness Detection Competition
...
IARPA Face Recognition Algorithm Contest
Source: https://www.challenge.gov/challenge/face-recogni...
Face Recognition Algorithm Evaluation
Source: https://www.nist.gov/programs-projects/face-recogni...
November 2016 NIST Algorithm Test Results, Finger
Source: https://www.innovatrics.com/awards/pft/...
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Presentation Attack Detection ...
Quantum Biometrics (April 2017)
Human Eye Can Detect a Single Photon
Identify individuals by the ...
Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionId...
Presentation Attack Detection (PAD) Algorithms
Source: https://www.researchgate.net/publication/3...
Behavioral Biometrics
Source: http://www.behaviosec.com
• Requires JavaScript
• Learning curve
• ...
Types of Spoofing
Source: https://www.iso.org/standard/53227.html
Spoofing
The ability to fool a biometric system
into recognizing an illegitimate user as
a genuin...
Spoofing
Source: https://www.linkedin.com/pulse/biometric-spoofing-nadh-thota
Source: http://ieee...
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.computer....
iPhone X, Face ID
Source: https://venturebeat.com/2017/09/12/iphone-x-ditches-touch-id-for-face-i...
Source: https://www.slideshare.net/centralohioissa/jamie-bowser-a-touchid-of-ios-security
Touch ID Architecture, Release 3...
Vocabulary, 2017 ISO/IEC 2382-37
Source: https://precisebiometrics.com/wp-content/uploads/2014/11...
Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf (March 2017)
1. Device has just been turned on, or
rest...
Source: https://www.facebook.com/jterstegge/posts/1857555150924472
Source: https://www.facebook.c...
Face ID False Acceptance Rate (FAR)
Source: https://arstechnica.com/gadgets/2017/09/face-id-on-th...
Minnesota Senator Raises Concerns over iPhone X, Face ID
Published letter:
https://www.franken.senate.gov/?p=press_release...
Iris more accurate than face
Source: https://www.youtube.com/watch?v=KyDoFrojEYk&list=PLrUBqh62arzt_Uf_UamHtRFDYl1tpRVCK
S...
Source: https://twitter.com/G_ant (September 2017)
Are You Confused? Reference
Which biometrics ar...
FaceID Training
Apple trained on 1 billion plus faces, global, got permission
• Maintains this da...
Source: https://www.secureidnews.com/news-item/five-states-considering-bills-to-restrict-biometrics-use/ (February 2017)
“...
Source: http://www.americanbar.org/publications/blt/2016/05/08_claypoole.html
Maze of sectoral laws, state laws, pending c...
Homomorphic Encryption
VTT Technical Research Centre, Finland
• Biometric recognition for MFA
• R...
Face ID: Enroll, Can You Read Instructions without Glasses?
Source: http://www.idownloadblog.com/...
Face ID, Initial Use Cases
Source: http://www.idownloadblog.com/2017/09/15/face-id-overview/ (Sep...
Fingerprint Readers Eclipsed 1 Billion, Is Face the Next Wave?
Source: https://www2.deloitte.com/...
Lack of Common Vocabulary
Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-...
Issues with Biometrics
Even when organizations do not actively
attempt to abuse personal data, it...
Issues with Biometrics
• Not revocable, easy to reset password, not
easy to reset fingerprint
• I...
Source: https://www2.deloitte.com/lu/en/pages/banking-and-securities/articles/psd2-rts-on-authentication-and-communication...
EU General Data Protection Regulation (GDPR)
Source: http://www.privacy-regulation.eu/en/9.htm
Source: http://www.duhaime....
Source: https://www.whitecase.com/publications/article/chapter-4-territorial-application-unlocking-eu-general-data-protect...
Second Payment Services Directive (PSD2)
EU PSD2 Requirements for Biometric Recognition for Authentication
Date: 23 February 2017
Source: ...
Contactless Biometric Recognition, Healthcare
Source: http://healthcare.fai.fujitsu.com/resource/...
Source: https://www.semanticscholar.org/paper/Face-Spoof-Detection-With-Image-Distortion-Wen-Han/c...
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
NIST Update on Allowable Use of Biometrics
SP 800-63B, Authenticati...
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Source: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue...
Face ID: What About Doppelgängers?
Graphics: https://www.linkedin.com/feed/update/urn:li:activity...
Issues with Biometrics
Facial recognition is prone to problems with lighting conditions
• Vendor ...
Spoofing is Still Too Easy
Face Unlock
• Spoofed
• 2011 Galaxy Nexus
• 2017 Samsung S8
Source: ht...
Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
(d) No private entity in possession of a bi...
Diamond ordered to “provide a fingerprint or thumbprint”
Diamond asked officers, “Which finger do you want?”
• This requir...
Source: http://www.independent.co.uk/news/business/analysis-and-features/kfc-store-china-facial-recognition-pay-customers-...
iPhone X
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-...
Issues with Biometrics: Not Safe for Payments
Samsung Galaxy S8: Contrary to Earlier Reports:
Use...
Issues with Biometrics
Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Priva...
Source: http://www.privacy-regulation.eu/en/4.htm
Source: https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-...
EU General Data Protection Regulation (GDPR)
Article 7: Conditions for Consent
1. Where proc...
EU General Data Protection Regulation (GDPR)
Article 9: Processing of special categories of ...
Source: http://www.chicagotribune.com/bluesky/originals/ct-biometric-illinois-privacy-whats-next-bsi-20170113-story.html
S...
Source: https://www.law360.com/technology/articles/923703/kroger-unit-sued-over-alleged-storage-of-worker-fingerprints?nl_...
Issues with Biometrics, NIST List
• The biometric False Match Rate (FMR) does not provide confide...
Issues with Biometrics
• Biometric recognition systems have error rates, biometric
samples are co...
Provide Choices, Biometric Recognition Preferences Vary
Source: http://www.paymentscardsandmobile...
Source: https://fidoalliance.org/how-fido-works/
Graphic: https://www.nist.gov/sites/default/file...
Acoustic Ear-Shaped Biometric Recognition
NEC
• Microphone embedded within earphone
• Analyzes th...
Second Payment Services Directive (PSD2)
Biological Biometrics
1. Exist in public domain, and elsewhere (5.6M+ fingerprints stolen in 2015 OPM breach1)
2. May unde...
Source: http://www.planetbiometrics.com/article-details/i/1414/
“The move towards multi-factor
au...
Biometrics and Multi-Factor Authentication, The Unleashed Dragon

Presentation for September 2017 ISC2 Security Congress

Biometric Recognition for Multi-Factor Authentication
- Biological and Behavioral Biometrics
- Benefits and Issues
- What Every CISO Should Know
- Laws, Standards, and Guidelines
- How to Measure Biometric Recognition
- Attack Vectors
- Multimodal Biometric Recognition
- Continuous Authentication with Biometrics
- Face ID Update
- The Future

  1. Biometrics and Multi-Factor Authentication: The Unleashed Dragon
  2. Biometrics and Multi-Factor Authentication: The Unleashed Dragon
     Clare Nelson, CISSP, CIPP/E, @Safe_SaaS, clare_nelson@clearmark.biz
     Presentation posted on SlideShare: https://www.slideshare.net/eralcnoslen, September 25, 2017
     Graphic: https://tomatosoup13.deviantart.com/art/Daenerys-and-Her-Dragon-Game-of-Thrones-640714812
  3. Clare Nelson, CISSP, CIPP/E
     CEO, Founder, ClearMark Consulting: Security, Privacy, Identity
     • Background
       o Encrypted TCP/IP variants for NSA
       o Product Management at DEC (HP), EMC2
       o Director Global Alliances at Dell, Novell
       o VP Business Development, TeaLeaf Technology (IBM), Mi3 Security
     • 2014 Co-founded C1ph3r_Qu33ns, mentor women in cybersecurity
     • Publications include:
       o 2010 August, ISSA Journal, Security Metrics: An Overview
       o 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
     • Talks/Keynotes: Cloud Identity Summit 2017, InfraGard, HackFormers; BSides Austin; LASCON; OWASP AppSec USA, ISSA Austin; clients including Fortune 500 financial services, 2015 FTC Panel
     • B.S. Mathematics
     Graphic: http://www.activistpost.com/2015/09/fbi-biometrics-programs-surveillance-database.html
  4. Introduction • Contents • Scope
     Graphic: http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
  5. Contents
     Biometric Recognition for Multi-Factor Authentication
     1. Biological and Behavioral Biometrics
     2. Benefits and Issues
     3. What Every CISO Should Know
        • Laws, Standards, and Guidelines
     4. How to Measure Biometric Recognition
     5. Attack Vectors
     6. Multimodal Biometric Recognition
     7. Continuous Authentication with Biometrics
     8. Face ID Update
     9. The Future
     How can you tell if it’s a bad guy?
     Graphic: http://www.computerhope.com/jargon/h/hacker.htm
  6. How can you tell if it’s a bad guy?
     Scope: Biometric Recognition for Multi-Factor Authentication (MFA), Mobile Use Case (“Biometric Authentication” is deprecated)
     Biometric Recognition
                         Biometric Verification              Biometric Identification
       Comparison        1-to-1                              1-to-Many
       Purpose           Confirm or deny claimed identity    Identify a specific individual
       Use Case Example  Unlock device                       Airport security, identify a suspect
     Source: https://arstechnica.com/gadgets/2017/03/video-shows-galaxy-s8-face-recognition-can-be-defeated-with-a-picture/
     Source: https://realizethelies.com/tag/facial-recognition-software/
     Source: https://www.iso.org/standard/55194.html (2017)
  7. Definitions • Multi-Factor Authentication • Biometric Recognition
  8. Definition of Multi-Factor Authentication: Know, Have, Are
     Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
     Source: https://www.securetechalliance.org/publications-mobile-identity-authentication/
  9. Biometric Recognition
     Automated recognition of individuals based on their biological or behavioral characteristics
     Biometric Recognition Systems: compare sample to template (diagram: digital image to math model)
     • On device, or server
     • Template is established during enrollment, or updated later as part of adaptive machine learning (iPhone X neural engine)
     • If comparison score meets criteria, then recognition is confirmed
     Source: http://biometrics.derawi.com/?page_id=101
     Source: http://searchsecurity.techtarget.com/definition/biometric-authentication
     Graphic: http://www.aspire-security.eu/access-control.html
  10. What is Feature Extraction?
     Digital image of fingerprint
     • Includes ridge bifurcations and ridge endings
     • Collectively referred to as minutiae
     Algorithm, extract features (dimensionality reduction)
     • Each feature has (x, y) location and ridge direction at that location (ϴ)
     • Sensor noise and other variability in the imaging process
     • Feature extraction may miss some minutiae, and/or
     • Feature extraction may generate spurious minutiae
     • Due to the elasticity of the human skin, the relationship between minutiae may be randomly distorted from one impression to the next
     Source: https://www.security-audit.com/files/ratha.pdf (2001)
  11. Typically, Images Are Not Saved
     Diagram: digital image, feature extraction, math model
     Fingerprint image is not saved, only series of numbers (binary code), used for verification
     Source: http://www.bioelectronix.com/what_is_biometrics.html
  12. Categories of Biometrics: Biological Biometrics (Physical), Behavioral Biometrics
     Graphic: http://thepeepspot.com/9-best-compliments-to-make-a-woman-smile/
  13. Biological Biometrics: Finger, Face, Iris
     Graphic: http://www.ibmsystemsmag.com/ibmi/trends/whatsnew/Biometric-Authentication-101/
  14. Behavioral Biometrics
     Graphics: https://www.scienceabc.com/innovation/lesser-known-methods-biometrics-identification-retinal-fingerprint-scan-gait-analysis-keystroke.html
  15. Biometric Modes, Prolific Innovation
     • Face 2D, 3D
     • Fingerprints 2D, 3D via ultrasonic waves, in-display
     • Finger veins, Palm veins, Eye veins
     • Palm prints and/or the whole hand
     • Feet
     • Eyeprint, Iris, Retina, Features of eye movements
     • Face, head: its shape, specific movements
     • Ears, lip prints
     • Signature, Voice
     • How you sit, Gait, Odor, DNA
     • Keystroke, typing, mouse, touch pad
     • Electrocardiogram (ECG), Electroencephalogram (EEG)1
     • Tests: Microchip in Pills, Digital Tattoos
     • Smartphone/behavioral: Authenticate based on g-sensor and gyroscope, how you write your signature in the air2
     • Hand movement when answering the smartphone, use data from the smartphone’s accelerometer, gyroscope, and light sensor3
     1 Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
     2 Source: http://www.airsig.com
     3 Source: http://www.biometricupdate.com/201703/mobile-app-uses-hand-movement-to-authenticate-smartphone-owner
     Reference: http://www.cvphysiology.com/Arrhythmias/A009
  16. Behavioral Biometrics: Used in Passive, Continuous Authentication
     500+ Metrics, Human-Device Interactions
     • Leverage gyroscope, touch screen, accelerometer
     • Cloud, monitors 2 billion sessions/month
     • Learns behavior patterns of fraudsters
     • Detects presence of malware
     • Invisible challenge
     • How you find a missing cursor
     Source: http://www.biocatch.com
     Source: https://www.extremetech.com/extreme/215170-artificial-neural-networks-are-changing-the-world-what-are-they
  17. Behavioral Biometrics: Used in Implicit Authentication
     Passive sensor data. How you walk, type, and sit.
     Source: https://blog.unify.id/2016/09/12/unifyid-technical-overview/
  18. Benefits
  19. Benefits of Biometrics
     • Convenient
     • No tokens, cards, or fobs to lose or misplace
     • Reduces friction in some cases
     • No memorization required
     • Low cognitive load once past learning curve
     • Difficult to delegate, difficult to lend your fingers or face to another person
       • A password is easily delegated or shared
     • User acceptance is growing
       • India Aadhaar
       • iPhone Touch ID, now Face ID
     • Secure enough if used as “Restricted Factor”
       • Use to unlock device, or authenticate to smartphone
       • Caution for some implementations for financial transactions, secure access
     • Market growth and technology advancements
       • Feedback and training from earlier implementations improves solutions
     Graphic: https://cardnotpresent.com/tag/biometric-authentication/
  20. Issues
  21. Issues with Biometrics, No Panacea
     Biometrics offers no panacea in the quest for digital identities that prove foolproof and hack-proof
     Biometrics offer great promise, but
     • They are not all created equal
     • They are not a secret
     • They can be lifted
     • They can be forged
     • They can be compromised because they are not private
     – Paul Grassi, senior standards and technology advisor of the Trusted Identities Group at the National Institute of Standards and Technology (NIST)
     Panacea: Greek goddess of universal remedy
     Source: http://www.pymnts.com/news/security-and-risk/2017/digital-identity-way-beyond-the-social-security-number/ (August 2017)
     Graphic: http://01greekmythology.blogspot.com/2015/02/panacea.html
  22. Issues with Biometrics
     Biometrics can reveal medical conditions
     • Pregnancy
     • Diabetes
     • Heart disease
     • Parkinson’s
     Biometrics make it easier to gather personal information
     • Ability to do so covertly
     Biometrics can be collected at a distance
     • Increased accuracy with which individuals can be identified remotely
     • Iris at 43 feet (Long-Distance Iris Scanner)
     Biometrics can be used to link databases that have been anonymized
     • De-anonymization techniques
     Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
     Source: http://findbiometrics.com/cylab-honored-for-long-distance-iris-scanner-24272/
  23. Issues with Biometrics: Failure to Enroll (FTE), Failure to Acquire (FTA)
     Samsung S8
     • Iris recognition does not work for everyone
     • There are exceptions for every biometric modality
     Criteria for a Biometric System: Collectability, Universality, Uniqueness, Circumvention, Permanence, Acceptability, Performance
     How can you tell if it’s a bad guy?
     Source: https://insights.samsung.com/2017/03/29/which-biometric-authentication-method-is-most-secure/
     Source: https://www.cse.wustl.edu/~jain/cse571-11/ftp/biomet/
     Source: https://www.cse.wustl.edu/~jain/cse571-11/ftp/biomet/#Rahul10
  24. Issues with Biometrics: Security is Often Overestimated
     Use biometrics with another method of authentication
     • Biometrics are a complementary security control to make it easier for a human to interact with technology
     • Combine with an additional security control such as a passphrase or multi-factor authentication
     • Trust must be continuously challenged
     • Ensure person behind the device is really the person who they say they are
     – Joseph Carson, chief security scientist at Thycotic
     Will iPhone X support face and passcode, or just one or the other?
     Source: https://www.thestreet.com/story/14301038/1/iphonex-facial-biometrics-could-prevent-hackers-from-accessing-information.html
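The rule on this slide, a biometric is a restricted factor that must be combined with another control and trust must keep being challenged, written out as a policy check. This is an added example, not code from the deck or from any vendor; the possession factor (a device-bound key the server verifies), the cap of 5 consecutive biometric failures, the 15-minute freshness window and the passcode fallback are assumptions chosen for illustration.

```python
"""Added example (not from the slides): biometric as a restricted second factor.
Assumptions: the device holds a possession factor the server can verify, the
local matcher reports only match / no match, consecutive no-match results above
a cap disable the biometric until a passcode succeeds, and a session older than
a freshness window is challenged again."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set

MAX_BIOMETRIC_FAILURES = 5      # assumed cap before the biometric is disabled for the session
SESSION_MAX_AGE_S = 15 * 60     # assumed freshness window before trust is challenged again


class Factor(Enum):
    POSSESSION = "something you have"
    KNOWLEDGE = "something you know"
    INHERENCE = "something you are"   # biometric: restricted, never sufficient on its own


@dataclass
class Attempt:
    possession_ok: bool = False             # device-bound key verified by the server
    passcode_ok: bool = False               # passcode verified
    biometric_match: Optional[bool] = None  # local matcher result; None = not presented


@dataclass
class SessionState:
    biometric_failures: int = 0     # consecutive biometric no-match results
    last_auth_time: float = 0.0     # when the session was last fully authenticated


@dataclass(frozen=True)
class Verdict:
    authenticated: bool
    factors: frozenset
    reason: str


def evaluate(attempt: Attempt, state: SessionState, now: float) -> Verdict:
    """Decide whether this attempt authenticates the session; updates state in place."""
    factors: Set[Factor] = set()
    if attempt.possession_ok:
        factors.add(Factor.POSSESSION)
    if attempt.passcode_ok:
        factors.add(Factor.KNOWLEDGE)

    if attempt.biometric_match is False:
        state.biometric_failures += 1       # count before deciding; the lockout is sticky
    locked = state.biometric_failures >= MAX_BIOMETRIC_FAILURES
    if attempt.biometric_match is True and not locked:
        factors.add(Factor.INHERENCE)

    def success(reason: str) -> Verdict:
        state.biometric_failures = 0        # a full authentication re-enables the biometric
        state.last_auth_time = now
        return Verdict(True, frozenset(factors), reason)

    if {Factor.POSSESSION, Factor.KNOWLEDGE} <= factors:
        return success("possession + passcode")
    if {Factor.POSSESSION, Factor.INHERENCE} <= factors:
        return success("possession + biometric (restricted factor bound to the device)")
    if attempt.biometric_match is True and locked:
        return Verdict(False, frozenset(factors),
                       "biometric disabled after repeated failures; fall back to the passcode")
    if factors == {Factor.INHERENCE}:
        return Verdict(False, frozenset(factors),
                       "biometric alone is a restricted factor and is not sufficient")
    if Factor.INHERENCE in factors:
        return Verdict(False, frozenset(factors),
                       "biometric must be paired with a possession factor")
    return Verdict(False, frozenset(factors), "insufficient factors")


def needs_reauth(state: SessionState, now: float) -> bool:
    """Trust must be continuously challenged: re-authenticate after the freshness window."""
    return now - state.last_auth_time > SESSION_MAX_AGE_S


if __name__ == "__main__":
    s = SessionState()
    print(evaluate(Attempt(biometric_match=True), s, 0.0))                     # refused: restricted factor alone
    print(evaluate(Attempt(possession_ok=True, biometric_match=True), s, 0.0))  # accepted: have + are
```

The ordering of the checks is the point: the strongest combination (possession plus passcode) is tried first so a locked biometric never blocks the fallback path, and a biometric match is only ever counted alongside the device it is bound to, which is what keeps a lifted or forged sample from being enough on its own.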
  25. The Spoofing Problem
  26. Samsung Galaxy S8
     April 2017: Face spoofed
     May 2017: Iris spoofed
     Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April 2017)
     Source: http://www.businessinsider.com/samsung-galaxy-s8-iris-scanner-fbi-fingerprint-tech-princeton-identity-2017-4
27. iPhone X, Face ID
• September 2017: announced
• Date TBD: Face ID spoofed
Source: https://venturebeat.com/2017/09/12/iphone-x-ditches-touch-id-for-face-id/
Source: http://bgr.com/2017/09/12/iphone-x-price-specs-features/
Source: https://findbiometrics.com/apple-face-id-iphone-x-409125/
28. Biometrics Market Growth
29. Mobile Biometrics: Consumer Market Growth
• Chart covers 2016 through 2022
• CAGR ~41%
• $50 billion (2022)
CAGR = (Final Amount / Starting Amount)^(1 / Number of Years) - 1
Source: http://www.acuity-mi.com/hdfsjosg/euyotjtub/GBMRPreview.pdf
Graphic: https://www.stableinvestor.com/2013/02/calculate-compound-annual-growth-rate.html
30. Biometrics Growth Drivers
"Financial services are in a race to the bottom to remove friction" – Keynote Speaker, Cloud Identity Summit, June 2017
"Take the F out of authentication"
Source: Unnamed keynote speaker at Cloud Identity Summit, Chicago, June 2017
Graphic: https://www.stableinvestor.com/2013/02/calculate-compound-annual-growth-rate.html
31. What Every CISO Should Know
• Biometric Recognition for Multi-Factor Authentication
32. What CISOs Need To Know Before Adopting Biometrics
Before adopting biometric recognition
• Risk assessment, policy, compliance
• Architectural decisions
  • E.g., is a fingerprint reader installed on a workstation less risky than biometric authentication passed over a network?
• Store and process biometric data securely
  • Encryption
  • Privileged access management
  • Other physical security measures
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic: https://www.shrednations.com/2015/04/defining-protecting-personally-identifiable-information/
33. Biometric Recognition is not 100% Reliable
Every biometric recognition system must account for some level of false negatives and false positives
• In highly secure environments, false positives may present an unacceptable risk
• False negatives require a fallback authentication mechanism
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
34. What CISOs Need To Know Before Adopting Biometrics
Biometric data is Personally Identifiable Information (PII)
• Biometric data presents an extra layer of complexity
  • User interactions
  • Compliance
• Organizations with US government contracts may have to comply with Privacy Act of 1974 PII management practices
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic: https://www.airloom.com/technology/security-as-a-service/
35. What CISOs Need To Know Before Adopting Biometrics (Reference)
Privacy Act of 1974
• Applies to federal agencies
• Safeguards individual privacy from the misuse of federal records
• Governs the collection, maintenance, use, and dissemination of PII
• Prohibits disclosure of information without written consent of the individual
  • Unless the disclosure is pursuant to one of 12 exceptions
• Individuals can access and amend their records
• Individuals can find out if their records have been disclosed and can make corrections
Source: https://www.justice.gov/opcl/privacy-act-1974
36. Don't Use as Single or Primary Factor
Remote System Access: exclude biometrics as single or primary authentication factor
• Biometric samples are not secrets
• Biometric samples are different each time they are captured
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Graphic: http://www.itproportal.com/2016/04/07/the-role-of-biometric-authentication-techniques-in-security/
37. Is the US legal system up to the challenge?
38. There is no federal law protecting biometric information
Source: https://iapp.org/news/a/can-the-u-s-legal-system-can-adapt-to-biometric-technology/
39. US Biometric Information Protection Laws
• 2008: Illinois Biometric Information Privacy Act (BIPA)
• 2009: Texas Business and Commerce Code § 503.001
• 2017: Under consideration in CT, NH, AK, WA, and more
Source: https://www.secureidnews.com/news-item/five-states-considering-bills-to-restrict-biometrics-use/ (February 2017)
Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
Source: http://www.drinkerbiddle.com/insights/publications/2017/02/four-more-states-propose-biometrics-legislation
40. Illinois Biometric Information Privacy Act (BIPA)
L.A. Tan Enterprises
• December 2016 settlement
• $1.5 million to class of customers
• Failed to collect written consent
• Shared fingerprint scans with software vendor
Document policy for
• Retention
• Collection
• Disclosure
• Destruction
• Notification
• Consent in writing, signed
Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
Source: http://www.chicagotribune.com/bluesky/originals/ct-biometric-illinois-privacy-whats-next-bsi-20170113-story.html
41. Passcode versus Fingerprint or Face: Law Enforcement Request
Passcode
• Must you comply? No
• Testimonial or non-testimonial? Testimonial, personal knowledge
• Protection from government, law enforcement: Fifth Amendment right against self-incrimination
Fingerprint
• Must you comply? Yes
• Testimonial or non-testimonial? Non-testimonial, like a key
• Protection from government, law enforcement: Undetermined; Fourth Amendment does not protect fingerprints. Power off to disable.
Face (Face ID)
• Must you comply? Yes, depends
• Testimonial or non-testimonial? Non-testimonial. However, a law officer can simply hold the phone up to your face.
• Protection from government, law enforcement: Disable Face ID
Source: https://iapp.org/news/a/can-the-u-s-legal-system-can-adapt-to-biometric-technology/
42. NIST SP 800-63
• Update published June 2017
• New biometrics guidelines
43. Did You Throw a NIST Party on June 22, 2017?
Digital Identity Guidelines, four documents (slide lists the contributors)
Source: https://pages.nist.gov/800-63-3/
44. NIST Update on Allowable Use of Biometrics
SP 800-63B, Authentication and Lifecycle Management
Supports only limited use of biometrics for authentication
• False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself
• FMR does not account for spoofing attacks
• Biometrics SHALL be used only as part of MFA with a physical authenticator (something you have)
• Biometric characteristics do not constitute secrets
  • They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images), with or without their knowledge
  • Lifted from objects someone touches (e.g., latent fingerprints)
  • Captured with high-resolution images (e.g., iris patterns)
Implement Presentation Attack Detection (PAD)
• Demonstrate at least 90% resistance to presentation attacks
• PAD may be a mandatory requirement in the future
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Graphic: http://www.oulu.fi/infotech/annual_report/2013/cmv
45. Question: Store Biometrics on Device or Server, Cloud? Split?
Biometrics only stored on personal device (FIDO Alliance, others)
• Biometrics remain on the device, are not transmitted
• Not susceptible to theft by insiders or identity thieves who can access a server repository
Biometrics stored on server
• Works if no mobile phone, works with land line
• Works if person calls in
• Privacy concerns
  • Need consent; was it freely given?
• Server access, how secure?
  • Susceptible to theft, unwanted modification by insiders or identity thieves
Source: Webinar by Forrester and Nok Nok Labs, February 1, 2017
Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017)
Graphic: http://findbiometrics.com/topics/fido-alliance/
Graphic: https://www.carphonewarehouse.com/apple/iphone-6.html
Graphic: http://kryptostech.com/server-management/
Graphic: http://www.planetbiometrics.com/article-details/i/5463/desc/facebook-rolling-out-support-for-fido/
46. Answer from NIST SP 800-63B, Authentication and Lifecycle Management
The potential for attacks on a larger scale is greater at central verifiers (servers); local device comparison is preferred
Example from Fast IDentity Online (FIDO) Alliance
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Source: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=52946
Graphic: https://fidoalliance.org/approach-vision/
47. What is the impact of GDPR?
48. EU General Data Protection Regulation (GDPR)
• Data Protection Directive: since 1995
• GDPR starts May 25, 2018
Expanding definition of personal data
• Name
• Photo
• E-mail address
• Phone number
• Address
• Personal identification numbers
• IP address
• Mobile device identifiers
• Geo-location
• Biometric data
• Psychological identity
• Genetic identity
• Economic status
• Cultural identity
• Social identity
Source: http://www.privacy-regulation.eu/en/4.htm
Source: https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf
49. EU General Data Protection Regulation (GDPR)
Article 9.1: "…processing of biometric data for the purpose of uniquely identifying a natural person…shall be prohibited"
But there are many exceptions
Source: http://www.privacy-regulation.eu/en/9.htm
50. EU General Data Protection Regulation (GDPR)
Processing of Biometric Data (GDPR, Article 9)
• Prohibited
• 10+ exceptions
  • Consent
    • Person gives explicit consent to the processing of those personal data
    • For one or more specified purposes
  • Employment
Consent (GDPR, Article 7)
• Freely given
• Prove it was given
• Clear, plain language, no legalese
• Right to withdraw consent, easy to withdraw
Source: http://www.privacy-regulation.eu/en/9.htm
Source: https://dma.org.uk/event/webinar-the-ico-s-gdpr-consent-guidance
51. GDPR and Facial Recognition
• Privacy: right to be let alone
• Data Protection: right to NOT have data collected and used in ways that impact your rights and freedoms
• GDPR: privacy is a fundamental human right
• GDPR exceptions: reasons of substantial public interest
CCTV captures
• Face
• Location
• Time
• How you walk
• People around you
Source: https://www.facebook.com/jterstegge/posts/1857555150924472
52. What is Multimodal Biometric Recognition?
53. Multimodal Biometrics
Research from California State University, Fullerton
• Use ear plus face and fingerprint
• Multimodal biometrics adds a layer of security to the existing mobile device security
Researchers claim some mobile biometric recognition for authentication suffers from:
• Poor quality mobile hardware
  • Camera
  • Microphone
• Environmental conditions
  • Lighting
  • Background noise
• User error
• Use of unimodal biometrics, less secure
Source: https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Graphic: http://www.rd.com/health/wellness/unique-body-parts/
54. What is Continuous Authentication with Biometrics?
55. Continuous Authentication with Biometrics
Machine learning offers the potential to authenticate users based on multiple assessments, including
• Behavior
• Appearance
• Voice
• Speed at which they type
A user's device can constantly calculate a trust score that the user is who they claim to be
• Verify device: not pwned, same device
Together these factors are
• 10 times safer than fingerprints
• 100 times safer than four-digit PINs
Continuous Authentication Using Biometrics, Ahmed Awad E. Ahmed, Issa Traore, September 2011
Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017)
Source: https://www.safaribooksonline.com/library/view/continuous-authentication-using/9781613501290/
56. Biometric Recognition is Probabilistic (not Deterministic)
57. Convenience versus Security
False Acceptance Rate (FAR)
• Ratio of the number of false acceptances divided by the number of identification attempts
False Reject Rate (FRR)
• Ratio of the number of false rejections divided by the number of identification attempts
Equal Error Rate (EER)
• Operating point where the proportion of false acceptances is equal to the proportion of false rejections
Lowering the FAR favors security; lowering the FRR favors convenience
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
Source: http://www.descartesbiometrics.com/wp-content/uploads/2014/11/HELIX-Whitepaper.pdf
58. FAR: Need to Know FRR plus Number of Attempts
Apple claims a FAR of 1/50,000 for Touch ID
• Out of 50,000 imposter comparisons, up to one will be accepted as genuine
• 1/50,000 = 0.002%
Android
• Similar
• Requires FAR not more than 0.002%
• Recommends FRR no more than 10%
What is the associated FRR?
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
Source: http://www.goodeintelligence.com/press-releases/multi-modal-mobile-biometric-authentication-drives-revenues-to-over-6-2-billion-by-2022/ (April 2017)
59. FRR at Varying FAR
EyeVerify: two studies for Eyeprint ID, mobile (September 2015); chart of FRR at varying FAR
Source: http://www.eyeverify.com/independent-accuracy-studies
60. Not All FARs are Created Equal
• Synthetic versus real data
• Calculated versus claimed
iPhone X, Face ID: false acceptance rate of 1 in 1,000,000
Source: http://www.eyeverify.com/blog/biometrics-101-not-all-fars-are-created-equal
61. General Ranking: It Depends, Many Variables
• 1 in 500: Voice recognition
• 1 in 10,000: Fingerprint
• 1 in 50,000: Touch ID
• 1 in 100,000: Facial recognition
• 1 in 500,000: Single iris
• 1 in 800,000,000,000,000: DNA
Source: http://www.eyelock.com/
62. Which Biometric Mode is Best?
Not an exact science to compare
Iris is more unique than face, even among twins
Source: http://blog.normshield.com/2017/01/machine-learning-in-cyber-security_31.html (January 2017)
63. What is the Attack Model?
64. Biometric System Attack Diagram (Ratha 2001, ISO 2006, NIST 2015)
Pipeline stages: Data Capture → Signal Process → Data Storage → Compare → Decision
Attack points on the diagram:
• Presentation attack (at the capture device)
• Override capture device
• Extract/modify biometric sample
• Override signal processor
• Modify probe
• Override database
• Modify biometric reference
• Override comparator
• Modify score
• Override decision engine
• Modify decision
Demonstrate at least 90% resistance to presentation attacks.
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
65. Presentation Attack Detection (PAD), Anti-Spoofing
66. Presentation Attack Detection (PAD), Anti-Spoofing
• Active: user must participate (blink, smile, turn head)
• Passive: user participation is not needed; hardware or software algorithms
Example artefact: 3D mask
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.qafis.com/anti-spoofing
67. Presentation Attack Detection (PAD), Using Algorithms
Using Local Binary Patterns (LBP) as PAD
(a) Bona fide image
(b) Laser printer artefact
(c) Inkjet printer artefact
(d) Display attack using iPad
Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
69. PAD for Finger: Implement in Hardware, Software, or Both
Software: assess characteristics of the sample: sharpness of lines, presence of pores.
• Easier to implement.
• Easier to update, including over the air (OTA), as anti-spoofing techniques improve.
• Leverage machine learning.
Hardware: requires additional capabilities in the fingerprint scanner: ability to sense pulse, temperature, and capacitance, none of which can be done in software alone.
• Greater ability to detect "liveness" of the finger being scanned.
• More expensive.
• Consumes more power.
• May introduce latency if, for example, there is a need to sense multiple heartbeats.
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
70. Emerging Standard for Presentation Attack Detection (PAD)
71. Presentation Attack Detection (PAD), Emerging Standards
• ISO/IEC DIS 30107-2 Information technology -- Biometric presentation attack detection -- Part 2: Data formats
• ISO/IEC FDIS 30107-3 Information technology -- Biometric presentation attack detection -- Part 3: Testing and reporting
• NEW: ISO/IEC 30107-4
Source: https://www.iso.org/standard/53227.html
72. Presentation Attack Detection (PAD) for Mobile Devices
ISO/IEC 30107-4 Biometric presentation attack detection – Profile for evaluation of mobile devices. Addresses spoofing and presentation attacks against mobile devices.
Presentation Attack Detection (PAD) includes:
• Fake fingerprints.
• Video replays.
• Voice recordings.
Concern for commercial and government agencies:
• They rely on mobile device authentication for transactions and identity confirmation.
Source: https://www.iso.org/standard/53227.html
Source: https://cacm.acm.org/magazines/2016/4/200169-multimodal-biometrics-for-enhanced-mobile-device-security/abstract
Source: http://www.planetbiometrics.com/article-details/i/5803/ (April 2017)
Source: http://profit.ndtv.com/news/life-and-careers/article-new-smartphone-from-infocus-to-support-aadhaar-authentication-1634102
73. How to Measure the Strength of Biometric Recognition for Authentication?
74. Strength of Function for Authenticators (SOFA) - Biometrics
Measurement of biometric system strength (NIST, ISO/IEC, FIDO):
• Provide a level of quantitative assurance.
• Outline a process to support evaluation of biometric authenticators.
SOFA equation inputs
• Level of Effort
• PAD Error Rate (PADER)
• False Match Rate (FMR)
• False Non-Match Rate (FNMR)
Source: https://pages.nist.gov/SOFA/
Source: https://www.secureidnews.com/news-item/sofa-b-enabling-organizations-to-measure-the-strength-of-biometric-technologies/?tag=biometrics
75. SOFA-B (NIST, April 2017) (Reference)
• ZeroInfo case: no masquerade attempt, brute force, no knowledge.
• Targeted case: create a sample that resembles the individual biometric characteristic.
Source: https://www.nist.gov/sites/default/files/documents/2016/11/21/sofa_discussiondraftoverview-v1_1.pdf (April 2017)
76. Level of Effort
Presentation attacks are rated on:
• Time
• Expertise
• Equipment
Police 3D-printed a murder victim's finger to unlock his phone.
Source: https://pages.nist.gov/SOFA/
Source: http://www.theverge.com/2016/7/21/12247370/police-fingerprint-3D-printing-unlock-phone-murder (2016)
77. Face ID
78. Face ID: Demo Failed Twice
We all experience demo failures
• Craig Federighi, SVP Software Engineering
• Face ID failed twice
• Why did Federighi wipe his face afterward?
• Stock dipped from $163 a share to $159
• Closed at $161
Source: https://www.youtube.com/watch?v=unIkqhB2nA0 (September 2017)
Source: http://www.nydailynews.com/news/national/apple-reveals-iphone-x-new-face-id-tech-fails-demo-article-1.3491125 (September 2017)
79. Face ID: Attention Detection
"Attention" feature won't work for everyone
• Blind
• Vision impaired
• Cannot stare directly at phone to communicate intent
In those cases, where a face is recognized but it can't see eyes, just turn off the "attention detection" feature
• Still get Face ID, but at a lower level of overall security because it cannot ensure the user's eyes are directly focused on it
Face ID requires that it be able to see:
• Eyes
• Nose
• Mouth
There are scenarios where it just won't work
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
80. Face ID: What About Sunglasses?
• Polarized lenses are no problem
• Some lenses block infrared (IR) radiation
  • Use passcode
  • Take off sunglasses
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
Graphic: http://www.businessinsider.com/apple-suppliers-iphone-x-sales-shipments-2017-9
Graphic: http://electronics.howstuffworks.com/gadgets/high-tech-gadgets/nightvision1.htm
81. Face ID: Evil Twin Warning
Source: https://www.youtube.com/watch?v=unIkqhB2nA0
82. The Future
83. "Thought Auth" [1]
EEG Biosensor
• MindWave™ headset [2]
• Measures brainwave signals
• EEG monitor
• International Conference on Financial Cryptography and Data Security (2013) [3]
Facebook telepathy
[1] Source: Clare Nelson, March 2015
[2] Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
[3] Source: http://www.technewsworld.com/story/77762.html
84. When Does Law Enforcement's Demand to Read Your Data Become a Demand to Read Your Mind?
"That gadget in your hand is not a phone, it is a prosthetic part of your mind, which happens to make telephone calls.
• We need to ask which parts of our thoughts should be categorically shielded against prying by the state."
– Andrew Conway, Peter Eckersley, Communications of the ACM, September 2017
Source: https://cacm.acm.org/magazines/2017/9/220420-when-does-law-enforcements-demand-to-read-your-data-become-a-demand-to-read-your-mind/fulltext (September 2017)
85. Master Key to Unlock Finger Sensors?
Nasir Memon, Professor of Computer Science and Engineering, New York University
Computer simulations
• Similarities of partial prints
• Created "Master Prints"
• Matched prints 65% of the time
Source: https://www.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html?_r=2 (April 2017)
86. Gratitude
87. We Stand on the Shoulders of Giants
• John Daugman
• Sébastien Marcel
• Anil Jain
• Christoph Busch
Source: https://alchetron.com/John-Daugman-489257-W
Source: http://www.idiap.ch/~marcel/professional/Welcome.html
Source: https://www.egr.msu.edu/people/profile/jain
Source: http://nislab.no/people/norwegian_information_security_laboratory/professors/christoph_busch
88. Questions?
@Safe_SaaS
clare_nelson@clearmark.biz
Slides posted: https://www.slideshare.net/eralcnoslen
89. Key Points
90. Key Points Summary (Reference)
• In Multi-Factor Authentication (MFA), biometrics are a RESTRICTED factor
• Biometric systems have error rates, FAR, FRR; they are probabilistic
• Biometrics are not secrets
• NIST SP 800-63B, Authentication and Lifecycle Management, Allowable use of Biometrics (new from June 2017)
  • Biometrics may be used to
    • Unlock multi-factor authenticators
    • Prevent repudiation of enrollment
  • Biometrics SHALL be used only as part of multi-factor authentication with a physical authenticator (something you have).
  • Biometric comparison can be performed on the local device or on a central server
    • NIST: since the potential for attacks on a larger scale is greater at central servers, local device comparison is preferred
  • The biometric system SHOULD implement Presentation Attack Detection (PAD)
  • Testing of the biometric system SHOULD demonstrate at least 90% resistance to presentation attacks
  • PAD is being considered as a mandatory requirement in the future
• SOFA-B: measure the strength of a biometric recognition system
• ISO/IEC 30107 Presentation Attack Detection (PAD) guidelines
  • Part 4 coming: Biometric presentation attack detection – Profile for evaluation of mobile devices
• United States biometrics laws vary by state; only IL and TX so far, more coming
  • Require written consent from consumers
• GDPR
  • Prohibits processing of biometrics
  • Many exceptions: consumer gives consent, is an employee, or processing is done for reasons of substantial public interest
• Mobile biometrics consumer market growth: 41% CAGR 2016-2022, reaching $50B in 2022
• Future solutions, for some use cases:
  • Combine multimodal, behavioral biometrics with machine learning (if applicable, use continuous authentication)
  • Machine learning offers the potential to authenticate users based on multiple assessments, including
    • Behavior
    • Appearance
    • Voice
    • Speed at which they type
    • Verify device: not pwned, same device
  • A user's device can constantly calculate a trust score that the user is who they claim to be
91. Terms
• Biometric data processing: biometric system data processing including capture, quality assessment, presentation attack (spoof) detection, feature extraction, database enrollment, fusion, matching, and decision processes
• Biometric sensors and hardware: variation and types of biometric sensors and technology (e.g., capacitive, thermal, optical, infrared, multi-spectrum) required to capture high-quality samples for various modalities and applications
• Biometric system integration: the hardware and software interfacing necessary to produce a functioning biometric system optimized for a specific application, including proper utilization of biometric software development kits
• Biometric system performance: system performance and metrics including Equal Error Rate (EER), False Accept Rate (FAR), False Reject Rate (FRR), False Match Rate (FMR), False Non-Match Rate (FNMR), detection error tradeoff (DET) and receiver operating characteristic (ROC) curves, genuine and impostor score histograms, and considerations for threshold optimization for population, operating environment, and application requirements
• Biometric standards: NIST, ISO, FIDO standards
• Enrollment and capture processes: considerations for enrollment and live capture processes and errors such as failure to acquire (FTA) and failure to enroll (FTE)
• Sample quality: biometric sample quality has a direct measurable impact on the performance of the system; proper quality assessment algorithms and thresholds ensure the integrity of enrolled biometric templates
• Spoofing and presentation attack detection: recognizing and preventing attempts to use manufactured or fake biometric samples (also known as liveness detection)
• Verification and identification: verification processes require a one-to-one comparison between biometric samples to make a matching decision, while identification processes require one-to-many matching, where a sample (probe) is compared to a database (gallery) to obtain a ranked candidate list
• Physiological and behavioral modalities: biometric traits (i.e., fingerprint, face, iris, voice, vascular, DNA) and their characteristics of universality, uniqueness, permanence, measurability, performance, acceptability, and circumvention
• Soft biometrics: height, weight, skin color, scars, marks, tattoos
• Multimodal biometrics: combining (or fusing) biometric traits to improve decision accuracy, hinder spoofing, and account for unavailability of biometric traits
Source: http://www.idtp.com/identity/
95. Backup Slides
Graphic: http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
96. Artificial Dog Nose
It smells you once, and knows you forever. (Matt Staymates, a mechanical engineer at NIST)
• Schlieren imaging system visualizes the flow of vapors into an explosives detection device fitted with an artificial dog nose, mimicking the "active sniffing" of a dog.
• Artificial dog nose developed by Staymates and colleagues at NIST, MIT Lincoln Laboratory, and the FDA.
• Improves trace chemical detection as much as 16-fold.
Source: http://phys.org/news/2016-12-scientists-artificial-dog-nose-mimics.html
Photo: http://dogs.petbreeds.com/l/95/Labrador-Retriever
97. Presentation Attack Detection (PAD)
Source: https://www.iso.org/standard/53227.html
98. Types of Detection
Vendor ID, Algorithm ID, and Sensor ID
Source: https://www.nist.gov/sites/default/files/documents/2016/11/30/401_newton.pdf
99. Spoofing, Biometric Presentation Attack
Biometric presentation attack: presentation to the biometric capture system with the goal of interfering with the operation of the biometric system.
Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:2382:-37:ed-2:v1:en (2017)
100. Presentation Attack Detection, Liveness Detection Competition
Hosts: University, Notre Dame University, West Virginia University, and Warsaw University of Technology
This will be held as part of IJCB 2017, the International Joint Conference on Biometrics. The competition has two sub-competitions:
• Part I: Software-based
• Part II: System-based Test
Source: http://livdet.org/index.php
101. IARPA Face Recognition Algorithm Contest
Face Identification and Face Verification
• 1-to-1 compare.
• 1-to-many compare.
• “Face recognition is hard.”
• Algorithms commit false negative and false positive errors.
  • Head pose, illumination, and facial expression.
Looking for advancements in face recognition accuracy.
Source: https://www.challenge.gov/challenge/face-recognition-prize-challenge/ (April 2017)
102. Face Recognition Algorithm Evaluation
• Includes verification of:
  • Visa images.
  • De-duplication of passports.
  • Recognition across photojournalism images.
  • Identification of child exploitation victims.
• Part of the Face Recognition Vendor Test (FRVT).
• Results will be posted to the NIST website.
Source: https://www.nist.gov/programs-projects/face-recognition-vendor-test-frvt-ongoing
Source: http://www.planetbiometrics.com/article-details/i/5406/desc/nist-to-hold-new-round-of-face-recognition-algorithm-evaluation/
103. November 2016 NIST Algorithm Test Results, Finger
Assess the core algorithmic capability to perform one-to-one verification.
• FMR = False Match Rate
• FNMR = False Non-Match Rate
• POEBVA = Point of Entry BVA (data used for compliance testing)
  • BVA = German Federal Office of Administration
Source: https://www.innovatrics.com/awards/pft/
104. Presentation Attack Detection (PAD), Techniques
• Liveness detection: facial thermogram, blood pressure, fingerprint sweat, specific reflection properties of the eye, pulse, perspiration, pupillary unrest (hippus), brain wave signals (EEG), or electric heart signals.
• Protect the system against the injection of reconstructed or synthetic samples into the communication channel between the sensor and the feature extractor.
• Fusion strategies to increase resistance: multimodal (use more than one biometric), or combine unimodal with an anti-spoofing technique. The score reflects more than one input, unknown to the bad guy.
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
105. Quantum Biometrics (April 2017)
Human Eye Can Detect a Single Photon
Identify individuals by the way their eyes detect photons.
• Beam a random pattern of flashes into the eye.
• Vary the intensity of light in each flash.
• The pattern is detected as recognizable by a person with a specific alpha map but seems random to anyone else.
Source: https://www.technologyreview.com/s/604266/quantum-biometrics-exploits-the-human-eyes-ability-to-detect-single-photons/?utm_campaign=add_this&utm_source=twitter&utm_medium=post
106. Fusion Strategies: Example of Face and Finger
Better accuracy
• Bimodal biometric system using face and fingerprint.
• Salient features of the face and fingerprint were extracted and fused (combined).
Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
Source: http://www.iphonehacks.com/2017/01/synaptics-launches-multi-factor-facial-fingerprint-recognition-engine-smartphones-tablets.html
107. Existing and Emerging Methods and Standards, Increased Synergy
Determine how well biometric recognition solutions work
• Measure strength, use NIST SOFA-B
  • NIST creating synergy with ISO/IEC and FIDO
• Test face or finger recognition algorithms with NIST
• In future, FIDO certification for biometrics
• ISO/IEC standards for PAD, for mobile
• PAD algorithms
• Increased understanding of FAR, FRR, EER
• Accredited, third-party testing of all or part of the biometric recognition system
  • iBeta
• Usability research and testing
• Contests, e.g., LivDet, IARPA
• If biometrics are stored only on the device, provide a free version to test accuracy and usability; otherwise it is difficult to get feedback.
• Research institutes, e.g., IDIAP Research Institute in Switzerland
Source: http://biometrics.cse.msu.edu/Publications/Multibiometrics/SudhishJainCao_AdaptiveFusionIdentityDeduplication_PRL2016.pdf
108. Presentation Attack Detection (PAD) Algorithms
Source: https://www.researchgate.net/publication/312937243_Presentation_Attack_Detection_Methods_for_Face_Recognition_Systems_-_A_Comprehensive_Survey
109. Behavioral Biometrics
• Requires JavaScript
• Learning curve
• Privacy impact from constant monitoring
• Varies
  • Injury to hand
  • Intoxicated
Source: http://www.behaviosec.com
110. Types of Spoofing
Source: https://www.iso.org/standard/53227.html
111. Spoofing
The ability to fool a biometric system into recognizing an illegitimate user as a genuine one by presenting a synthetic or forged version of the original biometric trait to the sensor.
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Source: https://www.slideshare.net/SBAResearch/31c3-in20min
112. Spoofing
Types of fake fingerprints (graphic: real vs. fake)
Fake eye images, contact lenses, etc. enable hackers to fake an iris sample.
Source: https://www.linkedin.com/pulse/biometric-spoofing-nadh-thota
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
113. Face Spoofing
Matching 2.5D Face Scans to 3D Models
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.computer.org/csdl/trans/tp/2006/01/i0031.html
114. iPhone X, Face ID
Source: https://venturebeat.com/2017/09/12/iphone-x-ditches-touch-id-for-face-id/
Source: http://bgr.com/2017/09/12/iphone-x-price-specs-features/
115. Touch ID Architecture, Release 3
With iOS 9, third-party apps could use the Local Authentication security framework.
Diagram components: Touch ID Sensor, Fingerprint Map, Local Authentication Security Framework, Secure Enclave, 3rd Party Applications, Apple Applications.
Source: https://www.slideshare.net/centralohioissa/jamie-bowser-a-touchid-of-ios-security
116. Vocabulary, 2017 ISO/IEC 2382-37
Source, Domain        | Associated Terms
Biometrics Text Books | FAR (Type II) / FRR (Type I)
NIST                  | FMR / FNMR
ISO/IEC               | More, detailed / More, detailed
Risk                  | False Positive / False Negative, False Reject, Insult Rate
Equal Error Rate (EER), also known as Crossover Error Rate (CER)
Reference
Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-Paper-Understanding-Biometric-Performance-Evaluation.pdf
117. When is Passcode Required?
1. Device has just been turned on, or restarted
2. Device hasn't been unlocked for more than 48 hours
3. Device has received a remote lock command
4. After 5 unsuccessful attempts to match a fingerprint
5. When setting up or enrolling new fingers with Touch ID
6. The passcode hasn't been used to unlock the device in the last 156 hours (6.5 days) and Touch ID has not unlocked the device in the last 4 hours
Diagram: Passcode (156 hours), Touch ID (4 hours)
Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf (March 2017)
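The six conditions above, evaluated as one policy function. This is an added example, not Apple's implementation; the DeviceState record, its field names and the constructed sample states in demo() are assumptions made here.

```python
"""Added example (not Apple's code): evaluate the six iOS Security Guide
conditions under which the passcode, not Touch ID, must be used.
The DeviceState record and its field names are assumptions made here."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

FAILED_MATCH_LIMIT = 5                        # condition 4
UNLOCK_STALE_AFTER = timedelta(hours=48)      # condition 2
PASSCODE_STALE_AFTER = timedelta(hours=156)   # condition 6, 6.5 days
TOUCH_ID_RECENT_WINDOW = timedelta(hours=4)   # condition 6


@dataclass
class DeviceState:
    now: datetime
    restarted_since_unlock: bool = False        # turned on or restarted, not yet unlocked
    last_unlock: Optional[datetime] = None      # most recent unlock by any means
    remote_lock_received: bool = False
    failed_fingerprint_matches: int = 0
    enrolling_finger: bool = False
    last_passcode_unlock: Optional[datetime] = None
    last_touch_id_unlock: Optional[datetime] = None


def _older_than(now: datetime, when: Optional[datetime], window: timedelta) -> bool:
    """True when the event never happened or happened more than `window` ago."""
    return when is None or now - when > window


def passcode_required(s: DeviceState) -> List[str]:
    """Return the triggered conditions; an empty list means Touch ID may be offered."""
    reasons = []
    if s.restarted_since_unlock:
        reasons.append("1: device turned on or restarted")
    if _older_than(s.now, s.last_unlock, UNLOCK_STALE_AFTER):
        reasons.append("2: not unlocked for more than 48 hours")
    if s.remote_lock_received:
        reasons.append("3: remote lock command received")
    if s.failed_fingerprint_matches >= FAILED_MATCH_LIMIT:
        reasons.append("4: 5 unsuccessful fingerprint matches")
    if s.enrolling_finger:
        reasons.append("5: setting up or enrolling a finger")
    # Condition 6 is a conjunction: the passcode is stale AND Touch ID has not
    # unlocked the device recently. A Touch ID unlock within the last 4 hours
    # keeps Touch ID available even when the passcode has not been typed in
    # 156 hours; once both windows lapse, the passcode is demanded.
    passcode_stale = _older_than(s.now, s.last_passcode_unlock, PASSCODE_STALE_AFTER)
    touch_id_recent = not _older_than(s.now, s.last_touch_id_unlock, TOUCH_ID_RECENT_WINDOW)
    if passcode_stale and not touch_id_recent:
        reasons.append("6: passcode unused for 156 hours and Touch ID unused for 4 hours")
    return reasons


def demo() -> Dict[str, List[str]]:
    """Constructed device states (not measurements) showing the 156 h / 4 h edge."""
    now = datetime(2017, 9, 20, 12, 0)
    recent = now - timedelta(hours=3)          # inside the 4-hour Touch ID window
    lapsed = now - timedelta(hours=5)          # outside it
    stale_passcode = now - timedelta(hours=160)  # beyond 156 hours
    return {
        "touch_id_recent": passcode_required(DeviceState(
            now=now, last_unlock=recent, last_passcode_unlock=stale_passcode,
            last_touch_id_unlock=recent)),
        "both_windows_lapsed": passcode_required(DeviceState(
            now=now, last_unlock=lapsed, last_passcode_unlock=stale_passcode,
            last_touch_id_unlock=lapsed)),
        "five_failures": passcode_required(DeviceState(
            now=now, last_unlock=recent, failed_fingerprint_matches=5,
            last_passcode_unlock=recent, last_touch_id_unlock=recent)),
        "fresh_boot": passcode_required(DeviceState(now=now, restarted_since_unlock=True)),
    }
```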
118. Face Recognition, GDPR Privacy Concerns
Face recognition in CCTV. Example of the link between:
• Privacy (the right to be let alone) AND
• Data protection (the right not to have data collected and used in ways that impact people's rights and freedoms)
This technology, especially its pervasiveness, is very very worrying.
GDPR has put biometrics in the 'special data' category
• It is prohibited to process face recognition data, except for some very limited purposes
Serious flaw in GDPR: Article 9(2)(g) GDPR
• Allows governments to use this technology "for reasons of substantial public interest" and "subject to suitable safeguards to protect people's rights and freedoms"
Reference: Jeroen Terstegge, CIPP E-US, Partner at Privacy Management Partners, Utrecht Area, Netherlands
Source: https://www.facebook.com/jterstegge/posts/1857555150924472
Source: https://www.facebook.com/TheEconomist/videos/10155826328554060/?hc_ref=ARShy0cXkxwBhuFfrsnXCc9Usugj0-XSVLv7sVcTsDVF6PlWhH_tD99BTsYW50qoMmA&pnref=story
119. Face ID False Acceptance Rate (FAR)
The Face ID claim of a false acceptance rate (FAR) of 1 in 1,000,000
• Verified by third-party, independent testing?
• Touch ID FAR is 1 in 50,000
• Projecting 30,000 dots on a face does not by itself make it more accurate; it still has all the problems every other face recognition system has
• Neural networks, neural engine
Other issues include awkward ergonomics and the time to perform a successful face capture and compare
• How to hold the phone
• Get out of bright sunlight?
• Take off sunglasses?
• How many retries before Failure to Acquire (FTA)?
Many people may simply use their passcode. Surgeons and people who wear a garment that covers their face (e.g., women in some Muslim countries are required to wear a niqab in public) will need to use the passcode instead.
What is the FRR for iPhone X?
Source: https://arstechnica.com/gadgets/2017/09/face-id-on-the-iphone-x-is-probably-going-to-suck/ (September 2017)
120. Minnesota Senator Raises Concerns over iPhone X, Face ID
Security and privacy concerns with iPhone X, Face ID
Published letter: https://www.franken.senate.gov/?p=press_release&id=3759
Source: http://money.cnn.com/2017/09/14/technology/al-franken-iphone-x-face-id/index.html (September 2017)
121. Iris versus Face
Iris more accurate than face
Source: https://www.youtube.com/watch?v=KyDoFrojEYk&list=PLrUBqh62arzt_Uf_UamHtRFDYl1tpRVCK
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
122. Are You Confused?
Which biometrics are static, which are dynamic?
Reference
Source: https://twitter.com/G_ant (September 2017)
123. Face ID Training
Apple trained on 1 billion plus faces, global, with permission
• Maintains this database
“We do not gather customer data when you enroll in Face ID, it stays on your device, we do not send it to the cloud for training data.”
There is an adaptive feature of Face ID that allows it to continue to recognize your changing face as you change hair styles, grow a beard, or have plastic surgery.
• This adaptation is done completely on device by applying re-training and deep learning in the redesigned Secure Enclave.
• None of that training or re-training is done in Apple's cloud.
• Apple has stated that it will not give access to that data to anyone, for any price.
When you train the data it gets immediately stored in the Secure Enclave as a mathematical model that cannot be reverse-engineered back into a “model of a face.”
• Any re-training also happens there.
• It's on your device, in your Secure Enclave, period.
Secure Enclave, updated with Secure Enclave Processor
Truly no reverse engineering? Anonymization?
Reference
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
124. “Entities may have to consider changes to their notice and consent practices, or decide to not collect or store biometric data at all.” – Jeffrey Neuburger, National Law Review
Source: https://www.secureidnews.com/news-item/five-states-considering-bills-to-restrict-biometrics-use/ (February 2017)
125. CISO Concerns: Consent, Retention, Disposal
Maze of sectoral laws, state laws, pending cases, and recommendations
• Patchwork of privacy laws and rules governing the use and collection of biometric data
• Practitioners, technology developers, and privacy-conscious individuals should watch this rapidly developing legal landscape
• Companies employing technologies using biometric identifiers may want to err on the side of caution and ensure that their notification and consent processes are clear and conspicuous
• For cautious businesses, employ an opt-in structure for your technologies using biometric identifiers
• Look hard at your retention policies and look harder at your disposal practices
Source: http://www.americanbar.org/publications/blt/2016/05/08_claypoole.html
126. Homomorphic Encryption
VTT Technical Research Centre, Finland
• Biometric recognition for MFA
• Risk that a person's biometric identifiers leak out of the database
• Protect biological or behavioral biometric data
• Uses homomorphic encryption
Source: http://www.vttresearch.com/media/news/vtts-encryption-method-takes-authentication-to-a-new-level
127. Face ID: Enroll, Can You Read Instructions without Glasses?
• Settings
• Face ID & Passcode
• Enroll Face
• Get Started
• Follow onscreen instructions (read without glasses?)
• Gently move your head while looking at the screen to complete the circle
Source: http://www.idownloadblog.com/2017/09/15/face-id-overview/ (September 2017)
128. Face ID, Initial Use Cases
• iPhone unlock—Unlock your phone with a glance
• Auto-Lock—Keep the screen lit when reading
• iTunes and App Store—Approve app and media purchases
• Apple Pay—Check out with just a glance
• Safari Autofill—Unlock saved Safari passwords for use on websites and in apps
• Animoji—Animate emoji using your voice and facial expressions
• Messages—Reveal messages when looking at the Lock screen
• Notifications—Display protected notifications on the Lock screen
• Alarms/ringers—Lower the alarm/ringer volume with a glance
Source: http://www.idownloadblog.com/2017/09/15/face-id-overview/ (September 2017)
129. Fingerprint Readers Eclipsed 1 Billion, Is Face the Next Wave?
Source: https://www2.deloitte.com/nl/nl/pages/technologie-media-telecom/articles/tmt-predictions-2017.html
130. Lack of Common Vocabulary
Vocabulary Updates, 2017 ISO/IEC 2382-37
Source, Domain        | Associated Terms
Biometrics Text Books | FAR (Type II) / FRR (Type I)
NIST                  | FMR / FNMR
ISO/IEC               | More, detailed / More, detailed
Risk                  | False Positive / False Negative, False Reject, Insult Rate
Equal Error Rate (EER), also known as Crossover Error Rate (CER)
Source: https://precisebiometrics.com/wp-content/uploads/2014/11/White-Paper-Understanding-Biometric-Performance-Evaluation.pdf
Graphic: https://www.britannica.com/topic/Tower-of-Babel
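The rates the table above names differently in each domain, computed from comparison scores and reported under all their names at once, with the Equal Error Rate located by sweeping the decision threshold. This is an added example, not from the deck; the genuine and impostor score samples are constructed and deliberately small.

```python
"""Added example (not from the slides): compute the error rates whose names
the vocabulary table maps between, from constructed genuine (mated) and
impostor (non-mated) comparison scores, and locate the Equal Error Rate
(EER, also called the Crossover Error Rate). Scores are similarity values,
higher = closer match."""

from typing import Dict, List, Tuple

# Constructed sample scores; a real evaluation uses thousands of comparisons,
# which is also why a 1-in-1000 FMR cannot be demonstrated on ten samples.
GENUINE_SCORES = [0.91, 0.88, 0.84, 0.79, 0.77, 0.72, 0.69, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.12, 0.18, 0.23, 0.29, 0.34, 0.41, 0.47, 0.52, 0.58, 0.64]


def false_match_rate(impostor: List[float], threshold: float) -> float:
    """FMR (NIST) = FAR (textbooks) = false positive (risk vocabulary):
    share of impostor comparisons accepted because their score reached the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_non_match_rate(genuine: List[float], threshold: float) -> float:
    """FNMR (NIST) = FRR (textbooks) = false negative / false reject / insult rate
    (risk vocabulary): share of genuine comparisons rejected as below threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def vocabulary_report(genuine: List[float], impostor: List[float],
                      threshold: float) -> Dict[str, float]:
    """One threshold, every name from the table, so a textbook, a NIST report
    and a risk register can be read against the same two numbers."""
    return {
        "FAR (textbook) / Type II / FMR (NIST) / false positive (risk)":
            false_match_rate(impostor, threshold),
        "FRR (textbook) / Type I / FNMR (NIST) / false reject, insult rate (risk)":
            false_non_match_rate(genuine, threshold),
    }


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Sweep each observed score as a candidate threshold and return
    (EER, threshold) where FMR and FNMR are closest. Raising the threshold
    drives FMR down and FNMR up, so the two curves cross exactly once; the
    EER is their mean at that crossover."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        fmr = false_match_rate(impostor, t)
        fnmr = false_non_match_rate(genuine, t)
        gap = abs(fmr - fnmr)
        if best is None or gap < best[0]:
            best = (gap, (fmr + fnmr) / 2, t)
    return best[1], best[2]
```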
131. Issues with Biometrics
Even when organizations do not actively attempt to abuse personal data, it is difficult to ensure its privacy, as illustrated by some well-publicized breaches.
• OPM breach: 5.6 M fingerprints
Biometrics are often used in situations where there is a significant asymmetry of power
• Employers monitoring employees
• Governments monitoring those entering and leaving the country
Consent to process biometrics is not freely given if there is an asymmetry of power.
Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
132. Issues with Biometrics
• Not revocable: easy to reset a password, not easy to reset a fingerprint
• In MFA, biometrics are a restricted factor
• No two biometric scans are the same, each one is unique (Ratha 2001)
  • If there is a perfect match, then you know something is wrong: impostor, or malfunction
• Algorithms commit false negative and false positive errors
  • Head pose, illumination, and facial expression
• Privacy issues
  • Religious head covering: need a private place for face recognition
• GDPR: biometrics are sensitive personal data, need consent tied to a specific purpose, must be easy to withdraw consent
  • Consent must be freely given
• United States: Biometric Information Privacy Act (BIPA) laws in IL, TX
  • Vary by state; need written consent, documented purpose, retention
• Anti-spoofing technology still evolving
• Targeted attacks, mass attacks on horizon (Dr. Memon)
Source: https://www.slideshare.net/eralcnoslen/who-will-win-the-biometrics-race-v10
133. General Data Protection Regulation (GDPR) and Second Payment Services Directive (PSD2)
Timeline
• GDPR
  • May 2018
• PSD2 includes specific requirements for biometric recognition for multi-factor authentication, or what it terms “Strong Customer Authentication (SCA)”
  • SCA not until 2019
  • Still in revision process
  • Final document not published
  • Many drafts published, indicating possible guidelines
Source: https://www2.deloitte.com/lu/en/pages/banking-and-securities/articles/psd2-rts-on-authentication-and-communication.html
134. EU General Data Protection Regulation (GDPR)
If you collect consent to process biometrics:
• Clear, plain language
• Freely given
• As easy to withdraw as to give consent
No legalese
Source: http://www.privacy-regulation.eu/en/9.htm
Source: http://www.duhaime.org/LegalDictionary/L/Legalese.aspx
135. Does the GDPR Apply to US-Based Entities?
An organization based outside the EU is subject to the GDPR if it:
• Offers goods or services to EU data subjects
• Monitors the behavior of EU data subjects
GDPR applies to EU/EEA citizens in the US
• EEA = EU + Norway, Iceland, Liechtenstein
• Brexit in future
Source: https://www.whitecase.com/publications/article/chapter-4-territorial-application-unlocking-eu-general-data-protection
136. Second Payment Services Directive (PSD2)
Graphic: http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
137. EU PSD2 Requirements for Biometric Recognition for Authentication
Date: 23 February 2017
• Low False Acceptance Rate (FAR)
• Anti-spoofing measures
Diagram: Convenience, Security
Source: https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
Source: http://nordicapis.com/psd2-sanctions-access-to-personal-banking-data-amplifying-fintech-growth/
138. EU PSD2 Requirements for Biometric Recognition for Authentication
Date: 23 February 2017
• Independence of factors in multi-factor authentication
• The breach of one of the factors does not compromise the reliability of the other factors
• Use of separated secure execution environments
Factors: Know, Have, Are
Source: https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
Source: http://nordicapis.com/psd2-sanctions-access-to-personal-banking-data-amplifying-fintech-growth/
139. Contactless Biometric Recognition, Healthcare
Solution
• Palm vein
• Capture palm vein pattern with near-infrared rays
• Works with clinician and surgeon gloves
• Fujitsu data sheet
  • FAR (false accept rate) = 0.00001%
  • FRR (false reject rate) = 1.0%
Source: http://healthcare.fai.fujitsu.com/resource/essentials-to-achieve-optimal-clinical-workflow.pdf
Source: http://www.amfastech.com/2013/03/a-seminar-on-palm-vein-technology.html
140. Presentation Attack Detection (PAD), Genuine or Spoof?
Reference
Source: https://www.semanticscholar.org/paper/Face-Spoof-Detection-With-Image-Distortion-Wen-Han/cdac436dcebe8b2c90a8de5479bd3bbd8d9a087f
141. NIST Update on Allowable Use of Biometrics
SP 800-63B, Authentication and Lifecycle Management, 5.2.3. Use of Biometrics
For a variety of reasons, this document supports only limited use of biometrics for authentication. These reasons include:
• The biometric False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself.
• In addition, FMR does not account for spoofing attacks.
• Biometric comparison is probabilistic, whereas the other authentication factors are deterministic.
• Biometric template protection schemes provide a method for revoking biometric credentials that is comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
• Biometric characteristics do not constitute secrets.
• They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns).
• While presentation attack detection (PAD) technologies (e.g., liveness detection) can mitigate the risk of these types of attacks, additional trust in the sensor or biometric processing is required to ensure that PAD is operating in accordance with the needs of the CSP and the subscriber.
Therefore, the limited use of biometrics for authentication is supported with the following requirements and guidelines:
• Biometrics SHALL be used only as part of multi-factor authentication with a physical authenticator (something you have).
• The biometric system SHALL operate with an FMR [ISO/IEC 2382-37] of 1 in 1000 or better.
• This FMR SHALL be achieved under conditions of a conformant attack (i.e., zero-effort impostor attempt) as defined in [ISO/IEC 30107-1].
• The biometric system SHOULD implement PAD.
• Testing of the biometric system to be deployed SHOULD demonstrate at least 90% resistance to presentation attacks for each relevant attack type (i.e., species), where resistance is defined as the number of thwarted presentation attacks divided by the number of trial presentation attacks.
• Testing of presentation attack resistance SHALL be in accordance with Clause 12 of [ISO/IEC 30107-3].
• The PAD decision MAY be made either locally on the claimant's device or by a central verifier.
PAD = Presentation Attack Detection. PAD is being considered as a mandatory requirement in future editions of this guideline.
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
142. NIST Update on Allowable Use of Biometrics
SP 800-63B, Authentication and Lifecycle Management, 5.2.3. Use of Biometrics
The biometric system SHALL allow no more than 5 consecutive failed authentication attempts or 10 consecutive failed attempts if PAD meeting the above requirements is implemented. Once that limit has been reached, the biometric authenticator SHALL either:
• Impose a delay of at least 30 seconds before the next attempt, increasing exponentially with each successive attempt (e.g., 1 minute before the following failed attempt, 2 minutes before the second following attempt), or
• Disable the biometric user authentication and offer another factor (e.g., a different biometric modality or a PIN/Passcode if it is not already a required factor) if such an alternative method is already available.
The verifier SHALL make a determination of sensor and endpoint performance, integrity, and authenticity. Acceptable methods for making this determination include, but are not limited to:
• Authentication of the sensor or endpoint.
• Certification by an approved accreditation authority.
• Runtime interrogation of signed metadata (e.g., attestation) as described in Section 5.2.4.
Biometric comparison can be performed locally on the claimant's device or at a central verifier.
• Since the potential for attacks on a larger scale is greater at central verifiers, local comparison is preferred.
If comparison is performed centrally:
• Use of the biometric as an authentication factor SHALL be limited to one or more specific devices that are identified using approved cryptography.
• Since the biometric has not yet unlocked the main authentication key, a separate key SHALL be used for identifying the device.
Biometric revocation, referred to as biometric template protection in ISO/IEC 24745, SHALL be implemented.
All transmission of biometrics SHALL be over the authenticated protected channel.
Biometric samples collected in the authentication process MAY be used to train comparison algorithms or — with user consent — for other research purposes.
• Biometric samples and any biometric data derived from the biometric sample such as a probe produced through signal processing SHALL be zeroized immediately after any training or research data has been derived.
ISO/IEC 24745 = Information technology – Security techniques – Biometric information protection
Reference
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Source: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=52946
143. Face ID: What About Doppelgängers?
Graphics: https://www.linkedin.com/feed/update/urn:li:activity:6309838132355432448/
Graphics: http://www.thedailybeast.com/these-people-are-strangers-doppelgangers-around-the-world-photos
144. Issues with Biometrics
Facial recognition is prone to problems with lighting conditions
• Vendor evaluation
• Face recognition did not work in outdoor Austin sunshine, or in an office standing near a window
• Vendor response: “Go inside”
Voice recognition is prone to environmental background noise
• Unnamed financial services market leader
• User experience
• In car, with some background noise
• Call, and use voice: “At Unnamed, my voice is my password”
• Failed after multiple attempts, due to background noise
• Works at home, in quiet office
Fingerprint recognition is prone to moisture, dirty reader
• At unnamed employer
• Use fingerprint reader
• Touch with a registered finger
• Fails if finger is slightly damp, or reader is dirty
• Guard recommended: ridge builder (liquid with no ingredients listed, nor provided by manufacturer)
Reference
Graphic: http://www.securitysales.com/tag/biometrics/
145. Spoofing is Still Too Easy
Face Unlock
• Spoofed
  • 2011 Galaxy Nexus
  • 2017 Samsung S8
Emerging standard method for measuring strength, or comparing solutions.
Source: http://www.dailystar.co.uk/tech/news/601633/Samsung-Galaxy-S8-face-recognition-privacy-security-warning
Source: http://www.androidpolice.com/2011/11/16/still-not-convinced-that-face-unlock-is-easily-fooled-by-a-photo-heres-another-video-showing-face-programming-and-photo-unlocking-from-start-to-end/
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments
146. Illinois Biometric Information Privacy Act (BIPA)
Sec. 15. Retention; collection; disclosure; destruction.
(a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
  (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
  (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
  (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless:
  (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure;
  (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative;
  (3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or
  (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
(e) A private entity in possession of a biometric identifier or biometric information shall:
  (1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and
  (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
Policy, retention, destruction, notification, written consent, disclosure, secure storage, secure transmission
Reference
Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
147. Minnesota Supreme Court: Case about Unlocking Mobile Phone
Diamond argued that the government violated his Fifth Amendment rights
• Made him select which finger to use
Diamond ordered to “provide a fingerprint or thumbprint”; Diamond asked officers, “Which finger do you want?”
• This requirement compelled a testimonial communication
Source: http://www.twincities.com/2017/09/12/can-you-be-ordered-to-unlock-your-cell-phone-mn-supreme-court-tackles-issue/amp/ (September 2017)
148. China KFC, Pay with Smile
Hangzhou concept store
• Customers use “Smile to Pay” facial recognition
Source: http://www.independent.co.uk/news/business/analysis-and-features/kfc-store-china-facial-recognition-pay-customers-fast-food-a7923876.html
149. iPhone X
Source: https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/ (September 2017)
150. Issues with Biometrics: Not Safe for Payments
Samsung Galaxy S8: Contrary to Earlier Reports: Users cannot use facial recognition to authenticate payments
• Camera and deep learning technology still evolving for facial recognition
• Iris and fingerprint are more secure
Source: https://www.finextra.com/newsarticle/30479/samsung-galaxy-s8-facial-recognition-software-not-ready-for-payments (April 2017)
Source: http://www.economist.com/blogs/economist-explains/2015/06/economist-explains-12
151. Issues with Biometrics
Doubt over whether organizations can be trusted to follow regulations
• Obtain user consent before processing biometrics
• Secure and protect biometrics
“The ISO has decided not to approve two NSA-designed block encryption algorithms: Speck and Simon. It's because the NSA is not trusted to put security ahead of surveillance.” (September 21, 2017)
Source: http://pure.qub.ac.uk/portal/files/16553923/The_Impact_of_EU_Privacy_Legislation_on_Biometric_System_Deployment.pdf
Graphic: https://www.schneier.com/blog/archives/2017/09/iso_rejects_nsa.html
152. EU General Data Protection Regulation (GDPR)
Article 4, Definitions
• Personal data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
• Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
Source: http://www.privacy-regulation.eu/en/4.htm
Source: https://britishlegalitforum.com/wp-content/uploads/2017/02/GDPR-Whitepaper-British-Legal-Technology-Forum-2017-Sponsor.pdf
Reference
153. EU General Data Protection Regulation (GDPR)
Article 7, Conditions for Consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. (Note: Provability)
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. (Note: Clear, plain language)
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. (Note: Right to withdraw consent, easy to withdraw)
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. (Note: Freely given)
Source: http://www.privacy-regulation.eu/en/9.htm
Reference
154. EU General Data Protection Regulation (GDPR)
Article 9, Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. (Note: Prohibited)
2. Paragraph 1 shall not apply if one of the following applies: (Note: Exceptions)
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; (Note: Consent)
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; (Note: Employment)
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; (Note: Unable to give consent)
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; (Note: Foundation or non-profit)
(e) processing relates to personal data which are manifestly made public by the data subject; (Note: Personal data is public)
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; (Note: Legal defence)
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; (Note: Public interest)
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; (Note: Preventive medicine)
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; (Note: Public health interest)
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. (Note: Archiving, scientific or historical research)
Source: http://www.privacy-regulation.eu/en/9.htm
Reference
155. Illinois at Forefront of Active Court Cases
L.A. Tan Enterprises
• December 2016 settlement
• $1.5 million to class of customers
• Failed to collect written consent
• Shared fingerprint scans with software vendor
Facebook
• Ongoing
• 3 men against Facebook, tagging lawsuit
• Facebook collection, storage, use of biometric information without informed consent
Source: http://www.chicagotribune.com/bluesky/originals/ct-biometric-illinois-privacy-whats-next-bsi-20170113-story.html
Source: https://www.pattishall.com/pdf/2016-01%20Pattishall%20Insights.pdf
156. Illinois: Storage of Employee Fingerprints
No Consent
An Illinois and Wisconsin supermarket chain owned by Kroger
• Class action
• Stored employee fingerprint information without consent
Source: https://www.law360.com/technology/articles/923703/kroger-unit-sued-over-alleged-storage-of-worker-fingerprints?nl_pk=65afb77a-0e17-49b2-b31e-5e6346836849&utm_source=newsletter&utm_medium=email&utm_campaign=technology (May 2017)
Source: http://www.thenewstribune.com/news/business/article150218582.html
Source: http://www.americanbar.org/publications/blt/2016/05/08_claypoole.html
157. Issues with Biometrics, NIST List
• The biometric False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself
• FMR does not account for spoofing attacks
• Biometric comparison is probabilistic, whereas the other authentication factors are deterministic
• Biometric template protection schemes provide a method for revoking biometric credentials that is comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
• Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns). While presentation attack detection (PAD) technologies (e.g., liveness detection) can mitigate the risk of these types of attacks, additional trust in the sensor or biometric processing is required to ensure that PAD is operating in accordance with the needs of the Credential Service Provider (CSP) and the subscriber.
FMR is also known as FAR
• Touch ID: 1 in 50,000
• Face ID: 1 in 1,000,000
Biometrics may be used to
• Unlock multi-factor authenticators
• Prevent repudiation of enrollment
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Reference
158. Issues with Biometrics
• Biometric recognition systems have error rates; biometric samples are compared with a template, probabilistic
• Biometric recognition systems have False Acceptance Rates (FARs) and False Reject Rates (FRRs); the comparison yields a probability of a match
• Biometrics can be collected without user knowledge or consent
• Unique enough?
  • For now, until mass-scale attacks (Memon’s work, end of this presentation)
  • Exceptions for twins, doppelgängers
• Universal enough?
  • Exceptions in human population
  • Example: Fingerprint sampling does not work for everyone; ridge builder solution sometimes applied, in other cases need an alternative to biometrics
• Stable enough?
  • Fingerprints don’t change as much as face or voice
  • Update periodically, Face ID neural engine
  • Research: can spoof face based on neural network recognition (CMU 2016), use colorful glasses
• Overreliance on mobile device
  • Mobile biometrics use case
  • Mobile device may be compromised; mobile attack surface includes browser, OS, device
  • OWASP Mobile Top 10 references these and more
  • Keylogger installed
  • Man-in-the-Middle (MiTM) attack
  • Rooted, jailbroken devices may be less secure
  • Full control of device from iOS or Android vulnerabilities, hardware vulnerabilities
  • Social engineering
Source: http://www.biometricupdate.com/201611/cmu-researchers-develop-glasses-that-dupe-facial-recognition
Reference
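The two slides above state that biometric comparison is probabilistic (FAR/FRR at a threshold) and that a per-attempt FMR such as Touch ID's 1 in 50,000 gives no confidence by itself. The following is an added worked example, not code from the original deck: it computes FAR and FRR over constructed match scores and shows how the per-attempt FMR compounds over repeated attempts; the score lists and the threshold values are constructed for illustration.

```python
# Added example (not from the original deck): FAR/FRR at a decision threshold,
# and what a per-attempt False Match Rate means over repeated attempts.

# Constructed similarity scores (0..1, higher = more similar), not real sensor data.
# "genuine": sample compared with the enrolled user's own template.
# "impostor": sample from someone else compared with that template.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.84, 0.93, 0.72, 0.89, 0.97, 0.86]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.28, 0.66, 0.19, 0.74, 0.33, 0.22, 0.58]

# Per-attempt false match rates quoted on the NIST slide.
TOUCH_ID_FMR = 1 / 50_000
FACE_ID_FMR = 1 / 1_000_000


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) for the rule 'accept if score >= threshold'.

    FAR (the slide equates it with FMR): fraction of impostor comparisons accepted.
    FRR: fraction of genuine comparisons rejected.
    Both are estimates from samples, which is why a biometric decision is
    probabilistic rather than the exact match a password check gives.
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def tradeoff(genuine, impostor, thresholds):
    """Tabulate (threshold, FAR, FRR): raising the threshold lowers FAR but raises FRR."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def cumulative_false_match(fmr, attempts):
    """Probability that at least one of `attempts` independent impostor
    presentations is falsely matched, given a per-attempt FMR.

    A published FMR is per comparison; without an attempt limit the
    effective rate grows with every retry, which is one reason the slide
    says FMR alone gives no confidence in the authentication.
    """
    return 1.0 - (1.0 - fmr) ** attempts


if __name__ == "__main__":
    for t, far, frr in tradeoff(GENUINE_SCORES, IMPOSTOR_SCORES, [0.6, 0.7, 0.8]):
        print(f"threshold {t:.1f}: FAR {far:.2f}  FRR {frr:.2f}")
    for name, fmr in (("Touch ID", TOUCH_ID_FMR), ("Face ID", FACE_ID_FMR)):
        for n in (1, 5, 1000):
            print(f"{name}: P(false match within {n} attempts) = "
                  f"{cumulative_false_match(fmr, n):.2e}")
```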
159. Provide Choices, Biometric Recognition Preferences Vary
Consumer Preference
Consumers don’t know what this is
Source: http://www.paymentscardsandmobile.com/banks-trusted-deliver-biometric-future/
160. Mobile Biometrics: Fast Identity Online (FIDO) Example
Use biometrics to unlock smartphone, use device and encryption for online authentication
(Diagram labels: Biometrics, Encryption)
Source: https://fidoalliance.org/how-fido-works/
Graphic: https://www.nist.gov/sites/default/files/documents/2016/12/06/10_ibpc-prez-fido-ssanden-v5.pdf
Graphic: https://findbiometrics.com/solutions/facial-recognition/
161. Acoustic Ear-Shaped Biometric Recognition
NEC
• Microphone embedded within earphone
• Analyzes the resonance of sounds within the ear cavity
• Produces a biometric profile
Requires earphones
Source: http://www.handsonlabs.org/nec-developing-acoustic-ear-shape-biometric-authentication-solution/
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
162. Second Payment Services Directive (PSD2)
Graphic: http://www.idownloadblog.com/2013/08/05/biometric-expert-talks-fingers/
163. Biometric Backlash
Biological Biometrics
1. Exist in public domain, and elsewhere (5.6M+ fingerprints stolen in 2015 OPM breach) [1]
2. May undermine privacy, make identity theft more likely [2]
3. Persist in government and private databases, accreting information whether we like it or not [3]
4. User acceptance or preference varies by geography, demographic.
5. Unique, permanent biological identifiers can’t be changed or replaced in the event of a breach, so they are very dangerous if they end up in the wrong hands [4]
6. September 2017 Minnesota Senator letter about Face ID, voices privacy and security concerns
Given these, plus other biometrics issues detailed in this presentation, the ability to opt out of biometrics may prevail in some market segments
[1] Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
[2] Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
[3] Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
[4] Source: https://www.finextra.com/blogposting/14480/are-we-safe-to-bank-on-biometrics (September 2017)
Graphic: http://www.rineypackard.com/facial-recognition.php
164. “The move towards multi-factor authentication opens a door for biometrics as part of these solutions. Combining that with mobile platforms is a winning combination.”
Cathy Tilton, Daon
Source: http://www.planetbiometrics.com/article-details/i/1414/

Presentation for September 2017 ISC2 Security Congress
Biometric Recognition for Multi-Factor Authentication
- Biological and Behavioral Biometrics
- Benefits and Issues
- What Every CISO Should Know
- Laws, Standards, and Guidelines
- How to Measure Biometric Recognition
- Attack Vectors
- Multimodal Biometric Recognition
- Continuous Authentication with Biometrics
- Face ID Update
- The Future
