SlideShare a Scribd company logo

Biometric Authentication: Can We Rely On

Narudom Roongsiriwong, CISSP
Narudom Roongsiriwong, CISSP

- NIST guidelines support limited use of biometrics for authentication and recommend it only be used as part of multi-factor authentication along with a physical authenticator. Biometrics have limitations including probabilistic matching and inability to easily revoke templates. - When biometrics are used, NIST requires a false match rate of 1 in 1000 or better, implementation of liveness detection, and preference for local rather than central matching to mitigate attacks. - For AAL2 authentication on mobile, NIST recommends using multi-factor cryptographic software authenticators activated by a second factor like biometrics. Examples include FIDO protocols and Android's CryptoObject for authenticating to remote servers. - Behavioral biometrics analyzing user

Technology
1 of 21
Download to read offline
Biometric Authentication: Can We Rely On? Narudom Roongsiriwong CISSP, CCSK June 10, 2023
WhoAmI ● Lazy Blogger – Japan, Security, FOSS, Politics, Christian – http://narudomr.blogspot.com ● Information Security since 1995 ● Web Application Development since 1998 ● SVP, Global Architecture and Cyber Security, Banpu Public Company Limited ● Security and Risk Committee at National Digital ID Co.,Ltd. ● Cloud Security Alliance Fellow ● OWASP Bangkok Chapter Leader ● APAC Research Advisory Council Member, Cloud Security Alliance Asia Pacific ● CISO of the Year 2017, NetworkWorld Asia ● Contact: narudom@owasp.org
Disclaimer ● This presentation will focus on using biometrics for authentication not for identity proofing. ● Biometrics in “Enrollment and Identity Proofing” is not in this discussion because it takes an essential role. See NIST SP800- 63A ● Reference to any entities is for design and usage examples, not to blame.
Identity Proofing vs Authentication http://narudomr.blogspot.com/2018/02/identity-proofing-authentication.html
Traditional Means of Authentication Something You Know Something You Have Something You Are cryptographic keys, electronic keycards, smart cards, mobile phone, and physical keys. This type of authenticator is referred to as a token a password, a personal identification number (PIN), or answers to a prearranged set of questions static biometrics such as facial, fingerprint, hand geometry, retina pattern, iris, signature, and voice
● Authenticate user based on one of their physical characteristics: – Facial – Fingerprint – Hand Geometry – Retina Pattern – Iris – Signature – Voice Static Biometric Authentication Hand Facial Fingerprint Voice Retina Iris Signature Accuracy Cost
Verification Identification vs
Biometric Error Rate ● False Acceptance Rate (FAR): the percentage of identification instances in which unauthorized persons are incorrectly accepted. ● False Rejection Rate (FRR): the percentage of identification instances in which authorized persons are incorrectly rejected. ● Crossover Error Rate (CER), also known as the Equal Error Rate (EER).
Why the authentication Why the authentication mean that has known mean that has known error is required for high error is required for high value transactions? value transactions? It does not make sense. It does not make sense.
NIST Special Publication 800-63B Digital Identity Guidelines Authentication and Lifecycle Management Paul A. Grassi James L. Fenton Elaine M. Newton Ray A. Perlner Andrew R. Regenscheid William E. Burr Justin P. Richer Privacy Authors: Naomi B. Lefkovitz Jamie M. Danker
NIST SP800-63B: Biometrics Restriction 5.2.3 Use of Biometrics The use of biometrics (something you are) in authentication includes both measurement of physical characteristics (e.g., fingerprint, iris, facial characteristics) and behavioral characteristics (e.g., typing cadence). Both classes are considered biometric modalities, although different modalities may differ in the extent to which they establish authentication intent as described in Section 5.2.9. For a variety of reasons, this document supports only limited use of biometrics for authentication. These reasons include: • The biometric False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself. In addition, FMR does not account for spoofing attacks. • Biometric comparison is probabilistic, whereas the other authentication factors are deterministic. • Biometric template protection schemes provide a method for revoking biometric credentials that is comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
NIST SP800-63B Supports Limited Use of Biometrics ● The biometric False Match Rate (FMR) does not provide confidence in the authentication ● Biometric comparison is probabilistic, whereas the other authentication factors are deterministic. ● Biometric template revokation is limited. ● Biometric characteristics do not constitute secrets. While presentation attack detection (PAD) technologies (e.g., liveness detection) can mitigate the risk, additional trust in the sensor or biometric processing is required.
NIST SP800-63B Biometric Requirement & Guideline ● Used only as part of multi-factor authentication with a physical authenticator (something you have). ● Operate with an FMR (False Match Rate) [ISO/IEC 2382-37] of 1 in 1000 or better. ● Implement presentation attack detection (PAD) as defined in [ISO/IEC 30107-1]. ● Biometric comparison can be performed locally on claimant’s device or at a central verifier. Since the potential for attacks on a larger scale is greater at central verifiers, local comparison is preferred.
Facial Authentication on Mobile Implementation What Are the Problems? Phone Camera Ambient/Environment Verification Liveness on Phone Facial on Server
What Should Biometric Authentication Be Used? AAL2 for Mobile Devices 23 5.1.8 Multi-Factor Cryptographic Software A multi-factor software cryptographic authenticator is a cryptographic key stored on disk or some other "soft" media that requires activation through a second factor of authentication. Authentication is accomplished by proving possession and control of the key. The authenticator output is highly dependent on the specific cryptographic protocol, but it is generally some type of signed message. The multi-factor software cryptographic authenticator is something you have, and it SHALL be activated by either something you know or something you are.
Multi-Factor Cryptographic Software (AAL2) FIDO Protocol is one of this pattern implementation But we can implement our own way
Android Authenticating to Remote Servers BiometricPrompt.CryptoObject https://android-developers.googleblog.com/2015/10/new-in-android-samples-authenticating.html Andoid API Level 28 (Android 9) and later
4th Mean of Authentication: Behavioral Biometrics https://www.biocatch.com/blog/what-is-behavioral-biometrics
Biometric Authentication: Can We Rely On
Biometric Authentication: Can We Rely On

Recommended

FIDO2 & Microsoft
FIDO2 & MicrosoftFIDO2 & Microsoft
FIDO2 & MicrosoftFIDO Alliance
 
Public private key
Public private keyPublic private key
Public private keyStudsPlanet.com
 
x.509-Directory Authentication Service
x.509-Directory Authentication Servicex.509-Directory Authentication Service
x.509-Directory Authentication ServiceSwathy T
 
Identity Security - Azure Identity Protection
Identity Security - Azure Identity ProtectionIdentity Security - Azure Identity Protection
Identity Security - Azure Identity ProtectionEng Teong Cheah
 
Digital signature schemes
Digital signature schemesDigital signature schemes
Digital signature schemesravik09783
 
Security Patterns for Software Development
Security Patterns for Software DevelopmentSecurity Patterns for Software Development
Security Patterns for Software DevelopmentNarudom Roongsiriwong, CISSP
 
S/MIME
S/MIMES/MIME
S/MIMEmaria azam
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 

Recommended

FIDO2 & Microsoft
FIDO2 & MicrosoftFIDO2 & Microsoft
FIDO2 & MicrosoftFIDO Alliance
 
Public private key
Public private keyPublic private key
Public private keyStudsPlanet.com
 
x.509-Directory Authentication Service
x.509-Directory Authentication Servicex.509-Directory Authentication Service
x.509-Directory Authentication ServiceSwathy T
 
Identity Security - Azure Identity Protection
Identity Security - Azure Identity ProtectionIdentity Security - Azure Identity Protection
Identity Security - Azure Identity ProtectionEng Teong Cheah
 
Digital signature schemes
Digital signature schemesDigital signature schemes
Digital signature schemesravik09783
 
Security Patterns for Software Development
Security Patterns for Software DevelopmentSecurity Patterns for Software Development
Security Patterns for Software DevelopmentNarudom Roongsiriwong, CISSP
 
S/MIME
S/MIMES/MIME
S/MIMEmaria azam
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
Secret key cryptography
Secret key cryptographySecret key cryptography
Secret key cryptographyPrabhat Goel
 
Secure electronic transaction
Secure electronic transactionSecure electronic transaction
Secure electronic transactionNishant Pahad
 
IP Security
IP SecurityIP Security
IP SecurityKeshab Nath
 
Email security
Email securityEmail security
Email securityBaliram Yadav
 
Cryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherCryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherNiloy Biswas
 
Authentication methods
Authentication methodsAuthentication methods
Authentication methodssana mateen
 
Hash Function
Hash FunctionHash Function
Hash FunctionSiddharth Srivastava
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key CryptosystemDevakumar Kp
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction pptSubhash Gupta
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONraf_slide
 
The Future of Authentication for IoT
The Future of Authentication for IoTThe Future of Authentication for IoT
The Future of Authentication for IoTFIDO Alliance
 
Attribute Based Encryption
Attribute Based EncryptionAttribute Based Encryption
Attribute Based EncryptionUT, San Antonio
 
Intrusion Detection
Intrusion DetectionIntrusion Detection
Intrusion DetectionGregory Hanis
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithmstrilokchandra prakash
 
Principles of public key cryptography and its Uses
Principles of public key cryptography and its UsesPrinciples of public key cryptography and its Uses
Principles of public key cryptography and its UsesMohsin Ali
 
Substitution cipher and Its Cryptanalysis
Substitution cipher and Its CryptanalysisSubstitution cipher and Its Cryptanalysis
Substitution cipher and Its CryptanalysisSunil Meena
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniquesIGZ Software house
 
3 public key cryptography
3 public key cryptography3 public key cryptography
3 public key cryptographyRutvik Mehta
 
NIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationNIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationFIDO Alliance
 
Biometric System and Recognition Authentication and Security Issues
Biometric System and Recognition Authentication and Security IssuesBiometric System and Recognition Authentication and Security Issues
Biometric System and Recognition Authentication and Security Issuesijtsrd
 

More Related Content

What's hot

Secret key cryptography
Secret key cryptographySecret key cryptography
Secret key cryptographyPrabhat Goel
 
Secure electronic transaction
Secure electronic transactionSecure electronic transaction
Secure electronic transactionNishant Pahad
 
Cryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherCryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherNiloy Biswas
 
Authentication methods
Authentication methodsAuthentication methods
Authentication methodssana mateen
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key CryptosystemDevakumar Kp
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction pptSubhash Gupta
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONraf_slide
 
The Future of Authentication for IoT
The Future of Authentication for IoTThe Future of Authentication for IoT
The Future of Authentication for IoTFIDO Alliance
 
Attribute Based Encryption
Attribute Based EncryptionAttribute Based Encryption
Attribute Based EncryptionUT, San Antonio
 
Principles of public key cryptography and its Uses
Principles of public key cryptography and its UsesPrinciples of public key cryptography and its Uses
Principles of public key cryptography and its UsesMohsin Ali
 
Substitution cipher and Its Cryptanalysis
Substitution cipher and Its CryptanalysisSubstitution cipher and Its Cryptanalysis
Substitution cipher and Its CryptanalysisSunil Meena
 
3 public key cryptography
3 public key cryptography3 public key cryptography
3 public key cryptographyRutvik Mehta
 

What's hot (20)

Secret key cryptography
Secret key cryptographySecret key cryptography
Secret key cryptography
 
Secure electronic transaction
Secure electronic transactionSecure electronic transaction
Secure electronic transaction
 
IP Security
IP SecurityIP Security
IP Security
 
Email security
Email securityEmail security
Email security
 
Cryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherCryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipher
 
Authentication methods
Authentication methodsAuthentication methods
Authentication methods
 
Hash Function
Hash FunctionHash Function
Hash Function
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key Cryptosystem
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction ppt
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTION
 
The Future of Authentication for IoT
The Future of Authentication for IoTThe Future of Authentication for IoT
The Future of Authentication for IoT
 
Attribute Based Encryption
Attribute Based EncryptionAttribute Based Encryption
Attribute Based Encryption
 
Intrusion Detection
Intrusion DetectionIntrusion Detection
Intrusion Detection
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithms
 
Principles of public key cryptography and its Uses
Principles of public key cryptography and its UsesPrinciples of public key cryptography and its Uses
Principles of public key cryptography and its Uses
 
Substitution cipher and Its Cryptanalysis
Substitution cipher and Its CryptanalysisSubstitution cipher and Its Cryptanalysis
Substitution cipher and Its Cryptanalysis
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
 
3 public key cryptography
3 public key cryptography3 public key cryptography
3 public key cryptography
 

Similar to Biometric Authentication: Can We Rely On

NIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationNIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationFIDO Alliance
 
Biometric System and Recognition Authentication and Security Issues
Biometric System and Recognition Authentication and Security IssuesBiometric System and Recognition Authentication and Security Issues
Biometric System and Recognition Authentication and Security Issuesijtsrd
 
Micro segmentation and zero trust for security and compliance - Guardicore an...
Micro segmentation and zero trust for security and compliance - Guardicore an...Micro segmentation and zero trust for security and compliance - Guardicore an...
Micro segmentation and zero trust for security and compliance - Guardicore an...YouAttestSlideshare
 
IRJET- End to End Message Encryption using Biometrics
IRJET- End to End Message Encryption using BiometricsIRJET- End to End Message Encryption using Biometrics
IRJET- End to End Message Encryption using BiometricsIRJET Journal
 
Ranjith_Bm
Ranjith_BmRanjith_Bm
Ranjith_Bmbranjith
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...Sagara Gunathunga
 
Biometric security using cryptography
Biometric security using cryptographyBiometric security using cryptography
Biometric security using cryptographySampat Patnaik
 
Behavioral biometrics
Behavioral biometricsBehavioral biometrics
Behavioral biometricsnishiyath
 
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...WSO2
 
Continuous User Identity Verification through Secure Login Session
Continuous User Identity Verification through Secure Login Session Continuous User Identity Verification through Secure Login Session
Continuous User Identity Verification through Secure Login SessionIRJET Journal
 
Brafton White Paper Example
Brafton White Paper ExampleBrafton White Paper Example
Brafton White Paper ExampleKayla Perry
 
Making User Authentication More Usable
Making User Authentication More UsableMaking User Authentication More Usable
Making User Authentication More UsableJim Fenton
 
Ecrime Practical Biometric
Ecrime Practical BiometricEcrime Practical Biometric
Ecrime Practical BiometricJorge Sebastiao
 
A secure Crypto-biometric verification protocol
A secure Crypto-biometric verification protocol A secure Crypto-biometric verification protocol
A secure Crypto-biometric verification protocol Nishmitha B
 
Boosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk ImperativeBoosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk ImperativeNational Retail Federation
 
An in-depth review on Contactless Fingerprint Identification using Deep Learning
An in-depth review on Contactless Fingerprint Identification using Deep LearningAn in-depth review on Contactless Fingerprint Identification using Deep Learning
An in-depth review on Contactless Fingerprint Identification using Deep LearningIRJET Journal
 

Similar to Biometric Authentication: Can We Rely On (20)

NIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationNIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO Authentication
 
Biometric System and Recognition Authentication and Security Issues
Biometric System and Recognition Authentication and Security IssuesBiometric System and Recognition Authentication and Security Issues
Biometric System and Recognition Authentication and Security Issues
 
Micro segmentation and zero trust for security and compliance - Guardicore an...
Micro segmentation and zero trust for security and compliance - Guardicore an...Micro segmentation and zero trust for security and compliance - Guardicore an...
Micro segmentation and zero trust for security and compliance - Guardicore an...
 
BSI Biometrics Standards Presentation
BSI Biometrics Standards PresentationBSI Biometrics Standards Presentation
BSI Biometrics Standards Presentation
 
IRJET- End to End Message Encryption using Biometrics
IRJET- End to End Message Encryption using BiometricsIRJET- End to End Message Encryption using Biometrics
IRJET- End to End Message Encryption using Biometrics
 
Ranjith_Bm
Ranjith_BmRanjith_Bm
Ranjith_Bm
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...
 
Biometric security using cryptography
Biometric security using cryptographyBiometric security using cryptography
Biometric security using cryptography
 
Behavioral biometrics
Behavioral biometricsBehavioral biometrics
Behavioral biometrics
 
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
 
Bg24375379
Bg24375379Bg24375379
Bg24375379
 
Cybersecurity Slides
Cybersecurity SlidesCybersecurity Slides
Cybersecurity Slides
 
Continuous User Identity Verification through Secure Login Session
Continuous User Identity Verification through Secure Login Session Continuous User Identity Verification through Secure Login Session
Continuous User Identity Verification through Secure Login Session
 
Brafton White Paper Example
Brafton White Paper ExampleBrafton White Paper Example
Brafton White Paper Example
 
Making User Authentication More Usable
Making User Authentication More UsableMaking User Authentication More Usable
Making User Authentication More Usable
 
Ecrime Practical Biometric
Ecrime Practical BiometricEcrime Practical Biometric
Ecrime Practical Biometric
 
A secure Crypto-biometric verification protocol
A secure Crypto-biometric verification protocol A secure Crypto-biometric verification protocol
A secure Crypto-biometric verification protocol
 
Boosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk ImperativeBoosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk Imperative
 
Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9
 
An in-depth review on Contactless Fingerprint Identification using Deep Learning
An in-depth review on Contactless Fingerprint Identification using Deep LearningAn in-depth review on Contactless Fingerprint Identification using Deep Learning
An in-depth review on Contactless Fingerprint Identification using Deep Learning
 

More from Narudom Roongsiriwong, CISSP

How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19Narudom Roongsiriwong, CISSP
 
Embedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryEmbedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryNarudom Roongsiriwong, CISSP
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard ProjectNarudom Roongsiriwong, CISSP
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsNarudom Roongsiriwong, CISSP
 

More from Narudom Roongsiriwong, CISSP (20)

Security Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdfSecurity Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdf
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19
 
Secure Software Design for Data Privacy
Secure Software Design for Data PrivacySecure Software Design for Data Privacy
Secure Software Design for Data Privacy
 
Blockchain and Cryptocurrency for Dummies
Blockchain and Cryptocurrency for DummiesBlockchain and Cryptocurrency for Dummies
Blockchain and Cryptocurrency for Dummies
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
National Digital ID Platform Technical Forum
National Digital ID Platform Technical ForumNational Digital ID Platform Technical Forum
National Digital ID Platform Technical Forum
 
IoT Security
IoT SecurityIoT Security
IoT Security
 
Embedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryEmbedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment Industry
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
 
Coding Security: Code Mania 101
Coding Security: Code Mania 101Coding Security: Code Mania 101
Coding Security: Code Mania 101
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber Criminals
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Secure Software Development Adoption Strategy
Secure Software Development Adoption StrategySecure Software Development Adoption Strategy
Secure Software Development Adoption Strategy
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
Application Security: Last Line of Defense
Application Security: Last Line of DefenseApplication Security: Last Line of Defense
Application Security: Last Line of Defense
 
AnyID and Privacy
AnyID and PrivacyAnyID and Privacy
AnyID and Privacy
 

Recently uploaded

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 

Recently uploaded (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 

Biometric Authentication: Can We Rely On

  • 1. Biometric Authentication: Can We Rely On? Narudom Roongsiriwong CISSP, CCSK June 10, 2023
  • 2. WhoAmI ● Lazy Blogger – Japan, Security, FOSS, Politics, Christian – http://narudomr.blogspot.com ● Information Security since 1995 ● Web Application Development since 1998 ● SVP, Global Architecture and Cyber Security, Banpu Public Company Limited ● Security and Risk Committee at National Digital ID Co.,Ltd. ● Cloud Security Alliance Fellow ● OWASP Bangkok Chapter Leader ● APAC Research Advisory Council Member, Cloud Security Alliance Asia Pacific ● CISO of the Year 2017, NetworkWorld Asia ● Contact: narudom@owasp.org
  • 3.
  • 4. Disclaimer ● This presentation will focus on using biometrics for authentication not for identity proofing. ● Biometrics in “Enrollment and Identity Proofing” is not in this discussion because it takes an essential role. See NIST SP800- 63A ● Reference to any entities is for design and usage examples, not to blame.
  • 5. Identity Proofing vs Authentication http://narudomr.blogspot.com/2018/02/identity-proofing-authentication.html
  • 6. Traditional Means of Authentication Something You Know Something You Have Something You Are cryptographic keys, electronic keycards, smart cards, mobile phone, and physical keys. This type of authenticator is referred to as a token a password, a personal identification number (PIN), or answers to a prearranged set of questions static biometrics such as facial, fingerprint, hand geometry, retina pattern, iris, signature, and voice
  • 7. ● Authenticate user based on one of their physical characteristics: – Facial – Fingerprint – Hand Geometry – Retina Pattern – Iris – Signature – Voice Static Biometric Authentication Hand Facial Fingerprint Voice Retina Iris Signature Accuracy Cost
  • 9. Biometric Error Rate ● False Acceptance Rate (FAR): the percentage of identification instances in which unauthorized persons are incorrectly accepted. ● False Rejection Rate (FRR): the percentage of identification instances in which authorized persons are incorrectly rejected. ● Crossover Error Rate (CER), also known as the Equal Error Rate (EER).
  • 10. Why the authentication Why the authentication mean that has known mean that has known error is required for high error is required for high value transactions? value transactions? It does not make sense. It does not make sense.
  • 11. NIST Special Publication 800-63B Digital Identity Guidelines Authentication and Lifecycle Management Paul A. Grassi James L. Fenton Elaine M. Newton Ray A. Perlner Andrew R. Regenscheid William E. Burr Justin P. Richer Privacy Authors: Naomi B. Lefkovitz Jamie M. Danker
  • 12. NIST SP800-63B: Biometrics Restriction 5.2.3 Use of Biometrics The use of biometrics (something you are) in authentication includes both measurement of physical characteristics (e.g., fingerprint, iris, facial characteristics) and behavioral characteristics (e.g., typing cadence). Both classes are considered biometric modalities, although different modalities may differ in the extent to which they establish authentication intent as described in Section 5.2.9. For a variety of reasons, this document supports only limited use of biometrics for authentication. These reasons include: • The biometric False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself. In addition, FMR does not account for spoofing attacks. • Biometric comparison is probabilistic, whereas the other authentication factors are deterministic. • Biometric template protection schemes provide a method for revoking biometric credentials that is comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
  • 13. NIST SP800-63B Supports Limited Use of Biometrics ● The biometric False Match Rate (FMR) does not provide confidence in the authentication ● Biometric comparison is probabilistic, whereas the other authentication factors are deterministic. ● Biometric template revokation is limited. ● Biometric characteristics do not constitute secrets. While presentation attack detection (PAD) technologies (e.g., liveness detection) can mitigate the risk, additional trust in the sensor or biometric processing is required.
  • 14. NIST SP800-63B Biometric Requirement & Guideline ● Used only as part of multi-factor authentication with a physical authenticator (something you have). ● Operate with an FMR (False Match Rate) [ISO/IEC 2382-37] of 1 in 1000 or better. ● Implement presentation attack detection (PAD) as defined in [ISO/IEC 30107-1]. ● Biometric comparison can be performed locally on claimant’s device or at a central verifier. Since the potential for attacks on a larger scale is greater at central verifiers, local comparison is preferred.
  • 15. Facial Authentication on Mobile Implementation What Are the Problems? Phone Camera Ambient/Environment Verification Liveness on Phone Facial on Server
  • 16. What Should Biometric Authentication Be Used? AAL2 for Mobile Devices 23 5.1.8 Multi-Factor Cryptographic Software A multi-factor software cryptographic authenticator is a cryptographic key stored on disk or some other "soft" media that requires activation through a second factor of authentication. Authentication is accomplished by proving possession and control of the key. The authenticator output is highly dependent on the specific cryptographic protocol, but it is generally some type of signed message. The multi-factor software cryptographic authenticator is something you have, and it SHALL be activated by either something you know or something you are.
  • 17. Multi-Factor Cryptographic Software (AAL2) FIDO Protocol is one of this pattern implementation But we can implement our own way
  • 18. Android Authenticating to Remote Servers BiometricPrompt.CryptoObject https://android-developers.googleblog.com/2015/10/new-in-android-samples-authenticating.html Andoid API Level 28 (Android 9) and later
  • 19. 4th Mean of Authentication: Behavioral Biometrics https://www.biocatch.com/blog/what-is-behavioral-biometrics