1) Biometrics are increasingly being used for security identification but have limitations related to the quality of analog data capture, digital processing, and potential to recreate biometric data from public images. 2) While biometrics can be more convenient than passwords, passwords stored securely with randomization and brute force protections are often more secure than biometrics. 3) The best approach is a risk-based multi-factor authentication combining biometrics, passwords, and other identifiers depending on the specific threat profile and balancing convenience with security.

1. 1
UL and the UL logo are trademarks of UL LLC © 2016
Biohazard! Biometric Security
Auscert2017 v1.1 (For PDF)
Andrew Jamieson
Innovation Group
andrew.jamieson@ul.com
@AndrewRJamieson

2. 2
‘Passwords were dead to begin with. There is no doubt
whatever about that … This must be distinctly
understood, or nothing wonderful can come of the story I
am going to relate.’
(slight re-phrase of Dickens, “A Christmas Carol”)

3. 3
Who are you? Who am I?
What are the three factors we commonly reference?

4. 4
What you know
What you are What you have

5. 5
What you are

6. 6
Odour
Vien
Gait
DNA
Signature
Typing
Voice
Retina
Iris
Facial
Ear shape
Fingergeometry
Fingerprint
Hand geometry
- Physical
- Biological
- Behavioural

7. 7

8. 8
Collect
Process Store
Enrollment
Forms ‘Template’ Stores ‘Template’

9. 9
Collect
Process Store
Compare
Report
Identification
What could possibly
go wrong?
Compares capture against
stored template

10. 10
You are not a unique snowflake!

11. 11
≡
Does that mean we
can create biometric
‘skeleton keys’?
Biometric matches are 1:many

12. 12
http://ieeexplore.ieee.org/document/7893784/

13. 13
FMR vs FRR – Facial attacks with (funky) glasses
https://www.cs.cmu.edu/~sbhagava/papers/face-rec-ccs16.pdf

14. 14
-3.40E+382.23079 0.7229213.72453 1.05006
Threshold:
1.2Genuine Impostors
FMR vs FRR – False negatives

15. 15
Image resolution is important

16. 16
Enhance!

17. 17
Biometric security is limited by:
1) Quality of analog capture
2) Digital processing and security
3) Report output
Or is it?

18. 18
Enhance! Seriously!
What are these
pixelated
images?
https://arxiv.org/pdf/1702.00783.pdf

19. 19
Enhance! Seriously!
Faces!
Enahanced
using big data
and AI – but do
they look like
the originals?
https://arxiv.org/pdf/1702.00783.pdf

20. 20
Enhance! Seriously!
Yup, pretty
close.
https://arxiv.org/pdf/1702.00783.pdf

21. 21
Enhance! Seriously!
How else does
‘big data’
influence or
impact
biometrics?
https://arxiv.org/pdf/1702.00783.pdf

22. 22

23. 23

24. 24

25. 25

26. 26

27. 27
Two years later …
So, it’s possible … But is it really a
concern? That’s got to be hard, right?

28. 28
Fingerprint replication clean room

29. 29
Acquisition phase: Photograph

30. 30
Creating a fake finger from a photograph in < 10h
Does it work?

31. 31
• 1
Video evidence. What about other biometrics?

32. 32
•
Video evidence. What about iris scanning?

33. 33
So …..
Are biometrics better than passwords?

34. 34
Passwords were dead to begin with.
… and biometric data was public to begin with.

35. 35
What’s your threat profile?
Are passwords enough? Are they random? Is
there domain brute-force protection?

36. 36
What’s your threat profile?
Sometimes biometrics are easier to bypass than
passwords …

37. 37
What’s your threat profile?
But password entry can be insecure too

38. 38
What’s your threat profile?
In many ways

39. 39
What you know
What you are What you have
Where you are
Your history
What you can do
I, for one, welcome our biometric overlords…
Risk based authentication with multi-factors can be good

40. 40
… with some caveats:
1) Store templates in a (very) secure location
2) Use as one of multiple factors
3) Don’t confuse identification with intent
4) Validate vendor assertions/promises
5) A random password with domain brute-force
protections will usually be better
(or; threat profile, threat profile, threat profile)

41. 41
THANK YOU.
Andrew Jamieson
Innovation Group
andrew.jamieson@ul.com
@AndrewRJamieson