- NIST guidelines support limited use of biometrics for authentication and recommend it only be used as part of multi-factor authentication along with a physical authenticator. Biometrics have limitations including probabilistic matching and inability to easily revoke templates. - When biometrics are used, NIST requires a false match rate of 1 in 1000 or better, implementation of liveness detection, and preference for local rather than central matching to mitigate attacks. - For AAL2 authentication on mobile, NIST recommends using multi-factor cryptographic software authenticators activated by a second factor like biometrics. Examples include FIDO protocols and Android's CryptoObject for authenticating to remote servers. - Behavioral biometrics analyzing user

1. Biometric Authentication:
Can We Rely On?
Narudom Roongsiriwong
CISSP, CCSK
June 10, 2023

2. WhoAmI
● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
● Information Security since 1995
● Web Application Development since 1998
● SVP, Global Architecture and Cyber Security, Banpu Public Company Limited
● Security and Risk Committee at National Digital ID Co.,Ltd.
● Cloud Security Alliance Fellow
● OWASP Bangkok Chapter Leader
● APAC Research Advisory Council Member, Cloud Security Alliance Asia
Pacific
● CISO of the Year 2017, NetworkWorld Asia
● Contact: narudom@owasp.org

4. Disclaimer
● This presentation will focus on using biometrics for
authentication not for identity proofing.
● Biometrics in “Enrollment and Identity Proofing” is not in this
discussion because it takes an essential role. See NIST SP800-
63A
● Reference to any entities is for design and usage examples,
not to blame.

5. Identity Proofing vs Authentication
http://narudomr.blogspot.com/2018/02/identity-proofing-authentication.html

6. Traditional Means of Authentication
Something You Know Something You Have Something You Are
cryptographic keys,
electronic keycards, smart
cards, mobile phone, and
physical keys. This type of
authenticator is referred to
as a token
a password, a personal
identification number
(PIN), or answers to a
prearranged set of
questions
static biometrics such as
facial, fingerprint, hand
geometry, retina pattern,
iris, signature, and voice

7. ● Authenticate user based on one of their physical
characteristics:
– Facial
– Fingerprint
– Hand Geometry
– Retina Pattern
– Iris
– Signature
– Voice
Static Biometric Authentication
Hand
Facial Fingerprint
Voice
Retina
Iris
Signature
Accuracy
Cost

8. Verification
Identification
vs

9. Biometric Error Rate
● False Acceptance Rate (FAR):
the percentage of identification
instances in which
unauthorized persons are
incorrectly accepted.
● False Rejection Rate (FRR): the
percentage of identification
instances in which authorized
persons are incorrectly
rejected.
● Crossover Error Rate (CER),
also known as the Equal Error
Rate (EER).

10. Why the authentication
Why the authentication
mean that has known
mean that has known
error is required for high
error is required for high
value transactions?
value transactions?
It does not make sense.
It does not make sense.

11. NIST Special Publication 800-63B
Digital Identity Guidelines
Authentication and Lifecycle Management
Paul A. Grassi
James L. Fenton
Elaine M. Newton
Ray A. Perlner
Andrew R. Regenscheid
William E. Burr
Justin P. Richer
Privacy Authors:
Naomi B. Lefkovitz
Jamie M. Danker

12. NIST SP800-63B: Biometrics Restriction
5.2.3 Use of Biometrics
The use of biometrics (something you are) in authentication includes both measurement of
physical characteristics (e.g., fingerprint, iris, facial characteristics) and behavioral
characteristics (e.g., typing cadence). Both classes are considered biometric modalities, although
different modalities may differ in the extent to which they establish authentication intent as
described in Section 5.2.9.
For a variety of reasons, this document supports only limited use of biometrics for
authentication. These reasons include:
• The biometric False Match Rate (FMR) does not provide confidence in the authentication
of the subscriber by itself. In addition, FMR does not account for spoofing attacks.
• Biometric comparison is probabilistic, whereas the other authentication factors are
deterministic.
• Biometric template protection schemes provide a method for revoking biometric
credentials that is comparable to other authentication factors (e.g., PKI certificates and
passwords). However, the availability of such solutions is limited, and standards for
testing these methods are under development.

13. NIST SP800-63B Supports Limited Use of Biometrics
● The biometric False Match Rate (FMR) does not provide
confidence in the authentication
● Biometric comparison is probabilistic, whereas the other
authentication factors are deterministic.
● Biometric template revokation is limited.
● Biometric characteristics do not constitute secrets. While
presentation attack detection (PAD) technologies (e.g.,
liveness detection) can mitigate the risk, additional trust in
the sensor or biometric processing is required.

14. NIST SP800-63B Biometric Requirement & Guideline
● Used only as part of multi-factor authentication with a
physical authenticator (something you have).
● Operate with an FMR (False Match Rate) [ISO/IEC 2382-37] of
1 in 1000 or better.
● Implement presentation attack detection (PAD) as defined in
[ISO/IEC 30107-1].
● Biometric comparison can be performed locally on claimant’s
device or at a central verifier. Since the potential for attacks
on a larger scale is greater at central verifiers, local
comparison is preferred.

15. Facial Authentication on Mobile Implementation
What Are the Problems?
Phone Camera Ambient/Environment
Verification
Liveness on Phone
Facial on Server

16. What Should Biometric Authentication Be Used?
AAL2 for Mobile Devices
23
5.1.8 Multi-Factor Cryptographic Software
A multi-factor software cryptographic authenticator is a cryptographic key
stored on disk or some other "soft" media that requires activation through a
second factor of authentication. Authentication is accomplished by proving
possession and control of the key. The authenticator output is highly dependent
on the specific cryptographic protocol, but it is generally some type of signed
message. The multi-factor software cryptographic authenticator is something
you have, and it SHALL be activated by either something you know or something you are.

17. Multi-Factor Cryptographic Software (AAL2)
FIDO Protocol is one of this pattern implementation
But we can implement our own way

18. Android Authenticating to Remote Servers
BiometricPrompt.CryptoObject
https://android-developers.googleblog.com/2015/10/new-in-android-samples-authenticating.html
Andoid API Level 28 (Android 9) and later

19. 4th
Mean of Authentication: Behavioral Biometrics
https://www.biocatch.com/blog/what-is-behavioral-biometrics