Biometric Authentication:
Can We Rely On?
Narudom Roongsiriwong
CISSP, CCSK
June 10, 2023
WhoAmI
● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
● Information Security since 1995
● Web Application Development since 1998
● SVP, Global Architecture and Cyber Security, Banpu Public Company Limited
● Security and Risk Committee at National Digital ID Co.,Ltd.
● Cloud Security Alliance Fellow
● OWASP Bangkok Chapter Leader
● APAC Research Advisory Council Member, Cloud Security Alliance Asia Pacific
● CISO of the Year 2017, NetworkWorld Asia
● Contact: narudom@owasp.org
Disclaimer
● This presentation focuses on using biometrics for authentication, not for identity proofing.
● Biometrics in “Enrollment and Identity Proofing” are outside this discussion because they play an essential role there; see NIST SP 800-63A.
● References to any entities are design and usage examples, not blame.
Identity Proofing vs Authentication
http://narudomr.blogspot.com/2018/02/identity-proofing-authentication.html
Traditional Means of Authentication
Something You Know: a password, a personal identification number (PIN), or answers to a prearranged set of questions
Something You Have: cryptographic keys, electronic keycards, smart cards, mobile phone, and physical keys. This type of authenticator is referred to as a token
Something You Are: static biometrics such as facial, fingerprint, hand geometry, retina pattern, iris, signature, and voice
● Authenticate the user based on one of their physical characteristics:
– Facial
– Fingerprint
– Hand Geometry
– Retina Pattern
– Iris
– Signature
– Voice
Static Biometric Authentication
[Chart: Hand, Facial, Fingerprint, Voice, Retina, Iris and Signature plotted by Accuracy against Cost]
Verification vs Identification
Biometric Error Rate
● False Acceptance Rate (FAR):
the percentage of identification
instances in which
unauthorized persons are
incorrectly accepted.
● False Rejection Rate (FRR): the
percentage of identification
instances in which authorized
persons are incorrectly
rejected.
● Crossover Error Rate (CER),
also known as the Equal Error
Rate (EER).
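A worked computation of these rates, added here as an example and not taken from the presentation: constructed matcher scores for genuine and impostor attempts, FAR and FRR at a given threshold, and a sweep over candidate thresholds to the crossover point. The score values and the names genuineScores, impostorScores, FAR, FRR and Crossover are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Constructed similarity scores (0..1) from a hypothetical matcher. Genuine
// attempts compare a person with their own template, impostor attempts compare
// someone else with it. A score >= threshold means "accept".
var genuineScores = []float64{0.91, 0.88, 0.95, 0.72, 0.83, 0.79, 0.97, 0.66, 0.90, 0.85}
var impostorScores = []float64{0.12, 0.35, 0.41, 0.28, 0.55, 0.19, 0.68, 0.22, 0.47, 0.31}
// rate is the fraction of scores for which keep holds.
func rate(scores []float64, keep func(float64) bool) float64 {
	n := 0
	for _, s := range scores {
		if keep(s) {
			n++
		}
	}
	return float64(n) / float64(len(scores))
}
// FAR: impostor attempts wrongly accepted at threshold t (NIST calls this FMR).
func FAR(impostor []float64, t float64) float64 {
	return rate(impostor, func(s float64) bool { return s >= t })
}
// FRR: genuine attempts wrongly rejected at threshold t.
func FRR(genuine []float64, t float64) float64 {
	return rate(genuine, func(s float64) bool { return s < t })
}
// Crossover sweeps every observed score as a candidate threshold (FAR and FRR
// only change at those points) and returns the threshold where the two rates
// are closest, with the rate there: the Crossover (Equal) Error Rate.
func Crossover(genuine, impostor []float64) (threshold, cer float64) {
	all := append(append([]float64{}, genuine...), impostor...)
	sort.Float64s(all)
	bestGap := 2.0
	for _, t := range all {
		far, frr := FAR(impostor, t), FRR(genuine, t)
		if gap := math.Abs(far - frr); gap < bestGap {
			bestGap, threshold, cer = gap, t, (far+frr)/2
		}
	}
	return threshold, cer
}
func main() {
	t, cer := Crossover(genuineScores, impostorScores)
	fmt.Printf("CER %.2f at threshold %.2f (FAR %.2f, FRR %.2f)\n", cer, t, FAR(impostorScores, t), FRR(genuineScores, t))
}
```

With ten impostor samples the finest FAR this can measure is 0.1, so demonstrating the 1-in-1000 FMR that SP 800-63B requires takes thousands of impostor comparisons, and every tightening of the threshold that lowers FAR raises FRR for genuine users.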
Why is an authentication means with a known error rate required for high-value transactions?
It does not make sense.
NIST Special Publication 800-63B
Digital Identity Guidelines
Authentication and Lifecycle Management
Paul A. Grassi
James L. Fenton
Elaine M. Newton
Ray A. Perlner
Andrew R. Regenscheid
William E. Burr
Justin P. Richer
Privacy Authors:
Naomi B. Lefkovitz
Jamie M. Danker
NIST SP800-63B: Biometrics Restriction
5.2.3 Use of Biometrics
The use of biometrics (something you are) in authentication includes both measurement of physical characteristics (e.g., fingerprint, iris, facial characteristics) and behavioral characteristics (e.g., typing cadence). Both classes are considered biometric modalities, although different modalities may differ in the extent to which they establish authentication intent as described in Section 5.2.9.
For a variety of reasons, this document supports only limited use of biometrics for authentication. These reasons include:
• The biometric False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself. In addition, FMR does not account for spoofing attacks.
• Biometric comparison is probabilistic, whereas the other authentication factors are deterministic.
• Biometric template protection schemes provide a method for revoking biometric credentials that is comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
NIST SP800-63B Supports Limited Use of Biometrics
● The biometric False Match Rate (FMR) does not provide confidence in the authentication by itself.
● Biometric comparison is probabilistic, whereas the other authentication factors are deterministic.
● Biometric template revocation is limited.
● Biometric characteristics do not constitute secrets. While presentation attack detection (PAD) technologies (e.g., liveness detection) can mitigate the risk, additional trust in the sensor or biometric processing is required.
NIST SP800-63B Biometric Requirement & Guideline
● Used only as part of multi-factor authentication with a physical authenticator (something you have).
● Operate with an FMR (False Match Rate) [ISO/IEC 2382-37] of 1 in 1000 or better.
● Implement presentation attack detection (PAD) as defined in [ISO/IEC 30107-1].
● Biometric comparison can be performed locally on the claimant’s device or at a central verifier. Since the potential for attacks on a larger scale is greater at central verifiers, local comparison is preferred.
Facial Authentication on Mobile Implementation
What Are the Problems?
[Diagram: Phone Camera, Ambient/Environment, Verification, Liveness on Phone, Facial on Server]
How Should Biometric Authentication Be Used?
AAL2 for Mobile Devices
5.1.8 Multi-Factor Cryptographic Software
A multi-factor software cryptographic authenticator is a cryptographic key stored on disk or some other "soft" media that requires activation through a second factor of authentication. Authentication is accomplished by proving possession and control of the key. The authenticator output is highly dependent on the specific cryptographic protocol, but it is generally some type of signed message. The multi-factor software cryptographic authenticator is something you have, and it SHALL be activated by either something you know or something you are.
Multi-Factor Cryptographic Software (AAL2)
The FIDO protocol is one implementation of this pattern, but we can implement it our own way.
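The activation-then-sign flow of such a software authenticator, written as an added Go example (not code from the presentation, from NIST or from FIDO): an ed25519 key is the possession factor, a device-local biometric result is the activation factor, and the verifier issues a random single-use challenge and checks the signature over it. The names SoftAuthenticator, Verifier, Enroll and Authenticate are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// SoftAuthenticator models the NIST SP 800-63B 5.1.8 pattern: a signing key
// ("something you have") usable only after a device-local second factor, here
// a biometric match, has activated it. The verifier never sees that match.
type SoftAuthenticator struct {
	key       ed25519.PrivateKey
	activated bool
}
func (a *SoftAuthenticator) Activate(localMatch bool) { a.activated = localMatch }
// Sign returns the authenticator output: a signature over the verifier's challenge.
func (a *SoftAuthenticator) Sign(challenge []byte) ([]byte, error) {
	if !a.activated {
		return nil, errors.New("key not activated by second factor")
	}
	a.activated = false // one activation authorises exactly one signature
	return ed25519.Sign(a.key, challenge), nil
}
// Verifier holds the public key registered at enrollment and issues random,
// single-use challenges so a captured signature cannot be replayed.
type Verifier struct {
	pub     ed25519.PublicKey
	pending []byte
}
func (v *Verifier) Challenge() []byte {
	v.pending = make([]byte, 32)
	rand.Read(v.pending)
	return v.pending
}
// Check accepts only a valid signature over the still-pending challenge.
func (v *Verifier) Check(challenge, sig []byte) bool {
	ok := v.pending != nil && string(challenge) == string(v.pending) && ed25519.Verify(v.pub, challenge, sig)
	v.pending = nil // consumed whether or not it verified
	return ok
}
// Enroll generates the key pair; the private half never leaves the device.
func Enroll() (*SoftAuthenticator, *Verifier) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &SoftAuthenticator{key: priv}, &Verifier{pub: pub}
}
// Authenticate runs one exchange: challenge, local activation, sign, verify.
func Authenticate(auth *SoftAuthenticator, ver *Verifier, localMatch bool) bool {
	c := ver.Challenge()
	auth.Activate(localMatch)
	sig, err := auth.Sign(c)
	return err == nil && ver.Check(c, sig)
}
```

This is the same binding that Android's BiometricPrompt.CryptoObject provides on the device: the biometric unlocks a key operation, and only the signed challenge travels to the server.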
Android Authenticating to Remote Servers
BiometricPrompt.CryptoObject
https://android-developers.googleblog.com/2015/10/new-in-android-samples-authenticating.html
Android API Level 28 (Android 9) and later
4th Means of Authentication: Behavioral Biometrics
https://www.biocatch.com/blog/what-is-behavioral-biometrics