The document discusses biometrics, which is the automated identification of humans based on physical or behavioral traits that are unique to each individual. Biometrics can be used for authentication through something the user is (e.g. fingerprints, facial recognition) and includes both physiological (fingerprints, iris scans) and behavioral (gait, typing rhythm) methods. While biometrics provide strong authentication, issues relate to accuracy, privacy, revocation if biometrics are compromised, costs, and user acceptance.

1. Franck Franchin
1

2. Franck Franchin - © 2013
 Automated process to identity and authenticate
humans based on one or more physical or
behavioral traits
 Based on assessment that each human being is
unique and that this uniqueness allows
identification
2

3. Franck Franchin - © 2013
 You have to prove who you are ?
◦ Something you know: PIN, password...
◦ Something you have: key, token, card...
◦ Something you are: a biometric…
 Biometrics encompass:
◦ Voice
◦ Fingerprint & Palmprint
◦ Facial Recognition
◦ Eye (iris, retinal patterns)
◦ Vein
 Because it can be fooled, it should be implemented into
2-factor or 3-factor authentication
3

4. Franck Franchin - © 2013
 Unique ID
 Third Authentication Factor
 Hard to forge by basic hackers
 Forget, Loss, Stealth and Borrow most difficult…
 Allows to know WHO did WHAT, WHERE and
WHEN
 Unequivocally link to acting person
(accountability)
4

5. Franck Franchin - © 2013
 Success Rate Issue (dirt for finger, diabete for
eye, flu for voice)
 Privacy
 Revocation
 Cost
 Permanence risk (resistance to ageing)
 Acceptability by people
5

6. Franck Franchin - © 2013
 Physiological
◦ fingerprint recognition
◦ palm print recognition
◦ palm geometry
◦ facial recognition
◦ voice recognition
◦ retinal scans
◦ iris scans
 Behavorial
◦ typing rhythm/patterns (keystroke)
◦ accents and speaking rhythms
◦ gait (locomotion behavior)
◦ writing speed and pressure (signature matching)
6

7. Franck Franchin - © 2013
 Not two fingerprints are alike
 High level of acceptance by people
 Template easily generated from minutiae points
and/or ridges and/or valleys
 Different types of sensors : thermal, optical,
capacitance, minutiae-based
7

8. Franck Franchin - © 2013
 Ability of discriminating identical twins with same
DNA
 Low level of acceptance by people
 Relatively expensive (processing power and
storage)
8

9. Franck Franchin - © 2013
 Police
 Immigration
 ATM
 School (library, lunch, …)
 Payment in Stores
 Site Access Control
9

10. Franck Franchin - © 2013
 Enrollment
◦ Samples of the biometric are captured and processed
◦ Unique features of these samples are extracted and
computed which generates a ‘template’
◦ From this template, it’s not possible to go back to the
original biometric
 Authentication or Identification
◦ The biometrics system captures the biometric of the ’live
biometric’ and searches for a match against its database
of templates
 Revocation
10

11. Franck Franchin - © 2013
 Biometrics matching process is based on
threshold detection - False acceptances/rejections
 Sensor tolerance
 Anonymation information loss (for some
algorythms)
 Some people categories always rejected (twins,
aged people) ?
 Attended or unattended system (fake/dead
finger) ?
11

12. Franck Franchin - © 2013
 Aside IT regular vulnerabilities and risks,
biometrics solutions are sensitive to specific
threats :
◦ Attack to the biometric sensor
◦ Spoofing (cutoff finger, gummy finger, photography of iris
pattern)
◦ Mimicry (signature and voice)
◦ Eavesdropping or man-in-the middle between the sensor
and the template repository
◦ Template insertion using compromise IT or admin !
12

13. Franck Franchin - © 2013
 How to protect the biometric template ?
◦ Hashing : template are protected, revokable and rewable
◦ But one has to prove it’s impossible to get back to the original key
(one-way function cyphering)
◦ The best solution : public-key encryption which cyphers templates
and deciphers only during access control
◦ Mix architectures involve session keys too (public-key and private
key schemes)
 Innovative ways
◦ During the enrollment process, combining the biometric image
with a digital key to create a secure block of data. Key can be
then retrieved using the biometric ! (but the key is independent of
the biometric, mathematically speaking !)
13

14. Franck Franchin - © 2013
 Once compromise, a biometric trait wouldn’t be reused –
hence if someone copy your finger, the only way to
revoke your finger would be to cut it ? Hum…
 Physical biometric is different from store template !
 If your password is lost or compromised, you have to
change your password AND the password access
control storage…
 In biometrics, you can’t change your ‘pwd’ (aka your
biometric) but you can revoke the stored encrypted
template
14