10th CACR Information Security Workshop - PowerPoint PPT Presentation

Presentation Transcript

10th CACR Information Security Workshop

Biometrics—The Foundation of Quick & Positive Authentication

8 May 2002

Dario Stipisic

Senior Consultant

212-809-9491

[email protected]

Biometrics: Definition

  • Biometrics: the automated measurement of physiological or behavioral characteristics to determine or authenticate identity

  • Leading technologies in public sector

    • AFIS (large-scale identification through fingerprints)

    • Finger-scan

    • Facial-scan

  • Other technologies

    • Iris-scan

    • Signature-scan

    • Hand-scan

Why Are Biometrics Used?

  • Security

    • Protect sensitive data

    • High degree of identity certainty in transactions

    • Create databases with singular identities

  • Accountability

    • Improve auditing / reporting / record keeping

  • Convenience

    • Reduce password-related problems

    • Simplified access to controlled areas


  • Questions no longer asked:

    • Should we consider looking at biometrics?

    • Are biometrics a viable security solution?

  • Questions now asked:

    • Which biometric technology and which vendor can address specific security issues?

    • What is the business case behind a biometric implementation?

      • Decrease losses due to fraud

      • Increase employee accountability

      • Increase customer convenience

Behavioral and Physiological Biometrics

  • Behavioral - Voice, Signature, Keystroke

    • Easier to use, often less expensive, less accurate, more subject to day-to-day fluctuation

    • Appropriate for relatively low-security, low-risk applications where acquisition devices are already in place (camera, telephone, signature pad)

  • Physiological - Finger, Hand, Iris, Retina, Face

    • Higher accuracy, stable, require slightly more effort

  • Biometric usage is both behavioral and physiological

    • Finger-scan, for example, requires the appropriate “behavior” – placing finger on device correctly

    • Voice patterns are based, to some degree, on physiological characteristics

Biometrics Vs. Other Authentication Methods

  • Pros

    • Biometrics cannot be lost, shared, stolen, forgotten, or easily repudiated

    • Biometrics enable strong auditing and reporting capabilities

    • Can alter security requirements on a transactional basis

    • Only technology capable of identifying non-cooperative individuals

  • Cons

    • Biometrics do not provide 100% accuracy

    • Percentage of users cannot use some technologies

    • Characteristics can change over time

Typical Biometric Applications

  • Large-scale government identification

    • Driver's license (IL, WV, GA, possibly CA, MD, MA)

    • Voter registration (throughout Latin America)

    • Public benefits (CA, NY, TX, South Africa, Philippines)

    • National ID (Nigeria, Argentina, possibly China)

    • Tens of millions of individuals enrolled

  • Time and attendance, access control

    • Hand geometry, finger-scan

    • Hundreds of thousands of individuals enrolled

  • Network Security

    • Windows NT Login, Intranets

    • Tens of thousands of users enrolled

Identification vs. Verification

  • Verification: Am I who I claim to be?

    • Faster, more accurate, less expensive

    • The more common method for IT security

    • More accountability

    • Requires that users enter a unique username or present a card/token

  • Identification: Who am I?

    • Used to locate duplicate identities in databases

    • Used when entering a username/ID is not feasible

    • Privacy challenges

Biometric Templates

  • Definition

    • Distinctive, encoded files derived and encoded from the unique features of a biometric sample

  • A basic element of biometric systems

    • Templates, not samples, are used in biometric matching

    • Created during enrollment and verification

    • Much smaller amount of data than sample (1/100th, 1/1000th)

    • Cannot reverse-engineer sample from template

    • Size facilitates encryption, storage on various tokens

    • Vendor templates are not interchangeable

    • Different templates are generated each time an individual provides a biometric sample


  • Biometric systems do not provide a 100% match

  • Comparing strings of binary data (templates)

  • Result of match (“score”) compared to pre-determined threshold – system indicates “match” or “no match”

[Diagram: Verification data (1011010100101) and Enrollment data (0010100100111) are fed into the Vendor Algorithm, which produces the Match / No Match Decision]

Real-World Accuracy

  • Vendor claims (1/1000, 1/1000000) are not always based on experience in real-world deployments

  • System accuracy defined through three metrics

    • False match (imposter breaks in)

    • False non-match (correct user locked out)

    • Failure to enroll (user cannot register in system)

  • Comparative testing shows that some devices and technologies provide very high accuracy, others very low accuracy

  • Regardless of technology, some small percentage will be unable to enroll
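An added example (not from the slides) of the matching step described under Biometric Templates and of the three accuracy metrics on this slide: a toy matcher scores two bit-string templates, compares the score to a pre-determined threshold, and the error rates are counted over constructed enrollment records and verification attempts. The bit-counting score, the user names and the templates are all assumptions standing in for a proprietary vendor algorithm.

```python
def match_score(enrolled: str, presented: str) -> float:
    """Constructed stand-in for a vendor algorithm: fraction of equal bits.
    Real vendor matchers are proprietary and not interchangeable."""
    if not enrolled or len(enrolled) != len(presented):
        raise ValueError("templates must be non-empty and of equal length")
    return sum(a == b for a, b in zip(enrolled, presented)) / len(enrolled)

def decide(enrolled: str, presented: str, threshold: float) -> bool:
    """Match decision: True = 'match', False = 'no match'."""
    return match_score(enrolled, presented) >= threshold

# Constructed enrollment records: user -> template; None models a user whose
# sample never produced a usable template (failure to enroll).
ENROLLED = {
    "alice": "1011010100101",
    "bob":   "0010100100111",
    "carol": "1110011001010",
    "dave":  None,
}

# Constructed verification attempts: (claimed identity, true identity,
# presented template). A fresh sample yields a slightly different template
# each time, so even genuine users never score a perfect 1.0.
ATTEMPTS = [
    ("alice", "alice", "1011010100001"),  # genuine, 1 bit off -> 12/13
    ("bob",   "bob",   "0010100101111"),  # genuine, 1 bit off -> 12/13
    ("carol", "carol", "0000011001010"),  # genuine, poor sample -> 10/13
    ("alice", "eve",   "1011010100000"),  # impostor close to alice -> 11/13
    ("bob",   "alice", "1011010100101"),  # impostor, alice's own data -> 8/13
]

def error_rates(threshold: float) -> dict:
    """The three slide metrics over ENROLLED/ATTEMPTS at one threshold."""
    false_match = false_non_match = genuine = impostor = 0
    for claimed, actual, presented in ATTEMPTS:
        matched = decide(ENROLLED[claimed], presented, threshold)
        if claimed == actual:
            genuine += 1
            false_non_match += not matched  # correct user locked out
        else:
            impostor += 1
            false_match += matched  # impostor breaks in
    unenrolled = sum(t is None for t in ENROLLED.values())
    return {"false_match_rate": false_match / impostor,
            "false_non_match_rate": false_non_match / genuine,
            "failure_to_enroll_rate": unenrolled / len(ENROLLED)}

if __name__ == "__main__":  # raising the threshold trades false matches for false non-matches
    for t in (0.75, 0.80, 0.90, 0.95):
        print(t, error_rates(t))
```

Raising the threshold drives the false match rate to zero while the false non-match rate climbs; the failure-to-enroll rate is independent of the threshold, which is why the slides list it as a separate metric.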

Biometric Market Size

  • 2001 Total Revenue: $524m USD

  • Projected 2003 Revenue: $1.05b USD

  • Most revenues today from law enforcement / public sector identification

  • Revenues for IT-oriented technologies

    • Finger-scan: $99.37m

    • Middleware: $24.2m

    • Less than $20m: voice-scan, signature-scan, iris-scan

Source: Biometric Market Report 2000-2005

Major Developments in the Marketplace

  • Large-scale ID systems for travel, licensing being developed

  • Finger-scan devices manufactured by Infineon, ST, Fujitsu, Sony, Motorola

  • Compaq, Dell, Toshiba shipping biometric devices with PCs

  • 1m users of facial-scan for ATM check-cashing

  • Microsoft, Intel to incorporate biometric functionality in future versions of OS

  • Increased adoption of standards – file formats, encryption, APIs

  • Convergence with smart card technology

Growth of the Biometric Market

* Source: Biometric Market Report 2000-2005

Biometric Technologies

* Source: Biometric Market Report 2000-2005

Comparative Technology Growth

* Source: Biometric Market Report 2000-2005

Future Market Trends

  • PC/Network security, e-commerce will drive growth

    • From less than 20% of total biometric revenue to over 40% by 2005

  • Emergence of Retail – ATM - Point of Sale sector

    • From $10m today to $131m by 2005

  • Biometric revenue models based on transactional authentication, not device sales

  • Larger firms will absorb or eliminate many/most of today’s biometric players

Source: Biometric Market Report 2000-2005

Privacy Protection, Privacy Erosion

  • Biometric Protection of Privacy

    • Limiting access to sensitive data

    • Individual control over personal information

    • Potential weapon against identity fraud / theft

  • Biometric Erosion of Privacy

    • If used for broader purposes than originally intended (linking disparate data, tracking behavior)

    • If captured without informed consent

Privacy Fears

  • Informational Privacy

    • Function creep

    • Use as unique identifier

    • Associating unrelated data

    • Use by law enforcement agencies without oversight

    • Generally based on misuse of technology as opposed to intended uses

  • Personal Privacy

    • Inherent discomfort with or opposition to biometrics

    • Perception of invasiveness

Mitigating Factors

  • Most biometrics incapable of identification

  • Substantial amount of biometric data required for large-scale identification

  • Very few shared public or private sector systems aside from law enforcement

  • Core matching algorithms not cross-compatible

  • Deployers can implement operational and design-oriented protections against system abuse

  • Technology not infallible or foolproof

  • Legislation accompanies public sector deployment to protect against misuse

  • Biometric usage has been closely monitored

IBG’s BioPrivacy™ Initiative

  • Analysis of biometric applications

    • BioPrivacy Impact Framework: Not all biometric deployments bear the same privacy risks; specific features of biometric deployments increase or decrease the likelihood of misuse

  • Analysis of core biometric technologies

    • BioPrivacy Technology Risk Ratings: Certain technologies are more prone to misuse than others and require extra precautions

  • Steps towards a privacy-sympathetic system

    • BioPrivacy Best Practices: Ensure that deployers adhere to privacy principles regarding consent, use limitation, storage limitation, and accountability

BioPrivacy Impact Framework

  • Overt vs. Covert

  • Opt-in vs. Mandatory

  • Verification vs. Identification

  • Fixed Duration vs. Indefinite Duration

  • Private Sector vs. Public Sector

  • Individual / Customer vs. Employee / Citizen

  • User Ownership vs. Institutional Ownership

  • Personal Storage vs. Template Database

  • Behavioral vs. Physiological

  • Templates vs. Identifiable Data

Technology Risk Rating Criteria

  • Verification/Identification

  • Overt/Covert

  • Behavioral/Physiological

  • Give/Grab

    • Technologies in which the user "gives" biometric data are rated “lower-risk”

    • Technologies in which the system "grabs" user data without the user initiating a sequence are rated “higher-risk”

BioPrivacy 25 Best Practices

  • Implement as many Best Practices as possible without undermining the basic operations of the biometric system

  • Few deployers will be able to adhere to all BioPrivacy Best Practices

  • Inability to comply with certain Best Practices is balanced by adherence to others

  • Four Categories

    • Scope and Capabilities

    • Data Protection

    • User Control Of Personal Data

    • Disclosure, Auditing and Accountability