10th CACR Information Security Workshop

Biometrics—The Foundation of Quick & Positive Authentication. 8 May 2002. Dario Stipisic, Senior Consultant, 212-809-9491, [email protected]
10th CACR Information Security Workshop

Biometrics—The Foundation of Quick & Positive Authentication

8 May 2002

Dario Stipisic

Senior Consultant

212-809-9491

[email protected]


Biometrics: Definition

  • Biometrics: the automated measurement of physiological or behavioral characteristics to determine or authenticate identity

  • Leading technologies in public sector

    • AFIS (large-scale identification through fingerprints)

    • Finger-scan

    • Facial-scan

  • Other technologies

    • Iris-scan

    • Signature-scan

    • Hand-scan


Why Are Biometrics Used?

  • Security

    • Protect sensitive data

    • High degree of identity certainty in transactions

    • Create databases with singular identities

  • Accountability

    • Improve auditing / reporting / record keeping

  • Convenience

    • Reduce password-related problems

    • Simplified access to controlled areas


Questions…

  • Questions no longer asked:

    • Should we consider looking at biometrics?

    • Are biometrics a viable security solution?

  • Questions now asked:

    • Which biometric technology and which vendor can address specific security issues?

    • What is the business case behind a biometric implementation?

      • Decrease losses due to fraud

      • Increase employee accountability

      • Increase customer convenience


Behavioral and Physiological Biometrics

  • Behavioral - Voice, Signature, Keystroke

    • Easier to use, often less expensive, less accurate, more subject to day-to-day fluctuation

    • Appropriate for relatively low-security, low-risk applications where acquisition devices are already in place (camera, telephone, signature pad)

  • Physiological - Finger, Hand, Iris, Retina, Face

    • Higher accuracy, stable, require slightly more effort

  • Biometric usage is both behavioral and physiological

    • Finger-scan, for example, requires the appropriate “behavior” – placing finger on device correctly

    • Voice patterns are based, to some degree, on physiological characteristics


Biometrics Vs. Other Authentication Methods

  • Pros

    • Biometrics cannot be lost, shared, stolen, forgotten, or easily repudiated

    • Biometrics enable strong auditing and reporting capabilities

    • Can alter security requirements on a transactional basis

    • Only technology capable of identifying non-cooperative individuals

  • Cons

    • Biometrics do not provide 100% accuracy

    • A percentage of users cannot use some technologies

    • Characteristics can change over time


Typical Biometric Applications

  • Large-scale government identification

    • Driver's license (IL, WV, GA, possibly CA, MD, MA)

    • Voter registration (throughout Latin America)

    • Public benefits (CA, NY, TX, South Africa, Philippines)

    • National ID (Nigeria, Argentina, possibly China)

    • Tens of millions of individuals enrolled

  • Time and attendance, access control

    • Hand geometry, finger-scan

    • Hundreds of thousands of individuals enrolled

  • Network Security

    • Windows NT Login, Intranets

    • Tens of thousands of users enrolled


Identification vs. Verification

  • Verification: Am I who I claim to be?

    • Faster, more accurate, less expensive

    • The more common method for IT security

    • More accountability

    • Requires that users enter a unique username or present a card/token

  • Identification: Who am I?

    • Used to locate duplicate identities in databases

    • Used when entering a username/ID is not feasible

    • Privacy challenges
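The difference between the two modes on this slide is easiest to see in code. The following is an added example, not part of the presentation and not any vendor's matcher: templates are modelled as short constructed bit strings compared by Hamming similarity, and the users `alice`, `bob` and `carol` and the store `ENROLLED` are hypothetical. Verification compares the live sample against the one template selected by the claimed username; identification compares it against every template and takes the best score, which is why its false-match exposure grows with the size of the database.

```python
"""Verification (1:1) versus identification (1:N) over a toy template store.

Added example, not from the presentation. Templates are modelled as short
bit strings compared by Hamming similarity, standing in for a vendor's
proprietary template format and matching algorithm."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Template:
    user_id: str
    bits: str  # constructed 16-bit template, not real biometric data


def similarity(a: str, b: str) -> float:
    """Fraction of bit positions that agree (1.0 = identical templates)."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x == y for x, y in zip(a, b)) / len(a)


# Constructed enrollment database (hypothetical users and templates).
ENROLLED: List[Template] = [
    Template("alice", "1011010100101100"),
    Template("bob",   "0010100100111010"),
    Template("carol", "1110001011010011"),
]


def verify(claimed_id: str, probe_bits: str, threshold: float,
           db: List[Template] = ENROLLED) -> Tuple[bool, float]:
    """1:1 match. The user supplies a username or token plus a live sample,
    so exactly one stored template is compared."""
    record = next((t for t in db if t.user_id == claimed_id), None)
    if record is None:
        return False, 0.0            # unknown claim: never accept
    score = similarity(record.bits, probe_bits)
    return score >= threshold, score


def identify(probe_bits: str, threshold: float,
             db: List[Template] = ENROLLED) -> Tuple[Optional[str], float]:
    """1:N search. No identity is claimed, so every stored template is
    compared and the best score is taken; None if nothing clears threshold."""
    if not db:
        return None, 0.0
    best_score, best_id = max((similarity(t.bits, probe_bits), t.user_id) for t in db)
    return (best_id if best_score >= threshold else None), best_score


def false_match_exposure(fmr: float, db_size: int) -> float:
    """Probability that a 1:N search falsely matches at least one of
    db_size enrolled templates, given a per-comparison false match rate.
    Assumes independent comparisons; shows why verification is 'more accurate'."""
    return 1.0 - (1.0 - fmr) ** db_size


if __name__ == "__main__":
    probe = "1011010100101111"            # alice's template with two bits changed
    print(verify("alice", probe, 0.8))    # (True, 0.875)
    print(verify("bob", probe, 0.8))      # (False, 0.5625)
    print(identify(probe, 0.8))           # ('alice', 0.875)
    print(identify(probe, 0.95))          # (None, 0.875)
    print(round(false_match_exposure(0.001, 1000), 3))   # 0.632
```

The last function is the quantitative side of "faster, more accurate": a per-comparison false match rate of 1 in 1000 is acceptable for verification, but a 1:N search over 1000 templates at that rate has a better-than-even chance of returning a wrong person, so identification systems need a far stricter threshold or a much more discriminating biometric.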


Biometric Templates

  • Definition

    • Distinctive, encoded files derived from the unique features of a biometric sample

  • A basic element of biometric systems

    • Templates, not samples, are used in biometric matching

    • Created during enrollment and verification

    • Much smaller amount of data than sample (1/100th, 1/1000th)

    • Cannot reverse-engineer sample from template

    • Size facilitates encryption, storage on various tokens

    • Vendor templates are not interchangeable

    • Different templates are generated each time an individual provides a biometric sample


Matching

  • Biometric systems do not provide a 100% match

  • Comparing strings of binary data (templates)

  • Result of match (“score”) compared to pre-determined threshold – system indicates “match” or “no match”

Diagram: Verification data (1011010100101) and Enrollment data (0010100100111) → Vendor Algorithm → Scoring → Threshold → Match / No Match Decision


Real-World Accuracy

  • Vendor claims (1/1000, 1/1000000) are not always based on experience in real-world deployments

  • System accuracy defined through three metrics

    • False match (imposter breaks in)

    • False non-match (correct user locked out)

    • Failure to enroll (user cannot register in system)

  • Comparative testing shows that some devices and technologies provide very high accuracy, others very low accuracy

  • Regardless of technology, some small percentage will be unable to enroll
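The "Matching" slide and this one together describe one mechanism: a score is compared to a threshold, and the three accuracy metrics are what you measure when you run that comparison over many genuine and impostor attempts. The following is an added example, not from the presentation and not a vendor's evaluation tool; the score lists, the enrollment attempts and the quality floor `min_quality` are constructed for illustration. It computes false match, false non-match and failure-to-enroll rates at a chosen threshold, then sweeps the threshold to find the point where the two error rates cross, which is how a deployer turns a vendor's claimed figure into one measured on their own population.

```python
"""False match, false non-match and failure-to-enroll rates at a threshold.

Added example, not from the presentation. Scores are constructed, on a 0..1
scale where higher means more similar; real deployments measure these rates
from thousands of genuine and impostor attempts."""

from typing import List, Tuple

# Constructed match scores. Genuine: the enrolled user's own live samples.
# Impostor: other people's samples compared against that user's template.
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.95, 0.70, 0.81, 0.90, 0.60, 0.85, 0.93, 0.78]
IMPOSTOR_SCORES: List[float] = [0.20, 0.35, 0.55, 0.10, 0.72, 0.30, 0.45, 0.25, 0.15, 0.40]

# Constructed enrollment attempts: (user, sample quality 0..1).
ENROLLMENT_ATTEMPTS: List[Tuple[str, float]] = [
    ("u%02d" % i, 0.9) for i in range(19)
] + [("u19", 0.2)]  # one user whose sample is too poor to turn into a template


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """Return (false match rate, false non-match rate) at a threshold.
    A comparison counts as a 'match' when score >= threshold."""
    if not genuine or not impostor:
        raise ValueError("need both genuine and impostor scores")
    fmr = sum(s >= threshold for s in impostor) / len(impostor)   # impostor accepted
    fnmr = sum(s < threshold for s in genuine) / len(genuine)      # real user rejected
    return fmr, fnmr


def failure_to_enroll(attempts: List[Tuple[str, float]], min_quality: float) -> float:
    """Fraction of users whose sample quality is below the floor the
    template extractor needs, so no template can be created for them."""
    if not attempts:
        return 0.0
    return sum(q < min_quality for _, q in attempts) / len(attempts)


def equal_error_threshold(genuine: List[float], impostor: List[float],
                          steps: int = 100) -> Tuple[float, float, float]:
    """Sweep thresholds and return (threshold, fmr, fnmr) where the two
    error rates are closest. Raising the threshold lowers false matches and
    raises false non-matches; this is the operating point where they meet."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        fmr, fnmr = error_rates(genuine, impostor, t)
        if best is None or abs(fmr - fnmr) < abs(best[1] - best[2]):
            best = (t, fmr, fnmr)
    return best


if __name__ == "__main__":
    for t in (0.50, 0.65, 0.75):
        fmr, fnmr = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print("threshold %.2f  FMR %.2f  FNMR %.2f" % (t, fmr, fnmr))
    print("FTE %.2f" % failure_to_enroll(ENROLLMENT_ATTEMPTS, 0.5))
    print("equal error point:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
```

On the constructed data a threshold of 0.75 admits no impostor but locks out two of ten genuine attempts, while 0.50 admits two impostors and locks out nobody; a vendor quoting only one of the two rates is quoting one end of that trade-off. Failure to enroll is independent of the threshold, which is why the slide lists it separately and why the slide's last point holds regardless of the technology chosen.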


Biometric Market Size

  • 2001 Total Revenue: $524m USD

  • Projected 2003 Revenue: $1.05b USD

  • Most revenues today from law enforcement / public sector identification

  • Revenues for IT-oriented technologies

    • Finger-scan: $99.37m

    • Middleware: $24.2m

    • Less than $20m: voice-scan, signature-scan, iris-scan

Source: Biometric Market Report 2000-2005


Major Developments in the Marketplace

  • Large-scale ID systems for travel, licensing being developed

  • Finger-scan devices manufactured by Infineon, ST, Fujitsu, Sony, Motorola

  • Compaq, Dell, Toshiba shipping biometric devices with PCs

  • 1m users of facial-scan for ATM check-cashing

  • Microsoft, Intel to incorporate biometric functionality in future versions of OS

  • Increased adoption of standards – file formats, encryption, APIs

  • Convergence with smart card technology


Growth of the Biometric Market

(Chart; figure not reproduced in the transcript.) Source: Biometric Market Report 2000-2005


Biometric Technologies

(Chart; figure not reproduced in the transcript.) Source: Biometric Market Report 2000-2005


Comparative Technology Growth

(Chart; figure not reproduced in the transcript.) Source: Biometric Market Report 2000-2005


Future Market Trends

  • PC/Network security, e-commerce will drive growth

    • From less than 20% of total biometric revenue to over 40% by 2005

  • Emergence of Retail – ATM - Point of Sale sector

    • From $10m today to $131m by 2005

  • Biometric revenue models based on transactional authentication, not device sales

  • Larger firms will absorb or eliminate many/most of today’s biometric players

Source: Biometric Market Report 2000-2005


Privacy Protection, Privacy Erosion

  • Biometric Protection of Privacy

    • Limiting access to sensitive data

    • Individual control over personal information

    • Potential weapon against identity fraud / theft

  • Biometric Erosion of Privacy

    • If used for broader purposes than originally intended (linking disparate data, tracking behavior)

    • If captured without informed consent


Privacy Fears

  • Informational Privacy

    • Function creep

    • Use as unique identifier

    • Associating unrelated data

    • Use by law enforcement agencies without oversight

    • Generally based on misuse of technology as opposed to intended uses

  • Personal Privacy

    • Inherent discomfort with or opposition to biometrics

    • Perception of invasiveness


Mitigating Factors

  • Most biometrics incapable of identification

  • Substantial amount of biometric data required for large-scale identification

  • Very few shared public or private sector systems aside from law enforcement

  • Core matching algorithms not cross-compatible

  • Deployers can implement operational and design-oriented protections against system abuse

  • Technology not infallible or foolproof

  • Legislation accompanies public sector deployment to protect against misuse

  • Biometric usage has been closely monitored


IBG’s BioPrivacy™ Initiative

  • Analysis of biometric applications

    • BioPrivacy Impact Framework: Not all biometric deployments bear the same privacy risks; specific features of biometric deployments increase or decrease the likelihood of misuse

  • Analysis of core biometric technologies

    • BioPrivacy Technology Risk Ratings: Certain technologies are more prone to be misused than others and require extra precautions

  • Steps towards a privacy-sympathetic system

    • BioPrivacy Best Practices: Ensure that deployers adhere to privacy principles regarding consent, use limitation, storage limitation, and accountability


BioPrivacy Impact Framework

  • Overt vs. Covert

  • Opt-in vs. Mandatory

  • Verification vs. Identification

  • Fixed Duration vs. Indefinite Duration

  • Private Sector vs. Public Sector

  • Individual / Customer vs. Employee / Citizen

  • User Ownership vs. Institutional Ownership

  • Personal Storage vs. Template Database

  • Behavioral vs. Physiological

  • Templates vs. Identifiable Data


Technology Risk Rating Criteria

  • Verification/Identification

  • Overt/Covert

  • Behavioral/Physiological

  • Give/Grab

    • Technologies in which the user "gives" biometric data are rated “lower-risk”

    • Technologies in which the system "grabs" user data without the user initiating a sequence are rated “higher-risk”


BioPrivacy 25 Best Practices

  • Implement as many Best Practices as possible without undermining the basic operations of the biometric system

  • Few deployers will be able to adhere to all BioPrivacy Best Practices

  • Inability to comply with certain Best Practices is balanced by adherence to others

  • Four Categories

    • Scope and Capabilities

    • Data Protection

    • User Control Of Personal Data

    • Disclosure, Auditing and Accountability
