AuthenWare: Reliability, Accuracy & Security
Tom Helou, President & COO
Agenda
• International Biometric Group Certification
  • What is it
  • Our performance results
• Common Criteria Certification (CCC)
  • What is it
  • Where we are
• Questions
AuthenWare reliability
• IBG Certification = AuthenWare Accuracy
• Common Criteria Certification (ISO 15408) = The product is safe
International Biometric Group (IBG)
IBG provides technology-neutral, vendor-independent biometrics services, strategy, and solutions to government agencies, systems integrators, high-technology firms, and financial services organizations. IBG’s Comparative Biometric Testing (CBT) is the industry's longest-running benchmarking test, complying with all published US and International biometric performance standards.
What was tested
• IBG CBT’s objective is to evaluate the usability and accuracy of biometric systems. In terms of AuthenWare, the following was measured:
• Match rates: measures a system’s ability to correctly distinguish between genuine and impostor comparisons;
• Enrollment and acquisition rates: measures a system’s ability to successfully enroll and acquire samples from Test Subjects;
• Level of effort: measures a system’s ability to successfully enroll and acquire samples from Test Subjects with minimal transaction durations and repeated attempts / transactions.
Testing Equipment and Subject Data
• 7 laptops and workstations, 11 storage and processing servers
• 184 separate test subjects
• 7,731 keystroke signatures were analyzed
• 4,851 genuine attempts and 2,880 hacking attempts
• Four test type rules:
Accuracy and Performance findings…
• All tests were conducted at security level 3
• Failure to Enroll Rate (FTE) = 0% GRANTED! This means AuthenWare accepted ALL the users, even the poor performance users.
• Transactional Failure to Acquire Rate (T-FTA) = 0% GRANTED! AuthenWare had no failures capturing the keystroke and environmental data.
Accuracy and Performance findings…
• Median Enrollment Transaction Duration = 80 seconds Certified! Median time needed to complete the biometric pattern training or enrollment, typing UserID and Password 10 times.
• Median Recognition Attempt Duration = 11 seconds Certified! This is the time needed to obtain a biometric answer, including the time needed to type UserID and Password.
Accuracy and Performance findings…
• Transactional False Match Rate (T-FMR / FAR) = 3.26% GRANTED!
• Transactional False Non-Match Rate (T-FNMR / FRR) = 3.20% GRANTED!
Effective System False Rejection Rate (S-FRR)
The Effective System False Rejection Rate is defined as the rate of false rejections that result after executing not only the initial biometric test, but also any additional attempts managed by business rules, One Time Password submissions and other decision mechanisms provided by the full AuthenTest system. Offering the user a second opportunity to attempt validation reduces the FRR to 2.459%. If this second authentication attempt is also rejected, incorporating a third validation opportunity reduces the FRR even further, to 0.738%. Adding a one-time password (or another validation check, such as requiring the user to enter a PIN) would lower the effective System FRR to a worst-case scenario of only 0.00738%. 99.9915% of valid user logins will be authenticated as valid users without external support.
Effective System False Acceptance Rate (S-FAR)
The Effective System False Acceptance Rate is defined as the rate of false acceptance that results after executing not only the initial biometric test, but also considering the probability that someone else knows your credentials. Since AuthenWare is a second authentication factor, only people who actually know your credentials have any chance (3.20%) of getting in as a non-valid user. Assuming 1 in 10 persons is able to obtain your credentials, the S-FAR will be 0.32%; in this case, 99.68% of hacking attempts will be rejected (either the credentials don’t match or AuthenWare technology stops them!).
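The effective-rate reasoning in the S-FRR and S-FAR slides above, as an added example that is not part of the original presentation or of IBG's or AuthenWare's tooling: it measures both rates from per-session decision logs rather than multiplying per-attempt rates, and applies the same retry rule to impostor sessions. All session counts are constructed, and the function names and the 0.1 credential-exposure probability (the slide's "1 in 10") are assumptions of the example.

```python
"""Effective system error rates from per-session decision logs (constructed data)."""

# Each session is the ordered list of biometric decisions (True = match accepted)
# made until the first acceptance or the third rejection. Counts are constructed.
GENUINE = ([(True,)] * 968 + [(False, True)] * 8
           + [(False, False, True)] * 17 + [(False, False, False)] * 7)
IMPOSTOR = ([(True,)] * 32 + [(False, True)] * 31
            + [(False, False, True)] * 30 + [(False, False, False)] * 907)


def accepted(session, max_attempts):
    """A session succeeds if any of its first max_attempts decisions is a match."""
    return any(session[:max_attempts])


def system_frr(genuine_sessions, max_attempts):
    """Fraction of genuine sessions still rejected after max_attempts tries."""
    rejected = sum(not accepted(s, max_attempts) for s in genuine_sessions)
    return rejected / len(genuine_sessions)


def system_far(impostor_sessions, max_attempts, p_credentials_known):
    """Impostor acceptance rate under the same retry rule, weighted by the
    assumed probability that the impostor already holds valid credentials."""
    passed = sum(accepted(s, max_attempts) for s in impostor_sessions)
    return p_credentials_known * passed / len(impostor_sessions)


def independent_frr(single_attempt_frr, max_attempts):
    """Retry FRR that would hold if attempts were statistically independent."""
    return single_attempt_frr ** max_attempts


if __name__ == "__main__":
    base = system_frr(GENUINE, 1)
    for k in (1, 2, 3):
        print(f"attempts={k}  S-FRR={system_frr(GENUINE, k):.3%}  "
              f"independent={independent_frr(base, k):.4%}  "
              f"S-FAR={system_far(IMPOSTOR, k, 0.1):.3%}")
```

With this constructed data the measured two-attempt S-FRR is 2.4%, while an independence assumption would predict about 0.1%, and the three-attempt rule raises S-FAR from 0.32% to 0.93%.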
IBG Certification conclusion
• “In sum, it is very likely that real-world performance for Authenware will be more robust than was observed [in the CBT].”
• Accuracy of 96.78%, FTE=0%, T-FTA=0% is great considering that users couldn’t choose their own UserID and Password, all of them used identical hardware, software and environment
• Everything was taken from the official public report of CBT round 7 of IBG. For further information, visit www.biometricgroup.com or contact us at www.authenware.com
Common Criteria Certification (CCC)
The CCC provides a common set of requirements for the security functionality of IT products and for assurance measures applied to these IT products during a security evaluation. It is based on a well-known international standard: ISO/IEC 15408. The evaluation process establishes a level of confidence that the security functionality of these IT products and the assurance measures applied to these IT products meet these requirements.
Common Criteria Certification GRANTED (May-2010)
Provides you and your customers a level of confidence that our product has been scrutinized and evaluated properly as a security product.
• International recognition of a security product
• CCC EAL-2 + ALC_FLR.1 (latest version)
• EAL-2 - Evaluation Assurance Level
• ALC_FLR - Provides for Flaw Remediation Procedure
CCC conclusion
• We have received international and standard recognition for our product
• Our product (TOE) and the rest of the components have improved much during the certification process
• We received the official certificate in Sep-2010
• Moving forward, every new component, functionality or improvement at the LAB level follows the CCC