10 th cacr information security workshop n.
Skip this Video
Loading SlideShow in 5 Seconds..
10 th CACR Information Security Workshop PowerPoint Presentation
Download Presentation
10 th CACR Information Security Workshop

Loading in 2 Seconds...

play fullscreen
1 / 24

10 th CACR Information Security Workshop - PowerPoint PPT Presentation

  • Uploaded on

10 th CACR Information Security Workshop. Biometrics—The Foundation of Quick & Positive Authentication 8 May 2002 Dario Stipisic Senior Consultant 212-809-9491 DStipisic@biometricgroup.com. Biometrics: Definition.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

10 th CACR Information Security Workshop

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
10 th cacr information security workshop

10th CACR Information Security Workshop

Biometrics—The Foundation of Quick & Positive Authentication

8 May 2002

Dario Stipisic

Senior Consultant212-809-9491DStipisic@biometricgroup.com

biometrics definition
Biometrics: Definition
  • Biometrics: the automatedmeasurement of physiological or behavioral characteristics to determine or authenticate identity
  • Leading technologies in public sector
    • AFIS (large-scale identification through fingerprints)
    • Finger-scan
    • Facial-scan
  • Other technologies
    • Iris-scan
    • Signature-scan
    • Hand-scan
why are biometrics used
Why Are Biometrics Used?
  • Security
    • Protect sensitive data
    • High degree of identity certainty in transactions
    • Create databases with singular identities
  • Accountability
    • Improve auditing / reporting / record keeping
  • Convenience
    • Reduce password-related problems
    • Simplified access to controlled areas
  • Questions no longer asked:
    • Should we consider looking at biometrics?
    • Are biometrics a viable security solution?
  • Questions now asked:
    • Which biometric technology and which vendor can address specific security issues?
    • What is the business case behind a biometric implementation?
      • Decrease losses due to fraud
      • Increase employee accountability
      • Increase customer convenience
behavioral and physiological biometrics
Behavioral and Physiological Biometrics
  • Behavioral - Voice, Signature, Keystroke
    • Easier to use, often less expensive, less accurate, more subject to day-to-day fluctuation
    • Appropriate for relatively low-security, low-risk applications where acquisition devices are already in place (camera, telephone, signature pad)
  • Physiological - Finger, Hand, Iris, Retina, Face
    • Higher accuracy, stable, require slightly more effort
  • Biometric usage is both behavioral and physiological
    • Finger-scan, for example, requires the appropriate “behavior” – placing finger on device correctly
    • Voice patterns are based, to some degree, on physiological characteristics
biometrics vs other authentication methods
Biometrics Vs. Other Authentication Methods
  • Pros
    • Biometrics cannot be lost, shared, stolen, forgotten, or easily repudiated
    • Biometrics enable strong auditing and reporting capabilities
    • Can alter security requirements on a transactional basis
    • Only technology capable of identifying non-cooperative individuals
  • Cons
    • Biometrics do not provide 100% accuracy
    • Percentage of users cannot use some technologies
    • Characteristics can change over time
typical biometric applications
Typical Biometric Applications
  • Large-scale government identification
    • Drivers license (IL, WV, GA, possibly CA, MD, MA)
    • Voter registration (throughout Latin America)
    • Public benefits (CA, NY, TX, South Africa, Philippines)
    • National ID (Nigeria, Argentina, possibly China)
    • Tens of millions of individuals enrolled
  • Time and attendance, access control
    • Hand geometry, finger-scan
    • Hundreds of thousands of individuals enrolled
  • Network Security
    • Windows NT Login, Intranets
    • Tens of thousands of users enrolled
identification vs verification
Identification vs. Verification
  • Verification: Am I who I claim to be?
    • Faster, more accurate, less expensive
    • The more common method for IT security
    • More accountability
    • Requires that users enter a unique username or present a card/token
  • Identification: Who am I?
    • Used to locate duplicate identities in databases
    • Used when entering a username/ID is not feasible
    • Privacy challenges
biometric templates
Biometric Templates
  • Definition
    • Distinctive, encoded files derived and encoded from the unique features of a biometric sample
  • A basic element of biometric systems
    • Templates, not samples, are used in biometric matching
    • Created during enrollment and verification
    • Much smaller amount of data than sample (1/100th, 1/1000th)
    • Cannot reverse-engineer sample from template
    • Size facilitates encryption, storage on various tokens
    • Vendor templates are not interchangeable
    • Different templates are generated each time an individual provides a biometric sample
  • Biometric systems do not provide a 100% match
  • Comparing strings of binary data (templates)
  • Result of match (“score”) compared to pre-determined threshold – system indicates “match” or “no match”

Verification data1011010100101

Enrollment data0010100100111

Vendor Algorithm



Match / No Match Decision

real world accuracy
Real-World Accuracy
  • Vendor claims (1/1000, 1/1000000) are not always based on experience in real-world deployments
  • System accuracy defined through three metrics
    • False match (imposter breaks in)
    • False non-match (correct user locked out)
    • Failure to enroll (user cannot register in system)
  • Comparative testing shows that some devices and technologies provide very high accuracy, others very low accuracy
  • Regardless of technology, some small percentage will be unable to enroll
biometric market size
Biometric Market Size
  • 2001 Total Revenue: $524m USD
  • Projected 2003 Revenue: $1.05b USD
  • Most revenues today from law enforcement / public sector identification
  • Revenues for IT-oriented technologies
    • Finger-scan: $99.37m
    • Middleware: $24.2m
    • Less than $20m: voice-scan, signature-scan, iris-scan

Source: Biometric Market Report 2000-2005

major developments in the marketplace
Major Developments in the Marketplace
  • Large-scale ID systems for travel, licensing being developed
  • Finger-scan devices manufactured by Infineon, ST, Fujitsu, Sony, Motorola
  • Compaq, Dell, Toshiba shipping biometric devices with PCs
  • 1m users of facial-scan for ATM check-cashing
  • Microsoft, Intel to incorporate biometric functionality in future versions of OS
  • Increased adoption of standards – file formats, encryption, APIs
  • Convergence with smart card technology
growth of the biometric market
Growth of the Biometric Market

* Source: Biometric Market Report 2000-2005

biometric technologies
Biometric Technologies

* Source: Biometric Market Report 2000-2005

comparative technology growth
Comparative Technology Growth

* Source: Biometric Market Report 2000-2005

future market trends
Future Market Trends
  • PC/Network security, e-commerce will drive growth
    • From less than 20% of total biometric revenue to over 40% by 2005
  • Emergence of Retail – ATM - Point of Sale sector
    • From $10m today to $131m by 2005
  • Biometric revenue models based on transactional authentication, not device sales
  • Larger firms will absorb or eliminate many/most of today’s biometric players

Source: Biometric Market Report 2000-2005

privacy protection privacy erosion
Privacy Protection, Privacy Erosion
  • Biometric Protection of Privacy
    • Limiting access to sensitive data
    • Individual control over personal information
    • Potential weapon against identity fraud / theft
  • Biometric Erosion of Privacy
    • If used for broader purposes than originally intended (linking disparate data, tracking behavior)
    • If captured without informed consent
privacy fears
Privacy Fears
  • Informational Privacy
    • Function creep
    • Use as unique identifier
    • Associating unrelated data
    • Use by law enforcement agencies without oversight
    • Generally based on misuse of technology as opposed to intended uses
  • Personal Privacy
    • Inherent discomfort with or opposition to biometrics
    • Perception of invasiveness
mitigating factors
Mitigating Factors
  • Most biometrics incapable of identification
  • Substantial amount of biometric data required for large-scale identification
  • Very few shared public or private sector systems aside from law enforcement
  • Core matching algorithms not cross-compatible
  • Deployers can implement operational and design-oriented protections against system abuse
  • Technology not infallible or foolproof
  • Legislation accompanies public sector deployment to protect against misuse
  • Biometric usage has been closely monitored
ibg s bioprivacy initiative
IBG’s BioPrivacy™ Initiative
  • Analysis of biometric applications
    • BioPrivacy Impact Framework Not all biometric deployments bear the same privacy risks: specific features of biometric deployments increase or decrease the likelihood of misuse
  • Analysis of core biometric technologies
    • BioPrivacy Technology Risk Ratings Certain technologies are more prone to be misused than others and require extra precautions
  • Steps towards a privacy-sympathetic system
    • BioPrivacy Best Practices Ensure that deployers adhere to privacy principles regarding consent, use limitation, storage limitation, and accountability
bioprivacy impact framework
BioPrivacy Impact Framework
  • Overt vs. Covert
  • Opt-in vs. Mandatory
  • Verification vs. Identification
  • Fixed Duration vs. Indefinite Duration
  • Private Sector vs. Public Sector
  • Individual / Customer vs. Employee / Citizen
  • User Ownership vs. Institutional Ownership
  • Personal Storage vs. Template Database
  • Behavioral vs. Physiological
  • Templates vs. Identifiable Data
technology risk rating criteria
Technology Risk Rating Criteria
  • Verification/Identification
  • Overt/Covert
  • Behavioral/Physiological
  • Give/Grab
    • Technologies in which the user "gives" biometric data are rated “lower-risk”
    • Technologies in which the system "grabs" user data without the user initiating a sequence are rated “higher-risk”
bioprivacy 25 best practices
BioPrivacy 25 Best Practices
  • Implement as many Best Practices as possible without undermining the basic operations of the biometric system
  • Few deployers will be able to adhere to all BioPrivacy Best Practices
  • Inability to comply with certain Best Practices is balanced by adherence to others
  • Four Categories
    • Scope and Capabilities
    • Data Protection
    • User Control Of Personal Data
    • Disclosure, Auditing and Accountability