
10 th CACR Information Security Workshop

10 th CACR Information Security Workshop. Biometrics—The Foundation of Quick & Positive Authentication 8 May 2002 Dario Stipisic Senior Consultant 212-809-9491 DStipisic@biometricgroup.com. Biometrics: Definition.





Presentation Transcript


  1. 10th CACR Information Security Workshop
     Biometrics—The Foundation of Quick & Positive Authentication
     8 May 2002
     Dario Stipisic, Senior Consultant
     212-809-9491
     DStipisic@biometricgroup.com

  2. Biometrics: Definition
     • Biometrics: the automated measurement of physiological or behavioral characteristics to determine or authenticate identity
     • Leading technologies in public sector
       • AFIS (large-scale identification through fingerprints)
       • Finger-scan
       • Facial-scan
     • Other technologies
       • Iris-scan
       • Signature-scan
       • Hand-scan

  3. Why Are Biometrics Used?
     • Security
       • Protect sensitive data
       • High degree of identity certainty in transactions
       • Create databases with singular identities
     • Accountability
       • Improve auditing / reporting / record keeping
     • Convenience
       • Reduce password-related problems
       • Simplified access to controlled areas

  4. Questions…
     • Questions no longer asked:
       • Should we consider looking at biometrics?
       • Are biometrics a viable security solution?
     • Questions now asked:
       • Which biometric technology and which vendor can address specific security issues?
       • What is the business case behind a biometric implementation?
         • Decrease losses due to fraud
         • Increase employee accountability
         • Increase customer convenience

  5. Behavioral and Physiological Biometrics
     • Behavioral - Voice, Signature, Keystroke
       • Easier to use, often less expensive, less accurate, more subject to day-to-day fluctuation
       • Appropriate for relatively low-security, low-risk applications where acquisition devices are already in place (camera, telephone, signature pad)
     • Physiological - Finger, Hand, Iris, Retina, Face
       • Higher accuracy, stable, require slightly more effort
     • Biometric usage is both behavioral and physiological
       • Finger-scan, for example, requires the appropriate “behavior” – placing the finger on the device correctly
       • Voice patterns are based, to some degree, on physiological characteristics

  6. Biometrics Vs. Other Authentication Methods
     • Pros
       • Biometrics cannot be lost, shared, stolen, forgotten, or easily repudiated
       • Biometrics enable strong auditing and reporting capabilities
       • Can alter security requirements on a transactional basis
       • Only technology capable of identifying non-cooperative individuals
     • Cons
       • Biometrics do not provide 100% accuracy
       • A percentage of users cannot use some technologies
       • Characteristics can change over time

  7. Typical Biometric Applications
     • Large-scale government identification
       • Driver's license (IL, WV, GA, possibly CA, MD, MA)
       • Voter registration (throughout Latin America)
       • Public benefits (CA, NY, TX, South Africa, Philippines)
       • National ID (Nigeria, Argentina, possibly China)
       • Tens of millions of individuals enrolled
     • Time and attendance, access control
       • Hand geometry, finger-scan
       • Hundreds of thousands of individuals enrolled
     • Network Security
       • Windows NT Login, Intranets
       • Tens of thousands of users enrolled

  8. Identification vs. Verification
     • Verification: Am I who I claim to be?
       • Faster, more accurate, less expensive
       • The more common method for IT security
       • More accountability
       • Requires that users enter a unique username or present a card/token
     • Identification: Who am I?
       • Used to locate duplicate identities in databases
       • Used when entering a username/ID is not feasible
       • Privacy challenges

  9. Biometric Templates
     • Definition
       • Distinctive, encoded files derived from the unique features of a biometric sample
     • A basic element of biometric systems
     • Templates, not samples, are used in biometric matching
     • Created during enrollment and verification
     • Much smaller amount of data than the sample (1/100th, 1/1000th)
     • Cannot reverse-engineer the sample from the template
     • Size facilitates encryption, storage on various tokens
     • Vendor templates are not interchangeable
     • Different templates are generated each time an individual provides a biometric sample

  10. Matching
     • Biometric systems do not provide a 100% match
     • Comparing strings of binary data (templates)
     • Result of match (“score”) compared to pre-determined threshold – system indicates “match” or “no match”
     [Figure: Verification data (e.g. 1011010100101) and Enrollment data (e.g. 0010100100111) → Vendor Algorithm → Scoring → Threshold → Match / No Match Decision]

  11. Real-World Accuracy
     • Vendor claims (1/1000, 1/1000000) are not always based on experience in real-world deployments
     • System accuracy defined through three metrics
       • False match (imposter breaks in)
       • False non-match (correct user locked out)
       • Failure to enroll (user cannot register in system)
     • Comparative testing shows that some devices and technologies provide very high accuracy, others very low accuracy
     • Regardless of technology, some small percentage will be unable to enroll
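Slides 8, 10 and 11 describe the matching pipeline (template comparison, a score, a threshold, a match / no match decision), the difference between 1:1 verification and 1:N identification, and the three accuracy metrics. The following is an added worked example, not code from the slides or from International Biometric Group: templates are constructed bit strings, the "vendor algorithm" is assumed to be plain bit-agreement similarity, re-capture noise stands in for the fact that every sample yields a different template, and a constructed capture-quality value models failure to enroll. The threshold sweep at the end shows why a vendor's single accuracy figure is meaningless without the threshold it was measured at: lowering the threshold reduces false non-matches and raises false matches, and vice versa.

```python
import random

TEMPLATE_BITS = 64   # toy template size, an assumption for this example


def similarity(a: str, b: str) -> float:
    """Score in [0, 1]: fraction of bit positions on which two templates agree.
    Stands in for the proprietary 'vendor algorithm' box on slide 10."""
    if len(a) != len(b):
        raise ValueError("templates must be the same length")
    return sum(x == y for x, y in zip(a, b)) / len(a)


def decide(score: float, threshold: float) -> bool:
    """The only output a deployer sees: score >= threshold means 'match'."""
    return score >= threshold


def verify(enrolled: dict, claimed_id: str, probe: str, threshold: float) -> bool:
    """1:1 verification ('am I who I claim to be?'): needs a claimed identity."""
    reference = enrolled.get(claimed_id)
    return reference is not None and decide(similarity(reference, probe), threshold)


def identify(enrolled: dict, probe: str, threshold: float):
    """1:N identification ('who am I?'): best-scoring enrollee above threshold, else None."""
    best_id, best_score = None, -1.0
    for uid, reference in enrolled.items():
        score = similarity(reference, probe)
        if score > best_score:
            best_id, best_score = uid, score
    return best_id if decide(best_score, threshold) else None


def enroll(raw_samples: dict, min_quality: float):
    """raw_samples: uid -> (template, capture quality in [0, 1]).
    Samples below min_quality are rejected; the rejected share is the failure-to-enroll rate."""
    enrolled = {uid: t for uid, (t, q) in raw_samples.items() if q >= min_quality}
    fte = 1.0 - len(enrolled) / len(raw_samples)
    return enrolled, fte


def error_rates(enrolled: dict, genuine: list, impostor: list, threshold: float) -> dict:
    """genuine: (true_id, probe) pairs; impostor: (claimed_id, someone else's probe) pairs.
    False non-match = correct user locked out; false match = impostor accepted."""
    fnm = sum(not verify(enrolled, uid, p, threshold) for uid, p in genuine)
    fm = sum(verify(enrolled, uid, p, threshold) for uid, p in impostor)
    return {"threshold": threshold,
            "false_non_match_rate": fnm / len(genuine),
            "false_match_rate": fm / len(impostor)}


def _flip_bits(template: str, rng: random.Random, flip_prob: float) -> str:
    """Re-capture noise: each presentation yields a slightly different template."""
    return "".join(b if rng.random() >= flip_prob else "10"[int(b)] for b in template)


def build_dataset(n_users: int = 40, seed: int = 7):
    """Constructed population (not real data): one 'true' bit pattern per user,
    noisy re-captures for enrollment and probes, and a random capture quality."""
    rng = random.Random(seed)
    truth = {f"user{i:02d}": "".join(rng.choice("01") for _ in range(TEMPLATE_BITS))
             for i in range(n_users)}
    raw = {uid: (_flip_bits(t, rng, 0.10), rng.random()) for uid, t in truth.items()}
    enrolled, fte = enroll(raw, min_quality=0.10)
    ids = sorted(enrolled)
    genuine = [(uid, _flip_bits(truth[uid], rng, 0.10)) for uid in ids for _ in range(5)]
    impostor = [(uid, _flip_bits(truth[rng.choice([o for o in ids if o != uid])], rng, 0.10))
                for uid in ids for _ in range(5)]
    return enrolled, fte, genuine, impostor


def sweep(thresholds=(0.55, 0.65, 0.75, 0.85, 0.95)) -> list:
    """Error rates at several thresholds on one fixed dataset: moving the threshold
    trades false non-matches against false matches; failure to enroll is independent of it."""
    enrolled, fte, genuine, impostor = build_dataset()
    rows = [error_rates(enrolled, genuine, impostor, t) for t in thresholds]
    for row in rows:
        row["failure_to_enroll_rate"] = fte
    return rows


if __name__ == "__main__":
    for row in sweep():
        print(row)
```

Run it as a script to print one row per threshold. Note that `identify` has to scan every enrolled template and pick a winner, which is why slide 8 rates identification as slower and less accurate than verification: the more templates in the database, the more chances for some stranger's template to score above the threshold.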

  12. Biometric Market Size
     • 2001 Total Revenue: $524m USD
     • Projected 2003 Revenue: $1.05b USD
     • Most revenues today from law enforcement / public sector identification
     • Revenues for IT-oriented technologies
       • Finger-scan: $99.37m
       • Middleware: $24.2m
       • Less than $20m: voice-scan, signature-scan, iris-scan
     Source: Biometric Market Report 2000-2005

  13. Major Developments in the Marketplace
     • Large-scale ID systems for travel, licensing being developed
     • Finger-scan devices manufactured by Infineon, ST, Fujitsu, Sony, Motorola
     • Compaq, Dell, Toshiba shipping biometric devices with PCs
     • 1m users of facial-scan for ATM check-cashing
     • Microsoft, Intel to incorporate biometric functionality in future versions of OS
     • Increased adoption of standards – file formats, encryption, APIs
     • Convergence with smart card technology

  14. Growth of the Biometric Market
     [Chart not reproduced in transcript] * Source: Biometric Market Report 2000-2005

  15. Biometric Technologies
     [Chart not reproduced in transcript] * Source: Biometric Market Report 2000-2005

  16. Comparative Technology Growth
     [Chart not reproduced in transcript] * Source: Biometric Market Report 2000-2005

  17. Future Market Trends
     • PC/Network security, e-commerce will drive growth
       • From less than 20% of total biometric revenue to over 40% by 2005
     • Emergence of Retail – ATM – Point of Sale sector
       • From $10m today to $131m by 2005
     • Biometric revenue models based on transactional authentication, not device sales
     • Larger firms will absorb or eliminate many/most of today’s biometric players
     Source: Biometric Market Report 2000-2005

  18. Privacy Protection, Privacy Erosion
     • Biometric Protection of Privacy
       • Limiting access to sensitive data
       • Individual control over personal information
       • Potential weapon against identity fraud / theft
     • Biometric Erosion of Privacy
       • If used for broader purposes than originally intended (linking disparate data, tracking behavior)
       • If captured without informed consent

  19. Privacy Fears
     • Informational Privacy
       • Function creep
       • Use as unique identifier
       • Associating unrelated data
       • Use by law enforcement agencies without oversight
       • Generally based on misuse of technology as opposed to intended uses
     • Personal Privacy
       • Inherent discomfort with or opposition to biometrics
       • Perception of invasiveness

  20. Mitigating Factors
     • Most biometrics incapable of identification
       • Substantial amount of biometric data required for large-scale identification
       • Very few shared public or private sector systems aside from law enforcement
       • Core matching algorithms not cross-compatible
     • Deployers can implement operational and design-oriented protections against system abuse
     • Technology not infallible or foolproof
     • Legislation accompanies public sector deployment to protect against misuse
     • Biometric usage has been closely monitored

  21. IBG’s BioPrivacy™ Initiative
     • Analysis of biometric applications
       • BioPrivacy Impact Framework: not all biometric deployments bear the same privacy risks; specific features of biometric deployments increase or decrease the likelihood of misuse
     • Analysis of core biometric technologies
       • BioPrivacy Technology Risk Ratings: certain technologies are more prone to be misused than others and require extra precautions
     • Steps towards a privacy-sympathetic system
       • BioPrivacy Best Practices: ensure that deployers adhere to privacy principles regarding consent, use limitation, storage limitation, and accountability

  22. BioPrivacy Impact Framework
     • Overt vs. Covert
     • Opt-in vs. Mandatory
     • Verification vs. Identification
     • Fixed Duration vs. Indefinite Duration
     • Private Sector vs. Public Sector
     • Individual / Customer vs. Employee / Citizen
     • User Ownership vs. Institutional Ownership
     • Personal Storage vs. Template Database
     • Behavioral vs. Physiological
     • Templates vs. Identifiable Data

  23. Technology Risk Rating Criteria
     • Verification/Identification
     • Overt/Covert
     • Behavioral/Physiological
     • Give/Grab
       • Technologies in which the user "gives" biometric data are rated “lower-risk”
       • Technologies in which the system "grabs" user data without the user initiating a sequence are rated “higher-risk”

  24. BioPrivacy 25 Best Practices
     • Implement as many Best Practices as possible without undermining the basic operations of the biometric system
     • Few deployers will be able to adhere to all BioPrivacy Best Practices
     • Inability to comply with certain Best Practices is balanced by adherence to others
     • Four Categories
       • Scope and Capabilities
       • Data Protection
       • User Control Of Personal Data
       • Disclosure, Auditing and Accountability
