560 likes | 716 Views
Emerging Biometric Applications. Expectations meet Reality. An Emerging Technology. What are Biometrics?. The term biometrics refers to a science involving the standard analysis of biological characteristics.
E N D
Emerging BiometricApplications Expectations meet Reality
What are Biometrics? The term biometrics refers to a science involving the standard analysis of biological characteristics. A biometric is a unique, measurable characteristic or trait of a human being for automatically recognising or verifying identity.
Who are you? No, who are you, really???
Authentication Methods in Network & Internet Security • Something you know • Passwords • PINs • Mother’s maiden name • Something you have • ATM card • Smart card • Digital certificate • Something you are • Biometrics • Positive identification • Never lost or stolen
Biometric Techniques Identification of all the biometric methods, both mainstream and ‘esoteric,’ known to the group. Consider methods that relate to non-humans and also combinations of methods.
Innate Iris Retina Ear Fingerprint Palm / hand Face (visual & heat) Skin detail / veins DNA / Blood / Saliva / anti-bodies Heart rhythm Footprint Lips Behavioral Gait Signature Typing style Mixed Voice Body odour Biometrics
Why Biometrics? “Biometric identification (e.g., fingerprints, face and voice) will emerge as the only way to truly authenticate an individual, which will become increasingly important as security and privacy concerns grow.” - Gartner Group 26th April 2000
Store Present biometric Capture Process IDENTIFIED Compare Match No Match DENIED Present biometric Capture Process How do Biometrics Work? Enrollment: Add a biometric identifier to a database Fingerprint, Voice, Facial or Iris Verification: Match against an enrolled record
Fingerprint Image Identification
Accuracy v. Affordability v. Acceptability 0 1 Affordability >> 2 3 4 Accuracy >> Courtesy, Veridicom Corp.
Benefits of Biometrics Biometrics link a particular event to a particular individual, not just to a password or token, which may be used by someone other than the authorized user
Business Scenarios • The password problem • Remote access • Who is using our fee-based web-site? • Challenge-response tokens • Too many physical-access devices • Protecting the single-sign-on vault
The Password Problem • They’re either too easy or they’re written down somewhere! • Users forget them! • Help Desk has to sort out the mess!
Password Survey • Every user requesting password reset received survey • 50% response • “No recriminations” policy • Source - CCH
The Password Problem Good passwords are bad for users
The Password ProblemWrite it Down 47 28 8 16 % of respondents Never Occasionally Often Always
The Password Problem User Overload No of 57 36 7 Pswds % 1-3 4-6 7-9
The Password Problem User Impact Password 4 62 29 5 Resets % Zero 1-2 3-6 > 6
The Password Problem Wait Time
The Password Problem Impact on Productivity
The Password Problem Who Knows your Password?
The Password Problem How Many Passwords do you Know?
4 62 29 5 % of respondents Zero 1-2 3-6 > 6 The Password ProblemResets per Year Source: CCH
The Password Problem • Identifiable costs • Lost productivity • Flow-on productivity losses • Support team • Management and infrastructure • US research - $340 per incident* • Anecdotal – some incidents over $AU10,000 *BioNetrix Corp - www.bionetrix.com/inserts.pdf
Privacy Concerns and Ethics • Criminal stigma • 3rd party use of data • Sold or given for other than intended purpose • Provided to law enforcement • Unauthorized access • Identity theft • “Tracking” of actions through biometrics • Religious objections - “Mark of the Beast”
Australian Privacy Act NPP 4 – Data Security An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
Privacy Policy Recommendations • 5 basic principles • Notice – disclose ALL data captured • Access –anyone can view their stored data • Correction Mechanism • Informed Consent – no 3rd-party involvement • Reliability & Safeguarding
Who would use Biometrics • Strong identification and authentication • Medium – high data security • Non-repudiation (I didn’t do it!)
Who would use Biometrics • The last metre • Fee-for-service web sites • e-Commerce transaction verification
Selecting Biometric Technologies • User / environment considerations • Cooperative/non-cooperative users • Overt/covert capture • Habituated/non-habituated • Attended/unattended • Public/private • Indoor/outdoor • Possible interference • User lifestyle/occupation • Compatibility with existing/legacy systems
Selecting Biometric Technologies • Technology factors • Cost • Accuracy • Ease of use • Public acceptance • Long term stability • Existence/use of standards • Barriers to attack • Track record of vendor/product • Availability of alternate sources • Scalability
Iris Face Finger Signature Voice Accuracy Very High Medium High High Medium Ease of Use Medium Medium High High High Barrier to Very High Medium High Medium Medium Attack User Medium Medium Medium Very High High Acceptability Long Term High Medium High Medium Medium Stability Interference Coloured Lighting Dryness Changing Noise, Contacts Aging, Dirt, Signatures Colds, Glasses, Age, Weather Hair Race Technology Comparison
Accuracy • False rejection rate • Measures how often an authorized user, who should be recognized by the system, is not recognized. • I am not recognised as me! • False acceptance rate • Measures how often a non-authorized user, who should not be recognized by the system, is falsely recognized. • You are pretending to be me!
d Non-matching prints Matching Threshold Matching prints False non-matches False matches Matching vs. Non-Matching Prints
FRR Error Rate FAR Threshold FRR vs. FAR • FAR / FRR are loosely inverse • FAR = FER = Equal Error Rate • Failure to enroll rate (FER) • Measures how often users are unable to enroll a biometric record
Biometrics Institute • Recently incorporated • Impartial tester • Education source • Government & industry funded • www.biomet.org • support@biomet.org • “Introduction to Biometrics” 1-day course September 25th
What problem are we solving? • If biometrics is the answer, what’s the question?
Health Health Technologies (Australia) Patient Records Capital Coast Health (NZ) Access security & SSO e-Commerce (Australia) e-Contracts Big Sky Contracting SocialSecurity States of New Jersey, Virginia,Connecticut Social Welfare systems Banking & Finance ING Direct (Canada) On-line banking ABN AMRO (Australia) Network Security Pt Makindo (Indonesia) Network Security On-line Trading Government Network Security and ID systems Defence – Stratcom US GSA – Govt-wide Smart Card Program Reference Sites
Biometric Scanning Devices PC Video Camera Secugen EyeD Mouse II Scanner Sensar Iris Scanner Veridicom 5th Sense Fingerprint Scanner Phoenix Keyboards Veridicom ‘Combo’ Fingerprint & SmartCard Scanner Telex Microphones
SAF/2000 • SAF/NT • System requirements • Versions • Hardware • Client environment
2. Client accepts username passed to SAFserver 3. SAFserver advises login method 4. Client collects biometric 5. Summarized biometric passed to SAFserver for confirmation 7. If user is valid, SAFserver passes user password to client 8. Client passes username and password to login server to complete the login Data Flow During Login SAFserver 1. Client displays NRIgina.dll Biometric device 9x/NT client BSP 6. SAFserver determines validity of biometric Login Server
NMAS • Modular interface to NDS • Choice of biometric method & supplier • Multiple & graded authentication • Free starter pack • Enterprise Edition