IDTrust 2011: Privacy and Security Research Challenges for Biometric Authentication
Moderator: Elaine Newton, PhD
NIST
elaine.newton@nist.gov
A Generic Biometric System
Image from: Newton, Elaine. Biometrics and Surveillance: Identification, De-Identification, and Strategies for Protection of Personal Data. PhD Dissertation, Carnegie Mellon University, Dept of Engineering and Public Policy, ProQuest UMI, May 2009.
Notional Histogram of Genuines (Blue) and Imposters (Red)
[Figure: histogram; x-axis: Similarity Scores; y-axis: Frequency; labelled regions: False Matches, False Non-Matches]
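The trade-off the histogram slide depicts, as an added example that is not from the talk or from NIST's test code: it computes the false match rate (FMR) and false non-match rate (FNMR) at a decision threshold and finds the lowest threshold that stays within a false-match budget. The score values, the function names and the convention that a score at or above the threshold counts as a match are assumptions.

```python
"""Added example: false match / false non-match rates from similarity scores."""

# Constructed similarity scores in [0, 1]; not data from the talk or from NIST.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.76, 0.72, 0.66, 0.58, 0.47, 0.35]
IMPOSTOR = [0.62, 0.51, 0.44, 0.40, 0.33, 0.29, 0.24, 0.18, 0.12, 0.07]


def error_rates(genuine, impostor, threshold):
    """Return (FMR, FNMR) when a score >= threshold is declared a match."""
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    # Impostor comparisons that land on the match side of the threshold.
    false_matches = sum(1 for s in impostor if s >= threshold)
    # Genuine comparisons that land on the non-match side of the threshold.
    false_non_matches = sum(1 for s in genuine if s < threshold)
    return false_matches / len(impostor), false_non_matches / len(genuine)


def sweep(genuine, impostor):
    """Evaluate every observed score as a candidate threshold, ascending."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def threshold_for_max_fmr(genuine, impostor, max_fmr):
    """Lowest threshold whose FMR is within max_fmr, with the FNMR it costs."""
    for t, fmr, fnmr in sweep(genuine, impostor):
        if fmr <= max_fmr:
            return t, fmr, fnmr
    return None  # no observed score is strict enough


if __name__ == "__main__":
    print("threshold  FMR   FNMR")
    for t, fmr, fnmr in sweep(GENUINE, IMPOSTOR):
        print(f"{t:9.2f}  {fmr:.2f}  {fnmr:.2f}")
    print("zero false matches at:", threshold_for_max_fmr(GENUINE, IMPOSTOR, 0.0))
```

Raising the threshold removes false matches only by rejecting more genuine users, which is the overlap region between the two distributions in the figure.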
NIST Biometric Testing
• Fingerprint
  • Ongoing Proprietary Fingerprint Test (PFTII) and MINEX (MINutiae EXchange) testing using various databases of 120K+ subjects
  • Software development kit (SDK)-based testing
• Face
  • Data from grand challenges and vendor tests
  • DOS Database of 37K subjects
  • Algorithm-based testing
• Iris
  • Data from grand challenges and vendor tests
  • Algorithm-based testing
Authentication Use Case Comparison

For law enforcement, immigration, etc.
• Enrollment and subsequent recognition attempts
  • Highly controlled
  • Supervised / Attended
• Successful recognition
  • Answers the question, “Has this person been previously encountered?”
  • Is a unique pattern

For online transactions, e.g. banking, health, etc.
• Enrollment
  • Less controlled
  • Probably not in person
• Subsequent recognition attempts
  • Unattended
• Successful recognition
  • Answers the question, “How confident am I that this is the actual claimant?”
  • Is a tamper-proof rendering of a distinctive pattern
Passwords v. Biometric Data
• P: Known only to the end-user
• B: Potentially known by anyone who can encounter the individual in-person or virtually
• P: Can be (easily) changed if compromised and periodically renewed to mitigate risk
  • Can be lengthened to increase security
• B: A pattern with some degree of robustness over time that can be used to distinguish individuals
• P: Many possibilities for users to choose different credentials for different domains, which could be randomly generated or otherwise have no personally identifying information
• B: A presentation of the same biometrics for any application, and many can be used for identification
• P: Deterministic
• B: Probabilistic
Biometric Security Issues
Figure by Nalini Ratha, IBM
Thank you
And now for our panel:
• Ross Micheals, PhD
• Terry Boult, PhD
• Stephanie Schuckers, PhD