Biometrics101

You are the Key

A Need for Better Security

• One person can have a greater negative impact on society than ever before.

• More individuals have more diverse items and data to secure than ever before.

Society is Demanding

We want access to our

Money

Data

Communication Channels

We want it to be

Convenient

Easy Access

• ATM’s in Gas Stations

• Growing Wireless Internet Access

• Cellular Phone Service

Easy Access

You have the ability to access your services and money from anywhere.

So Does Everyone Else.

Proof of Identity

To be effectiveit must be

Convenient

Current Authentication Methods

What you HaveSometimes called a “Token”

– XON Card– Car or House Keys– Photo ID*

What You Know

– Lock Combination– PIN (Personal ID Number)– Password

Current Authentication Methods

“12-31-7” “Ro$ebuD254”

“7-3-6-9”

Combining MethodsATM Card + PIN

House Key + Home Address

8-7-6-5

Weaknesses and Vulnerabilities

Tokens – What You Have

• Token can be lost or stolen.

• Cards can be swiped or cloned.– Restaurants– Stores– Internet

Weaknesses and Vulnerabilities

Passwords and PINS – What You Know

• Passwords can be forgotten.

• Users can be “shoulder surfed”.

• Weak passwords can be guessed.

• Strong passwords are often written down.

Ro$ebuD25

4

Biometrics is the Oldest Form of Identification.

Simplest Form:

“Let me see your face”.

Who You Are

• Current Methods– Photo ID*

• Driver’s License• Kent ID

– Currently a person has to make the comparison between the Photo ID and your face.

A Human Must Recognize You.

Getting Answers

• Identification– “Who are you?”

• Authentication or Verification– “Are you who you claim to be?”

Manual Biometric System

The current system has some vulnerabilities.

The Problem

• The subject who needs to prove identity has complete access to the identifying device.

• Close examination will reveal many forged ID’s, but you are dealing with variables known as human beings.

The Human Factor

• People are the biggest security risk.

• Confirmation of ID is usually a repetitive task, one that can allow for mistakes or intentional failures to occur

• Social Engineering– People can be manipulated.

• The Art of Deception ~ Kevin D. Mitnick

Biometrics

From the Greek

Bios = “Life”

Metron = “Measurement”

Authentication and Identification are basedon the automated measurement and comparison of the biological factors

that are unique to an individual.

A Few Terms…

• Test Template – a.k.a. Enrollment Sample– Digitized file (usually encrypted ) that contains

biometric data.

• Enrollment – The process that creates the Test Template when the

new subject is added to the system.

A Few Terms…

• Challenge Sample– The object or information presented for comparison to

the Test Template to gain access.

• Sensor– Device used to capture the biometric data at both the

enrollment and challenge stages.

Sample Examples

Test

Template

• Door Lock• Password File• Driver’s License

Challenge

Sample

• House Key• Password• Your Face

Current Biometric Systems

• Fingerprint

• Facial Geometry

• Iris Scan

• Vein Pattern Identification– Hand/Wrist/Face– Retina

Finger Print• One of the first biometrics methods.

– Patented by Randall Fowler, the founder of “Identix” in 1978.

• Test template describes geometries of the finger print. These details are called “minutia”.

Finger Print Minutia

A template usually contains several types of minutia and records how they relate to each other. The actual print image is usually NOT saved for low security applications such as company time clocks or home systems.

Fingerprint Advantages

• Fingerprints are easy to use.

• Most systems require little space.

• Test templates can be made from finger print cards.

• Fingerprints stay consistent throughout life.

• System is as inexpensive as $50.00 at Wal-Mart.

Fingerprint Disadvantages

• Users may have concerns regarding touching a sensor touched by other people.

• An individual’s age and occupation may cause some sensors difficulty in capturing a complete and accurate image.

• Users may have religious concerns.

Facial Geometry• Compares measurements of various facial

landmarks such as the distance from nose to chin, distance between the eyes

• A functional test template can be generated from a photograph

• Currently used in airports to identify terrorists and other “Persons of Interest”

• 2001 Super Bowl

Super Bowl XXXV

• Baltimore Ravens Vs. New York Giants• Baltimore won the game 34–7• 19 individuals with outstanding warrants

were identified by a face recognition system from over 100,000 other individuals.

• Tampa Police and ACLU Court Battle.• Tampa Police currently use a facial

recognition system in the downtown area.

Facial Geometry Advantages

• No contact required

• Sensors are high quality video cameras

• With a telephoto lens the camera can be a distance from the subject

• Can be used without the subject’s knowledge

• Test Template can be made from a photo– Drivers License photos are now stored with

the rest of your DMV data

Facial Geometry Disadvantages

• Sensitive to changes in lighting, expression, and facial position

• Faces change over time

• Face can be obscured by hats, hair, etc.

Iris Scan

• Records the unique pattern and colors that make up the area surrounding the pupil

Iris Scan Advantages

• No contact with sensor required

• Protected organ less prone to injury and scarring

• Believed to be highly stable over lifetime

• As unique as a fingerprint

Iris Scan Disadvantages

• Public concerns related to scanning the eye with a light source

• Acquisition of an iris image requires more training and skill than most biometrics

• Can be affected by contact lenses

Vein Pattern Identification

• This technology uses a combination of thermal imaging and visible light scanning.

• Various body areas can be used to create the test template. Face, hands, and retina are common sources for biometric data.

Vein Pattern Advantages

• Considered as unique as finger prints

• Easy to implement a robust liveliness aspect to the sensor

• Fewer of the biological limitations associated with fingerprints

Vein Pattern Disadvantages

• Use of this method requires some training.• This is believed to

be stable over adultlifespan, but changes occur as children grow.

• Scanning device takes up a larger space than other biometric sensors.

Liveliness

• Liveliness systems detect the signs of a living biometric sample.

No Life - No Access.

• Pulse, temperature, and moisture are some of the aspects that are detected.

Liveliness

• This aspect authenticates the Challenge Sample.

• Public awareness of liveliness requirements protects users.– 2005 Malaysia, Mercedes owner lost finger to

car thieves.

Challenge Sample Processing

• Challenge Sample is collected.• Tests for liveliness, if available, are done. • Challenge Sample is then compared to the

enrollment test template.• Some variance is expected.

– A true “perfect match” can cause a system to disallow access.

• If the match score is above the threshold, access is granted.

A Few More Terms…

• Threshold– Level required for an acceptable match

• Higher threshold requires a better match score.• Lower threshold requires a lower match score.

A Few More Terms…

• False Rejection– System denies access when Test Template

and Challenge Sample that SHOULD match do not, due to:

• Bad challenge sample• Sensor problem• Match criteria requirement too high• Inconvenient

A Few More Terms…

• False Acceptance– System allows access when Test Template

and Challenge Sample that should NOT match do, due to:

• User’s defeat of the system• Match criteria requirement too low• System malfunction

Additional Security

• Implementing a PIN or Token with a biometric system is common.

• Recorded video surveillance: full-time or event-triggered by a failed challenge

• Duress systems

• Mantraps

Duress Systems

• Those desperate for access might try to steal the biometric key, that is - You!

• Implemented to keep the biometric key, also know as a person, safe while maintaining security.

Duress Systems

• Allows access but also set off alarms or initializes other countermeasures.– Right index finger lets you in.– Right middle finger lets you in and

calls for help.– Right ring finger lets

you in, calls for help, and locks down more sensitive areas ofthe building.

Mantraps• Usually used in very high security areas

• Can be combined with duress systems

• One at a time through the trap

• Contains subjects who have failed the security challenge

Mantraps• This system uses an open format to allow

security personal to identify the person in the trap; these are usually used to control access inside of a facility.

Systems in Development

• Body Odor Identification– An Electronic Nose

• Body Salinity Identification– Exploits natural level of salt

in the body.

Resources

www.personal.kent.edu/~kstates/index.htm

Biometrics

You are the Key