Biometrics role in cybersecurity IASA · 2018-05-02 · Biometrics Application Categories...

Post on 27-Jul-2020


Role of Biometrics in Cybersecurity

Sam Youness

Agenda

• Biometrics basics
• How it works
• Biometrics applications and architecture
• Biometric devices
• Biometrics considerations
• The road ahead

The Basics

• Every day we need to identify ourselves when we do things like:
  • Use a bank automatic teller machine (PIN #)
  • Use personal or corporate computing devices
  • Enter the office by scanning a badge, punching a code, or using a key
  • Use passwords to access online services (e.g. online banking, Netflix, Amazon)
  • Use a password to access our email
  • Provide a passport or driver's license as proof of identity
  • And many more examples
• There is an essential need to accurately identify an individual to minimize the possibility of security breaches and threats

Why Biometrics?

• Traditional security guards (passwords, PINs, etc.) have serious issues
• Security keys, such as ID cards, keys, etc., also have their issues, such as getting lost, copied, etc.
• Is biometrics the answer?
  • It is part of the person and not easily compromised through theft, collusion, or loss
  • Simplifies user management, leading to cost savings
  • No need to remember passwords or PINs
  • User accounts cannot be shared
  • Easy to use

Biometrics Modalities

• Physiological (not likely to change over time):
  • Fingerprints, finger length
  • Iris / retina
  • Facial image and geometry (2D and 3D)
  • Hand geometry
  • Vein pattern
  • DNA
• Behavioral (may change over time):
  • Voice
  • Gait
  • Odor
  • Signature
  • Keystroke and mouse-move dynamics

How Biometrics Work

[Diagram: two flows]
• Enrollment (stages: Enrollment, Template Extraction, Template Storage): biometric sample → distinguished features of the sample → digital template of the sample
• Matching (stages: Live Capture, Template Extraction, Template Comparison Search/Match): biometric sample → distinguished features of the sample → digital template of the sample → comparison algorithm → MATCH / NO MATCH

Biometrics Processes

[Diagram: Secure Device and Trusted Computer; stages: Image Capture → Feature Extraction → Secure Storage → Template Matching → MATCH / NO MATCH]

Biometric System Accuracy

• ROC: receiver operating characteristic
• FMR: false match rate
• FNMR: false non-match rate
• Matching threshold – T
• Higher quantities of data (e.g. more fingerprints) and higher-quality (highly consistent) samples are required for one-to-many search processes as compared to one-to-one matching for verification.
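
Added example (not part of the original slides): how FMR and FNMR move against each other as the matching threshold T changes, and why the same 1:1 FMR becomes a much higher false-hit probability in a one-to-many search. The score lists, the threshold values and the function names are constructed for illustration; the 1:N figure assumes independent comparisons.

```python
# Constructed comparison scores (higher = more similar); not real sensor data.
GENUINE = [0.91, 0.85, 0.78, 0.74, 0.66, 0.62, 0.55, 0.48, 0.88, 0.81]   # same person
IMPOSTOR = [0.12, 0.25, 0.31, 0.18, 0.42, 0.51, 0.29, 0.36, 0.58, 0.22]  # different people
THRESHOLDS = [0.3, 0.4, 0.5, 0.6, 0.7]  # candidate values of T (assumed)


def fmr(impostor, t):
    """False match rate: share of impostor comparisons accepted at threshold t."""
    return sum(s >= t for s in impostor) / len(impostor)


def fnmr(genuine, t):
    """False non-match rate: share of genuine comparisons rejected at threshold t."""
    return sum(s < t for s in genuine) / len(genuine)


def roc(genuine, impostor, thresholds):
    """One (T, FMR, FNMR) operating point per threshold."""
    return [(t, fmr(impostor, t), fnmr(genuine, t)) for t in thresholds]


def equal_error_point(points):
    """Operating point where FMR and FNMR are closest to each other."""
    return min(points, key=lambda p: abs(p[1] - p[2]))


def fpir(fmr_1to1, gallery_size):
    """Probability of at least one false match when searching a gallery of
    gallery_size templates, assuming each comparison is independent."""
    return 1 - (1 - fmr_1to1) ** gallery_size


if __name__ == "__main__":
    points = roc(GENUINE, IMPOSTOR, THRESHOLDS)
    for t, fm, fnm in points:
        print(f"T={t:.1f}  FMR={fm:.2f}  FNMR={fnm:.2f}")
    print("closest to equal error:", equal_error_point(points))
    # The same per-comparison FMR looks very different at 1:N scale.
    for n in (1, 1000, 100000):
        print(f"FMR=0.001, gallery={n}: false-hit probability {fpir(0.001, n):.4f}")
```

Raising T lowers FMR at the cost of FNMR, so the threshold is a policy choice; for identification the per-comparison FMR has to be far lower than for verification to keep false hits rare.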

Biometrics Application Categories

• Verification
  • One-to-one biometric identification to provide physical or logical access control
  • Compares against a template stored locally (PC, smartphone, etc.) or on a server
  • Acts as a passcode or PIN
• Identification
  • One-to-many search to assess whether an individual's biometrics are present in a database or gallery that contains a very large number of biometric records
  • More computing-intensive to help identify a person
• Duplicate Checking
  • Matching each and every template to all templates in a gallery
  • Determines if individuals are represented more than once in a database
  • Used to detect fraud – enrollment in multiple social benefits programs, etc.
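
Added example (not part of the original slides): the three application categories as three calls over one gallery, showing the 1:1, 1:N and N:N comparison patterns. The 16-bit templates, record ids, threshold and function names are constructed for illustration; real templates and comparison algorithms are vendor-specific.

```python
from itertools import combinations

BITS = 16
T = 0.85  # matching threshold (assumed value)

# Constructed toy templates keyed by enrollment record.
GALLERY = {
    "rec-001": 0b1010110011110000,
    "rec-002": 0b0101001100001111,
    "rec-003": 0b1010110011110010,  # same person as rec-001, enrolled a second time
    "rec-004": 0b1111000010101100,
}
PROBE = 0b1010110011100000  # live capture of the rec-001 person, one noisy bit


def similarity(a, b):
    """Fraction of matching bits between two fixed-length templates."""
    return 1 - bin(a ^ b).count("1") / BITS


def verify(probe, claimed_id, gallery=GALLERY, t=T):
    """Verification (1:1): compare only against the claimed identity's template."""
    return similarity(probe, gallery[claimed_id]) >= t


def identify(probe, gallery=GALLERY, t=T):
    """Identification (1:N): search the whole gallery, best candidates first."""
    scored = sorted(((similarity(probe, tpl), rid) for rid, tpl in gallery.items()),
                    reverse=True)
    return [rid for score, rid in scored if score >= t]


def duplicate_check(gallery=GALLERY, t=T):
    """Duplicate checking (N:N): every template against every other template."""
    return [(a, b) for (a, ta), (b, tb) in combinations(gallery.items(), 2)
            if similarity(ta, tb) >= t]


if __name__ == "__main__":
    n = len(GALLERY)
    print("verify as rec-001:", verify(PROBE, "rec-001"), "(1 comparison)")
    print("verify as rec-002:", verify(PROBE, "rec-002"), "(1 comparison)")
    print("identify:", identify(PROBE), f"({n} comparisons)")
    print("duplicates:", duplicate_check(), f"({n * (n - 1) // 2} comparisons)")
```

The identification result returns both records of the double-enrolled person, which is exactly the condition the duplicate check is meant to surface before it reaches operational searches.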

Example Biometric Applications

• Verification
  • Logical access to devices (computer/network logon)
  • Dumb terminals – client-server access
  • Internet e-commerce
  • Smart card access
• Identification
  • Access to facility
  • Border control identification
• Duplicate Checking
  • Fraud detection

Devices and Sensors

• Mechanical or electronic systems that are used to enroll and capture raw biometric samples in a form that can be digitized and converted into a digital biometric template
• Examples include:
  • Fingerprint sensors:
    • Capacitive sensors are based on silicon chips that detect electric currents when the finger ridges make contact. They can use full-finger or swipe techniques
    • Optical sensors use a prism, light source and light sensor
    • Light-emitting and multispectral sensors
  • Digital cameras – for facial recognition:
    • Consumer-grade digital SLRs, pocket cameras, and webcams
    • 60 PPI are required for 1:1 matching and 90 PPI for 1:n matching
    • Consistency is the most important factor
  • Iris cameras – for iris recognition:
    • Requires an infrared image of the iris to optimize the image contrast so as to facilitate machine-based analysis
    • Off-the-shelf cameras aren't yet used for iris image capture, and a special camera is required
  • Microphones – for voice recognition: used for 1:1 identification, and consistency is very important for these scenarios

Standardization

• Building standards which all biometrics vendors adhere to is still a challenge despite the work of several national and international organizations over the past two decades
• Biometrics template extraction and comparison is typically proprietary to each vendor. This prevents using a product from one company to compare templates generated by products from another.
• One exception to this is MINEX-certified minutiae-based fingerprint template generators and matching algorithms. This category of templates and matching algorithms has been developed, tested, and certified by NIST to be interoperable for 1:1 verification to be used on compact cards and travel documents

Biometrics Standards

• ISO/IEC JTC 1/SC 37
  • 119 published ISO standards
  • 29 standards under development
  • 29 participating members
  • 13 observing members
  • Different working groups addressing:
    • Strategy
    • Harmonized vocabulary
    • Technical interfaces
    • Data interchange formats
    • Technical implementations of biometric systems
    • Testing and reporting
    • Cross-jurisdictional and societal aspects of biometrics
• National Institute of Standards and Technology (NIST)
  • Research on the various biometric modalities: fingerprint, face, iris, voice, DNA, and multimodal
  • Standards development at the national and international level
  • Technology testing and evaluation, which leads to innovation
  • NIST partners: DOJ/FBI, DOD, DOS, Intelligence Community

Biometrics Considerations

• Cost
• Security – obfuscation of biometrics may occur
• Privacy / intrusiveness
• Size for storage (images and templates)
• Convenience
• Speed
• Accuracy
• Connectivity & compatibility

Questions?

Sam Youness

Sam is a seasoned professional with more than 21 years of deep experience in business and IT, including architecture vision creation and building industry-wide strategies to achieve that vision. Sam has successfully delivered a large number of architectures, solutions and projects to better enable customer business. Sam is fluent in both languages of business and IT. He is a result-driven technical leader with a passion for excellence. He is a relationship builder with outstanding communication skills. Technically minded but always commercially aware. Sam is an established author and contributor of several books and other publications covering different topics in areas of data management, programming languages, solution building, and security. He is a keynote speaker in high-level industry conferences and end-user events.