Authentication II: Going beyond passwords

Page 1: Authentication II. Going beyond passwords. Agenda: Announcements, Biometrics, Physical devices, General authentication

Authentication II

Going beyond passwords

Page 2

Agenda

Announcements
Biometrics
Physical devices
General authentication

Page 3

Biometrics

Biometrics is the comparison of live anatomical, physiological, or behavioral characteristics to the stored template of a person.

Physiological:
– Fingerprint, hand or finger geometry
– Patterns of retina, veins, irises, faces

Behavioral:
– Signature
– Voice
– Keypresses

See http://www.biometrics.org/biomvendors.htm for lists of vendors

Page 4

Potential Advantages

Eliminates certain password problems: a biometric is difficult to share, misplace, or forge

Convenient and potentially easy to use
– no remembering
– nothing physical to forget or misplace

Improves access speed

Page 5

Authentication

Identification vs. Verification

Question: what's the difference? (Identification searches all N stored templates for a match, a 1:N problem; verification compares one acquisition against the template of a claimed identity, a 1:1 problem. The FAR of a 1:N search grows with N.)

Page 6

Biometrics process

Enrollment
– Acquisition
– Creation of template
– Storage of template

Use
– Acquisition(s)
– Comparison
– Decision

Page 7

Performance metrics

FTE – Failure To Enroll (no usable template could be created)
FTA – Failure To Acquire (no usable sample at use time)
FAR – False Acceptance Rate (impostors wrongly accepted)
FRR – False Reject Rate (genuine users wrongly rejected)

Common goal: FAR = FRR. Why? (Raising the decision threshold lowers FAR and raises FRR; the crossing point, the equal error rate, gives a single number for comparing systems. A deployment then picks its own threshold depending on which error is costlier.)
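The enrollment/use pipeline on the previous slide and the error rates above, worked through in code. This is an added example and not part of the slides: templates are toy 16-bit strings compared by the fraction of agreeing bits (a simplification of an iris-code style match), the genuine and impostor scores are constructed, and all function names are this example's own.

```python
"""Added example (not from the slides): a toy biometric pipeline and its
error rates. Templates are bit strings, similarity is the fraction of
agreeing bits, and every score below is constructed, not measured."""
from typing import Sequence


def enroll(acquisitions: Sequence[str], min_samples: int = 3) -> str:
    """Enrollment: fuse several acquisitions into one stored template by
    per-bit majority vote, which smooths capture noise. Raises ValueError
    for a failure to enroll (too few or inconsistently sized acquisitions)."""
    if len(acquisitions) < min_samples:
        raise ValueError("failure to enroll: not enough acquisitions")
    width = len(acquisitions[0])
    if any(len(a) != width for a in acquisitions):
        raise ValueError("failure to enroll: inconsistent acquisitions")
    return "".join(
        "1" if 2 * sum(a[i] == "1" for a in acquisitions) > len(acquisitions) else "0"
        for i in range(width)
    )


def similarity(template: str, probe: str) -> float:
    """Comparison: fraction of bit positions on which probe and template agree."""
    if len(template) != len(probe):
        raise ValueError("failure to acquire: probe has the wrong size")
    return sum(t == p for t, p in zip(template, probe)) / len(template)


def verify(template: str, probe: str, threshold: float) -> tuple[float, bool]:
    """Decision: accept when the similarity reaches the operating threshold."""
    score = similarity(template, probe)
    return score, score >= threshold


def rates_at_threshold(genuine: Sequence[float], impostor: Sequence[float],
                       threshold: float) -> tuple[float, float]:
    """FAR: fraction of impostor scores accepted; FRR: fraction of genuine
    scores rejected, at the given threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine: Sequence[float],
                     impostor: Sequence[float]) -> tuple[float, float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, FAR, FRR) at the point where FAR and FRR are closest.
    Raising the threshold trades FAR down for FRR up, so the crossing is
    one number on which two matchers can be compared."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = rates_at_threshold(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


# Constructed match scores: genuine = the enrolled person re-presented,
# impostor = a different person's probe against the stored template.
GENUINE = [0.93, 0.88, 0.95, 0.81, 0.90, 0.76, 0.85, 0.97, 0.66, 0.89]
IMPOSTOR = [0.40, 0.55, 0.62, 0.48, 0.71, 0.35, 0.58, 0.67, 0.52, 0.80]

if __name__ == "__main__":
    template = enroll(["1100101011010011", "1100101011010001", "1110101011010011"])
    print("template:", template)
    print("genuine probe:", verify(template, "1100101011010001", 0.75))
    print("impostor probe:", verify(template, "0011010100101100", 0.75))
    for t in (0.60, 0.70, 0.76, 0.85):
        print(f"threshold {t:.2f}: FAR, FRR =", rates_at_threshold(GENUINE, IMPOSTOR, t))
    print("EER operating point (threshold, FAR, FRR):", equal_error_rate(GENUINE, IMPOSTOR))
```

Sweeping the threshold over the constructed scores puts the equal error rate at 0.76 with FAR = FRR = 0.1; a door lock would move the threshold up from there (fewer false accepts, more retries), a convenience login would move it down.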

Page 8

Fingerprints

Traditionally used in law enforcement and border control for identification

Many uses
– Walt Disney World
– Payment systems, for example BioPay in North Carolina

Variety of cheap devices available

Page 9

Recognition

Current technology
– Optical
– Ultrasonic
– Capacitance

Identify patterns
– Loops, whorls

Or identify minutiae
– Ridge endings, bifurcations, etc.

Page 10

Fingerprints

Advantages
– Long history of use
– Unique and permanent
– Variety of cheap technologies
– Reasonable performance

Disadvantages
– Association with law enforcement
– Quality of prints varies with race, age, environmental factors
– Dirt & grime
– Placement of finger can be important
– Can be easy to circumvent

Page 11

Face recognition

Select facial features from images and compare

Variety of environments
– Search for criminals in crowds (airports, large events)
– Border control & passports
– Casinos

Page 12

Face recognition

Advantages
– Universal
– More acceptable?
– Indoor and outdoor use reasonable
– Easy to perform without the subject's awareness

Disadvantages
– Requires a straight-on, neutral expression
– Photos can circumvent
– Accuracy is still a problem

Page 13

Iris Recognition

Unique patterns in the iris, encoded as an iris code

Currently the lowest false accept rates

Can be used in a variety of environments

BUT requires a good image from a cooperative user

Page 14

Voice Recognition

Speech input
– Frequency
– Duration
– Cadence

Easy deployment
– Microphones easy to install
– Gathering voice can be done unobtrusively

Page 15

Voice recognition

Background and ambient noise is a huge problem

Templates are large compared to other biometrics

Longer enrollment time (training)

Recording may be an issue: a replayed recording of the user's voice can defeat the check

Page 16

Keystroke biometrics

Keypress timings or pressure

Advantages:
– Easily used in conjunction with computer-based passwords
– Can be gathered automatically

Disadvantages:
– Not very unique or permanent
– An attacker can listen to keyboard typing to determine the timings
– The timings can be used to infer the password

Page 17

Other techniques

Hand geometry
Retinal scans
Signature
Hand veins
Odor
Gait
Ear
DNA

Page 18

General requirements

Universality
Distinctiveness
Permanence
Collectability
Performance
Acceptability
Circumvention

Question: What other usability requirements?

Page 19

Comparison

Table rating Face, Fingerprint, Iris, Voice and Keyboard on Universality, Distinctiveness, Collectability, Performance, Acceptability and Circumvention (the cell ratings did not survive extraction).

Page 20

Security Considerations

Biometrics are not secrets (faces are public, fingerprints are left on everything touched) and are therefore susceptible to modified or spoofed measurements

There is no recourse for revoking a compromised identifier: a leaked template or lifted print cannot be reissued the way a password or token can

Strategic solutions
– Liveness testing
– Multi-biometrics

Page 21

Privacy Considerations

A reliable biometric system provides an irrefutable proof of identity

Threatens individuals' right to anonymity
– Cultural or religious concerns
– Violates civil liberties

Strategic solutions
– Biometric cryptosystems
– Transparency

Page 22

Other issues

Exception handling
Time-consuming enrollment
Sociological concerns
– Cause personal harm or endangerment?
– Cultural or religious opposition

Comparing systems in the real world
User training
– Comfort with technology and methods
– Experience of the specific device

Page 23

Questions

Where would you like to see biometrics used?

In what situations would it be inappropriate?

How and when to offer user training?

Page 24

Physical devices

"What you have…" piece of the puzzle

Typical examples:
– ATM cards
– Public transportation cards

Page 25

Technologies

Smart cards
USB
Cell phones
OTP tokens

http://www.rsa.com/
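What an OTP token does, and what the relying party has to do to check it. This is an added example and not part of the slides or of any vendor's product: it implements the event-based HOTP algorithm of RFC 4226 and its time-based variant from RFC 6238 in plain Python, with a server-side verifier that tolerates a token that has drifted ahead. The demo secret is the RFC 4226 test key; the verifier class, its window size and all names are this example's own.

```python
"""Added example (not from the slides): an event-based OTP token as in
RFC 4226 (HOTP), the time-based variant (RFC 6238), and the server-side
verification logic a relying party needs. Names and the window size are
this example's own."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) from RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, then the low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`
    second intervals since the Unix epoch, so token and server need only
    loosely synchronised clocks instead of a shared event count."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server side of an event-based token. Remembers the next expected
    counter and accepts a code only if it matches one of the next `window`
    counters (the user may have pressed the button without logging in),
    then moves past it so the same code is never accepted twice."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time compare: short, but still a one-time secret
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                self.counter = c + 1  # resynchronise and burn all earlier values
                return True
        return False


# Constructed demo secret (also the RFC 4226 Appendix D test key).
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = HotpVerifier(DEMO_SECRET)
    token_counter = 0
    print("first code on the token:", hotp(DEMO_SECRET, token_counter))
    token_counter += 2  # user pressed the button twice without logging in
    code = hotp(DEMO_SECRET, token_counter)
    print("out-of-sync code accepted:", server.verify(code))
    print("replay of the same code:", server.verify(code))
    print("TOTP at t=59s:", totp(DEMO_SECRET, 59))
```

The look-ahead window is what keeps a token usable after stray button presses, but it also multiplies an online guesser's odds by the window size, so attempts must be rate-limited. The more important caveat is in the PayPal comparison later in the deck: if a lost token "defaults to password", the account is only as strong as that password, because an attacker simply claims the token is lost.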

Page 26

Comparisons

Advantages? Disadvantages?

User issues:
– Acquiring the device (expense, time)
– Installing and connecting it properly
– Loss or failure of device

Page 27

Usability study

Motivation: compare alternative forms of cryptographic smart cards

Question: which device is faster and easier to use in a mobile setting?

Method:
– Within-subjects user study with 3 devices
– Task adapted from Johnny Can't Encrypt
– Testing mobility by changing computers
– Debriefing questionnaire for user impressions

Page 28

Results

USB tokens faster to use
USB token users made fewer errors
Smart card has poor feedback for inserting the card
USB token means no separate installation: the device is already plugged in
Added value helps users care about the devices more

Page 29

Questions

Is it possible to have authorization without identification?

How would you increase acceptance of biometric systems?

Are there any current password systems that you would like to replace with a biometric or hardware scheme? Why?

How would you design a study to test the usability and utility of a laptop fingerprint reader?

Page 30

Page 31

Let's compare

PayPal:
– Email (user id) + strong password, challenge questions + email for password recovery
– Email + OTP, defaults to password if token lost
– Email + fingerprint, defaults to password if reader unavailable

Page 32

Evaluation

Accessibility

Memorability
– Depth of processing, retrieval, meaningfulness

Security
– Predictability, abundance, disclosure, crackability, confidentiality

Cost

Environmental considerations
– Range of users, frequency of use, type of access, etc.