Page 1: Biometric Authentication

Presenter: Yaoyu, Zhang

Page 2: Preface

We can authenticate an identity in three ways: by something the user knows (such as a password or personal identification number), something the user has (a security token), or something the user is (a physical characteristic, such as a fingerprint, called a biometric).

Page 3: Abstract

Introduction to biometric authentication
Some related concepts
Biometric methods
Can biometric authentication be fooled?
Some issues about access control

Page 4: Biometric Authentication

Biometric authentication: authentication based on body measurements and motions. It is easy because you always bring your body with you.

Biometric systems:
Enrollment
Later access attempts
Acceptance or rejection

Page 5: Biometric Authentication System

(Diagram.) 1. Initial enrollment: User Lee is scanned; processing (key feature extraction) yields the features A=01, B=101, C=001, which are stored as User Lee's template (01101001) in the template database alongside other users (Brown 10010010, Lee 01101001, Chun 00111011, Hirota 1101110…).

2. Subsequent access: the applicant is scanned; processing (key feature extraction) yields A=01, B=111, C=001, i.e. the user access data (01111001).

3. Match index: the access data is compared with the stored template and a decision criterion is applied (close enough?).

Page 6: Biometric Authentication

Verification versus identification

Verification: Are applicants who they claim to be? (Compare with a single template.)

Identification: Who is the applicant? (Compare with all templates.) More difficult than verification because the sample must be compared to many templates.

Watch list: Is this person a member of a specific group (e.g., known terrorists)?

Verification is good for replacing passwords in logins.

Identification is good for door access and other situations where entering a name would be difficult.
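The enrollment, verification, identification and watch-list steps from pages 5 and 6 as an added worked example (this is not code from the slides). It uses the slide diagram's 8-bit templates and a Hamming distance as the "match index"; the threshold, the watch-list membership and the omission of Hirota's truncated entry are assumptions. A real matcher extracts far more features and uses a vendor-specific score, but the 1:1 versus 1:N structure is the same.

```python
# Added example (not from the slides): a toy biometric matcher that
# works on 8-bit feature templates like the ones in the slide diagram.
# The threshold and the watch-list membership are constructed.

THRESHOLD = 1  # max differing bits still treated as "close enough" (assumed)

# Template database from the slide diagram (Hirota's entry is truncated
# on the slide, so it is left out here).
TEMPLATES = {
    "Brown": "10010010",
    "Lee":   "01101001",
    "Chun":  "00111011",
}

WATCH_LIST = {"Chun"}  # constructed: members of the group of interest


def extract_features(a: str, b: str, c: str) -> str:
    """Key feature extraction as drawn on the slide: concatenate the
    three feature codes A, B, C into one bit string."""
    return a + b + c


def match_index(template: str, sample: str) -> int:
    """Hamming distance: number of differing bits. 0 means identical."""
    if len(template) != len(sample):
        raise ValueError("template and sample must have equal length")
    return sum(t != s for t, s in zip(template, sample))


def verify(claimed_user: str, sample: str, threshold: int = THRESHOLD) -> bool:
    """1:1 comparison against the single template of the claimed identity."""
    template = TEMPLATES.get(claimed_user)
    if template is None:
        return False  # unknown identity: fail closed
    return match_index(template, sample) <= threshold


def identify(sample: str, threshold: int = THRESHOLD):
    """1:N search: return the best-matching user, or None if nobody is
    close enough. Every template is compared, which is why identification
    is costlier and gives more chances for a false accept than verification."""
    best_user, best_dist = None, None
    for user, template in TEMPLATES.items():
        d = match_index(template, sample)
        if best_dist is None or d < best_dist:
            best_user, best_dist = user, d
    if best_dist is not None and best_dist <= threshold:
        return best_user
    return None


def on_watch_list(sample: str, threshold: int = THRESHOLD) -> bool:
    """Watch-list check: is the sample close to any member of the group?"""
    return any(match_index(TEMPLATES[u], sample) <= threshold
               for u in WATCH_LIST)


if __name__ == "__main__":
    # Lee's later access attempt from the slide: A=01, B=111, C=001
    sample = extract_features("01", "111", "001")       # "01111001"
    print("match index vs Lee's template:",
          match_index(TEMPLATES["Lee"], sample))         # one bit differs
    print("verify as Lee:", verify("Lee", sample))        # accepted
    print("verify as Brown:", verify("Brown", sample))    # rejected
    print("identify:", identify(sample))                  # Lee
    print("watch list:", on_watch_list(sample))           # not a member
    # Loosening the threshold is how false accepts creep in:
    print("watch list at threshold 2:", on_watch_list(sample, threshold=2))
```

Note the last line: at a threshold of 2 bits Lee's sample also matches Chun, so the same "close enough" knob that lowers false rejections raises false acceptances, which is the trade-off the next slides describe.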

Page 7: FAR

Precision

False acceptance rate (FAR): percentage of unauthorized people allowed in.

A person falsely accepted as a member of a group.

A person allowed through a door who should not be allowed through it.

Very bad for security.

Page 8: FRR

Precision

False rejection rate (FRR): percentage of authorized people not recognized as being members of the group.

A valid person denied door access or server login because they were not recognized.

Can be reduced by allowing multiple access attempts (at the cost of raising the effective FAR, since an impostor gets the extra tries too).

High FRRs will harm user acceptance because users are angered by being falsely forbidden.
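An added example (not from the slides) of how FAR and FRR on pages 7 and 8 are actually measured and how they trade off. The genuine and impostor match distances are constructed values for a hypothetical 64-bit template; the retry formula assumes independent attempts, which is a simplification.

```python
# Added example (not from the slides): measuring FAR and FRR from match
# scores and showing what allowing retries does to them. Scores are
# constructed Hamming distances (lower = closer); the numbers are made up.

# Constructed: distances between a user's sample and their own template
GENUINE = [2, 3, 3, 4, 5, 5, 6, 7, 8, 12]
# Constructed: distances between an impostor's sample and the target's template
IMPOSTOR = [9, 11, 14, 15, 18, 20, 22, 25, 27, 30]


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor attempts at or under the
    threshold, i.e. wrongly accepted."""
    return sum(d <= threshold for d in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine attempts over the threshold."""
    return sum(d > threshold for d in genuine_scores) / len(genuine_scores)


def sweep(genuine_scores, impostor_scores):
    """FAR and FRR at every candidate threshold: one knob moves both
    rates in opposite directions."""
    lo = min(genuine_scores + impostor_scores)
    hi = max(genuine_scores + impostor_scores)
    return [(t, far(impostor_scores, t), frr(genuine_scores, t))
            for t in range(lo, hi + 1)]


def equal_error_threshold(genuine_scores, impostor_scores):
    """Threshold at which |FAR - FRR| is smallest; the equal error rate
    is the usual single-number summary of a matcher."""
    return min(sweep(genuine_scores, impostor_scores),
               key=lambda row: abs(row[1] - row[2]))[0]


def with_retries(rate_far, rate_frr, attempts):
    """Effect of allowing `attempts` tries, assuming each try is
    independent: a genuine user is rejected only if every try fails,
    but an impostor gets in if any try succeeds."""
    frr_k = rate_frr ** attempts
    far_k = 1 - (1 - rate_far) ** attempts
    return far_k, frr_k


if __name__ == "__main__":
    for t, a, r in sweep(GENUINE, IMPOSTOR):
        print(f"threshold {t:2d}: FAR {a:.2f}  FRR {r:.2f}")
    print("equal-error threshold:", equal_error_threshold(GENUINE, IMPOSTOR))
    base_far, base_frr = far(IMPOSTOR, 9), frr(GENUINE, 9)
    for k in (1, 2, 3):
        print("%d attempt(s): FAR %.3f  FRR %.3f"
              % ((k,) + with_retries(base_far, base_frr, k)))
```

With these constructed scores the equal-error threshold is 9 (FAR and FRR both 10 percent); allowing a second attempt cuts FRR to 1 percent but nearly doubles FAR to 19 percent, which is the caveat on the retry bullet above.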

Page 9: Biometric Authentication

Precision

Vendor claims for FARs and FRRs tend to be exaggerated because they often perform tests under ideal circumstances:

For instance, having only small numbers of users in the database.

For instance, by using perfect lighting, extremely clean readers, and other conditions rarely seen in the real world.

Page 10: Biometric Authentication

User acceptance is crucial

Strong user resistance can kill a system.

Fingerprint recognition may have a criminal connotation.

Some methods are difficult to use, such as iris recognition, which requires the eye to be lined up carefully. These require a disciplined user group.

Page 11: Biometric Authentication

Biometric methods: fingerprint recognition

Dominates the biometric market today.

Based on a finger's distinctive pattern of whorls, arches, and loops.

Simple, inexpensive, well-proven.

Weak security: can be defeated fairly easily with copies.

Useful in modest-security areas.

Page 12: Biometric Authentication

Biometric methods: iris recognition

Pattern in the colored part of the eye.

Very low FARs.

A high FRR when the eye is not lined up correctly can harm acceptance.

The reader is a camera: it photographs the iris under ordinary (usually near-infrared) illumination and does not scan the eye with a laser.

Page 13: Biometric Authentication

Biometric methods: face recognition

Can be put in public places for surreptitious identification (identification without citizen or employee knowledge). More later.

Hand geometry: shape of the hand.

Voice recognition: high error rates; easy to fool with recordings.

Page 14: Biometric Authentication

Biometric methods: keystroke recognition

Rhythm of typing. Normally restricted to the password entry; measuring it throughout the session could allow continuous authentication.

Signature recognition: pattern and writing dynamics.

Biometric standards

Almost no standardization. Worst for user data (fingerprint feature databases), so organizations get locked into single vendors.

Page 15: Biometric Authentication

Can biometrics be fooled? Airport face recognition

Identification of people passing in front of a camera.

False rejection rate: rate of not identifying a person as being in the database.

Failing to recognize a criminal, terrorist, etc.

FRRs are bad.

4-week trial of face recognition at Palm Beach International Airport:

Only 250 volunteers in the user database (unrealistically small).

Volunteers were scanned 958 times during the trial.

Only recognized 455 times! (47%)

53% FRR.

Page 16: Biometric Authentication

Can biometrics be fooled? Airport face recognition

The recognition rate fell if subjects wore glasses (especially tinted) or looked away.

Would be worse with a larger database.

Would be worse if the photographs were not good.

DOD (Department of Defense) tests indicate poor acceptance rates even when subjects were not attempting to evade. 270-person test:

Face recognition recognized the person only 51 percent of the time.

Even iris recognition only recognized the person 94 percent of the time!

Page 17: Biometric Authentication

Can biometrics be fooled? Other research has shown that fooling the sensor with a copy of someone else's biometric (spoofing) is often successful for some methods.

German c't magazine fooled most face and fingerprint recognition systems.

Prof. Matsumoto fooled fingerprint scanners 80 percent of the time with a gelatin finger created from a latent (invisible to the naked eye) print on a drinking glass.

Page 18: Access Control

Access control is the policy-driven limitation of access to systems, data, and dialogs.

Goals:

Prevent attackers from gaining access, and stop them if they do.

Provide appropriate limitations on the access rights of authorized users.

Page 19: Access Control

First steps

Enumeration of resources.

Sensitivity of each resource.

Next, who should have access?

Can be decided individual by individual.

More efficient to define by roles (logged-in users, system administrators, project team members, etc.).

Page 20: Access Control

Policy-based access control and protection

Have a specific access control policy and an access protection policy for each resource.

For example, for a file on a server: limit authorizations to a small group, harden the server against attack, use a firewall to thwart external attackers, etc.

Focuses attention on each resource.

Guides the selection and configuration of firewalls and other protections.

Guides the periodic auditing and testing of protection plans.
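The procedure on pages 19 and 20 (enumerate resources, rate their sensitivity, grant rights by role, keep one explicit policy per resource, audit it periodically) as an added worked example; this is not code from the slides. Resource paths, role names, users and sensitivity levels are constructed for illustration.

```python
# Added example (not from the slides): a minimal role-based access control
# check built the way pages 19 and 20 describe it, with one explicit policy
# per resource and deny by default. All names and levels are constructed.

from dataclasses import dataclass, field

# Constructed sensitivity levels, lowest to highest
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Resource:
    name: str
    sensitivity: str
    # access control policy for this resource: role -> permitted operations
    policy: dict = field(default_factory=dict)


# Steps 1 and 2: enumerate resources and rate their sensitivity.
# Step 3: one explicit policy per resource, defined by role, not by person.
RESOURCES = {
    "/srv/www/index.html": Resource(
        "/srv/www/index.html", "public",
        {"logged-in user": {"read"}, "system administrator": {"read", "write"}}),
    "/srv/projects/alpha/design.doc": Resource(
        "/srv/projects/alpha/design.doc", "confidential",
        {"project team member": {"read", "write"}, "system administrator": {"read"}}),
    "/etc/shadow": Resource(
        "/etc/shadow", "restricted",
        {"system administrator": {"read"}}),
}

# Role membership (constructed)
ROLES = {
    "alice": {"logged-in user", "project team member"},
    "bob":   {"logged-in user"},
    "root":  {"logged-in user", "system administrator"},
}


def is_allowed(user: str, resource: str, operation: str) -> bool:
    """Deny by default: allowed only if some role of the user is granted
    the operation in that resource's own policy. Unknown users or
    resources are denied rather than raising."""
    res = RESOURCES.get(resource)
    if res is None:
        return False
    return any(operation in res.policy.get(role, set())
               for role in ROLES.get(user, set()))


def audit(min_sensitivity: str = "confidential"):
    """Periodic audit (page 20): for every resource at or above the given
    sensitivity, list which users can do what, so an over-broad grant is
    visible. Returns {resource: {user: sorted operations}}."""
    floor = SENSITIVITY[min_sensitivity]
    report = {}
    for name, res in RESOURCES.items():
        if SENSITIVITY[res.sensitivity] < floor:
            continue
        entry = {}
        for user in ROLES:
            ops = sorted({op for grants in res.policy.values() for op in grants
                          if is_allowed(user, name, op)})
            if ops:
                entry[user] = ops
        report[name] = entry
    return report


if __name__ == "__main__":
    print(is_allowed("alice", "/srv/projects/alpha/design.doc", "write"))  # team member
    print(is_allowed("bob", "/srv/projects/alpha/design.doc", "read"))     # denied
    print(is_allowed("root", "/etc/shadow", "write"))                      # read-only grant
    for res, who in audit().items():
        print(res, who)
```

The audit report is the piece most often missing in practice: the policy says who should have access, and the report shows who actually does, which is what a periodic review compares.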