biometric authentication, dragon unleashed, v1.5
TRANSCRIPT
Biometrics and Multi-Factor Authentication
The Unleashed Dragon
Clare Nelson, CISSP, @Safe_SaaS
February 9, 2017
Graphic: https://www.pinterest.com/pin/77687162294922726/
Graphic: https://www.airloom.com/technology/security-as-a-service/
Introduction
• Disclaimer
• Biography
• Contents
Clare Nelson, @Safe_SaaS
The views presented herein, expressed in any form, represent my personal views, and do not reflect the views of my employer.
Graphic: http://rununcensored.com/wp-content/uploads/2013/06/disclaimer.jpg
Clare Nelson, CISSP
Director, Office of the CTO at AllClear ID: Identity, Security, and Privacy
• Background: encrypted TCP/IP variants for NSA; Product Management at DEC (HP), EMC2
• Director Global Alliances at Dell, Novell; VP Business Development, Mi3 Security; CEO ClearMark, MFA Technology and Architecture
• 2001 CEO ClearMark Consulting
• 2014 Co-founder C1ph3r_Qu33ns
• 2015 April, publication in ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks: HackFormers; BSides Austin; LASCON; AppSec; clients including Fortune 500 financial services, Identity Management, 2015 FTC Panel
• B.S. Mathematics
Graphic: http://www.activistpost.com/2015/09/fbi-biometrics-programs-surveillance-database.html
Contents
Biometrics and Multi-Factor Authentication
1. Definitions
2. Categories of Biometrics
3. How Well Does it Work?
4. How to Measure Biometric Authentication
5. FBI Biometrics Center of Excellence
6. What CISOs Need to Know
7. Trends
8. Preferences
9. Are Biometrics Good Secrets?
10. Spoofing
11. The Future
Graphic: http://www.computerhope.com/jargon/h/hacker.htm
How can you tell if it’s a bad guy?
Definitions
• Multi-Factor Authentication
• Biometric Authentication
Definition of Multi-Factor Authentication
Something you know, something you have, something you are.
Origin of the definition?1
• NIST: it might be Gene Spafford, or “ancient lore.”2
• @TheRealSpaf: “Nope — that's even older than me!”3
• 1970s? NSA? Academia?
1 Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
2 Source: February 26, 2015 email response from a NIST SP 800-63-2 author
3 Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)
Definition of Biometric Authentication
Biometric authentication: a security process that relies on the unique biological characteristics of an individual to verify that he is who he says he is.
Source: http://searchsecurity.techtarget.com/definition/biometric-authentication
Graphic: http://www.aspire-security.eu/access-control.html
Biometric authentication systems compare a captured biometric sample to stored, confirmed-authentic data held on the device or on a server.
• If both samples of biometric data match, authentication is confirmed.
• Used to manage access to physical or digital resources such as buildings, rooms, and computing devices.
NIST definition: automated recognition of individuals based on their behavioral and biological characteristics.
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Something You Are
• Physiological biometrics
• Behavioral biometrics
Graphic: http://thepeepspot.com/9-best-compliments-to-make-a-woman-smile/
Physiological Biometrics (figure: examples including iris and finger)
Graphic: http://www.ibmsystemsmag.com/ibmi/trends/whatsnew/Biometric-Authentication-101/
Behavioral Biometrics (figure)
Graphics: https://www.scienceabc.com/innovation/lesser-known-methods-biometrics-identification-retinal-fingerprint-scan-gait-analysis-keystroke.html
Biometric Authentication: How Well Does it Work?
Measuring the Strength of Biometric Authentication (NIST)
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Graphic: http://www.aspire-security.eu/access-control.html
1. Biometric samples are different each time they are captured.
• No direct matching can occur in the cryptographic space.
2. Biometric samples are not secrets.
• Template protection schemes must create application-specific templates to allow revocation of the templates if compromised.
Biometric technologies:
• Consumer market growing.
• Primary authentication factor for access to remote, online services.
• Measurement science has not reached the same degree of maturity as cryptographic systems.
• Exclusion of biometrics as a single or primary authentication factor in NIST guidance for accessing remote federal systems.
Face Recognition
Real-life doppelgängers: photographs of François Brunelle's look-alike pairs.
Source: http://indianexpress.com/article/lifestyle/life-style/real-life-doppelgangers/
Face Recognition Algorithm Evaluation
Source: https://www.nist.gov/programs-projects/face-recognition-vendor-test-frvt-ongoing
Source: http://www.planetbiometrics.com/article-details/i/5406/desc/nist-to-hold-new-round-of-face-recognition-algorithm-evaluation/
NIST new round of vendor face recognition algorithm evaluation:
• Started February 2017.
• For civil, law enforcement, and homeland security applications.
• Includes verification of visa images, de-duplication of passports, recognition across photojournalism images, and identification of child exploitation victims.
• Part of the Face Recognition Vendor Test (FRVT).
• Results will be posted to the NIST website.
November 2016 NIST Results, Finger
Source: https://www.innovatrics.com/awards/pft/
FMR = False Match Rate
FNMR = False Non-Match Rate
POEBVA = data set used for compliance testing
Assesses the core algorithmic capability to perform one-to-one verification.
FBI Biometrics Center of Excellence
FBI Biometrics Center of Excellence (BCOE)
Source: https://www.fbi.gov/services/cjis/fingerprints-and-other-biometrics/biometric-center-of-excellence
No single biometric modality is best for all implementations.
• Many factors must be taken into account: location, security risks, task (identification or verification), number of users, user circumstances, existing data.
Emerging:
• Facial recognition, iris recognition, and palm print matching into large-scale federal government biometric systems; footprint and hand geometry, gait recognition, etc.
• Support for the multimodal fusion of numerous biometrics, to result in a significantly more accurate and comprehensive identity management system.
FBI Collaboration with Clarkson University
Source: http://www.clarkson.edu/citer/
Mission: advance the state of the art in human identification capabilities.
Curated research, mobile biometrics challenges:
• Power consumption.
• Algorithmic complexity.
• Device memory limitations.
• Frequent changes in operational environment.
• Security.
• Durability.
• Reliability.
• Connectivity.
FBI Collaboration with Clarkson University
Source: http://www.ourdigitalmags.com/publication/?i=295931&ver=html5&p=50
Fingerprint challenges:
• Fingerprints do not change, but they can get worn.
• Some people have poor-quality fingerprints: a mason doing brickwork, a person handling chemicals.
• There will always be some individuals who cannot be recognized with fingerprints.
Rise of the criminal element:
• More countries adopting fingerprints for national ID.
• Fingerprints being used to unlock mobile phones.
• Raises the potential for a criminal finding a way around that.
• Spoofing: mimic the fingerprint with wood glue, fake Touch ID on a mobile phone.
• People are committing fraud with fingerprints, faking a biometric device by trying to become someone else or to hide their own identity.
• Commercial defenses against spoofing are emerging, but the problem remains.
• The fingerprint reader in a mobile phone costs only a couple of dollars; there is a tradeoff between better sensors and lowering the cost of the phone.
Multimodal Biometrics
Research from California State University, Fullerton:
• Use ear plus face and fingerprint.
• Multimodal biometrics adds a layer of security to the existing mobile device security.
Source: https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
Graphic: http://www.rd.com/health/wellness/unique-body-parts/
Researchers claim some mobile biometric authentication suffers from:
• Poor-quality mobile hardware: camera, microphone.
• Environmental conditions: lighting, background noise.
• User error.
• Use of unimodal biometrics, which is less secure.
Acoustic Ear-Shape Biometric Authentication
NEC: a microphone embedded within an earphone analyzes the resonance of sounds within the ear cavity in order to produce a biometric profile.
Requires earphones.
Source: http://www.handsonlabs.org/nec-developing-acoustic-ear-shape-biometric-authentication-solution/
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
4-Finger Biometrics
Veridium:
• Unlike facial recognition, it won't fail under bright lights or in dim rooms.
• In noisy areas, it's better than voice.
• More secure than using a single thumbprint.
• Capturing all four fingerprints at once increases the complexity of the data collected.
• Enhances overall security well beyond partial prints, like those captured by sensor-based mobile fingerprint solutions.
• Just needs a 5MP camera and LED flash.
Source: https://campustechnology.com/articles/2016/11/29/multimodal-biometrics-strengthen-mobile-security.aspx?admgarea%3Dnews
Source: http://www.fullerton.edu/cybersecurity/_resources/pdfs/securityday2015.pdf
What CISOs Need to Know
What CISOs Need To Know Before Adopting Biometrics
Biometric data is PII.
Biometric authentication data presents an extra layer of complexity.
• Biometric data is used to access sensitive or confidential resources.
• It is valuable in its own right.
• Organizations that contract with the U.S. government are often required to submit to the PII management practices outlined in the Privacy Act of 1974.
Before adopting biometric authentication, consider how PII will be stored and used.
• A fingerprint reader installed on a workstation is less risky than biometric authentication passed over a network.
• Organizations should focus on securing devices that will store biometric data through measures including:
 Encryption.
 Trusted platform modules in client machines to prevent data theft.
 Other physical security measures.
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
What CISOs Need To Know Before Adopting Biometrics
Biometric authentication isn't 100% reliable.
• By contrast, no modern system will reject a correct password.
• Every biometric authentication configuration must account for some level of false negatives and positives.
• In highly secure environments, false positives may present an unacceptable risk.
• False negatives require a fallback authentication mechanism.
Source: http://www.darkreading.com/endpoint/what-cisos-need-to-know-before-adopting-biometrics/a/d-id/1327905
Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
Iris is more accurate than face. NIST: face versus iris recognition, a factor of 100,000 in accuracy.
Source: https://www.youtube.com/watch?v=KyDoFrojEYk&list=PLrUBqh62arzt_Uf_UamHtRFDYl1tpRVCK
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
What CISOs Need To Know Before Adopting Biometrics
Source: https://pages.nist.gov/800-63-3/
Updated Draft NIST Guidelines on Digital Identity
• Posted on GitHub for comment: https://pages.nist.gov/800-63-3/sp800-63-3.html
• Four documents:
 1. SP 800-63-3, Digital Identity Guidelines
 2. SP 800-63A, Enrollment and Identity Proofing Guidelines
 3. SP 800-63B, Authentication and Lifecycle Management (allowable use of biometrics)
 4. SP 800-63C, Federation and Assertions
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
NIST Update on Allowable Use of Biometrics (1 of 2)
SP 800-63B, Authentication and Lifecycle Management, 5.2.3. Use of Biometrics
Supports limited use of biometrics for authentication:
• Biometric False Match Rates (FMR) and False Non-Match Rates (FNMR) do not provide confidence in the authentication of the subscriber by themselves. In addition, FMR and FNMR do not account for spoofing attacks.
• Biometric matching is probabilistic, whereas the other authentication factors are deterministic.
• Biometric template protection schemes provide a method for revoking biometric credentials that are comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
• Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns).
While presentation attack detection (PAD) technologies such as liveness detection can mitigate the risk of these types of attacks, additional trust in the sensor is required to ensure that PAD is operating properly in accordance with the needs of the CSP and the subscriber.
Therefore, the use of biometrics for authentication is supported with the following requirements and guidelines:
• Biometrics SHALL be used with another authentication factor (something you have).
• An authenticated protected channel between sensor (or endpoint containing a sensor that resists sensor replacement) and verifier SHALL be established and the sensor or endpoint authenticated prior to capturing the biometric sample from the claimant.
• Empirical testing of the biometric system to be deployed SHALL demonstrate an EER of 1 in 1000 or better with respect to matching performance. The biometric system SHALL operate with an FMR of 1 in 1000 or better.
• The biometric system SHOULD implement PAD. Testing of the biometric system to be deployed SHOULD demonstrate at least 90% resistance to presentation attacks for each relevant attack type (aka species), where resistance is defined as the number of thwarted presentation attacks divided by the number of trial presentation attacks.
PAD is being considered as a mandatory requirement in future editions of this guideline.
PAD = Presentation Attack Detection
Source: https://pages.nist.gov/800-63-3/sp800-63b.html
Source: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=52946
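The FMR, FNMR, EER and PAD-resistance numbers above are what a vendor's test report has to be checked against. The Python below is an added example, not NIST's code or any vendor's: it computes each figure from constructed genuine and impostor comparison scores and constructed PAD trial counts, and reports which of the quoted 1-in-1000 and 90% thresholds the evidence meets. The Doddington "rule of 30" sample-size check is my own addition (an assumption, not part of the guideline) to show why a ten-comparison demo like this one cannot substantiate a 1-in-1000 claim.

```python
"""Biometric matcher error rates (FMR, FNMR, EER) and PAD resistance,
checked against the SP 800-63B 5.2.3 thresholds quoted above.
Added example: the score lists and PAD trial counts are constructed,
not the output of any real matcher."""
import math
from fractions import Fraction

# Constructed comparison scores in [0, 1]; higher means "more similar".
GENUINE = [0.95, 0.92, 0.90, 0.88, 0.85, 0.80, 0.78, 0.70, 0.60, 0.55]
IMPOSTOR = [0.10, 0.20, 0.25, 0.30, 0.35, 0.40, 0.50, 0.58, 0.62, 0.75]
# Constructed PAD trials per attack species: (thwarted, attempted).
PAD_TRIALS = {"printed photo": (19, 20), "replayed video": (17, 20)}


def fmr(impostor_scores, threshold):
    """False Match Rate: share of impostor comparisons accepted at threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def fnmr(genuine_scores, threshold):
    """False Non-Match Rate: share of genuine comparisons rejected at threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def equal_error_rate(genuine_scores, impostor_scores):
    """Sweep every observed score as a threshold; return (EER, threshold)
    at the point where FMR and FNMR are closest (EER = their mean there)."""
    best_gap, best = None, None
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        a, b = fmr(impostor_scores, t), fnmr(genuine_scores, t)
        if best_gap is None or abs(a - b) < best_gap:
            best_gap, best = abs(a - b), ((a + b) / 2, t)
    return best


def threshold_for_fmr(impostor_scores, target_fmr):
    """Lowest observed threshold whose FMR does not exceed target_fmr
    (how an operating point for the 1-in-1000 rule is chosen)."""
    for t in sorted(set(impostor_scores)):
        if fmr(impostor_scores, t) <= target_fmr:
            return t
    return None  # no observed threshold is strict enough


def pad_resistance(trials):
    """Resistance per species = thwarted / attempted (the 800-63B definition)."""
    return {species: thwarted / attempted
            for species, (thwarted, attempted) in trials.items()}


def rule_of_30_min_trials(rate):
    """Doddington's rule of 30 (assumption, not in the guideline): to quote
    an error rate with ~30% confidence bounds you need >= 30 observed errors,
    so at least 30/rate trials. 1 in 1000 therefore needs 30,000 comparisons."""
    return math.ceil(30 / Fraction(rate).limit_denominator())


def check_800_63b(genuine_scores, impostor_scores, pad_trials, operating_threshold):
    """Which of the quoted SHALL/SHOULD numbers does this evidence satisfy?"""
    eer, _ = equal_error_rate(genuine_scores, impostor_scores)
    return {
        "fmr_ok": fmr(impostor_scores, operating_threshold) <= 1 / 1000,
        "eer_ok": eer <= 1 / 1000,
        "pad_ok": all(r >= 0.9 for r in pad_resistance(pad_trials).values()),
        # With only len(impostor_scores) trials the FMR claim is not testable.
        "impostor_trials_sufficient":
            len(impostor_scores) >= rule_of_30_min_trials(1 / 1000),
    }


if __name__ == "__main__":
    print("EER, threshold:", equal_error_rate(GENUINE, IMPOSTOR))
    print("PAD resistance:", pad_resistance(PAD_TRIALS))
    print(check_800_63b(GENUINE, IMPOSTOR, PAD_TRIALS, operating_threshold=0.78))
```

On the constructed data the EER is 0.2 at threshold 0.62, the replayed-video species only reaches 85% resistance, and even though an operating threshold of 0.78 yields an FMR of zero on ten impostor comparisons, the report flags that ten trials are far too few to claim 1 in 1000. That is the practical check to run on a vendor's numbers: ask for the impostor trial count and the per-species PAD results, not just the headline rates.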
NIST Update on Allowable Use of Biometrics (2 of 2)
SP 800-63B, Authentication and Lifecycle Management, 5.2.3. Use of Biometrics (continued)
The biometric system SHALL allow no more than 5 consecutive failed authentication attempts, or 10 consecutive failed attempts if PAD meeting the above requirements is implemented. Once that limit has been reached, the biometric authenticator SHALL either:
• Impose a delay of at least 30 seconds before the next attempt, increasing exponentially with each successive attempt, e.g., 1 minute before the following failed attempt, 2 minutes before the second following attempt, etc.
OR
• Disable the biometric user verification and offer another factor (a different biometric modality or a PIN/Passcode if it is not already a required factor) if such an alternative method is already implemented.
Determination of sensor/endpoint performance, integrity, and authenticity can be accomplished in several different ways, any of which are acceptable under this guideline. These include but are not limited to: authentication of the sensor or endpoint, certification by an approved accreditation authority, or runtime interrogation of signed metadata (e.g., attestation) as described in Section 5.2.4.
Biometric matching SHOULD be performed locally on the claimant's device or MAY be performed at a central verifier.
If matching is performed centrally:
• Use of the biometric SHALL be limited to one or more specific devices that are identified using approved cryptography.
• Biometric revocation, referred to as biometric template protection in ISO/IEC 24745, SHALL be implemented.
• All transmission of biometrics SHALL be over the authenticated protected channel.
ISO/IEC 24745 = Information technology – Security techniques – Biometric information protection
Biometric samples collected in the authentication process MAY be used to train matching algorithms or, with user consent, for other research purposes. Biometric samples (and any biometric data derived from the biometric sample such as a probe produced through signal processing) SHALL be erased from memory immediately after any training or research data has been derived.
Biometrics are also used in some cases to prevent repudiation of registration and to verify that the same individual participates in all phases of the registration process as described in SP 800-63A.
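The consecutive-failure rule above (5 attempts, or 10 with qualifying PAD, then either a 30-second delay that doubles on every further failure, or disabling the biometric in favour of another factor) is a small state machine that is easy to get subtly wrong, for example by counting attempts made during the delay window, or by comparing a sample before checking the limiter. The Python below is an added example, not NIST's code or any vendor's; it implements both branches with an injectable clock so the schedule can be checked without waiting, and the `ManualClock`, `demo` and decision-string names are my own.

```python
"""Consecutive-failure limiting for a biometric authenticator, following the
SP 800-63B 5.2.3 text quoted above: at most 5 consecutive failures (10 with
PAD), then either a delay of >= 30 s that doubles per further failure, or the
biometric is disabled in favour of another factor. Added example, not NIST's
or any vendor's code; the clock is injectable so the schedule can be checked."""
import time


class ManualClock:
    """Test clock: advance .now by hand instead of waiting real seconds."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class BiometricAttemptLimiter:
    BASE_DELAY = 30.0  # seconds; the minimum first delay in the guideline

    def __init__(self, pad_implemented=False, fallback_available=False,
                 clock=time.monotonic):
        # 5 consecutive failures without PAD; 10 if PAD meets the 90% requirement.
        self.max_failures = 10 if pad_implemented else 5
        self.fallback_available = fallback_available
        self.clock = clock
        self.failures = 0        # consecutive failed comparisons
        self.not_before = 0.0    # earliest clock value at which a sample may be compared
        self.disabled = False    # biometric switched off; another factor must be used

    def status(self):
        """'ok', 'delayed' or 'disabled' for the next attempt. Callers check this
        BEFORE capturing or comparing a sample: a refused attempt is never compared."""
        if self.disabled:
            return "disabled"
        if self.clock() < self.not_before:
            return "delayed"
        return "ok"

    def attempt(self, matched):
        """Record the matcher's verdict for one attempt and return the decision."""
        state = self.status()
        if state != "ok":
            return state          # refused; does not count as an attempt
        if matched:
            self.failures = 0     # a success resets the consecutive counter
            self.not_before = 0.0
            return "authenticated"
        self.failures += 1
        if self.failures < self.max_failures:
            return "rejected"
        if self.fallback_available:
            self.disabled = True  # second option in the guideline: offer another factor
            return "disabled"
        # First option: 30 s once the limit is hit, then 60 s, 120 s, ...
        doublings = self.failures - self.max_failures
        self.not_before = self.clock() + self.BASE_DELAY * 2 ** doublings
        return "delayed"


def demo():
    """Drive both branches on a manual clock; returns the decision sequence."""
    clock = ManualClock(1000.0)
    lim = BiometricAttemptLimiter(clock=clock)
    out = [lim.attempt(False) for _ in range(5)]      # 4 x rejected, then delayed (30 s)
    out.append(lim.attempt(False))                     # inside the window: refused, not counted
    clock.now += 30.0
    out.append(lim.attempt(False))                     # counted; next delay is 60 s
    clock.now += 60.0
    out.append(lim.attempt(True))                      # window expired; genuine match
    pad = BiometricAttemptLimiter(pad_implemented=True, fallback_available=True,
                                  clock=clock)
    out += [pad.attempt(False) for _ in range(10)]     # 9 x rejected, then disabled
    out.append(pad.attempt(True))                      # stays disabled even on a match
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: the counter resets only on a genuine match, never on elapsed time, so an attacker cannot wait out the window to get a fresh budget of five tries; and once the fallback branch disables the biometric, a later matching sample is still refused until the other factor has been used, which is what "disable the biometric user verification" requires.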
Store Biometrics on Personal Device or Server?
Source: Webinar by Forrester and Nok Nok Labs, February 1, 2017
Graphic: http://findbiometrics.com/topics/fido-alliance/
Graphic: https://www.carphonewarehouse.com/apple/iphone-6.html
Graphic: http://kryptostech.com/server-management/
Graphic: http://www.planetbiometrics.com/article-details/i/5463/desc/facebook-rolling-out-support-for-fido/
Enroll, biometrics only stored on personal device (FIDO Alliance, others):
• Biometrics remain on the device, are not transmitted.
• Not susceptible to theft by insiders or identity thieves who can access a server repository.
Enroll, biometrics stored on server:
• No password model.
• Works if no mobile phone; works with a land line.
• Works if the person calls in.
• Privacy concerns.
• Susceptible to theft, unwanted modification by insiders or identity thieves.
Added Security or Risk? Biometric Authentication, Convenience versus Security
“False sense of security spreading on a gigantic scale.” – Hitoshi Kokumai, President at Mnemonic Security
• “Fingerprint authentication is not being used to make phones more secure but rather as a form of convenience.”
How Well Does Biometric Authentication Actually Work?
Biometric features are very difficult, if not impossible, to change if they are stolen.
• If a password is compromised, it can be changed and reset.
• If a client certificate is stolen, it can be revoked and a new one issued.
• If an OTP device is stolen, it simply needs to be canceled and reconfigured.
• Companies are limited in their choices if fingerprints or voice data are breached.
Graphic: http://www.tomsitpro.com/articles/identity-access-management-solutions,2-813.html
We are often blinded by the “awe” factor of new technology.
Trends
Google Trust API
Source: http://www.itshacking.xyz/good-bye-passwords-as-google-plans-a-different-verification-option/
Source: https://techcrunch.com/2015/05/29/googles-atap-wants-to-eliminate-passwords-for-good/
Get rid of the password:
• How you swipe
• How you move
• How you type
• How you talk
• Your face
• Combine all of the above for multi-modal
Timeline:
• First announced as Project Abacus
• Now called Trust API
Biometrics Growth, Driven by Use Cases
Source: https://www.biometricupdate.com/201702/tractica-report-projects-global-biometrics-market-revenue-to-hit-15-1b-by-2025
Source: http://247latestnews.com/mastercard-tries-out-selfie-pay-for-online-purchases/
Source: http://pocketnow.com/2015/09/15/bank-of-america-apple-watch-app
“While there has traditionally been a demarcation between consumer and enterprise use cases, this dynamic is starting to change, as seen in financial institutions’ use of biometrics to allow consumer and corporate users to authenticate to online banking systems with their voices or with their eyes, in place of keying a personal identification number (PIN), to name just one example.”
– Tractica principal analyst Keith Kirkpatrick
Contactless Biometric Authentication
Source: http://www.acuity-mi.com/FOB_Report.php
Technology:
• High resolution image capture.
• Large-scale data management and high-speed processing.
• Pattern recognition and matching algorithms.
Contactless: capture technology will operate accurately regardless of environmental conditions.
1. Biometric authentication that does not require the user to do anything.
• Will be safer (no touch, no transmission of germs).
2. The technology will disappear into the essential components of everyday life.
Contactless Biometric Authentication
Graphic: https://www.youtube.com/watch?v=Yc_rVLb6zhk
Source: http://www.morpho.com/en/biometric-terminals/access-control-terminals/facial-terminals/morpho-3d-face-reader
Video: captures 4 fingers; scan in less than 1 second.
3D Face Reader deployments:
• Airport, seaport
• Government facilities
• Mines, power and petrochemical plants
• Banking and financial institutions
• Hospitals and laboratories
• Stadiums and entertainment facilities
• Corporate buildings
• Datacenters
• Prisons
Irrational Exuberance of Biometric Adoption
Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/
Juniper Research:
• By 2019, 770 million apps that use biometric authentication will be downloaded annually, up from 6 million in 2015.
• Fingerprint authentication will account for an overwhelming majority, driven by the increase of fingerprint scanners in smartphones.
(Graphic: Samsung Pay)
Biometric Authentication Spoofing, and More
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Spoofing timeline (figure; earliest entry dated 1903)
Spoofing: the ability to fool a biometric system into recognizing an illegitimate user as a genuine one by means of presenting a synthetic forged version of the original biometric trait to the sensor.
Spoofing
Source: https://www.linkedin.com/pulse/biometric-spoofing-nadh-thota
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
(Figure: types of fake fingerprints, real versus fake.)
Fake eye images, contact lenses, etc. enable hackers to fake an iris sample.
“Fingerprints cannot lie, but liars can make fingerprints.”
Apple Touch ID: Cat Demo
Source: https://www.youtube.com/watch?v=q3ymzRYXezI
Anti-Spoofing Techniques
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Face Spoofing
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.computer.org/csdl/trans/tp/2006/01/i0031.html
Matching 2.5D face scans to 3D models.
Replay Attack Database
Source: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726
Source: https://www.idiap.ch/dataset/replayattack
(Figure: sample frames under a controlled scenario and an adverse scenario, for real, fake (print), fake (mobile), and fake (high def) presentations.)
IDIAP Research Institute, Switzerland: video clips of photo and video attack attempts against 50 clients, under different lighting conditions.
IEEE paper, “Biometric Antispoofing Methods: A Survey in Face Recognition.”
Source: http://www.dw.de/image/0,,18154223_303,00.jpg
2D Fingerprint Hacks
• Starbug, aka Jan Krissler
• 2014: cloned the fingerprint of German Defense Minister Ursula von der Leyen from photographs1,2
• 2013: hacked Apple Touch ID on iPhone 5S ~24 hours after release in Germany; won the IsTouchIDHackedYet.com competition3
• 2006: published research on hacking fingerprint recognition systems4
1 Source: https://www.youtube.com/watch?v=vVivA0eoNGM
2 Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
3 Source: http://istouchidhackedyet.com
4 Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Starbug Faking Touch ID
Source: http://istouchidhackedyet.com
Fingerprint Risk
Security experts say peace sign selfies are a fingerprint risk.
Source: http://www.planetbiometrics.com/article-details/i/5405/
Graphic: http://www.humintell.com/2011/03/the-complicated-world-of-gestures/dreamstime_15605744/
Android Remote Fingerprint Theft at Scale1
Hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a “large scale.”2
(Figure: hardware, user space, kernel space.)
1 Source: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf
Source: https://www.youtube.com/watch?v=7NkojB9gLXM
2 Source: http://www.forbes.com/sites/thomasbrewster/2015/04/21/samsung-galaxy-s5-fingerprint-attacks/
Biometric System Attack Diagram (NIST)
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
Demonstrate at least 90% resistance to presentation attacks.
Score Calculation (NIST)
Source: https://www.nist.gov/sites/default/files/nstic-strength-authentication-discussion-draft.pdf
C = weighting system; V = vulnerability point.
A weighted combination of individual scores can result in a final strength score.
• Weighted scores from analysis of strategies implemented to mitigate risk and attacks.
• Requires evaluation to determine the appropriate weights.
Strength of function relates to the amount of effort required to defeat a security component.
How Do You Stump a Biometric Authentication Vendor?
Ask for a threat model.
Photo: http://www.huffingtonpost.co.uk/2015/08/09/parents-reveal-why-question-woes_n_7963152.html
Behavioral Biometrics
Source: http://www.behaviosec.com
Issues:
• Requires JavaScript.
• Learning curve.
• Privacy impact from constant monitoring.
• Behavior varies: injury to hand, user “highly intoxicated.” Now has whitelist capability.
Behavioral Biometrics: Invisible Challenge
Source: http://www.biocatch.com
Analyze 100s of bio-behavioral, cognitive and physiological parameters.
• Invisible challenge.
• No user interaction for step-up authentication.
• How you find a missing cursor.
Biometrics in Use Today
eID and Biometric Authentication
Source: http://www.morpho.com/en/media/fido-certifies-safrans-biometric-authentication-solutions-eid-electronic-id-cards-20160913
Citizens can use their eID card to locally store authentication information, thus reinforcing personal data protection.
• The eID cards contain a chip which enables the card to store information in addition to what is already printed on the card, such as biometric data.
• The user authentication is based on facial recognition, through a "selfie" which is then sent to the contactless electronic identity card using NFC (Near Field Communication) technology.
• A "Match on Card" algorithm matches the selfie against the user photo inside the electronic ID card, enabling users to forego the use of passwords.
Biometrics
• Fingerprints: 2D, 3D via ultrasonic waves.
• Palms: prints and/or the whole hand.
• Feet.
• Signature.
• Keystroke, art of typing, mouse, touch pad.
• Voice.
• Iris, retina, features of eye movements.
• Face, head: its shape, specific movements.
• Ears, lip prints.
• Gait, odor, DNA.
• ECG (Bionym's Nymi wristband, smartphone, laptop, car, home).
• EEG.1
• Tests: microchip in pills, digital tattoos.
• Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air.2
1 Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
2 Source: http://www.airsig.com
Digital Tattoo: http://motorola-blog.blogspot.com/2014/07/-unlock-your-moto-x-with-a-digital-tattoo.html
Are Biometrics Good Secrets?
“… biometrics cannot, and absolutely must not, be used to authenticate an identity”
– Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical
“Fingerprints are Usernames, Not Passwords”
Krissler versus Riccio
“Don't use fingerprint recognition systems for security relevant applications!”1
– Jan Krissler (Starbug)
“Fingerprints are one of the best passwords in the world.”2
– Dan Riccio, SVP, Apple Hardware Engineering
1 Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
2 Source: http://www.imore.com/how-touch-id-works
Photo: http://www.mirror.co.uk/news/world-news/revealed-fbi-believed-legendary-fight-3181991
Biometric Backlash
@drfuture on Biometrics
Source: https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them.pdf
Diagram: http://security.stackexchange.com/questions/57589/determining-the-accuracy-of-a-biometric-system
Hidden risks:
• Biometric reliability and the perception of it.
• Lack of discussion of the consequences of errors.
• Biometric data's irreversibility and the implications.
• Our biometrics can be grabbed without our consent.
• Our behavior can rat us out – sometimes incorrectly.
• Giving our biometric and behavioral data may be (de facto) mandatory.
• Biometric data thieves and aggregators.
(Diagram: accuracy of a biometric system; axis label: threshold.)
What Will Cause the Biometric Backlash?
Biometrics:
1. Difficult to reset, revoke.
2. Exist in public domain, and elsewhere (5.6M+ fingerprints stolen in 2015 OPM breach1).
3. May undermine privacy, make identity theft more likely.2
4. Persist in government and private databases, accreting information whether we like it or not.3
5. User acceptance or preference varies by geography, demographic.
1 Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
2 Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
3 Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
Photo: http://www.rineypackard.com/facial-recognition.php
Europe, Privacy Concerns
Source: https://www.idiap.ch/the-institute/news/swiss-distance-university-training
• Fingerprint scanners on your smartphone, face or iris detection at your company's gate, biometric passport for travelling.
• New applications using biometric technologies are launched every day.
• They change our vision of society and pose challenging questions regarding citizens' identities and the end of privacy.
• Where is the data stored? Who can access it, for what purpose? Could it be hacked and misused?
The Future
“Thought Auth”1
EEG biosensor:
• MindWave™ headset.2
• Measures brainwave signals.
• EEG monitor.
• International Conference on Financial Cryptography and Data Security.3
1 Source: Clare Nelson, March 2015
2 Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
3 Source: http://www.technewsworld.com/story/77762.html
Artificial Dog Nose
It smells you once, and knows you forever.
Matt Staymates, a mechanical engineer at NIST.• Schlieren imaging system, visualizes flow of
vapors into an explosives detection device fitted with an artificial dog nose, mimics "active sniffing" of a dog.
• Artificial dog nose developed by Staymates and colleagues at NIST, MIT Lincoln Laboratory, FDA.
• Improves trace chemical detection as much as 16-fold.
Source: http://phys.org/news/2016-12-scientists-artificial-dog-nose-mimics.html
Photo: http://dogs.petbreeds.com/l/95/Labrador-Retriever
Can Biometric Authentication Mitigate Identity Theft?
Source: Ori Eisen, CEO Trusona
Questions?
Clare Nelson, CISSP
@Safe_SaaS
References
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
• IDC Technology Spotlight, sponsored by SecureAuth; Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
• Six Technologies That Are Taking On the Password, UN/HACKABLE, Medium
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
• Nelson, Clare; Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
• Pagliery, Jose; OPM’s hack’s unprecedented haul: 1.1 million fingerprints: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
• Bonneau, Joseph, et al, Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• White, Conor, CTO, Daon; Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Gioria, Sébastien; OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
• Steves, Michelle, et al; NISTIR 7983, Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
• Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-fingerprints/?mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhokz2EFye%2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhXlDQ%3D%3D (September 2015)
• Perrot, Didier; There’s No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)
• Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/
• AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/
• Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems, https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-Whitepaper-v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite]
• Jankovich, Thomas; Blockchain Makes Digital ID a Reality, https://finxtech.com/2016/12/02/blockchain-makes-digital-id-reality/ (December 2016)
• Johnstone, Mike; Why We Need Privacy-Preserving Authentication in the Facebook Age, http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013)
• NSTIC Paper
• MyData Identity Network based on User Managed Access (UMA), https://docs.google.com/presentation/d/1j3aX8AQGdVtigF1WZouL8WccmYQzZQQje3wuaC2Zb1I/edit#slide=id.g1386e8a6aa_2_914
Biometric Preferences
Biometric Authentication Preference
Source: http://www.paymentscardsandmobile.com/banks-trusted-deliver-biometric-future/
Visa European Study
• 2/3 want to use biometrics when making payments.
• 3/4 see two-factor authentication, where a form of biometrics is used in conjunction with a payment device, as secure.
• 1/2 think payments will be faster and easier with biometrics.
• Fingerprint recognition is the most popular form of biometric.
Consumer Preference (2016)