Multifactor Identity Verification without Prior Relationship - Pomcor
TRANSCRIPT

Multifactor Identity Verification without Prior Relationship
Five Techniques for Remote Identity Proofing
October 18, 2016
The work reported here was sponsored by a SBIR Phase I grant from the US Department of Homeland Security. It does not necessarily reflect the position or policy of the US Government.

In-Person vs. Remote Identity Proofing
• Typically in-person identity proofing relies on
  – Primary evidence: picture ID
    • Driver's license, passport
  – Secondary evidence from other identity sources:
    • Ownership of utility, financial, mobile, or social network accounts
    • Address verification
• No problem with remote presentation of secondary evidence
• Goal: replace picture ID with primary evidence that can be presented remotely
• We can do that with higher identity assurance than provided by a picture ID

Multifactor Identity Verification without Prior Relationship
• Identity proofing is harder than authentication
  – No prior relationship between subject and verifier
• Authentication gold standard: provide 3 verification factors
  – Something you have: device containing private key
  – Something you know: password
  – Something you are: one or more biometric features
• But in identity proofing, without prior relationship:
  – The subject cannot have previously registered a password, nor enrolled a biometric sample with the verifier

Rich Credential
• Achieves the gold standard without prior relationship by certifying biometric and password verification data under a signature by the issuer
• Allows multiple biometric modalities
  – Both revocable and non-revocable
• And it provides selective disclosure of attributes and selective presentation of verification factors
  – ...using a typed hash tree that provides omission-tolerant integrity protection

Remote biometrics
• A rich credential supports:
  – Remote biometric presentation to a verifier
    • Rather than to a device owned by the subject that may be compromised
  – With spoofing detection by the verifier

Remote spoofing detection with a rich credential
• Verifier receives an audio-visual stream of the subject reading prompted text selected at random with high entropy
• Uses face recognition to match a face in the stream to a facial image in the rich credential
• Uses speech recognition to verify that the subject is reading the prompted text
• Verifies audio-visual synchrony by tracking lip movement and matching distinguishable visemes to phonemes
• Optionally uses speaker recognition against a voiceprint in the rich credential
  – Possible because a rich credential supports multiple biometric modalities
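The two parts of the prompted-text check that can be shown in code are the prompt itself (random, high-entropy, single-use, so a pre-recorded or synthesised reply cannot be replayed) and the tolerant comparison of the recogniser's transcript against the prompt. The following is an added example written for this page, not Pomcor's code: it assumes a constructed 32-word list, takes the transcript as the output of the verifier's own speech recogniser, and leaves face recognition, speaker recognition and viseme-to-phoneme synchrony out of scope.

```python
"""Prompted-text challenge for remote liveness: high-entropy, single-use prompts
and a tolerant transcript check (added example, not from the Pomcor deck)."""
import math
import re
import secrets
from typing import List, Set, Tuple

# Constructed 32-word list (exactly 5 bits per word). A production list would be
# larger and chosen for phonetic distinctness (assumption for this example).
WORDLIST = (
    "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima mike "
    "november oscar papa quebec romeo sierra tango uniform victor whiskey xray yankee "
    "zulu zero one two three four five"
).split()


def make_prompt(n_words: int = 8, wordlist: List[str] = WORDLIST) -> Tuple[str, float]:
    """Pick words with a CSPRNG. Entropy is n_words * log2(len(wordlist)) bits,
    which is what makes guessing the prompt in advance infeasible."""
    prompt = " ".join(secrets.choice(wordlist) for _ in range(n_words))
    return prompt, n_words * math.log2(len(wordlist))


def _words(text: str) -> List[str]:
    """Normalise recogniser output: lower-case, punctuation stripped."""
    return re.findall(r"[a-z0-9']+", text.lower())


def word_edit_distance(a: List[str], b: List[str]) -> int:
    """Word-level Levenshtein distance: tolerates a recogniser dropping,
    inserting or mishearing a word without accepting a different sentence."""
    prev = list(range(len(b) + 1))
    for i, wa in enumerate(a, 1):
        cur = [i]
        for j, wb in enumerate(b, 1):
            cost = 0 if wa == wb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def transcript_matches(prompt: str, transcript: str, max_word_errors: int = 1) -> bool:
    return word_edit_distance(_words(prompt), _words(transcript)) <= max_word_errors


class PromptSession:
    """Verifier-side bookkeeping: a prompt is accepted once, so a captured stream of
    a genuine session cannot be replayed against a later one."""

    def __init__(self, n_words: int = 8, min_entropy_bits: float = 40.0,
                 max_word_errors: int = 1):
        self.n_words = n_words
        self.min_entropy_bits = min_entropy_bits
        self.max_word_errors = max_word_errors
        self._pending: Set[str] = set()

    def challenge(self) -> str:
        prompt, bits = make_prompt(self.n_words)
        if bits < self.min_entropy_bits:
            raise ValueError(f"prompt entropy {bits} bits below floor {self.min_entropy_bits}")
        self._pending.add(prompt)
        return prompt

    def check(self, prompt: str, transcript: str) -> bool:
        """transcript: what the verifier's speech recogniser produced for the audio track."""
        if prompt not in self._pending:
            return False  # unknown, expired, or already consumed
        self._pending.discard(prompt)  # single use, whether or not the match succeeds
        return transcript_matches(prompt, transcript, self.max_word_errors)
```

The entropy floor and the single-use set are the security-relevant parts: with 8 words from 32 the prompt carries 40 bits, and consuming the prompt on first use means a recorded session cannot be submitted twice even if the recogniser would accept it.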

Overview of the Five Solutions

| | Solution 1 | Solution 2 | Solution 3 | Solution 4 | Solution 5 |
|---|---|---|---|---|---|
| Identity source | DMV | Bank | Credit card issuer | Medicare or medical insurance provider | State Department |
| Credential | Rich credential with facial image | Rich certificate asserted on a blockchain | Contactless EMV chip card | Medical ID smart card with signed facial image | Passport with signed facial image in RFID chip |

Solution 1: Rich Credential Issued by a DMV

[Diagram] On the subject's computing device: a web browser running a DMV service worker, with local storage holding the rich credential, the private key, and the secret salt; and a native app with access to the camera and microphone (video, audio) and to the password. Sent to the verifier: the rich certificate with facial image; the hash of the password and secret salt; a proof of knowledge of the private key; and an audio-visual stream of the subject reading prompted text. Verifier-side processing: rich credential verification, facial image extraction and presentation, attack detection.
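The rich credential slide and the Solution 1 diagram together describe three mechanisms worth seeing end to end: typed, salted leaves under an issuer signature; omission of undisclosed leaves by sending their hashes (omission-tolerant integrity); and the "something you know" factor carried as certified hash of password and secret salt, with the salt kept on the subject's device. The following is an added example written for this page, not Pomcor's code and not the typed hash tree of the RichCredentials paper (which nests subtrees; this is a flat, one-level tree). It stands in an HMAC for the issuer's signature, so the verifier here shares the key, where a real issuer signs the root with a private key and the verifier checks with the issuer's public key; the attribute values are constructed.

```python
"""Selective disclosure over a salted, typed hash tree with a certified password
factor (added example, not from the Pomcor deck or paper)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# Stand-in for the issuer's signing key (assumption: a real issuer signs the root
# with a private key and verifiers check it with the issuer's public key).
ISSUER_KEY = b"constructed-issuer-key-not-real"


def _h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so "ab"+"c" and "a"+"bc" hash differently."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.digest()


def leaf_hash(typ: str, value: bytes, salt: bytes) -> bytes:
    """Typed leaf: the type tag is under the hash, so a leaf cannot be re-labelled
    (e.g. presenting a facial image as a voiceprint) without breaking the root."""
    return _h(b"leaf", typ.encode(), salt, value)


def root_hash(leaf_hashes: List[bytes]) -> bytes:
    return _h(b"root", *leaf_hashes)


def password_verification_data(password: str, secret_salt: bytes) -> bytes:
    """Certified by the issuer and recomputed by the subject's device at verification
    time. The secret salt never leaves the device's local storage, so the certified
    value alone does not give a verifier an offline guessing target."""
    return _h(b"pwd", secret_salt, password.encode())


def issue(attrs: Dict[str, bytes]) -> dict:
    """Issuer: salt each attribute, hash the typed leaves, sign the root."""
    leaves = [{"typ": t, "value": v, "salt": secrets.token_bytes(16)} for t, v in attrs.items()]
    root = root_hash([leaf_hash(l["typ"], l["value"], l["salt"]) for l in leaves])
    sig = hmac.new(ISSUER_KEY, root, hashlib.sha256).digest()  # stand-in for the signature
    return {"leaves": leaves, "sig": sig}


def present(cred: dict, disclose: Set[str]) -> dict:
    """Subject: disclosed leaves are sent in full; omitted leaves are replaced by
    their hash, which is what makes the integrity protection omission-tolerant."""
    nodes = []
    for l in cred["leaves"]:
        if l["typ"] in disclose:
            nodes.append({"typ": l["typ"], "value": l["value"], "salt": l["salt"]})
        else:
            nodes.append({"hash": leaf_hash(l["typ"], l["value"], l["salt"])})
    return {"nodes": nodes, "sig": cred["sig"]}


def verify(pres: dict) -> Optional[Dict[str, bytes]]:
    """Verifier: recompute the root from the presentation and check the issuer's
    signature. Returns the disclosed attributes, or None if the check fails."""
    hashes: List[bytes] = []
    disclosed: Dict[str, bytes] = {}
    for n in pres["nodes"]:
        if "hash" in n:
            hashes.append(n["hash"])
        else:
            hashes.append(leaf_hash(n["typ"], n["value"], n["salt"]))
            disclosed[n["typ"]] = n["value"]
    expected = hmac.new(ISSUER_KEY, root_hash(hashes), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pres["sig"]):
        return None
    return disclosed


def check_password_factor(disclosed: Dict[str, bytes], presented_hash: bytes) -> bool:
    """Verifier: compare the hash of password and secret salt sent by the subject's
    device against the certified password verification data in the credential."""
    return "pwd" in disclosed and hmac.compare_digest(presented_hash, disclosed["pwd"])
```

The verifier never learns the secret salt or the password, only that the device could produce the certified hash; tampering with a disclosed value, or re-typing a leaf, changes the recomputed root and fails the signature check, while omitted leaves contribute only their hash and reveal nothing else.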

Solution 2: Unsigned Rich Certificate Asserted by a Bank on a Blockchain
• Bank asserts certificate by placing hash of certificate in a storage location that it controls within the blockchain
• Bank revokes certificate by placing hash in another storage location
  – Big improvement over CRLs and OCSP
• Three-factor verification as in Solution 1
• Biometrics:
  – Speaker recognition, leveraging voiceprint used for customer authentication
  – Optional: face recognition as in Solution 1, to defeat voice morphing

Solution 3: Remote Proof of Possession of a Contactless EMV Chip Card

[Diagram] Components: the verifier runs a web app and a hypervisor hosting a virtual POS (VPOS); the subject has a web browser, a native app, and a contactless card read by NFC tap; the acquiring bank, payment network, and issuing bank (which issued the card) complete the payment path. Labeled steps: 1 Begin; 2 Allocate VPOS; 3 VPOS ID; 6 APDUs exchanged with the card over the NFC tap; 7 Authorization request; 8 Authorization response; 9 Attributes. Steps 4 and 5 are unlabeled in the extracted diagram.

Solution 3 Enhancements
• As described above, Solution 3 provides only one verification factor:
  – Possession of contactless EMV card
• An "indirect" factor can be added
  – By asking the subject to demonstrate ownership of the account by reporting the amounts of the transactions
• The issuing bank could add a face recognition factor by placing a signed facial image in the card

Solution 4: Medical ID Smart Card with Signed Facial Image

[Diagram] The Medicare or medical insurance provider issues the medical ID smart card. The subject uses a web browser and a native app; the card is read by NFC tap. Labeled steps: 1 Begin; 2 Launch app; 4 APDUs transmitting the signed facial image and a proof of knowledge of the private key; 5 audio-visual stream of the subject's face reading prompted text, sent to the verifier. Step 3 is unlabeled in the extracted diagram.

Solution 5: Passport with Signed Facial Image in RFID Chip

[Diagram] The subject's native app reads the signed biodata and facial image from the passport's RFID chip by NFC tap; the web browser uploads them to the verifier. Labeled steps: 1 Begin; 2 Launch app; 4 file upload of the signed biodata and facial image; 5 audio-visual stream of the subject's face reading prompted text. Step 3 is unlabeled in the extracted diagram.

Solution 5 Enhancements
• As described above, Solution 5 provides only one verification factor:
  – Face recognition
• A strong proof of possession could be added by storing a key pair in the RFID
  – As specified by ICAO Doc 9303 Part 11, but not implemented in US passports
• A weaker proof of possession can be added by asking subject to show passport data page in audio-visual stream
  – Next generation passports will add more physical security features (but no private key?!)

Recap of Verification Factors Provided by the Five Solutions

| | Solution 1 | Solution 2 | Solution 3 | Solution 4 | Solution 5 |
|---|---|---|---|---|---|
| Identity source | DMV | Bank | Credit card issuer | Medicare or medical insurance provider | State Department |
| Credential | Rich credential with facial image | Rich certificate asserted on a blockchain | Contactless EMV chip card | Medical ID smart card with signed facial image | Passport with signed facial image in RFID chip |
| Verification factors | 3 strong | 3 strong | 1 strong + 1 indirect | 2 strong | 1 strong + 1 weak |

Thank you for your attention!
For more information:
Website: pomcor.com
Blog: pomcor.com/blog/
Paper: https://pomcor.com/techreports/RichCredentials.pdf
Any questions?