Biometric Authentication

Biometric Authentication
Presenter: Yaoyu, Zhang
Preface
We can authenticate an identity in three ways: by something the user knows (such as a password or personal identification number), something the user has (a security token), or something the user is (a physical characteristic, such as a fingerprint, called a biometric).
Abstract
- Introduction to biometric authentication
- Some related concepts
- Biometric Methods
- Can biometric authentication be fooled
- Some issues about Access Control
Biometric Authentication
- Biometric Authentication
  - Authentication based on body measurements and motions
  - It is easy because you always bring your body with you
- Biometric Systems
  - Enrollment
  - Later access attempts
  - Acceptance or rejection
Biometric Authentication System (diagram, flattened here)
1. Initial Enrollment: User Lee → Scanning → Processing (key feature extraction: A=01, B=101, C=001) → Template 01101001, stored in the Template Database
2. Subsequent Access: Applicant → Scanning → Processing (key feature extraction: A=01, B=111, C=001) → 01111001
3. Match Index: Decision Criterion (close enough?) → User Access Data
Template Database: Brown 10010010; Lee 01101001; Chun 00111011; Hirota 1101110; …
Biometric Authentication
- Verification Versus Identification
  - Verification: Are applicants who they claim to be? (compare with a single template)
  - Identification: Who is the applicant? (compare with all templates)
    - More difficult than verification because it must compare to many templates
    - Watch list: is this person a member of a specific group (e.g., known terrorists)?
  - Verification is good for replacing passwords in logins
  - Identification is good for door access and other situations where entering a name would be difficult
FAR
- Precision
  - False acceptance rates (FARs): percentage of unauthorized people allowed in
    - Person falsely accepted as a member of a group
    - Person allowed through a door who should not be allowed through it
  - Very bad for security
FRR
- Precision
  - False rejection rates (FRRs): percentage of authorized people not recognized as being members of the group
    - Valid person denied door access or server login because not recognized
  - Can be reduced by allowing multiple access attempts
  - High FRRs will harm user acceptance because users are angered by being falsely forbidden
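As an added example (not from the slides), the matching step in Python: Hamming-distance comparison on bit-string templates like those in the diagram, the verification (one template) and identification (all templates) modes, and FAR/FRR measured on a constructed set of attempts at a chosen decision threshold. Hirota's 7-bit entry is padded to 8 bits and every attempt is constructed; both are assumptions made for this example.

```python
# Added example, not from the slides: bit-string templates matched by Hamming
# distance, with FAR and FRR measured on constructed attempts at a threshold.

def hamming(a: str, b: str) -> int:
    """Count differing bit positions between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x != y for x, y in zip(a, b))

def verify(sample: str, template: str, threshold: int) -> bool:
    """Verification: one comparison against the claimed user's template."""
    return hamming(sample, template) <= threshold

def identify(sample: str, database: dict, threshold: int):
    """Identification: compare against every template; return the closest
    enrolled user if it is close enough, otherwise None."""
    best = min(database, key=lambda name: hamming(sample, database[name]))
    return best if hamming(sample, database[best]) <= threshold else None

def error_rates(attempts, database: dict, threshold: int):
    """Return (FAR, FRR) for verification at `threshold`: FAR is the fraction of
    impostor attempts accepted, FRR the fraction of genuine attempts rejected."""
    accepted_impostors = rejected_genuine = impostors = genuine = 0
    for claimed, sample, is_genuine in attempts:  # (name, sample, genuine?)
        accepted = verify(sample, database[claimed], threshold)
        if is_genuine:
            genuine += 1
            rejected_genuine += not accepted
        else:
            impostors += 1
            accepted_impostors += accepted
    return accepted_impostors / impostors, rejected_genuine / genuine

# Template database from the diagram; Hirota's 7-bit entry is padded with a
# leading 0 so all templates are 8 bits (an assumption made for this example).
DATABASE = {"Brown": "10010010", "Lee": "01101001",
            "Chun": "00111011", "Hirota": "01101110"}

# Constructed attempts: (claimed user, scanned sample, really that user?)
ATTEMPTS = [
    ("Lee", "01111001", True),     # the diagram's access sample, 1 bit off
    ("Lee", "01101001", True),     # exact match
    ("Chun", "00111111", True),    # 1 bit off
    ("Brown", "10110110", True),   # 2 bits off: a noisy scan
    ("Lee", "00111011", False),    # Chun's print presented as Lee (3 bits off)
    ("Lee", "01101110", False),    # Hirota's print presented as Lee (3 bits off)
    ("Brown", "01101001", False),  # Lee's print presented as Brown (7 bits off)
    ("Chun", "10010010", False),   # Brown's print presented as Chun (4 bits off)
]
```

Sweeping the threshold from 1 to 3 on this data moves (FAR, FRR) from (0, 0.25) through (0, 0) to (0.5, 0), which is the trade-off the FAR and FRR slides describe: a looser decision criterion admits impostors, a tighter one turns away legitimate users.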
Biometric Authentication
- Precision
  - Vendor claims for FARs and FRRs tend to be exaggerated because they often perform tests under ideal circumstances
    - For instance, having only small numbers of users in the database
    - For instance, by using perfect lighting, extremely clean readers, and other conditions rarely seen in the real world
Biometric Authentication
- User Acceptance is Crucial
  - Strong user resistance can kill a system
  - Fingerprint recognition may have a criminal connotation
  - Some methods are difficult to use, such as iris recognition, which requires the eye to be lined up carefully
    - These require a disciplined group
Biometric Authentication
- Biometric Methods
  - Fingerprint recognition
    - Dominates the biometric market today
    - Based on a finger's distinctive pattern of whorls, arches, and loops
    - Simple, inexpensive, well-proven
    - Weak security: can be defeated fairly easily with copies
    - Useful in modest-security areas
Biometric Authentication
- Biometric Methods
  - Iris recognition
    - Pattern in the colored part of the eye
    - Very low FARs
    - High FRR if the eye is not lined up correctly can harm acceptance
    - Reader is a camera: it does not send light into the eye!
Biometric Authentication
- Biometric Methods
  - Face recognition
    - Can be put in public places for surreptitious identification (identification without citizen or employee knowledge). More later.
  - Hand geometry: shape of the hand
  - Voice recognition
    - High error rates
    - Easy to fool with recordings
Biometric Authentication
- Biometric Methods
  - Keystroke recognition
    - Rhythm of typing
    - Normally restricted to passwords
    - Ongoing during a session could allow continuous authentication
  - Signature recognition
    - Pattern and writing dynamics
- Biometric Standards
  - Almost no standardization
  - Worst for user data (fingerprint feature databases)
  - Get locked into single vendors
Biometric Authentication
- Can Biometrics be Fooled?
  - Airport face recognition
    - Identification of people passing in front of a camera
    - False rejection rate: rate of not identifying a person as being in the database
      - Fail to recognize a criminal, terrorist, etc.
      - FRRs are bad
    - 4-week trial of face recognition at Palm Beach International Airport
      - Only 250 volunteers in the user database (unrealistically small)
      - Volunteers were scanned 958 times during the trial
      - Only recognized 455 times! (47%)
      - 53% FRR
Biometric Authentication
- Can Biometrics be Fooled?
  - Airport face recognition
    - Recognition rate fell if the subject wore glasses (especially tinted) or looked away
    - Would be worse with a larger database
    - Would be worse if photographs were not good
  - DOD (Department of Defense) tests indicate poor acceptance rates even when subjects were not attempting to evade
    - 270-person test
    - Face recognition recognized the person only 51 percent of the time
    - Even iris recognition only recognized the person 94 percent of the time!
Biometric Authentication
- Can Biometrics be Fooled?
  - Other research has shown that evasion is often successful for some methods
    - German c't magazine fooled most face and fingerprint recognition systems
    - Prof. Matsumoto fooled fingerprint scanners 80 percent of the time with a gelatin finger created from a latent (invisible to the naked eye) print on a drinking glass
Access Control
- Access Control
  - Access control is the policy-driven limitation of access to systems, data, and dialogs
  - Goals
    - Prevent attackers from gaining access, stopping them if they do
    - Provide appropriate limitations on the access rights of authorized users
Access Control
- First Steps
  - Enumeration of Resources
  - Sensitivity of Each Resource
- Next, Who Should Have Access?
  - Can be made individual by individual
  - More efficient to define by roles (logged-in users, system administrators, project team members, etc.)
Access Control
- Policy-Based Access Control and Protection
  - Have a specific access control policy and an access protection policy for each resource
    - For example, for a file on a server: limit authorizations to a small group, harden the server against attack, use a firewall to thwart external attackers, etc.
  - Focuses attention on each resource
  - Guides the selection and configuration of firewalls and other protections
  - Guides the periodic auditing and testing of protection plans