Biometric Authentication
Presenter: Yaoyu, Zhang
Preface
We can authenticate an identity in three ways: by something the user knows (such as a password or personal identification number), something the user has (a security token), or something the user is (a physical characteristic, such as a fingerprint, called a biometric).
Abstract
Introduction to biometric authentication
Some related concepts
Biometric methods
Can biometric authentication be fooled?
Some issues about access control
Biometric Authentication
Authentication based on body measurements and motions.
It is easy because you always bring your body with you.
Biometric Systems
Enrollment
Later access attempts
Acceptance or rejection
Biometric Authentication System (figure)
1. Initial Enrollment: User Lee is scanned; processing (key feature extraction) produces the template 01101001 (A=01, B=101, C=001), which is stored in the template database.
2. Subsequent Access: the applicant is scanned; processing (key feature extraction) produces 01111001 (A=01, B=111, C=001).
3. Match Index: the applicant's features are compared with the stored template, and the decision criterion (close enough?) decides whether the applicant is accepted as user Lee and given access to user access data.
Template Database: Brown 10010010; Lee 01101001; Chun 00111011; Hirota 1101110; …
Verification Versus Identification
Verification: Are applicants who they claim to be? (compare with a single template)
Identification: Who is the applicant? (compare with all templates)
  More difficult than verification because it must compare against many templates.
  Watch list: is this person a member of a specific group (e.g., known terrorists)?
Verification is good for replacing passwords in logins.
Identification is good for door access and other situations where entering a name would be difficult.
Precision: FAR
False acceptance rate (FAR): the percentage of unauthorized people allowed in.
  Example: a person falsely accepted as a member of a group.
  Example: a person allowed through a door who should not be allowed through it.
False acceptances are very bad for security.
Precision: FRR
False rejection rate (FRR): the percentage of authorized people not recognized as members of the group.
  Example: a valid person denied door access or server login because they are not recognized.
Can be reduced by allowing multiple access attempts.
High FRRs harm user acceptance because users are angered by being falsely forbidden.
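As an added example (not part of the slides), the matching loop of the figure above, the verification and identification modes, and the FAR/FRR definitions just given, written in Python: the templates are three of the figure's 8-bit feature strings, the match index is assumed to be the fraction of agreeing bits, and the access attempts are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Three of the figure's 8-bit templates (Hirota's 7-bit entry is left out so
# that every template has the same length).
TEMPLATE_DB: Dict[str, str] = {"Brown": "10010010", "Lee": "01101001", "Chun": "00111011"}

def match_index(sample: str, template: str) -> float:
    """Fraction of bit positions that agree (1.0 = identical features)."""
    if len(sample) != len(template):
        raise ValueError("feature strings must have the same length")
    return sum(a == b for a, b in zip(sample, template)) / len(template)

def verify(sample: str, claimed: str, db: Dict[str, str], threshold: float) -> bool:
    """1:1 verification: compare only with the claimed user's template."""
    return match_index(sample, db[claimed]) >= threshold

def identify(sample: str, db: Dict[str, str], threshold: float) -> Optional[str]:
    """1:N identification: compare with every template; return the best one if close enough."""
    name, score = max(((n, match_index(sample, t)) for n, t in db.items()), key=lambda p: p[1])
    return name if score >= threshold else None

# Constructed access attempts: (scanned features, claimed user, true user or None for an impostor)
ATTEMPTS: List[Tuple[str, str, Optional[str]]] = [
    ("01111001", "Lee", "Lee"),      # the figure's example: one noisy bit
    ("01101001", "Lee", "Lee"),      # perfect scan
    ("01000001", "Lee", "Lee"),      # two noisy bits
    ("10010010", "Brown", "Brown"),
    ("00111011", "Chun", "Chun"),
    ("00101011", "Lee", None),       # impostor whose features are 2 bits from Lee's
    ("11111111", "Brown", None),
    ("00000000", "Chun", None),
]

def error_rates(threshold: float, db=TEMPLATE_DB, attempts=ATTEMPTS) -> Tuple[float, float]:
    """Return (FAR, FRR) for a given acceptance threshold, as fractions."""
    false_accepts = false_rejects = impostors = genuine = 0
    for sample, claimed, truth in attempts:
        accepted = verify(sample, claimed, db, threshold)
        if truth is None:
            impostors += 1
            false_accepts += accepted
        else:
            genuine += 1
            false_rejects += not accepted
    return false_accepts / impostors, false_rejects / genuine

if __name__ == "__main__":
    # Raising the threshold lowers FAR but raises FRR: the trade-off the slides describe.
    for t in (1.0, 0.875, 0.75):
        far, frr = error_rates(t)
        print(f"threshold {t:.3f}: FAR {far:.2f}  FRR {frr:.2f}")
```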
Precision: Vendor Claims
Vendor claims for FARs and FRRs tend to be exaggerated because vendors often perform tests under ideal circumstances:
  For instance, having only small numbers of users in the database.
  For instance, using perfect lighting, extremely clean readers, and other conditions rarely seen in the real world.
User Acceptance is Crucial
Strong user resistance can kill a system.
Fingerprint recognition may have a criminal connotation.
Some methods are difficult to use, such as iris recognition, which requires the eye to be lined up carefully. Such methods require a disciplined user group.
Biometric Methods
Fingerprint recognition
  Dominates the biometric market today.
  Based on a finger's distinctive pattern of whorls, arches, and loops.
  Simple, inexpensive, well-proven.
  Weak security: can be defeated fairly easily with copies.
  Useful in modest-security areas.
Iris recognition
  Pattern in the colored part of the eye.
  Very low FARs.
  High FRR if the eye is not lined up correctly, which can harm acceptance.
  The reader is a camera; it does not send light into the eye.
Face recognition
  Can be put in public places for surreptitious identification (identification without citizen or employee knowledge). More later.
Hand geometry
  Shape of the hand.
Voice recognition
  High error rates.
  Easy to fool with recordings.
Keystroke recognition
  Rhythm of typing.
  Normally restricted to passwords.
  Ongoing during a session, it could allow continuous authentication.
Signature recognition
  Pattern and writing dynamics.
Biometric Standards
Almost no standardization
Worst for user data (fingerprint feature databases)
Get locked into single vendors
Can Biometrics be Fooled?
Airport face recognition
  Identification of people passing in front of a camera.
  False rejection rate: the rate of not identifying a person as being in the database, i.e., failing to recognize a criminal, terrorist, etc. Here FRRs are bad.
  4-week trial of face recognition at Palm Beach International Airport:
    Only 250 volunteers in the user database (unrealistically small).
    Volunteers were scanned 958 times during the trial.
    Only recognized 455 times! (47%)
    53% FRR.
  Recognition rate fell if the subject wore glasses (especially tinted) or looked away.
  Would be worse with a larger database.
  Would be worse if the photographs were not good.
DOD (Department of Defense) tests indicate poor acceptance rates even when subjects were not attempting to evade:
  270-person test.
  Face recognition recognized the person only 51 percent of the time.
  Even iris recognition only recognized the person 94 percent of the time!
Can Biometrics be Fooled?
Other research has shown that evasion is often successful for some methods.
German c’t magazine fooled most face and fingerprint recognition systems.
Prof. Matsumoto fooled fingerprint scanners 80 percent of the time with a gelatin finger created from a latent (invisible to the naked eye) print on a drinking glass.
Access Control
Access control is the policy-driven limitation of access to systems, data, and dialogs.
Goals
  Prevent attackers from gaining access, and stop them if they do.
  Provide appropriate limitations on the access rights of authorized users.
Access Control: First Steps
Enumerate the resources.
Determine the sensitivity of each resource.
Next, decide who should have access:
  Can be done individual by individual.
  More efficient to define access by roles (logged-in users, system administrators, project team members, etc.).
Policy-Based Access Control and Protection
Have a specific access control policy and an access protection policy for each resource.
  For example, for a file on a server: limit authorizations to a small group, harden the server against attack, use a firewall to thwart external attackers, etc.
This focuses attention on each resource.
It guides the selection and configuration of firewalls and other protections.
It guides the periodic auditing and testing of protection plans.
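As an added example (not from the slides), the access-control steps above in Python: a constructed resource inventory with sensitivity ratings, a per-resource policy keyed by the slide's example roles, a default-deny check, and an audit pass that flags resources whose policy is missing or too broad. All paths, roles and sensitivity levels are assumptions.

```python
from typing import Dict, List, Set

# Constructed resource inventory: resource -> sensitivity (1 = low, 3 = high).
RESOURCES: Dict[str, int] = {
    "/srv/public/brochure.pdf": 1,
    "/srv/projects/alpha/design.doc": 2,
    "/srv/hr/salaries.xlsx": 3,
}

# Constructed per-resource access control policy: role -> allowed actions.
# salaries.xlsx deliberately has no entry, so it is denied by default and flagged by audit().
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "/srv/public/brochure.pdf": {"logged-in users": {"read"}},
    "/srv/projects/alpha/design.doc": {
        "project team members": {"read", "write"},
        "system administrators": {"read", "write"},
    },
}

# Roles that cover a large population; too broad for high-sensitivity resources.
BROAD_ROLES: Set[str] = {"logged-in users"}

def is_allowed(user_roles: Set[str], resource: str, action: str) -> bool:
    """Default deny: allow only if some role the user holds grants the action on this resource."""
    rules = POLICY.get(resource, {})
    return any(action in rules.get(role, set()) for role in user_roles)

def audit(resources: Dict[str, int] = RESOURCES, policy=POLICY) -> List[str]:
    """Periodic check: every resource needs a policy, and sensitive ones must not be open to broad roles."""
    findings = []
    for res, sensitivity in resources.items():
        if res not in policy:
            findings.append(f"{res}: no access control policy defined")
        elif sensitivity >= 3 and BROAD_ROLES & set(policy[res]):
            findings.append(f"{res}: high-sensitivity resource granted to a broad role")
    return findings
```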