INTRODUCING BSI MANAGEMENT SYSTEMS

Biometric standards
An overview of biometrics and identity management
February 2010

The need to identify
• Every day we are required to identify ourselves
  - Using a bank card with a PIN at a cash machine
  - A password to log on to a computer
  - Using a key to open a door
  - Punching a code into a keypad to enter the workplace
  - Using passwords on the Internet
  - Providing a passport and driving licence as proof of identity
• We need to be able to accurately IDENTIFY an individual to minimize current issues and threats

Current attributes used to identify
• Name
• Mother’s maiden name
• Address
• Passport
• Postcode
• Birth certificate
• Date of Birth
• Driving licence
• Account no.
• Credit cards
• Passwords
• Utility bills
• PINs
• Membership cards
• Phone no.
• Salary slip

Is biometrics the answer?
• A biometric is part of the person and is not easily compromised through:
  - Theft
  - Collusion
  - Loss
• Simplifies user management resulting in cost savings
• Users do not need to remember passwords
• Users do not need to remember PINs
• User accounts cannot be shared
• Easy to use

Biometric definition
• The automated recognition of individuals based on their behavioural and biological characteristics
  - The general meaning of biometrics encompasses counting, measuring and statistical analysis of any kind of data in the biological sciences including the relevant medical sciences
• The term is derived from the Greek words “bios” meaning life and “metron” meaning measure

Biological and behavioural
• Biological
  - Fingerprint
  - Face (2D & 3D)
  - Iris
  - Vein pattern
  - Hand geometry
  - DNA
• Behavioural
  - Signature
  - Gait
  - Voice
  - Keystroke dynamics

Iris
• Captures the pattern of flecks on the iris
• Uses conventional cameras
• Average 2 seconds for identification
• No physical contact between user and reader

Face
• Based upon the geometric shape and position of features of the face
• Resistant to changes in skin tone, facial hair, hair style, and eyeglasses
• No active user involvement required in order to perform identification/verification
• Limited success in practical applications

Voice
• Analyses voice patterns and characteristics of speech e.g. pitch, tone, etc.
• High user acceptance – perceived as least intrusive biometric technology
• Easy for end users to implement
• Ideal for telephone systems/mobile environments

Hand geometry
• Measures the physical characteristics of the user’s hand and fingers
• Low level infrared light and camera used to capture an image
• Suited to applications where there is a large user base or users access the system infrequently
• Systems are easy to use and robust

Signature
• Based on analysis of the dynamics of a handwritten signature e.g. shape, speed, stroke order, pen pressure
• Generally use pressure sensitive tablets or wired pens
• User friendly
• Non intrusive – minimal public acceptance issues
• Captured signature can be used for digitally signing documents

Keystroke dynamics
• Monitors rate of typing and intervals between letters
• Verification based on typing rhythm – intruders may guess password but fail to key in with correct rhythm
• Neither enrolment nor verification disturbs the regular flow of work
• Low cost – only hardware required is keyboard

Fingerprint
• Variety of fingerprint devices available (silicon and optical)
• Template constructed by analysing patterns that make the fingerprint (minutiae)

DNA
• Forensic genetics uses deoxyribonucleic acid (DNA) profiling in a number of important human identity applications
• 0.01% of a person's entire genome is unique to each individual
  - This represents 3 million base pairs of DNA
  - 95% of the human genome are non-coding sequences (called junk DNA)
• Standard profiling systems only exploit the junk DNA to maintain the privacy and civil rights of the donor

Multimodal
• Combination of one or more biometrics
  - Algorithmic level
  - Results level
• Multimodal is the fusion of results with logic applied

Key multimodal facts
Can be used to:
• Improve reliability
• Make forgery more difficult
• Make systems more flexible to user characteristics (decreases failure to enrol)
• Make systems more complex
• Promote inclusivity
[Diagram labels: Input Device, Matching, Result; Input Device Fusion, Matching Fusion, Result Fusion]

Verification versus Identification
“Who are you?”
“Are you who you say you are?”
NOT

Verification and Identification
• Verification
  - Involves confirming or denying a person’s claimed identity – Are you who you claim to be?
  - Biometric sample captured and compared with the previously stored template for that user
  - One-to-one comparison
  - Are you who you say you are?
  - “I am who I say I am”
• Identification
  - Means establishing a person’s identity from an already established list – Who are you from this list?
  - Biometric sample presented to a system which searches the existing (enrolled) subjects
  - One-to-many comparison
  - Do I know you?
  - “I am not known to you already”

Identification before verification
• To establish a ‘clean’ database of individuals each individual first needs to be identified
  - One-to-many match is performed against the central database to ensure the individual does not already exist under the correct name or any other aliases
• Once identity is established it can be sufficient to verify the individual as proof of identity only
  - One-to-one match is performed at the point of interface without the need to check back to the central database
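The enrol-then-verify flow on this slide, as an added example that is not part of the original presentation: a one-to-many search rejects a duplicate enrolment under an alias, and later checks are one-to-one against the stored template only. The cosine-similarity matcher, the 0.95 threshold, the names and the feature vectors are all assumptions constructed for illustration.

```python
import math

THRESHOLD = 0.95  # assumed match threshold; real systems tune this per modality


def similarity(a, b):
    """Cosine similarity between two feature vectors (stand-in for a real matcher)."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def identify(sample, gallery):
    """One-to-many: return (name, score) of the best match above threshold, else None."""
    best = max(((name, similarity(sample, tpl)) for name, tpl in gallery.items()),
               key=lambda hit: hit[1], default=None)
    return best if best and best[1] >= THRESHOLD else None


def enrol(name, sample, gallery):
    """Identification before enrolment: refuse a sample already enrolled under any name."""
    hit = identify(sample, gallery)
    if hit is not None:
        return ("rejected", hit[0])   # same person, possibly under an alias
    gallery[name] = sample
    return ("enrolled", name)


def verify(sample, stored_template):
    """One-to-one: compare only against the claimed identity's template (e.g. on a card)."""
    return similarity(sample, stored_template) >= THRESHOLD


# Constructed feature vectors; a second capture of the same person differs slightly.
ALICE_1 = [0.90, 0.10, 0.40, 0.70]
ALICE_2 = [0.88, 0.12, 0.41, 0.69]
BOB_1 = [0.20, 0.80, 0.60, 0.10]


def demo():
    gallery = {}
    results = [
        enrol("Alice Smith", ALICE_1, gallery),
        enrol("Bob Jones", BOB_1, gallery),
        enrol("A. Alias", ALICE_2, gallery),     # duplicate attempt under another name
    ]
    card_template = gallery["Alice Smith"]       # template carried to the point of interface
    checks = (verify(ALICE_2, card_template), verify(BOB_1, card_template))
    return results, checks, sorted(gallery)
```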

Key considerations in a biometric system
[Diagram labels: Current & Future Technology; Accuracy & Throughput Performance; Risk & Requirement Analysis; Research & Development Strategy; User Perception; Integration; Business Process]

Considerations of adding a biometric system
• Not all biometric technologies suit all people
• In many cases additional hardware is required
• User co-operation is usually necessary
• Privacy concerns must be addressed
• Cost of personal devices in large systems can be significant
• User education is required
• Biometric revocation must be considered as biometric data is not secret

Capture the legal and political imperatives
• Ask what additional considerations there are with a biometric application as opposed to any other IT deliverable
  - Privacy?
  - Data access considerations (who and why)?
  - Sensitivity of data?
  - Legislative limitations?
  - User acceptance?
  - Standards compliance?

ISO/IEC JTC1 SC 37 Biometrics
• Currently 25 participating countries and 7 observer countries
• Liaisons with:
  - JTC 1/SC 17 Cards and Personal Identification
  - JTC 1/SC 24 Computer Graphics and Imaging
  - JTC 1/SC 27 Information Technology Security Techniques
  - JTC 1/SC 29 Coding of Audio, Picture and Multimedia and Hypermedia Information
  - JTC 1/SC 31 Automatic Identification and Data Capture Techniques
  - JTC 1/SC 32 Data Management and Interchange
  - JTC 1/SC 36 Information Technology for Learning, Education and Training
  - ITU-T SG17 Telecommunication Standardization Sector Study Group on Data Networks and Telecommunications Software
  - BioAPI Consortium
  - International Biometrics Industry Association (IBIA)
  - ILO International Labour Office of the UN

The benefits of standards for biometrics
• They foster widespread utilization of the technology
• They are a sign of industry maturity
• They reduce time-to-market
• They facilitate interchange and/or interoperability
• They reduce risk to integrators and end users
• They reduce vendor “lock-in” effect