BiometricsBiometrics

The Password You’ll Never ForgetThe Password You’ll Never Forget

Shadi Azoum & Roy DonaldsonShadi Azoum & Roy Donaldson

CIS 4360 – Introduction to Computer SecurityCIS 4360 – Introduction to Computer Security

What Is Biometrics?What Is Biometrics?

The automated identification or verification of human The automated identification or verification of human identity through physiological and behavioral traitsidentity through physiological and behavioral traits

History of BiometricsHistory of Biometrics

The first known example of biometrics was fingerprinting in China The first known example of biometrics was fingerprinting in China in the 14in the 14thth century, used to distinguish young children from one century, used to distinguish young children from one another.another.

In the past three decades, it has moved from solely fingerprinting In the past three decades, it has moved from solely fingerprinting to more than ten discreet methods.to more than ten discreet methods.

Laws and regulations continue to be drafted and standards are Laws and regulations continue to be drafted and standards are beginning to be developed. No biometric has yet reached the beginning to be developed. No biometric has yet reached the breadth of fingerprinting.breadth of fingerprinting.

Uses of BiometricsUses of Biometrics

IdentificationIdentification determines who a person is. determines who a person is. Take the measured characteristic and try to find a match in a Take the measured characteristic and try to find a match in a

database containing records of people and that characteristic.database containing records of people and that characteristic. Can require a large amount of processing power and some Can require a large amount of processing power and some

time if the database is largetime if the database is large VerificationVerification determines if a person is who they say they determines if a person is who they say they

really are.really are. Take the measured characteristic and compare it to the Take the measured characteristic and compare it to the

previously recorded data for that personpreviously recorded data for that person Requires less processing power and timeRequires less processing power and time

How Does Biometrics Work?How Does Biometrics Work?

All biometric systems operate the same way in a four-step process All biometric systems operate the same way in a four-step process that is automated and computerized.that is automated and computerized.

Capture – Capture – a physical or behavioral sample is captured by the system a physical or behavioral sample is captured by the system during enrollmentduring enrollment

ExtractionExtraction – unique data are extracted from the sample and a – unique data are extracted from the sample and a template is created; unique features are then extracted by the template is created; unique features are then extracted by the system and converted into a mathematical code (biometric data); this system and converted into a mathematical code (biometric data); this sample is then stored as the biometric template for that person.sample is then stored as the biometric template for that person.

ComparisonComparison – template is then compared with a new sample; a – template is then compared with a new sample; a computer algorithm normalizes the captured biometric signature so computer algorithm normalizes the captured biometric signature so that it is in the same format as an individual’s signature stored in the that it is in the same format as an individual’s signature stored in the database; biometric data are then stored as the biometric template database; biometric data are then stored as the biometric template for that personfor that person

Match/Non-matchMatch/Non-match – the system decides whether the features – the system decides whether the features extracted from the new sample are a match or a non-match with the extracted from the new sample are a match or a non-match with the template; if so, the person’s identity is confirmedtemplate; if so, the person’s identity is confirmed

Why Use Biometrics?Why Use Biometrics?

PINs, passwords, and physical tokens, are popular present-day PINs, passwords, and physical tokens, are popular present-day methods used for authentication and verification. However, there methods used for authentication and verification. However, there are a number of problems associated with these types of are a number of problems associated with these types of identification.identification.

People forget, reuse, and write down passwords.People forget, reuse, and write down passwords. People loose tokens or they may be stolen.People loose tokens or they may be stolen. Recognition of passwords or tokens does not ensure the identity of the Recognition of passwords or tokens does not ensure the identity of the

person providing it.person providing it. There is little “work” on the part of the user to authenticate or There is little “work” on the part of the user to authenticate or

verify themselves.verify themselves. No memorization of passwordsNo memorization of passwords No misplacing of tokensNo misplacing of tokens

Problems with Implementing Problems with Implementing BiometricsBiometrics

Cultural and Social IssuesCultural and Social Issues People would think that there are hidden cameras everywherePeople would think that there are hidden cameras everywhere People believe biometrics is used only for criminals (i.e. People believe biometrics is used only for criminals (i.e.

fingerprint biometrics)fingerprint biometrics) Some cultures do not allow taking photographsSome cultures do not allow taking photographs

Biometric systems are not 100% accurate 100% of the Biometric systems are not 100% accurate 100% of the time.time. Humans are inconsistent: both our physical and behavioral Humans are inconsistent: both our physical and behavioral

characteristics can change over time.characteristics can change over time. TechnologyTechnology is still more is still more expensiveexpensive

FingerprintingFingerprinting

BasicsBasics Takes an image (using ink or a digital scan) of a person’s Takes an image (using ink or a digital scan) of a person’s

fingerprints and records the characteristics.fingerprints and records the characteristics. This information is usually not stored as an image. Instead, it is This information is usually not stored as an image. Instead, it is

encoded as a character string. This helps to prevent reverse encoded as a character string. This helps to prevent reverse engineering of a person’s fingerprint, as well as decreasing engineering of a person’s fingerprint, as well as decreasing lookup time.lookup time.

How It WorksHow It Works User presses his/her finger gently against a smaller reader User presses his/her finger gently against a smaller reader

surface.surface. The reader scans the finger (usually about 5 seconds) and The reader scans the finger (usually about 5 seconds) and

sends the information to a database.sends the information to a database. This is then compared to the information within.This is then compared to the information within. To prevent fake or detached fingers from being used, many To prevent fake or detached fingers from being used, many

systems also measure blood flow, temperature, or check for systems also measure blood flow, temperature, or check for correctly arrayed ridges at the edges of the finger.correctly arrayed ridges at the edges of the finger.

FingerprintingFingerprinting

EvaluationEvaluation AccurateAccurate PowerfulPowerful Small storageSmall storage Highly developed and researchedHighly developed and researched SecureSecure Requires a bit of management – scanner must be kept cleanRequires a bit of management – scanner must be kept clean

Retinal ScanningRetinal Scanning

BasicsBasics Analyzes the layers of the blood vessels at the back of the eye Analyzes the layers of the blood vessels at the back of the eye

using a low-intensity light source and an optical coupler which using a low-intensity light source and an optical coupler which can read the patterns at a greater level of accuracycan read the patterns at a greater level of accuracy

How It WorksHow It Works User looks through a small opening in the device at a small User looks through a small opening in the device at a small

green light, and must keep their head still and eye focused on green light, and must keep their head still and eye focused on the light for several seconds during which time the device will the light for several seconds during which time the device will verify the identity. verify the identity.

The process takes about 10 to 15 seconds in total.The process takes about 10 to 15 seconds in total. EvaluationEvaluation

Most accurate biometric available todayMost accurate biometric available today Extremely difficult to fool the deviceExtremely difficult to fool the device ExpensiveExpensive Users think it is harmful to the eye and discomforting.Users think it is harmful to the eye and discomforting.

Iris ScanningIris Scanning

BasicsBasics Analyzes the features that exist in the colored tissue surrounding the Analyzes the features that exist in the colored tissue surrounding the

pupilpupil How It WorksHow It Works

User positions themselves such that he/she can see their own eye User positions themselves such that he/she can see their own eye reflection in the device (can be done at a slight distance)reflection in the device (can be done at a slight distance)

Uses a regular video cameraUses a regular video camera Can be done even through glassesCan be done even through glasses Light varied to watch for pupil dilationLight varied to watch for pupil dilation

EvaluationEvaluation Likelihood of a false positive very low, due to uniqueness of eyes even Likelihood of a false positive very low, due to uniqueness of eyes even

between right and left eyes.between right and left eyes. Takes a bit more memory to storeTakes a bit more memory to store

Speaker RecognitionSpeaker Recognition

BasicsBasics Analyzes the acoustic features of speech that are unique to each Analyzes the acoustic features of speech that are unique to each

individualindividual Acoustic patterns reflect both the anatomy (size and shape of throat Acoustic patterns reflect both the anatomy (size and shape of throat

and mouth) and learned behavioral patterns (voice pitch and speaking and mouth) and learned behavioral patterns (voice pitch and speaking style).style).

How It WorksHow It Works User speaks into microphone his/her password or access phrase.User speaks into microphone his/her password or access phrase. Verification time is approximately 5 seconds.Verification time is approximately 5 seconds. Most devices require the high and low frequencies of the sound to Most devices require the high and low frequencies of the sound to

match to prevent recorded voice use.match to prevent recorded voice use. EvaluationEvaluation

Low Cost – very little hardware is required (a microphone on a standard Low Cost – very little hardware is required (a microphone on a standard PC with software to analyze unique characteristics.PC with software to analyze unique characteristics.

Ideally suited for telephone-based applicationsIdeally suited for telephone-based applications Difficult to analyze speechDifficult to analyze speech

Using Biometrics Without Ruining Using Biometrics Without Ruining Its FunctionalityIts Functionality

Use with a combination of other security mechanismsUse with a combination of other security mechanisms Fingerprinting in combination with a passwordFingerprinting in combination with a password

Use with a combination of other biometricsUse with a combination of other biometrics Fingerprinting with iris scanningFingerprinting with iris scanning

Future of BiometricsFuture of Biometrics

Biometrics will grow!Biometrics will grow! It will be present in areas that really need security.It will be present in areas that really need security. It will be integrated into our daily lives.It will be integrated into our daily lives.

IBM has shipped 3 million ThinkPads that have an embedded security IBM has shipped 3 million ThinkPads that have an embedded security chip and the ability to authenticate by fingerprint to get on the system.chip and the ability to authenticate by fingerprint to get on the system.

Door locks (with knob and handle) that contain a fingerprint sensorDoor locks (with knob and handle) that contain a fingerprint sensor CarsCars SafesSafes USB Flash DrivesUSB Flash Drives WeaponryWeaponry