1. Biometrics The Password You’ll Never Forget Shadi Azoum & Roy Donaldson CIS 4360 – Introduction to Computer Security

2. What Is Biometrics? The automated identification or verification of human identity through physiological and behavioral traits The automated identification or verification of human identity through physiological and behavioral traits

3. History of Biometrics The first known example of biometrics was fingerprinting in China in the 14 th century, used to distinguish young children from one another. The first known example of biometrics was fingerprinting in China in the 14 th century, used to distinguish young children from one another. In the past three decades, it has moved from solely fingerprinting to more than ten discreet methods. In the past three decades, it has moved from solely fingerprinting to more than ten discreet methods. Laws and regulations continue to be drafted and standards are beginning to be developed. No biometric has yet reached the breadth of fingerprinting. Laws and regulations continue to be drafted and standards are beginning to be developed. No biometric has yet reached the breadth of fingerprinting.

4. Uses of Biometrics Identification determines who a person is. Identification determines who a person is. Take the measured characteristic and try to find a match in a database containing records of people and that characteristic. Take the measured characteristic and try to find a match in a database containing records of people and that characteristic. Can require a large amount of processing power and some time if the database is large Can require a large amount of processing power and some time if the database is large Verification determines if a person is who they say they really are. Verification determines if a person is who they say they really are. Take the measured characteristic and compare it to the previously recorded data for that person Take the measured characteristic and compare it to the previously recorded data for that person Requires less processing power and time Requires less processing power and time

5. How Does Biometrics Work? All biometric systems operate the same way in a four-step process that is automated and computerized. All biometric systems operate the same way in a four-step process that is automated and computerized. Capture – a physical or behavioral sample is captured by the system during enrollment Capture – a physical or behavioral sample is captured by the system during enrollment Extraction – unique data are extracted from the sample and a template is created; unique features are then extracted by the system and converted into a mathematical code (biometric data); this sample is then stored as the biometric template for that person. Extraction – unique data are extracted from the sample and a template is created; unique features are then extracted by the system and converted into a mathematical code (biometric data); this sample is then stored as the biometric template for that person. Comparison – template is then compared with a new sample; a computer algorithm normalizes the captured biometric signature so that it is in the same format as an individual’s signature stored in the database; biometric data are then stored as the biometric template for that person Comparison – template is then compared with a new sample; a computer algorithm normalizes the captured biometric signature so that it is in the same format as an individual’s signature stored in the database; biometric data are then stored as the biometric template for that person Match/Non-match – the system decides whether the features extracted from the new sample are a match or a non-match with the template; if so, the person’s identity is confirmed Match/Non-match – the system decides whether the features extracted from the new sample are a match or a non-match with the template; if so, the person’s identity is confirmed

7. Why Use Biometrics? PINs, passwords, and physical tokens, are popular present-day methods used for authentication and verification. However, there are a number of problems associated with these types of identification. PINs, passwords, and physical tokens, are popular present-day methods used for authentication and verification. However, there are a number of problems associated with these types of identification. People forget, reuse, and write down passwords. People forget, reuse, and write down passwords. People loose tokens or they may be stolen. People loose tokens or they may be stolen. Recognition of passwords or tokens does not ensure the identity of the person providing it. Recognition of passwords or tokens does not ensure the identity of the person providing it. There is little “work” on the part of the user to authenticate or verify themselves. There is little “work” on the part of the user to authenticate or verify themselves. No memorization of passwords No memorization of passwords No misplacing of tokens No misplacing of tokens

8. Problems with Implementing Biometrics Cultural and Social Issues Cultural and Social Issues People would think that there are hidden cameras everywhere People would think that there are hidden cameras everywhere People believe biometrics is used only for criminals (i.e. fingerprint biometrics) People believe biometrics is used only for criminals (i.e. fingerprint biometrics) Some cultures do not allow taking photographs Some cultures do not allow taking photographs Biometric systems are not 100% accurate 100% of the time. Biometric systems are not 100% accurate 100% of the time. Humans are inconsistent: both our physical and behavioral characteristics can change over time. Humans are inconsistent: both our physical and behavioral characteristics can change over time. Technology is still more expensive Technology is still more expensive

9. Fingerprinting Basics Basics Takes an image (using ink or a digital scan) of a person’s fingerprints and records the characteristics. Takes an image (using ink or a digital scan) of a person’s fingerprints and records the characteristics. This information is usually not stored as an image. Instead, it is encoded as a character string. This helps to prevent reverse engineering of a person’s fingerprint, as well as decreasing lookup time. This information is usually not stored as an image. Instead, it is encoded as a character string. This helps to prevent reverse engineering of a person’s fingerprint, as well as decreasing lookup time. How It Works How It Works User presses his/her finger gently against a smaller reader surface. User presses his/her finger gently against a smaller reader surface. The reader scans the finger (usually about 5 seconds) and sends the information to a database. The reader scans the finger (usually about 5 seconds) and sends the information to a database. This is then compared to the information within. This is then compared to the information within. To prevent fake or detached fingers from being used, many systems also measure blood flow, temperature, or check for correctly arrayed ridges at the edges of the finger. To prevent fake or detached fingers from being used, many systems also measure blood flow, temperature, or check for correctly arrayed ridges at the edges of the finger.

12. Fingerprinting Evaluation Evaluation Accurate Accurate Powerful Powerful Small storage Small storage Highly developed and researched Highly developed and researched Secure Secure Requires a bit of management – scanner must be kept clean Requires a bit of management – scanner must be kept clean

13. Retinal Scanning Basics Basics Analyzes the layers of the blood vessels at the back of the eye using a low-intensity light source and an optical coupler which can read the patterns at a greater level of accuracy Analyzes the layers of the blood vessels at the back of the eye using a low-intensity light source and an optical coupler which can read the patterns at a greater level of accuracy How It Works How It Works User looks through a small opening in the device at a small green light, and must keep their head still and eye focused on the light for several seconds during which time the device will verify the identity. User looks through a small opening in the device at a small green light, and must keep their head still and eye focused on the light for several seconds during which time the device will verify the identity. The process takes about 10 to 15 seconds in total. The process takes about 10 to 15 seconds in total. Evaluation Evaluation Most accurate biometric available today Most accurate biometric available today Extremely difficult to fool the device Extremely difficult to fool the device Expensive Expensive Users think it is harmful to the eye and discomforting. Users think it is harmful to the eye and discomforting.

14. Iris Scanning Basics Basics Analyzes the features that exist in the colored tissue surrounding the pupil Analyzes the features that exist in the colored tissue surrounding the pupil How It Works How It Works User positions themselves such that he/she can see their own eye reflection in the device (can be done at a slight distance) User positions themselves such that he/she can see their own eye reflection in the device (can be done at a slight distance) Uses a regular video camera Uses a regular video camera Can be done even through glasses Can be done even through glasses Light varied to watch for pupil dilation Light varied to watch for pupil dilation Evaluation Evaluation Likelihood of a false positive very low, due to uniqueness of eyes even between right and left eyes. Likelihood of a false positive very low, due to uniqueness of eyes even between right and left eyes. Takes a bit more memory to store Takes a bit more memory to store

15. Speaker Recognition Basics Basics Analyzes the acoustic features of speech that are unique to each individual Analyzes the acoustic features of speech that are unique to each individual Acoustic patterns reflect both the anatomy (size and shape of throat and mouth) and learned behavioral patterns (voice pitch and speaking style). Acoustic patterns reflect both the anatomy (size and shape of throat and mouth) and learned behavioral patterns (voice pitch and speaking style). How It Works How It Works User speaks into microphone his/her password or access phrase. User speaks into microphone his/her password or access phrase. Verification time is approximately 5 seconds. Verification time is approximately 5 seconds. Most devices require the high and low frequencies of the sound to match to prevent recorded voice use. Most devices require the high and low frequencies of the sound to match to prevent recorded voice use. Evaluation Evaluation Low Cost – very little hardware is required (a microphone on a standard PC with software to analyze unique characteristics. Low Cost – very little hardware is required (a microphone on a standard PC with software to analyze unique characteristics. Ideally suited for telephone-based applications Ideally suited for telephone-based applications Difficult to analyze speech Difficult to analyze speech

16. Using Biometrics Without Ruining Its Functionality Use with a combination of other security mechanisms Use with a combination of other security mechanisms Fingerprinting in combination with a password Fingerprinting in combination with a password Use with a combination of other biometrics Use with a combination of other biometrics Fingerprinting with iris scanning Fingerprinting with iris scanning

17. Future of Biometrics Biometrics will grow! Biometrics will grow! It will be present in areas that really need security. It will be present in areas that really need security. It will be integrated into our daily lives. It will be integrated into our daily lives. IBM has shipped 3 million ThinkPads that have an embedded security chip and the ability to authenticate by fingerprint to get on the system. IBM has shipped 3 million ThinkPads that have an embedded security chip and the ability to authenticate by fingerprint to get on the system. Door locks (with knob and handle) that contain a fingerprint sensor Door locks (with knob and handle) that contain a fingerprint sensor Cars Cars Safes Safes USB Flash Drives USB Flash Drives Weaponry Weaponry