Biometrics and secondary authentication. Victoria Cepeda, March 11, 2015 - PowerPoint PPT Presentation



SLIDE 1

Biometrics and secondary authentication.

Victoria Cepeda

March 11, 2015

Some slides adapted from Michelle Mazurek, Lorrie Cranor,Blase Ur, Chandrasekhar Bhagavatula and Stephen Siena

SLIDE 2

Authentication in simple terms

  • Positive verification of identity (man or machine)
  • Verification of a person’s claimed identity
  • Categories:
  • What you know
  • What you have
  • Who you are
SLIDE 3

Authentication Categories

  • What you know
  • Password
  • PIN
  • What you have
  • e-Token
  • ATM Cards
  • Who you are
  • Biometrics
SLIDE 4

Desired properties of Authentication Methods

  • Widely (universally) applicable
  • Easy to use
  • Easy to remember, match and change
  • Quick to use
  • Should be consistent over time
  • Hard to guess (large search space)
  • Can be revoked
SLIDE 5

What is Biometrics?

  • “Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic.” – The Biometric Consortium
  • In other words: characteristics of the human body can be used to identify or authenticate.

Images from http://www.sciencedaily.com and http://www.economist.com

SLIDE 6

Types of Biometrics

“Physiological”

  • Face
  • Iris
  • Fingerprint
  • Ear
  • Teeth
  • DNA
  • Heartbeat
  • Vein pattern
  • Hand and finger geometry
SLIDE 7

Types of Biometrics

“Behavioral”

  • Gait
  • Keystrokes
  • Mouse movements
  • Voice
  • Signature
SLIDE 8

What is the goal of biometrics?

SLIDE 9

Biometrics Process

Flowchart (recovered from the slide figure): Biometric Data Collection → Transmission → Quality Sufficient? (No: a new biometric sample is requested) → Yes: Signal Processing, Feature Extraction, Representation → Template Match against the Database → Decision Confidence? (No: a new biometric sample is requested).

SLIDE 10

Comparison between some biometric techniques

SLIDE 11

Performance Metrics

False Rejection/Acceptance Errors:

  • FAR (False Acceptance Rate): percent of invalid inputs that are incorrectly accepted.
  • FTA (Failure to Acquire): occurs when a user tries to enter new samples into a system for verification and the system cannot capture a usable sample.
  • FTE (Failure to Enroll): occurs if a person is unable to enroll in a system.
  • FNM (False Non-Match): occurs when a system rejects an authorized user.
  • FM (False Match): occurs when a system accepts an unauthorized user as an authorized user.
  • FRR (False Reject Rate): percent of valid inputs that are incorrectly rejected. FRR is a percentage calculated from a combination of a system’s FTE, FTA, and FNM.
  • CER (Crossover Error Rate): the rate at which the accept and reject error rates are equal.

SLIDE 12

Performance Metrics Curve

  • The line labeled EER (equal error rate) marks the operating point where false accepts and false rejects are equally likely, i.e. balanced performance.
  • From the graph it is easy to see that if user comfort is increased (the match threshold is relaxed so that fewer genuine users are rejected), the false positive rate will increase.
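The following Python is a worked example added here; it is not code from the slides or from any of the cited authors. It computes FAR and FRR over a sweep of decision thresholds from constructed genuine and impostor match scores, locates the crossover point (the CER/EER of slides 11 and 12), and shows the quality-check-then-decision step of the slide 9 process. The score lists, the `decide` policy and the quality cut-off are all constructed for illustration.

```python
from __future__ import annotations

# Constructed sample data (not from the slides): similarity scores in [0, 1]
# produced by a hypothetical matcher.  Genuine = enrolled template compared with a
# fresh sample of the same person; impostor = enrolled template compared with
# a sample from someone else.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.75, 0.72, 0.66, 0.60]
IMPOSTOR_SCORES = [0.70, 0.62, 0.55, 0.52, 0.48, 0.45, 0.40, 0.35, 0.30, 0.22]


def false_accept_rate(impostor: list[float], threshold: float) -> float:
    """FAR: share of impostor comparisons at or above the threshold (false matches)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_reject_rate(genuine: list[float], threshold: float) -> float:
    """FRR: share of genuine comparisons below the threshold (false non-matches)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine: list[float], impostor: list[float], steps: int = 100):
    """(threshold, FAR, FRR) at evenly spaced thresholds in [0, 1]: the data behind
    a performance-metrics curve like the one on slide 12."""
    return [(i / steps,
             false_accept_rate(impostor, i / steps),
             false_reject_rate(genuine, i / steps)) for i in range(steps + 1)]


def crossover_error_rate(genuine: list[float], impostor: list[float], steps: int = 100):
    """Threshold at which FAR and FRR are closest, and the error rate there (CER/EER)."""
    t, far, frr = min(error_curve(genuine, impostor, steps),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


def decide(score: float, quality: float, threshold: float, min_quality: float = 0.5) -> str:
    """The two decision points of the slide 9 process: a sample below the quality
    bar is re-requested (this is what FTA counts), otherwise accept/reject on score."""
    if quality < min_quality:
        return "recapture"
    return "accept" if score >= threshold else "reject"


if __name__ == "__main__":
    t, eer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER/EER at threshold {t:.2f}: error rate {eer:.2f}")
    # A lower threshold means more user comfort (fewer false rejects) and a higher FAR.
    for thr in (0.5, t, 0.8):
        print(f"threshold {thr:.2f}: FAR {false_accept_rate(IMPOSTOR_SCORES, thr):.2f} "
              f"FRR {false_reject_rate(GENUINE_SCORES, thr):.2f}")
```

Sweeping the threshold is the whole point: a deployment picks one operating point on this curve, and the choice is a policy decision (convenience versus impostor risk), not something the matcher decides for you.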

SLIDE 13

Applications of Biometric System

  • Criminal identification
  • Internet banking
  • Attendance system
  • Airport, Bank security
  • PC login security
  • Prevents unauthorized access to private data
  • Financial transaction management
SLIDE 14

Challenges in Biometrics

  • Many biometrics are constantly changing
  • Every biometric is measured differently each time
SLIDE 15

Smartphone Biometrics

  • Both Google and Apple have introduced some form of biometric authentication on their smartphones
  • Potential advantages:
    – More secure
    – Easier unlocking of phone
  • Potential problems:
    – Do you want Google or Apple to have your biometrics at all times?
    – Both have been easily broken (Face unlock and Fingerprint unlock)
    – Google tried to fix it by adding a liveness checking option where they required a blink. (It doesn’t really help)

SLIDE 16

The brave new world of biometrics

  • University of California, Berkeley: researchers develop technology to access passwords with the mind.
  • Defense Advanced Research Projects Agency (DARPA): "password pill" or "electronic tattoo" that would serve as your personal ID.

SLIDE 17

Review: 3 Categories

  • What you know
  • Password
  • PIN
  • What you have
  • e-Token
  • Cards & badges
  • Who you are
  • Biometrics
SLIDE 18

Pros and Cons of each authentication method

SLIDE 19

Secondary authentication

  • Security questions:
  • Favorite athlete?
  • Where Barack Obama met his wife?
  • Jennifer Lawrence’s mother’s maiden

Image from http://www.wikipedia.org

  • Provides unambiguous identification of users by means of the combination of two or more different components.

SLIDE 20

Types of secondary authentication

  • Two- (or multi-) factor authentication, where secondary authentication is used in conjunction with primary authentication
  • Account reset, where secondary authentication is used when the primary authentication is lost/forgotten/invalidated

SLIDE 21

Types of secondary authentication

  • Which types of secondary authentication do you know?
  • Have you used any type of secondary authentication?

SLIDE 22

Secondary authentication methods

  • Answer challenge questions (both)
  • E-mail with key/link (both)
  • SMS with key/link (both)
  • Smartphone (both)
  • Identify your friends in photos (both)
  • Provide old passwords (reset)
  • Trusted 3rd party verification (reset)
  • Printed secrets or code book (two-factor)
  • USB dongle (two-factor)
  • Biometrics (two-factor)
SLIDE 23

Combining Authenticators

SLIDE 24

Why secondary authentication?

SLIDE 25

Matt Honan

SLIDE 26

“the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers”

SLIDE 27

Enter… Matt Cutts

SLIDE 28

SLIDE 29

1) Something you know 2) Something you have

SLIDE 30

“Authentication at Scale”(2013)

  • Google is investing in authentication using two-step verification via one-time passwords and public-key-based technology to achieve stronger user and device identification.
  • “Security and usability problems are intractable: it’s time to give up on elaborate password rules and look for something better”

SLIDE 31

“Authentication at Scale”(2013)

  • Account types:
  • routine (subscription)
  • spokesperson (blog)
  • sensitive (email)
  • very high value transaction (cross-border monetary flow)
  • Authentication methods:
  • Device-Centric Authorization
  • Two-factor verification
  • Smartcard-Like USB Token
  • Channel Bindings
  • Server-Side Technology
  • Service Accounts and Delegation
  • Common threats:
  • Phishing
  • Reuse
  • Offline brute forcing
  • Easily guessed security questions and answers
  • Malware infection
SLIDE 32

“It’s no secret” paper

  • 4 of the most popular webmail providers—AOL, Google, Microsoft, and Yahoo!—rely on personal questions as the secondary authentication secrets used to reset account passwords.
  • User study to measure the reliability and security of the questions.
  • Findings:
  • Acquaintances were able to guess 17% of the answers
  • 20% of users forgot their answers after 6 months
  • 13% of answers could be guessed within 5 attempts
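The "guessed within 5 attempts" finding is a statement about how concentrated the population's answers are: an attacker who knows only which answers are common needs no personal knowledge at all. The Python below is an added example, not code or data from the paper, that measures this for a constructed answer set and adds the enrollment-time check a provider can apply, rejecting answers that are too popular (the same idea as a common-password blacklist, which also addresses the "easily guessed security questions and answers" threat on the previous slide). The answer list, the 20-user population and the 1% default popularity cut-off are constructed for illustration.

```python
from __future__ import annotations

from collections import Counter

# Constructed answers to "Favorite athlete?" from 20 hypothetical users
# (not data from the paper).  A few very popular answers are what makes such a
# question guessable in a handful of attempts.
ANSWERS = [
    "Messi", "messi", "MESSI ", "Messi", "Messi",
    "Ronaldo", "Ronaldo", "Ronaldo", "Ronaldo",
    "Jordan", "Jordan", "Jordan",
    "Serena", "Serena",
    "Federer", "Bolt", "Phelps", "Nadal", "Biles", "Hamilton",
]


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form, the way a lenient matcher compares
    answers; the guessability analysis must use the same normalization."""
    return " ".join(answer.lower().split())


def answer_distribution(answers: list[str]) -> Counter:
    return Counter(normalize(a) for a in answers)


def top_k_success_rate(answers: list[str], k: int) -> float:
    """Share of users compromised by an attacker who tries the k most common
    answers in the population, with no knowledge of the individual."""
    dist = answer_distribution(answers)
    return sum(count for _, count in dist.most_common(k)) / len(answers)


def guesses_needed(answers: list[str], target_share: float) -> int:
    """Smallest number of population-wide guesses that reaches target_share of users."""
    dist = answer_distribution(answers)
    seen = 0
    for k, (_, count) in enumerate(dist.most_common(), start=1):
        seen += count
        if seen / len(answers) >= target_share:
            return k
    return len(dist)


def is_too_popular(answer: str, answers: list[str], max_share: float = 0.01) -> bool:
    """Enrollment-time policy check: reject an answer whose share of the existing
    population exceeds max_share, so the top-k attack above stops paying off."""
    dist = answer_distribution(answers)
    return dist[normalize(answer)] / len(answers) > max_share


if __name__ == "__main__":
    for k in (1, 3, 5):
        print(f"{k} guess(es) compromise {top_k_success_rate(ANSWERS, k):.0%} of users")
    print("guesses to reach half the users:", guesses_needed(ANSWERS, 0.5))
    print("accept 'Messi' at 5% cut-off?", not is_too_popular("Messi", ANSWERS, 0.05))
```

On this constructed set five guesses reach 75% of users, far worse than the 13% the paper measured, which is the expected effect of a question with a small set of obvious answers; the popularity check is what pushes a question's answer distribution back toward flat.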
SLIDE 33

“It’s no secret” (2009)

  • What recruitment method was used for this study?
  • Do you think this method would introduce bias into the study?
  • What other method(s) would you have used to recruit subjects for a study like this?

SLIDE 34

“It’s no secret” (2009)

  • What recruitment method was used for this study? “Our recruiting team selected participants from a larger pool of potential participants they maintain for all studies at Microsoft.”
  • Do you think this method would introduce bias into the study?
  • What other method(s) would you have used to recruit subjects for a study like this?

SLIDE 35

It’s Not What You Know, But Who You Know. A social approach to last-resort authentication (2009)

  • Authentication system that employs social authentication.
  • 3 experiments:
  • (1) reliably authenticate account holders,
  • (2) resist email attacks that target trustees by impersonating account holders, and
  • (3) resist phone-based attacks from individuals close to account holders.

SLIDE 36

It’s Not What You Know, But Who You Know. A social approach to last-resort authentication (2009)

  • Advantages of the approach?
  • Disadvantages of the approach?
SLIDE 37

It’s Not What You Know, But Who You Know. A social approach to last-resort authentication (2009)

Advantages

  • Targeted Content - Websites can obtain a profile and social graph data in order to target personalized content to the user. This includes information such as name, email, hometown, interests, activities and friends. However, this can create issues for privacy, and result in a narrowing of the variety of views and options available on the internet.
  • Multiple Identities - users can better control their online identity
  • Registration Data - Many websites use the profile data returned from social login instead of having users manually enter their PII into web forms. This can potentially speed up the registration or sign-up process.
  • Pre-Validated Email - Identity providers who support email, such as Google and Yahoo!, can return the user’s email address to the 3rd party website, preventing the user from supplying a fabricated email address during the registration process.
  • Account linking - Because social login can be used for authentication, many websites allow legacy users to link a pre-existing site account with their social login account without forcing re-registration.

SLIDE 38

It’s Not What You Know, But Who You Know. A social approach to last-resort authentication (2009)

  • Disadvantages:
  • Social login through platforms such as Facebook may unintentionally render third party websites useless within certain libraries, schools, or workplaces which block social networking services for productivity reasons.
  • Difficulties in countries with active censorship regimes, such as China and its "Golden Shield Project," where the third party website may not be actively censored, but is effectively blocked if a user's social login is blocked.

SLIDE 39

Case study: Biometrics in banking

  • Your bank implemented fingerprint scanning for high-value transactions, such as in-person withdrawals.
  • Clients have to carry ID and get their fingerprint scanned by a bank representative.
  • What could possibly go wrong?
SLIDE 40

A tale of biometrics and secondary authentication

SLIDE 41

A tale of biometrics and secondary authentication

Figure: panels labelled “Bank representative” and “Bank” (image content not recoverable).

SLIDE 42

A tale of biometrics and secondary authentication

SLIDE 43

Group activity

  • Design a secondary authentication mechanism
    – Could be some good challenge questions
    – Could be an entirely different method
  • Keep in mind:
    – Who will be using this?
    – What are the most important attributes for your mechanism?

SLIDE 44