
GA10 People and Security Lecture 3: Biometrics



  1. GA10 People and Security Lecture 3: Biometrics

  2. Applying risk analysis Goals of this lecture • Brief introduction to biometrics • Context: ICAO, US Visit and the ID cards programme • Issues with current equipment – Performance – Usability – User Acceptance • How secure are biometrics?

  3. Applying risk analysis Basics on biometrics • Enrolment and subsequent – verification (through ID + biometric), or – identification (biometric only) • Full images or templates – Passports require images, templates are more efficient • Size of database affects performance

  4. Applying risk analysis Physical biometrics • Fingerprint • Finger / Palm Vein • Hand geometry • Face recognition • Iris • Retina • Ear shape

  5. Applying risk analysis Behavioural biometrics • Voice print • Dynamic Signature Recognition (DSR) • Typing pattern • Gait recognition • Heart rate analysis

  6. Applying risk analysis Fingerprint recognition • Applications – Authentication/Access control • Doors • PCs/laptops • US Visit programme (http://www.dhs.gov/dhspublic/interapp/content_multi_image/content_multi_image_0006.xml)

  7. Applying risk analysis Hand geometry • Applications – Authentication (e.g. INSPASS program) • Usability – Easier to position hand than fingers – Less susceptible to small injuries – Hygiene concerns

  8. Applying risk analysis Voice recognition applications • Applications – Speaker recognition – Telephony-based interactions (home banking and insurance) – Lie detector • Usability issues – Speaker training – Voice changes – colds etc. – Background noise

  9. Applying risk analysis Dynamic Signature Recognition • Applications – Electronic documents with signature: contracts, mortgage agreements – Anything that needs signing • Usability issues – Natural interaction that most users understand, but difficult on handhelds – Declaration of will

  10. Applying risk analysis Biometrics Authentication

  11. Applying risk analysis Enrolment • Crucial for security and subsequent performance – In some contexts, identity of enrolee needs to be checked – Biometrics enrolled need to be • genuine (see attacks) • good enough quality to work • Enrolment procedure needs to be formalised – Staff need to be trained – Staff need to be trustworthy or closely checked • Time taken to carry out enrolment often under-estimated

  12. Applying risk analysis Failure to Enrol (FTE) & Failure to Acquire (FTA) • FTEs and FTAs threaten Universal Access • Reasons for FTE/FTA – Biometric not present – Biometric not sufficiently prominent or stable • Finger – wearing down of fingerprints, calluses (manual work, chemicals, sports, age), deformation, arthritis • Iris – missing iris, very dark eyes, glasses or contacts (reflection or frame), drooping eyelids • Face – veils, eyepatches, headcoverings, severe disfigurement, inability to keep still

  13. Applying risk analysis Context • International developments – ICAO agreement – US Visit • UK ID legislation – Stand-alone ID card for everyone over 16 – 3 biometrics (face, 10 finger, 2 iris) on card, and in National Identity Register – Access by govt departments, federated ID – Access by commercial organisations

  14. Applying risk analysis Example FTE rates from UKPS enrolment trial

      |          | Face  | Iris   | Finger |
      |----------|-------|--------|--------|
      | Quota    | 0.15% | 12.30% | 0.69%  |
      | Disabled | 2.73% | 39%    | 3.91%  |

  15. Applying risk analysis False Acceptance Rate (FAR) & False Rejection Rate (FRR) • FAR – accepting user who is not registered – mistaking one registered user for another – ICAO: FAR of 0.01% is regarded as acceptable • FRR – rejecting registered user • High FRRs reduce usability, high FARs reduce security – customer-based applications tend to raise FAR

  16. Applying risk analysis Performance • User performance depends on – frequency of use: • Frequent users complete faster and with fewer errors, infrequent users need step-by-step guidance and detailed feedback – Degree of cooperation – Total usage time (not just for matching)

  17. Applying risk analysis

  18. Applying risk analysis

  19. Applying risk analysis "We were aiming for it to scan 12 pupils a minute, but it was only managing 5 so has been temporarily suspended as we do not want pupils' meals getting cold while they wait in the queue." Careful balancing of business process requirements and security requirements needed

  20. Applying risk analysis Total Usage Process • Times quoted by suppliers often refer only to capture of live image & matching – Walk up to machine – Put down bags, remove hats, etc. – Find token (if used) – Put on token (if used) – Read token – Wait for live image to be captured & matched – Walk away & free machine for next user – Plus average number of rejections & re-tries Average usage time in BioPII 12-20 seconds, longer with infrequent users

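  21. Applying risk analysis FRR rates from UKPS enrolment trial

      |          | Face        | Iris         | Finger       |
      |----------|-------------|--------------|--------------|
      | Quota    | 30.82%      | 1.75%        | 11.70%       |
      |          | 39 sec      | 58 sec       | 1 min 13 sec |
      | Disabled | 51.57%      | 8.22%        | 16.35%       |
      |          | 1 min 3 sec | 1 min 18 sec | 1 min 20 sec |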

  22. Applying risk analysis Example: Disney Orlando • Goal: revenue protection • Technology: hand geometry • Users: season ticket holders (4000) • Performance: – High FAR threshold (5% +) – Soft response to rejections – 9-10 secs, ops people grumble: 5 secs needed

  23. Applying risk analysis Example: Smartgate Sydney Airport • Problem: speedy & secure immigration • Technology: Face recognition system • Users: Qantas air crew (2000) • Performance: – FAR “less than 1%” – FRR 2% – “could be faster” (average 12 secs) • Several re-designs necessary, including updating of image templates

  24. Applying risk analysis Usability Issues: Finger • Which finger? • How to position – Where on sensor? – Which part of finger? – Straight or sideways? • Problems: arthritis, long fingernails, hand cream, circulation problems

  25. Applying risk analysis Which finger?

  26. Applying risk analysis Finger position?

  27. Applying risk analysis Usability Issues: Iris • What is it – iris or face? • One or both eyes? • One eye: how to focus? • Distance adjustment • Positioning – “rocking” or “swaying” • Glasses and contact lenses – about half of population wear them – Target area difficult to see when glasses are removed

  28. Applying risk analysis Focussing

  29. Applying risk analysis Height adjustment • Often not sufficient for very short (under 1.55 m) or very tall (over 2.10) people, or wheelchair users • Need to use hand to adjust – If card needs to be held, other things users carry or hold need to be put down

  30. Applying risk analysis Height adjustment

  31. Applying risk analysis … but users may not realise this … or be reluctant to touch equipment, or think it takes too long

  32. Applying risk analysis Usability Issues: Face • What is it? • Where do I stand? • Where do I look/what am I looking at? • Standing straight, keeping still • “Neutral expression” • Hats, changes in (facial) hair, makeup

  33. Applying risk analysis Distance

  34. Applying risk analysis “Neutral expression”

  35. Applying risk analysis UK Passport Service Trial • Best performing: iris with “normal” users – FRR 4% • Worst performing: face recognition with disabled users – FRR 30% • Verification time: 40-80 secs • With a database of 10,000 people

  36. Applying risk analysis User Acceptance • Acceptance requires – perceived need for security – trust in operator – convenience, or at least usability

  37. Applying risk analysis User Acceptance Issues –Finger • Hygiene, Hygiene, Hygiene • Association with forensics/criminals • Finger chopped off

  38. Applying risk analysis

  39. Applying risk analysis

  40. Applying risk analysis Liveness detection • Detects movement, pulse, blood flow • Fitted to several systems, but tends to increase FRR • Users: fine, but do the criminals know about it?

  41. Applying risk analysis User Acceptance Issues - Iris • Iris – Risk to health (e.g. damage to eyes, triggering epilepsy) – Covert medical diagnosis • Illnesses (iridology) • Pregnancy • Drugs • “Minority Report” attacks

  42. Applying risk analysis User Acceptance Issues - Face • Covert identification • Surveillance/tracking – Direct marketing

  43. Applying risk analysis User Acceptance – General Issues • Data protection – threat to privacy • Abuse by employer, commercial organisations, state, or malicious individuals – Increasing capability of technology – e.g. iris recognition at a distance – Integration with other technologies – e.g. RFID • Doubts about reliability – Sophisticated attackers – Can government really keep systems secure? – Cheap systems and successful attacks erode confidence

  44. Applying risk analysis

  45. Applying risk analysis
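
The FAR/FRR trade-off from slide 15, the database-size effect from slide 3 and the re-try cost from slide 20, worked through as an added example that is not part of the original slides. The match scores and the matcher are constructed; the 0.01% FAR, the 10,000-person database and the 30.82% FRR are the figures quoted on slides 15, 35 and 21, and independence between comparisons and between re-tries is an assumption.

```python
"""FAR/FRR threshold trade-off, 1:N scaling and re-try cost (added example)."""

# Constructed similarity scores (0-100) from a hypothetical matcher.
# GENUINE: a user compared with their own enrolled template.
# IMPOSTOR: a user compared with somebody else's template.
GENUINE = [91, 88, 85, 83, 80, 78, 74, 70, 62, 55]
IMPOSTOR = [12, 18, 22, 25, 30, 34, 41, 47, 58, 66]


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostor attempts scoring >= threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of genuine attempts scoring < threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(thresholds):
    """(threshold, FAR, FRR) per setting: lowering the threshold trades
    security (FAR rises) for usability (FRR falls), and vice versa."""
    return [(t, far(t), frr(t)) for t in thresholds]


def identification_false_match(far_per_comparison, database_size):
    """Chance that a person who is NOT enrolled matches at least one record in
    identification (biometric only, 1:N) mode. Assumes independent comparisons."""
    return 1 - (1 - far_per_comparison) ** database_size


def expected_attempts(frr_value):
    """Mean number of presentations a genuine user needs before acceptance,
    assuming independent re-tries (geometric distribution)."""
    return 1 / (1 - frr_value)


if __name__ == "__main__":
    for t, a, r in sweep([40, 60, 75]):
        print(f"threshold {t}: FAR {a:.0%}  FRR {r:.0%}")
    # Slide 15's 0.01% FAR applied to slide 35's 10,000-person database.
    print(f"1:1 verification false match:  {identification_false_match(0.0001, 1):.4%}")
    print(f"1:N identification, N=10,000: {identification_false_match(0.0001, 10_000):.1%}")
    # Slide 21: quota-group face FRR of 30.82%.
    print(f"mean attempts at FRR 30.82%:   {expected_attempts(0.3082):.2f}")
```

A per-comparison FAR that is acceptable for verification against one claimed identity gives a much higher false-match probability when the same biometric is searched against every record, which is why slide 3 notes that database size affects performance.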
