GA10 People and Security Lecture 3: Biometrics Applying risk - - PDF document



SLIDE 1

GA10 People and Security Lecture 3: Biometrics

SLIDE 2

Applying risk analysis

Goals of this lecture

  • Brief introduction to biometrics
  • Context: ICAO, US Visit and the ID cards programme
  • Issues with current equipment
    – Performance
    – Usability
    – User acceptance
  • How secure are biometrics?

SLIDE 3

Basics on biometrics

  • Enrolment and subsequent
    – verification (through ID + biometric), or
    – identification (biometric only)
  • Full images or templates
    – Passports require images; templates are more efficient
  • Size of database affects performance

SLIDE 4

Physical biometrics

  • Fingerprint
  • Finger / Palm Vein
  • Hand geometry
  • Face recognition
  • Iris
  • Retina
  • Ear shape

SLIDE 5

Behavioural biometrics

  • Voice print
  • Dynamic Signature Recognition (DSR)
  • Typing pattern
  • Gait recognition
  • Heart rate analysis

SLIDE 6

Fingerprint recognition

  • Applications
    – Authentication/Access control
      • Doors
      • PCs/laptops
      • US Visit programme (http://www.dhs.gov/dhspublic/interapp/content_multi_image/content_multi_image_0006.xml)

SLIDE 7

Hand geometry

  • Applications
    – Authentication (e.g. INSPASS program)
  • Usability
    – Easier to position hand than fingers
    – Less susceptible to small injuries
    – Hygiene concerns

SLIDE 8

Voice recognition applications

  • Applications
    – Speaker recognition
    – Telephony-based interactions (home banking and insurance)
    – Lie detector
  • Usability issues
    – Speaker training
    – Voice changes – colds etc.
    – Background noise

SLIDE 9

Dynamic Signature Recognition

  • Applications
    – Electronic documents with signature: contracts, mortgage agreements
    – Anything that needs signing
  • Usability issues
    – Natural interaction that most users understand, but difficult on handhelds
    – Declaration of will

SLIDE 10

Biometrics Authentication

SLIDE 11

Enrolment

  • Crucial for security and subsequent performance
    – In some contexts, identity of enrolee needs to be checked
    – Biometrics enrolled need to be
      • genuine (see attacks)
      • of good enough quality to work
  • Enrolment procedure needs to be formalised
    – Staff need to be trained
    – Staff need to be trustworthy or closely checked
  • Time taken to carry out enrolment often under-estimated

SLIDE 12

Failure to Enrol (FTE) & Failure to Acquire (FTA)

  • FTEs and FTAs threaten universal access
  • Reasons for FTE/FTA
    – Biometric not present
    – Biometric not sufficiently prominent or stable
      • Finger: wearing down of fingerprints, calluses (manual work, chemicals, sports, age), deformation, arthritis
      • Iris: missing iris, very dark eyes, glasses or contacts (reflection or frame), drooping eyelids
      • Face: veils, eyepatches, head coverings, severe disfigurement, inability to keep still

SLIDE 13

Context

  • International developments
    – ICAO agreement
    – US Visit
  • UK ID legislation
    – Stand-alone ID card for everyone over 16
    – 3 biometrics (face, 10 fingers, 2 irises) on card, and in National Identity Register
    – Access by government departments, federated ID
    – Access by commercial organisations

SLIDE 14

Example FTE rates from UKPS enrolment trial

              Finger    Iris      Face
  Quota       0.69%     12.30%    0.15%
  Disabled    3.91%     39%       2.73%

SLIDE 15

False Acceptance Rate (FAR) & False Rejection Rates (FRR)

  • FAR
    – accepting a user who is not registered
    – mistaking one registered user for another
    – ICAO: FAR of 0.01% is regarded as acceptable
  • FRR
    – rejecting a registered user
  • High FRRs reduce usability, high FARs reduce security
    – customer-based applications tend to raise FAR
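The FAR/FRR trade-off on this slide, together with the earlier point that database size affects performance (slide 3), as an added example that is not part of the lecture. The match scores are constructed, the assumption that 1:N identification behaves like N independent 1:1 comparisons is the usual first-order model, and the 0.01% FAR and 10,000-person database are the figures quoted in these slides.

```python
"""FAR/FRR at a threshold, and what 1:N identification does to FAR.

Added example (not course material). Scores are constructed; the 0.01%
FAR figure is the ICAO value quoted on the slide.
"""

# Constructed match scores in [0, 1]; higher means a closer match.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.69, 0.85, 0.93, 0.58]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.22, 0.63, 0.18, 0.30, 0.72, 0.27, 0.15]

ICAO_ACCEPTABLE_FAR = 0.0001  # 0.01%, from the slide


def far_frr(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FAR and FRR when the system accepts any score >= threshold.

    FAR: share of impostor attempts wrongly accepted.
    FRR: share of genuine attempts wrongly rejected.
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=100):
    """Lowest threshold on a grid of `steps` points where FAR and FRR are
    closest: the operating point usually reported as the equal error rate."""
    best_t, best_gap = 0.0, None
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


def identification_far(far_1to1, n_enrolled):
    """Probability an impostor matches at least one stored template when
    identification is done as N independent 1:1 comparisons at FAR far_1to1
    (assumed model). This is why database size affects performance."""
    return 1.0 - (1.0 - far_1to1) ** n_enrolled


def tradeoff_table(thresholds=(0.4, 0.5, 0.6, 0.7, 0.8, 0.9)):
    """(threshold, FAR, FRR) rows: raising the threshold lowers FAR and raises FRR."""
    return [(t, *far_frr(t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in tradeoff_table():
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("EER threshold:", equal_error_threshold())
    # ICAO's 0.01% per-comparison FAR against a 10,000-person database
    print("1:N FAR at N=10,000:", round(identification_far(ICAO_ACCEPTABLE_FAR, 10_000), 3))
```

The last line is the point a security reviewer should take away: a per-comparison FAR that is acceptable for verification (0.01%) gives roughly a 63% chance that an impostor matches somebody when the same threshold is used for identification against 10,000 templates, so identification needs a far stricter threshold, and that pushes FRR up.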

SLIDE 16

Performance

  • User performance depends on
    – frequency of use: frequent users complete faster and with fewer errors; infrequent users need step-by-step guidance and detailed feedback
    – degree of cooperation
    – total usage time (not just for matching)

SLIDE 17

SLIDE 18

SLIDE 19

"We were aiming for it to scan 12 pupils a minute, but it was only managing 5 so has been temporarily suspended as we do not want pupils' meals getting cold while they wait in the queue."

Careful balancing of business process requirements and security requirements needed

SLIDE 20

Total Usage Process

  • Time quoted by suppliers often refers only to capture of live image & matching
    – Walk up to machine
    – Put down bags, remove hats, etc.
    – Find token (if used)
    – Put on token (if used)
    – Read token
    – Wait for live image to be captured & matched
    – Walk away & free machine for next user
    – Plus average number of rejections & re-tries
  • Average usage time in BioPII 12-20 seconds, longer with infrequent users
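The total usage process above as an added example, not from the lecture: it adds up every step the user goes through, not only the capture-and-match figure a supplier quotes, and folds in the expected number of retries caused by false rejections. The per-step durations are constructed, and the retry policy (independent attempts, give up after `max_attempts`) is an assumption; the FRR values used in the demonstration are the UKPS trial figures from slide 21.

```python
"""Total usage time per user, not just capture-and-match time.

Added example (not from the lecture). Step durations are constructed and
the retry policy is an assumption.
"""

# Constructed per-step durations in seconds for a frequent user.
STEP_SECONDS = {
    "walk up to machine": 2.0,
    "put down bags, remove hat": 3.0,
    "find token": 2.0,
    "present token": 1.0,
    "read token": 1.0,
    "capture live image & match": 3.0,   # typically the only figure a supplier quotes
    "walk away, free machine": 2.0,
}
RETRIED_STEPS = ("capture live image & match",)  # repeated after a false rejection


def expected_attempts(frr, max_attempts):
    """Expected number of capture attempts if each attempt is independently
    rejected with probability frr and the user gives up after max_attempts:
    E[attempts] = sum_{k=0}^{max_attempts-1} frr^k."""
    return sum(frr ** k for k in range(max_attempts))


def fallback_rate(frr, max_attempts):
    """Share of genuine users rejected on every attempt; these need a
    manual exception process (the FRR handling of slide 50)."""
    return frr ** max_attempts


def expected_usage_seconds(frr, max_attempts, slowdown=1.0, steps=STEP_SECONDS):
    """Expected wall-clock time the machine is occupied by one user.
    `slowdown` scales every step, e.g. 2.0 for an infrequent user who needs
    step-by-step guidance (assumed factor)."""
    fixed = sum(t for name, t in steps.items() if name not in RETRIED_STEPS)
    per_attempt = sum(steps[name] for name in RETRIED_STEPS)
    return slowdown * (fixed + per_attempt * expected_attempts(frr, max_attempts))


def supplier_quoted_seconds(steps=STEP_SECONDS):
    """The capture-and-match time on its own."""
    return sum(steps[name] for name in RETRIED_STEPS)


def users_per_minute(usage_seconds):
    """Throughput of one machine given the full usage time per user."""
    return 60.0 / usage_seconds


if __name__ == "__main__":
    print("supplier quote:", supplier_quoted_seconds(), "s")
    for label, frr in (("iris, quota", 0.0175), ("finger, quota", 0.1170), ("face, quota", 0.3082)):
        t = expected_usage_seconds(frr, max_attempts=3)
        print(f"{label}: {t:.1f} s/user, {users_per_minute(t):.1f} users/min, "
              f"{fallback_rate(frr, 3):.1%} need manual fallback")
    print("infrequent user, finger:", expected_usage_seconds(0.1170, 3, slowdown=2.0), "s")
```

Running it shows why the "12 pupils a minute" plan on the previous slide was optimistic: even with a 3-second match, the surrounding steps and retries put one machine in the 4-5 users per minute range, and doubling the step times for infrequent users halves that again.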

SLIDE 21

FRR rates from UKPS enrolment trial

              Finger                 Iris                   Face
  Quota       11.70% (1 min 13 sec)  1.75% (58 sec)         30.82% (39 sec)
  Disabled    16.35% (1 min 20 sec)  8.22% (1 min 18 sec)   51.57% (1 min 3 sec)

(FRR per group and modality, with the associated time in parentheses)

SLIDE 22

Example: Disney Orlando

  • Goal: revenue protection
  • Technology: hand geometry
  • Users: season ticket holders (4000)
  • Performance:
    – High FAR threshold (5%+)
    – Soft response to rejections
    – 9-10 secs; ops people grumble: 5 secs needed

SLIDE 23

Example: Smartgate Sydney Airport

  • Problem: speedy & secure immigration
  • Technology: face recognition system
  • Users: Qantas air crew (2000)
  • Performance:
    – FAR “less than 1%”
    – FRR 2%
    – “could be faster” (average 12 secs)
  • Several re-designs necessary, including updating of image templates

SLIDE 24

Usability Issues: Finger

  • Which finger?
  • How to position
    – Where on sensor?
    – Which part of finger?
    – Straight or sideways?
  • Problems: arthritis, long fingernails, hand cream, circulation problems

SLIDE 25

Which finger?

SLIDE 26

Finger position?

SLIDE 27

Usability Issues: Iris

  • What is it – iris or face?
  • One or both eyes?
  • One eye: how to focus?
  • Distance adjustment
  • Positioning
    – “rocking” or “swaying”
  • Glasses and contact lenses
    – about half of population wear them
    – Target area difficult to see when glasses are removed

SLIDE 28

Focussing

SLIDE 29

Height adjustment

  • Often not sufficient for very short (under 1.55 m) or very tall (over 2.10 m) people, or wheelchair users
  • Need to use hand to adjust
    – If card needs to be held, other things users carry or hold need to be put down

SLIDE 30

Height adjustment

SLIDE 31

… but users may not realise this,
… or be reluctant to touch equipment,
… or think it takes too long

SLIDE 32

Usability Issues: Face

  • What is it?
  • Where do I stand?
  • Where do I look/what am I looking at?
  • Standing straight, keeping still
  • “Neutral expression”
  • Hats, changes in (facial) hair, makeup

SLIDE 33

Distance

SLIDE 34

“Neutral expression”

SLIDE 35

UK Passport Service Trial

  • Best performing: iris with “normal” users – FRR 4%
  • Worst performing: face recognition with disabled users – FRR 30%
  • Verification time: 40-80 secs
  • With a database of 10,000 people

SLIDE 36

User Acceptance

  • Acceptance requires
    – perceived need for security
    – trust in operator
    – convenience, or at least usability

SLIDE 37

User Acceptance Issues – Finger

  • Hygiene, hygiene, hygiene
  • Association with forensics/criminals
  • Finger chopped off

SLIDE 38

SLIDE 39

SLIDE 40

Liveness detection

  • Detects movement, pulse, blood flow
  • Fitted to several systems, but tends to increase FRR
  • Users: fine, but do the criminals know about it?

SLIDE 41

User Acceptance Issues - Iris

  • Iris
    – Risk to health (e.g. damage to eyes, triggering epilepsy)
    – Covert medical diagnosis
      • Illnesses (iridology)
      • Pregnancy
      • Drugs
  • “Minority Report” attacks

SLIDE 42

User Acceptance Issues - Face

  • Covert identification
  • Surveillance/tracking
    – Direct marketing

SLIDE 43

User Acceptance – General Issues

  • Data protection – threat to privacy
  • Abuse by employer, commercial organisations, state, or malicious individuals
    – Increasing capability of technology – e.g. iris recognition at a distance
    – Integration with other technologies – e.g. RFID
  • Doubts about reliability
    – Sophisticated attackers
    – Can government really keep systems secure?
    – Cheap systems and successful attacks erode confidence

SLIDE 44

SLIDE 45

SLIDE 46

Attacks - Finger

  • Simple
    – Activate latent prints: breathing, bag with warm water
  • Sophisticated
    – Lift print with tape or photograph
      • Gelatine print (gummy bear attack) – lasts 1x
      • Silicone print

SLIDE 47

Attacks - Iris

  • Simple
    – Picture of eye stuck on glasses
  • Sophisticated
    – Coloured contact lens
      • Get someone else to enrol and give you lenses & passport
      • Print iris image onto coloured contact lens

SLIDE 48

Attacks - Face

  • Simple
    – Photo or video of person
    – Glasses
  • Sophisticated
    – Mask (Mission Impossible attack) http://www.heise.de/ct/english/02/11/114/bild7.jpg

SLIDE 49

SLIDE 50

Maintaining performance in continuing use

  • Maintenance required to maintain performance, e.g. cleaning of sensors
  • Keeping systems secure from attacks (including vandalism and insider attacks)
  • Secure and efficient processes for dealing with FRRs and FTE/FTA users
  • Secure & efficient processes for new enrolments, and secure re-enrolment in cases with high FRR or significant changes

SLIDE 51

Summary

  • Biometrics have potential to reduce users’ workload and improve business process, IF
    1. systems are reliable, robust, easy to install, maintain and use
    2. security of overall system can be assured
    3. performance meets required level and can be sustained in everyday use
    4. systems are accessible and acceptable to users.

SLIDE 52

Challenges

  • Large public applications face additional issues
  • Universal access
    – System with best FTE performance (face) has worst FRR
    – Systems with better FRR have unacceptable FTE (for some applications)
    – Accommodating all users to provide universal access
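The universal-access trade-off on this slide, worked through with the UKPS trial figures from slides 14 and 21, as an added example that is not part of the lecture. It combines FTE and FRR into a single "excluded users" figure and shows why allowing retries changes the ranking: retries shrink the FRR term but do nothing for the users who could not enrol. Treating attempts as independent and the `max_attempts` retry policy are assumptions.

```python
"""Universal access: combining FTE and FRR, with retries.

Added example (not from the lecture). The percentages are the UKPS
enrolment trial figures quoted on slides 14 and 21; independent attempts
and the retry limit are assumptions.
"""

UKPS_FTE = {  # failure to enrol, slide 14
    "finger": {"quota": 0.0069, "disabled": 0.0391},
    "iris":   {"quota": 0.1230, "disabled": 0.3900},
    "face":   {"quota": 0.0015, "disabled": 0.0273},
}
UKPS_FRR = {  # false rejection rate, slide 21
    "finger": {"quota": 0.1170, "disabled": 0.1635},
    "iris":   {"quota": 0.0175, "disabled": 0.0822},
    "face":   {"quota": 0.3082, "disabled": 0.5157},
}


def excluded_fraction(fte, frr, max_attempts=1):
    """Share of users the automated path cannot serve: those who could not
    enrol, plus enrolled users rejected on all max_attempts tries.
    Retries shrink the FRR term; nothing here shrinks the FTE term."""
    return fte + (1.0 - fte) * frr ** max_attempts


def rank_modalities(group, max_attempts=1):
    """Modalities ordered from fewest to most excluded users for one group."""
    rows = [
        (m, excluded_fraction(UKPS_FTE[m][group], UKPS_FRR[m][group], max_attempts))
        for m in UKPS_FTE
    ]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for group in ("quota", "disabled"):
        for attempts in (1, 3):
            ranked = ", ".join(f"{m} {x:.1%}" for m, x in rank_modalities(group, attempts))
            print(f"{group}, {attempts} attempt(s): {ranked}")
```

For the quota group, face is the worst choice with a single attempt (its FRR dominates) but overtakes iris once three attempts are allowed, because iris's 12.3% FTE cannot be retried away; for the disabled group iris stays last regardless of retries for the same reason. This is the slide's point in numbers: FTE, not FRR, is the hard limit on universal access, and the exception process for FTE/FTA users (slide 50) has to be designed for the size of that group.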