Privacy & Identity - Security and Usability: The Viability of Passwords & Biometrics

This document discusses passwords and biometrics for identity authentication. It provides an overview of biometrics, how they work, and their strengths and weaknesses compared to passwords. Specifically, it examines various biometric modalities like fingerprints, iris scans, voice recognition and others. It finds that while biometrics can increase security, they also raise privacy issues and have limitations in accuracy, failure rates, and usability depending on the specific biometric technology. The document concludes by assessing suitable use cases for different biometrics.

Uploaded by

puma384
Copyright
© Attribution Non-Commercial (BY-NC)

Privacy & Identity - Security and Usability: The Viability of Passwords & Biometrics

Introduction
• Name: Orville Wilson
• Alumni at DePaul University
• Doctoral Student
• Currently work for an Information Security and Managed Services firm, Fortrex Technologies, located in DC/Baltimore area.

Agenda
• Statistical Research
• Background on Passwords & Biometrics
• Overview of Biometrics
• How they work
• Strengths, Weaknesses and Usability of Biometrics
• Conclusion

Empirical Data
• Yearly cyber crime cost in the US is over $377 million and rising – CSI/FBI Study
• Federal Trade Commission found that identity theft accounted for $48 billion in losses to business over the past five years

Background on Passwords & Biometrics
• Passwords
    • Ubiquitous technology
    • Passwords are one of the oldest authentication methods.
    • Many organizations and institutions have used passwords for computer access since 1963, when Fernando J. Corbato added private codes to the CTSS at MIT.
• Biometrics
    • First introduced in the 1970s and early 1980s
    • This technology gathers unique physiological or behavioral attributes of a person, either to store them in a database or to compare them with attributes already held in a database.
    • Reasons for biometrics include the positive authentication and verification of a person and ensuring confidentiality of information in storage or in transit.

Advantages
• Reduces cost within organizations
• Increases security
• Competitive advantage
• Convenience to employees
• Eliminates a paper trail

Disadvantages
• Accuracy of Performance
• Failure to enroll rate
• Information Abuse
• May violate privacy


Example: Technical working of fingerprint scanning devices
• Fingerprint Scanner
• Electronic images – Token
• Security Application
• Database
• Access or deny

Biometrics
• 2 Categories of Biometrics
    • Physiological – also known as static biometrics: biometrics based on data derived from the measurement of a part of a person’s anatomy. For example, fingerprints and iris patterns, as well as facial features, hand geometry and retinal blood vessels.
    • Behavioral – biometrics based on data derived from measurement of an action performed by a person and, distinctively, incorporating time as a metric, that is, the measured action. For example, voice (speaker verification).

Biometrics – How do they work?
• Although biometric technologies differ, they all work in a similar fashion:
    • The user submits a sample that is an identifiable, unprocessed image or recording of the physiological or behavioral biometric via an acquisition device (for example, a scanner or camera).
    • This biometric is then processed to extract information about distinctive features to create a trial template or verification template.
    • Templates are large number sequences. The trial template is the user’s “password.”
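
An added illustration of the sample, template, database and access-or-deny flow described above (not part of the original slides): it shows that a trial template, unlike a password, never matches the enrolled one exactly, so the decision is a distance threshold rather than an equality check. The template length, noise rate, threshold and the `extract_template` helper are constructed assumptions standing in for real feature extraction.

```python
import hashlib
import random

TEMPLATE_BITS = 2048   # assumed template length (constructed for this sketch)
THRESHOLD = 0.32       # assumed accept threshold: max fraction of differing bits

def extract_template(trait, noise, rng):
    """Hypothetical stand-in for feature extraction: a stable per-person bit
    pattern with a fraction `noise` of bits flipped by sensor variation."""
    base = random.Random(trait)
    bits = [base.getrandbits(1) for _ in range(TEMPLATE_BITS)]
    return [b ^ (rng.random() < noise) for b in bits]

def distance(a, b):
    """Fractional Hamming distance between two templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def verify(trial, enrolled, threshold=THRESHOLD):
    """Access-or-deny decision: accept when the trial is close enough."""
    return distance(trial, enrolled) <= threshold

def digest(template):
    """Password-style exact comparison value (SHA-256 over the bits)."""
    return hashlib.sha256(bytes(template)).hexdigest()

def demo():
    rng = random.Random(7)  # fixed seed so the constructed samples repeat
    enrolled = extract_template("alice-finger", 0.0, rng)     # enrollment scan
    genuine = extract_template("alice-finger", 0.10, rng)     # same user, new scan
    impostor = extract_template("mallory-finger", 0.10, rng)  # different person
    return {
        "hash_equal": digest(genuine) == digest(enrolled),
        "genuine_dist": distance(genuine, enrolled),
        "impostor_dist": distance(impostor, enrolled),
        "genuine_ok": verify(genuine, enrolled),
        "impostor_ok": verify(impostor, enrolled),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Raising `THRESHOLD` admits more impostors and lowering it rejects more genuine scans, which is the accuracy trade-off the slides list among the disadvantages.
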
Overview of Biometrics

Iris
    Acquisition device: Infrared-enabled video camera, PC camera
    Sample: Black and white iris image
    Feature extracted: Furrows and striations of iris

Fingerprint
    Acquisition device: Desktop peripheral, PC card, mouse chip or reader embedded in keyboard
    Sample: Fingerprint image (optical, silicon, ultrasound or touchless)
    Feature extracted: Location and direction of ridge endings and bifurcations on fingerprint, minutiae

Voice
    Acquisition device: Microphone, telephone
    Sample: Voice recording
    Feature extracted: Frequency, cadence and duration of vocal pattern

Signature
    Acquisition device: Signature tablet, motion-sensitive stylus
    Sample: Image of signature and record of related dynamics measurement
    Feature extracted: Speed, stroke order, pressure and appearance of signature

Face
    Acquisition device: Video camera, PC camera, single-image camera
    Sample: Facial image (optical or thermal)
    Feature extracted: Relative position and shape of nose, position of cheekbones

Hand
    Acquisition device: Proprietary wall-mounted unit
    Sample: 3-D image of top and sides of hand
    Feature extracted: Height and width of bones and joints in hands and fingers

Retina
    Acquisition device: Proprietary desktop or wall mountable unit
    Sample: Retina image
    Feature extracted: Blood vessel patterns and retina

Strengths, Weaknesses and Usability of Biometrics

Iris
    Strengths:
    • Very stable over time
    • Uniqueness
    Weaknesses:
    • Potential user resistance
    • Requires user training
    • Dependent on a single vendor’s technology
    Usability:
    • Information security access control, especially for Federal Institutions and government agencies
    • Physical access control (FIs and government)
    • Kiosks (ATMs and airline tickets)

Fingerprint
    Strengths:
    • Most mature biometric technology
    • Accepted reliability
    • Many vendors
    • Small template (less than 500 bytes)
    • Small sensors that can be built into mice, keyboards or portable devices
    Weaknesses:
    • Physical contact required (a problem in some cultures)
    • Association with criminal justice
    • Vendor incompatibility
    • Hampered by temporary physical injury
    Usability:
    • IS access control
    • Physical access control
    • Automotive

Optical
    Strengths:
    • Most proven over time
    • Temperature stable
    Weaknesses:
    • Large physical size
    • Latent prints
    • CCD coating erodes with age
    • Durability unproven

Strengths, Weaknesses and Usability of Biometrics

Silicon
    Strengths:
    • Small physical size
    • Cost is declining
    Weaknesses:
    • Requires careful enrollment
    • Unproven in sub optimal conditions

Ultrasound
    Strengths:
    • Most accurate in sub optimal conditions
    Weaknesses:
    • New technology, few implementations
    • Unproven long term performance

Voice
    Strengths:
    • Good user acceptance
    • Low training
    • Microphone can be built into PC or mobile device
    Weaknesses:
    • Unstable over time
    • Changes with time, illness, stress or injury
    • Different microphones generate different samples
    • Large template unsuitable for recognition
    Usability:
    • Mobile phones
    • Telephone banking and other automated call centers

Signatures
    Strengths:
    • High user acceptance
    • Minimal training
    Weaknesses:
    • Unstable over time
    • Occasional erratic variability
    • Changes with illness, stress or injury
    • Enrollment takes time
    Usability:
    • Portable devices with stylus input
    • Applications where a “wet signature” ordinarily would be used

Strengths, Weaknesses and Usability of Biometrics

Face
    Strengths:
    • Universally present
    Weaknesses:
    • Cannot distinguish identical siblings
    • Religious or cultural prohibitions
    Usability:
    • Physical access control

Hand
    Strengths:
    • Small template (approximately 10 bytes)
    • Low failure to enroll rate
    • Unaffected by skin condition
    Weaknesses:
    • Physical size of acquisition device
    • Physical contact required
    • Juvenile finger growth
    • Hampered by temporary physical injury
    Usability:
    • Physical access control
    • Time and attendance

Retina
    Strengths:
    • Stable over time
    • Uniqueness
    Weaknesses:
    • Requires user training and cooperation
    • High user resistance
    • Slow read time
    • Dependent on a single vendor’s technology
    Usability:
    • IS access control, especially for high security government agencies
    • Physical access control (same as IS access control)

Comparison of Different Biometrics Technology

Promise that Biometrics hold for Privacy
• Increased Security
    • A biometric cannot be lost, stolen or forgotten; it cannot be written down and stolen by social engineering.
    • By implementing biometrics, organizations can positively verify users’ identities, improving personal accountability.
    • In conjunction with smart cards, biometrics can provide strong security for Public Key Infrastructure (PKI).

Perils that Biometrics hold for Privacy
• Privacy is one of the leading inhibitors for biometrics technology. Main issues:
    • Misuse of Data
        • Health/Lifestyle – Specific biometric data has been linked with information beyond the purpose for which it was set out to be used, such as AIDS. Is a person able to control the information gathered on himself/herself?
    • Function Creep
        • Law Enforcement – The template database may be available for law enforcement.
        • Credit Reporting – The template database may be cross-referenced by a credit reporting agency against other databases, including those held in hospitals and police departments.

Future Trends in Biometrics
• Body Odor – Body odor can be digitally recorded for identification. A British company, Mastiff Electronic System Ltd., is working on such a system.
• DNA Matching – This is the ultimate biometric technology that can produce proof positive identification of an individual.
• Keystroke Dynamics – Keystroke dynamics, also referred to as typing rhythms, is an innovative biometric technology.

Conclusion
1. All authentication methods are prone to errors. Nevertheless, reliable user authentication must ensure that an attacker cannot masquerade as a legitimate user.
2. Biometrics is uniquely bound to individuals and may offer organizations a stronger method of authentication.
3. Biometric systems are not foolproof; they can be compromised by:
    • Submission of another person’s biometric
    • Submission of enrollee’s biometric with the user under duress or incapacitated
4. A prudent balance between Security and Privacy needs to be achieved.
