Reality Check - Biometrics in the real world
James Childers - CEO ASG
Recently I have been asked about our response to several articles appearing in the global press announcing the "defeat of biometrics". Following is our response to these articles; hopefully it will spark much needed debate within this industry regarding the marketing of biometric products and services while improving the security of our homes, workplaces and country.
For those of you not "in the know", let me start with a primer.
Biometrics is the method of utilizing a physical identifier such as fingerprints, facial geometry, iris scanning or another unique physiological feature to identify an individual and authenticate that individual's credentials for access to a facility, network or computer.
True biometric authentication is the "holy
grail" of credential management. Uniquely
identifying an individual and authenticating
access based upon criteria that cannot be
duplicated virtually guarantees network and
facility security.
There are many different types of biometric
authentication methods with more being
implemented every day. Of the currently
available biometric authentication methods,
fingerprint technology has been and continues to
be the easiest to implement, among the least
invasive and most reliable technologies
available. For the purposes of this article we
will concentrate on fingerprint identification.
Scientific studies have proven that
fingerprints are unique at the rate of 1 in
1,000,000,000 individuals. What makes
fingerprints unique is the multiple
characteristics that define them. These
"minutiae points" are the intersection of
ridges, loops, swirls, whirls and the position
of these features within the fingerprint.
Fingerprint Biometrics
Fingerprint biometric devices take a picture of these minutiae points and electronically convert them, using a mathematical algorithm, into a string of characters uniquely identifying each finger enrolled. This "template" is then usually stored in an encrypted area of the local hard drive or in the network's user credential management area. This is known as the enrollment phase of biometric authentication.
During the authentication phase, a new template is made from the minutiae points presented and is compared with the stored template. If the templates match, the user is authenticated and access is granted. If the templates do not match, the user is denied access. Current technology allows for authentication of an individual's identity within a margin of error of .01 to .00001%, depending upon the algorithm and biometric identifier used.
Most devices today use between 16 and 40 minutiae points to create a template. It should be noted here that the fingerprint itself is not stored anywhere on the PC or network, and creating a fingerprint model from 16-40 minutiae points is virtually impossible. It is therefore virtually impossible for someone to "steal your fingerprint" even if they had full access to your template on the network or device.
While a margin of error of 1 in 10,000 to 1 in 1,000,000 may not seem "secure", it is important to understand that there are different types of errors. The way in which each transaction is processed, and how each type of error affects that processing, can result in near impenetrable security.
Types of Errata and "false acceptance"
FRR - False Rejection Rate - This is the rate at which a device will deny access because it misreads or misidentifies genuine biometric credentials as "false".
An example of this type of error: Mary is authorized to access her facility by authenticating her fingerprint on a fingerprint reader at the door. Today, while trying to enter the facility, Mary didn't have her finger properly centered on the device, so the minutiae points captured and compared during this attempt are notably different from what is on the stored template. She is denied access even though she has a valid biometric credential (her finger). This is the most common type of error, and most devices will default to a false rejection rather than a false acceptance if the templates are noticeably different.
FAR - False Acceptance Rate - This is the
rate at which a device will accept false
biometric credentials as acceptable. This level
of error is extremely rare, and usually falls
within the 1 in 1,000,000 or better range.
An example of this type of error: Ben is not authorized to access his corporate network via biometric authentication. His right index fingerprint is close enough to Mary's that he is able to authenticate by using her identity. He is granted access even though he doesn't possess valid biometric credentials. The odds of this happening in reality with 16 minutiae points captured is one in 16! (1*2*3*4*5*...*16), or one in 334,764,638,208,000.
Spoofing - This is a method of using a copy of valid biometric credentials to gain access.
An example of this type of false acceptance: David does not have access to the payroll computer in human resources. David knows that Mary's right index finger is the one she uses to authenticate herself on the network. He sneaks into her office after hours, captures a high quality imprint of her right index fingerprint, goes home and makes a perfect copy of this fingerprint in gelatin using information he found on the Internet, returns to Mary's office during off hours and authenticates as Mary on her PC to change his payroll information. Voila, he now has a VP's salary.
Much press recently has been devoted to the so-called "defeat" of biometric authentication based upon the example described above. In a much touted demonstration, the German Federal Institute for Information Technology Security, in collaboration with the Fraunhofer Research Institute headquartered in the German city of Darmstadt, announced the "Defeat of Biometrics". For more information on this article, which would make James Bond proud, see:
http://www.extremetech.com/print_article/0,3428,a=27687,00.asp
Another "test", performed by the Japanese cryptographer Tsutomu Matsumoto, can be seen here:
http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf
Biometric Credential Theft - This is a
method of an unauthorized individual using a
valid biometric credential to gain access to a
network or facility.
An example of this type of false acceptance:
As shown in the movie "The 6th Day" with Arnold
Schwarzenegger, the unauthorized individual cuts
off the finger that is used to biometrically
authenticate onto the network or facility and
uses that biometric credential to gain illegal
access.
I have only one comment here...
In a standard day-to-day corporate or medical
environment, if you are really anticipating this
as a viable attack upon your network, I would
recommend seeking competent psychological
counsel. You've got bigger problems than network
or facility security.
Integrating Biometrics in the Real World
Each of the above examples is based upon an
"identification" method of biometric credential
management. The two types of biometric
credential management are:
Identification - Also known as 1:n or
1:Many.
This type of biometric credential management
relies solely upon the biometric credential as
the statement of user identity. As an example,
when I place my finger upon the biometric
reader, the program looks at the presented
template and goes to the template warehouse and
attempts to identify my fingerprint from the
entire database. The program asks: Who is this
person? Then it asks: Does this person have
access? Then the program grants or denies access
based upon the business rules previously
assigned. This is the slowest form of
authentication and is also the most open to the
types of errors detailed above.
Authentication - Also known as 1:1
This type of biometric credential management system utilizes a secondary "statement of user identity". In other words, you must also authenticate yourself by something you possess or know, and not just by something you are. An example here: when I walk up to my PC I insert my smart card (something I have) into a smart card reader attached to my fingerprint scanner, or input my PIN or password (something I know), and then authenticate biometrically using my finger on the scanner. This type of credential management system is the fastest template matching method and is the most secure authentication method available today.
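The FRR/FAR examples above and the 1:n versus 1:1 distinction can be made concrete in code. The following is an added example, not part of the original article or any ASG product: a toy minutiae matcher with a decision threshold, plus the arithmetic showing how the per-comparison FAR compounds when a probe is searched against every enrolled template. All templates, tolerances and rates are constructed for illustration.

```python
"""Toy minutiae matcher and the 1:1 versus 1:N false-accept arithmetic.
Templates are lists of (x, y, ridge_angle_deg) minutiae; every value
below is constructed for illustration, not real fingerprint data."""
import math

# Constructed enrollment templates for the article's Mary and Ben.
MARY = [(12, 40, 30), (55, 22, 95), (80, 70, 10), (33, 88, 160),
        (60, 50, 45), (90, 15, 120), (20, 65, 80), (70, 95, 200)]
BEN = [(15, 38, 33), (52, 25, 90), (40, 60, 180), (88, 12, 125),
       (66, 77, 5), (25, 90, 150), (75, 45, 60), (10, 10, 270)]

def minutia_matches(a, b, tol_xy=4.0, tol_angle=15.0):
    """A probe minutia matches a template minutia when both position
    and ridge direction fall inside the tolerance window."""
    dist = math.hypot(a[0] - b[0], a[1] - b[1])
    dangle = abs((a[2] - b[2] + 180) % 360 - 180)
    return dist <= tol_xy and dangle <= tol_angle

def match_score(probe, template):
    """Fraction of probe minutiae that find an unused partner in the
    template (a real matcher aligns the two point sets first)."""
    used, hits = set(), 0
    for p in probe:
        for i, t in enumerate(template):
            if i not in used and minutia_matches(p, t):
                used.add(i)
                hits += 1
                break
    return hits / len(probe)

def verify(probe, template, threshold=0.75):
    """1:1 authentication: compare only against the claimed identity."""
    return match_score(probe, template) >= threshold

def identify(probe, db, threshold=0.75):
    """1:N identification: best-scoring enrolled name above threshold,
    or None. Every extra enrollee is one more chance of a false accept."""
    best = max(db, key=lambda name: match_score(probe, db[name]))
    return best if match_score(probe, db[best]) >= threshold else None

def system_far(far_per_comparison, n_enrolled):
    """Effective FAR of a 1:N lookup: probability that at least one of
    n independent comparisons falsely accepts."""
    return 1 - (1 - far_per_comparison) ** n_enrolled

def shifted(template, dx, dy):
    """Simulate an off-centre finger placement (Mary's false rejection)."""
    return [(x + dx, y + dy, a) for x, y, a in template]
```

With a per-comparison FAR of one in a million, a 1:N search over a million enrolled templates falsely accepts roughly 63% of impostor attempts, which is the quantitative reason the 1:1 method with a second factor is preferred.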
Instituting a Biometric Credential Management
System utilizing the Authentication method
outlined above is the most secure method of
end-user authentication. It is exponentially
better than existing password, PIN, token and
other knowledge or possession based
authentication methods and when implemented
properly represents a dramatic improvement in
data and facility security.
So why all the noise about the "defeat of
biometrics"?
There are certain elements within our society that misunderstand what biometrics is and what its capabilities are. These elements need to be educated in the science and technology of biometrics and in how, and how not, to use it in their security methods.
Other individuals need to have their egos stroked by touting the fact that they have defeated an "impenetrable" system. These individuals need to find something more fulfilling to occupy their lives: a career, significant relationship, religion, hobby... pick one and stick with it.
Still there are others that are truly trying
to improve the quality of security by pointing
out that one system alone is not sufficient for
all needs. These are the true pioneers of the
security industry.
I count myself and other "champions" I know
within this industry in the last category.
Security is more than just creating and
implementing an impenetrable system... It is a
mind-set that every system is penetrable, all
solutions are fallible and the only secure
system is one that is diligent in its methods,
rooted in the fundamentals of secure credential
management and uses multiple methods of
authentication.
Please feel free to contact me should you
have any questions about this article or
biometrics in general.
Sincerely,
James Childers CEO ASG -
james@iqbio.net