AccessControl Winter2024 Part2 Posted

The document discusses various biometric authentication methods, emphasizing the differences between static biometrics (like fingerprints and facial recognition) and dynamic biometrics (such as signature and voice recognition). It outlines the challenges of achieving high accuracy in biometric systems, including false reject and accept rates, and the importance of balancing security with user acceptance. Additionally, it highlights the potential attacks on both password-based and biometric systems, as well as the concept of multi-factor authentication for enhanced security.

Uploaded by

jaiminbhagat001

Authentication: Something you are/produce

• Biometrics – links proof-of-identity to physiological traits or behavioral patterns
Authentication: Something you are …
3) Something you are (Static / Standard Biometrics)
• authentication mechanisms that take advantage of users’ unique physical characteristics, including
  ➢ fingerprints
  ➢ facial characteristics
  ➢ retina
  ➢ iris
  [Figure: fingerprint scanner]
• in contrast to password/token authentication, biometric systems do not look for a 100% match – a person’s characteristics are inherently ‘noisy’
  ➢ pattern recognition must be involved
• very effective, but costly if a large number of biometric readers need to be installed!
Authentication: Something you are …
Example: In password-based authentication, an exact (100%) match is required.
[Figure: enrolment stage; at login a 100% match is required.]
https://www.talwork.net/has-your-password-been-leaked
Authentication: Something you are …
Example: enrollment & authentication in biometric systems
[Figure: a sample of biometric reading is captured → the most important features are extracted → the feature set is converted into a feature vector (template) → database of biometric user profiles (feature vectors).]
• the enrolment stage in biometric systems is much more involved !!!
• it is hard, if not impossible, in some types of biometrics to achieve a 100% match
https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8334-draft.pdf
Authentication: Something you are …
Example: In biometric-based authentication, an approximate match is required.
How good should the match be: 99% vs 75% ??
https://www.tutorialspoint.com/biometrics/biometrics_quick_guide.htm
Authentication: Something you are …
• Biometric Modality = different types of biometric information / measurements that can be used to discriminate between different individuals
https://www.researchgate.net/publication/281659557_Soft_Biometrics_for_Keystroke_Dynamics/figures?lo=1
Authentication: Something you are …
• an ideal biometric modality / information should have the following properties:
  • Universality – all individuals must be characterized by this information (Is hair color a good biometric modality?)
  • Uniqueness / Distinctiveness – this information must be as dissimilar as possible for two different individuals
  • Permanency / Stability – this information should be present during the whole life of an individual & change as little as possible
  • Collectability / Measurability – this information should be measured in a (technically & practically) easy manner
  • Acceptability – how willing individuals are to have this biometric information captured and assessed
  • Performance – this information can be used to build accurate and fast biometric/authentication systems
  [Figure: dental imprint]
Authentication: Something you are …
• an ideal biometric modality / information should have the following properties (cont.):
  • Resistance to Attack – how easy it is for this information to be forged
[Table: comparison of biometric modalities against the criteria universal / unique / permanent / collectable / acceptable / performance-accuracy; cell values not recoverable]
Authentication: Something you are …
Iris scanner
  • IRIS – colored section of an eye
  • scan = 2 seconds of near IR imaging ☺
  • subject can be at some distance ☺
  • alcohol consumption changes iris ☹
Retina scanner
  • RETINA – cannot be seen by naked eye – the network of blood vessels
  • most reliable biometrics, aside from DNA ☺
  • but can be affected by eye-disease ☹
  • scan = 15 seconds of low-energy IR scanning ☹
  • subject has to be close to scanner ☹
Authentication: Something you are …
• Biometric System – architecture & operational stages
[Figure: STAGE 1 and STAGE 2 of a biometric system; side question: Should the entire scan (image) be stored ??]
Authentication: Something you are …
Example: Extraction of biometric features
• many biometric systems are based on image processing
Also see: http://computer.howstuffworks.com/biometrics-privacy.htm

Authentication: Something you are …
Example: Extraction of biometric features
[Figure: face-recognition feature extraction]
https://creativentechno.wordpress.com/2012/02/18/face-recognition/
Authentication: Something you are …
• Types of Biometric Systems (Uses)
1) systems for IDENTIFICATION
  ➢ perform 1:n comparison to identify a user from a database of n users (look through profiles)
2) systems for AUTHENTICATION
  ➢ perform 1:1 comparison to check whether a user matches his profile (something you know – to identify the user and find the user’s profile)
Authentication: Something you are …
• Biometric Accuracy / Performance
• in all biometric schemes, some physical characteristic of the individual is mapped into a digital representation
• however, physical characteristics may change
  ➢ facial contours and color may be influenced by clothing, hairstyle, facial hair, …
  ➢ the results of a fingerprint scan may vary as a function of: finger placement, finger swelling and skin dryness …
• multiple mappings may have to be taken in order to create a (statistically) useful biometric representation / profile
• a biometric sensor must be able to adapt to a broad range of appearances
NOISE is the biggest challenge of biometric system performance: 1) noise during enrollment (to create an accurate profile); 2) noise during deployment (identification / authentication).
[Figure: several scans of user 1 and of user 2]
Authentication: Something you are …
• Biometric Accuracy – statistical distribution of ‘match score’ between user’s new scan and user’s stored profile/record
[Figure: match-score axis from 0% to 100% (lower scores for imposters, higher scores for genuine user): new scan has large deviation relative to user profile – similarity about (e.g.) 30%, as for most other users; new scan has small deviation relative to user profile (e.g. 90%); new scan perfectly matches user profile (100%).]
• unfortunately, the range of scores/features for any particular user is likely to overlap with the scores/features of other users
• by moving the ‘decision threshold’, the sensitivity of the biometric system changes
  ➢ move t to the left: system more tolerant to noise (☺), but also more likely to accept the wrong person (☹)
Authentication: Something you are …
[Figure: match-score distributions of impostor user and genuine user, with the decision threshold separating reject from admit; the overlap gives the probability of false reject (genuine user scoring below the threshold) and the probability of false accept (impostor scoring above it).]
https://people.scs.carleton.ca/~paulv/toolsjewels/ch3-long.pdf
Authentication: Something you are …
• Biometric Accuracy (cont.)
• False Reject Rate (FRR), aka False Negative
  ➢ % of authorized users who are denied access
  ➢ false negatives do not represent a threat to security but an annoyance to legitimate users
• False Accept Rate (FAR), aka False Positive
  ➢ % of unauthorized / fraudulent users who are allowed access to the system
  ➢ represents a serious security breach
Biometric systems are typically described in terms of their probability of FR & FA across all user profiles – values across the whole system !!!
The higher the FR, the less convenient an application is for trusted users, because more subjects are incorrectly rejected …
The lower the FA, the fewer imposter users (adversaries) are incorrectly accepted into the system – security against impostors.
Authentication: Something you are …
Example: biometric accuracy
Assume a system where each airport passenger is identified with a unique frequent flyer number and then verified with a fingerprint sample. The system’s false reject (FR) rate for fingerprints is 0.03 (= 3%). 1000 people / hour are requesting access to the airport during a 14 hour day. How many people will fail to be verified in a day?

# rejected passengers
= (1000 * 0.03) [rejects / hour] * 14 [hours]
= 30 [rejects / hour] * 14 [hours]
= 420 [rejects]
Authentication: Something you are …
Example: biometric accuracy
If you are offered a system with a small FAR, do not assume a small FRR !!!
http://www.cse.lehigh.edu/prr/Biometrics/Archive/Papers/rc22481.pdf
Authentication: Something you are …
• Crossover Error Rate (CER), aka Equal Error Rate – the trade-off point !!!
  ➢ point at which FRR = FAR – Operating Point of choice for most biometric systems – provides balance between sensitivity & performance (i.e., convenience & security)
  ➢ techniques with 1% CER are superior to those with 5% CER
• as the threshold moves to the left, the system becomes ‘less sensitive’ and the value of FRR decreases but the value of FAR increases
• as the threshold moves to the right, the system becomes ‘more sensitive’ (= more strict decision making) and the value of FRR increases but the value of FAR decreases
How do we find the CER operating point ??
[Figure: FRR and FAR plotted against the decision threshold]
http://fingerchip.pagesperso-orange.fr/biometrics/accuracy.htm
Authentication: Something you are …
[Figure: OPERATING CHARACTERISTICS CURVES for two different systems (System 1, System 2): False Reject vs. False Accept, from high threshold to low threshold, with the CER line marked. Which system is better?!]
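The threshold sweep, FRR/FAR computation and CER search described in the slides above, worked through as an added example (not from the slides); the two systems’ match scores are constructed sample data, and the threshold sweep from 0% to 100% is an assumption about how scores are expressed:

```python
"""Added example (not from the slides): FRR/FAR vs. threshold and the CER.
Match scores are percent similarity between a new scan and the stored
profile. The two score sets are CONSTRUCTED sample data, not measurements:
genuine users cluster high, impostors low, and the ranges overlap."""

SYSTEM_1 = {
    "genuine": [72, 78, 81, 85, 88, 90, 91, 93, 95, 97],
    "impostor": [12, 20, 25, 31, 38, 44, 52, 60, 66, 75],
}
SYSTEM_2 = {
    "genuine": [60, 65, 70, 74, 80, 84, 88, 90, 94, 96],
    "impostor": [10, 18, 30, 40, 48, 55, 62, 70, 78, 83],
}

def frr(genuine, t):
    """False Reject Rate at threshold t: genuine scores below t are rejected."""
    return sum(1 for s in genuine if s < t) / len(genuine)

def far(impostor, t):
    """False Accept Rate at threshold t: impostor scores at/above t are admitted."""
    return sum(1 for s in impostor if s >= t) / len(impostor)

def cer(genuine, impostor):
    """Sweep t over 0..100 and return (t, FRR, FAR) at the first point where
    FRR and FAR are closest to equal: the crossover / equal error rate."""
    best = None
    for t in range(101):
        point = (t, frr(genuine, t), far(impostor, t))
        if best is None or abs(point[1] - point[2]) < abs(best[1] - best[2]):
            best = point
    return best

def crossover_error(system):
    """Error level at the CER operating point (mean of FRR and FAR there)."""
    _, fr, fa = cer(system["genuine"], system["impostor"])
    return (fr + fa) / 2

def better_system(a, b):
    """Return 1 or 2: the system with the lower crossover error is better."""
    return 1 if crossover_error(a) <= crossover_error(b) else 2

if __name__ == "__main__":
    for name, system in (("System 1", SYSTEM_1), ("System 2", SYSTEM_2)):
        t, fr, fa = cer(system["genuine"], system["impostor"])
        print(f"{name}: CER at t={t}  FRR={fr:.2f}  FAR={fa:.2f}")
    print("better system:", better_system(SYSTEM_1, SYSTEM_2))
```

Moving t left in either system lowers FRR and raises FAR, which is the trade-off the slides describe; the system with the lower crossover error is the one whose curve sits closer to the origin.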
Authentication: Something you are …
Example: optimal OPERATING POINT in different biometric systems/applications
[Figure: error-rate curve with the CER marked; application examples: homeland security, critical-infrastructure, …; use of biometrics in criminal investigations to identify potential suspect(s)]
Authentication: Something you produce …
4) Something you produce: Dynamic Biometrics
• authentication mechanisms that make use of something the user performs or produces:
  ➢ signature recognition
  ➢ voice recognition
  ➢ keystroke recognition
• less costly than ‘what you are’ systems, but not as reliable
  ➢ signature, voice, keystroke pattern may change significantly with time and under different circumstances
Authentication: Something you produce …
Example: Dynamic / behavioral biometrics
Authentication that examines normal actions performed by the user, e.g. keystroke dynamics: measure/observe various time-related parameters during a user’s interaction with a keyboard.
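Keystroke dynamics as a dynamic biometric, worked as an added example (not code from the slides or from any product): enrollment from several typing samples, a feature-vector template, and the approximate-match decision against a threshold. The dwell/flight timings, the scoring formula and the default threshold of 70 are all assumptions.

```python
"""Added example (not from the slides): keystroke dynamics as a dynamic
biometric. A typing sample of a fixed phrase is a list of (dwell_ms,
flight_ms) per key: dwell = key held down, flight = gap to the next
key-down. All timings below are CONSTRUCTED, not recorded."""
from statistics import mean, pstdev

# Three enrollment samples from the same (hypothetical) user.
ENROLL_SAMPLES = [
    [(90, 120), (85, 110), (95, 130), (80, 100)],
    [(95, 125), (80, 115), (100, 135), (85, 105)],
    [(85, 115), (90, 105), (90, 125), (75, 95)],
]
GENUINE_LATER = [(92, 118), (84, 112), (97, 128), (78, 102)]  # small deviation
GENUINE_NOISY = [(100, 135), (75, 95), (105, 140), (70, 90)]  # same user, off day
IMPOSTOR = [(140, 200), (60, 80), (150, 60), (40, 170)]       # different rhythm

def features(sample):
    """Flatten one sample into a feature vector (the template format)."""
    return [v for pair in sample for v in pair]

def enroll(samples):
    """Enrollment needs several samples because the trait is noisy:
    the profile stores per-feature mean and spread."""
    cols = list(zip(*(features(s) for s in samples)))
    return {"mean": [mean(c) for c in cols],
            "std": [max(pstdev(c), 1.0) for c in cols]}  # floor: no zero spread

def match_score(profile, sample):
    """Similarity in [0, 100]: 100 = identical to the profile mean; falls with
    the average deviation measured in standard deviations (0 at >= 4 sigma)."""
    devs = [abs(v - m) / s for v, m, s in
            zip(features(sample), profile["mean"], profile["std"])]
    return max(0.0, 100.0 * (1 - mean(devs) / 4))

def authenticate(profile, sample, threshold=70):
    """1:1 approximate match: admit when the score reaches the threshold."""
    return match_score(profile, sample) >= threshold

if __name__ == "__main__":
    prof = enroll(ENROLL_SAMPLES)
    for name, s in (("later", GENUINE_LATER), ("noisy", GENUINE_NOISY), ("impostor", IMPOSTOR)):
        print(f"{name:9s} score={match_score(prof, s):5.1f} admit@70={authenticate(prof, s)}")
```

The noisy genuine sample is a false reject at threshold 70 and an accept at 30, which is the threshold trade-off from the earlier slides applied to a behavioral trait.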
Authentication: Something you produce …
https://www.keytrac.net/en/
Example: Cost vs. accuracy of various biometric characteristics
[Figure: cost vs. accuracy of biometric characteristics; DNA is one of the labelled points]
Authentication (cont.)
Example: Biometrics accuracy vs. acceptance
Organizations implementing biometrics must carefully balance a system’s effectiveness against its perceived intrusiveness and acceptability to users …
Authentication (cont.)
Example: Attacks on password-based authentication systems

Attack – Authenticator – Examples
Breaking (try to ‘get into’ the system by using a legitimate password):
  Client attack – Password – Guessing, exhaustive search
  Host attack – Password – Plaintext theft, dictionary/exhaustive search
  Eavesdropping – Password – "Shoulder surfing"
  Replay – Password – Replay stolen password response
  Trojan horse – Password – Installation of rogue client or capture device
Disabling (prevent legitimate user from getting into the system):
  Denial of service – Password – Lockout by multiple failed authentications
Authentication (cont.)
Example: Standard vs. Targeted DoS Attacks
Standard DoS Attack – Attacker’s goal is to prevent the victim-server from providing access/service to all legitimate users.
Targeted DoS Attack – Attacker’s goal is to prevent one particular victim-user from obtaining access/service from a server. Most systems ‘lock out’ a user after multiple login attempts using a false password ….
Authentication (cont.)
Example: Attacks on biometrics-based authentication systems
[Figure: attack points in a biometric system – sensor, signal processing unit, template database, matching process]
• Spoof biometric data as someone else (e.g., latex finger)
• Spoof the signal between the sensor and signal processing unit (e.g., replay voice)
• Modify the signal processing unit to (e.g.) cause DoS on legitimate users
• Alter the matching process / software
• Alter the content of the template database
https://www.nxp.com/docs/en/white-paper/SECBIOAUTHWP.pdf
Authentication (cont.)
Example: Single- and multi-factor authentication
• Systems that use one authentication credential (e.g. something you know) are known as one-factor authentication systems. Most computer systems / applications are one-factor authentication systems – they rely on passwords only.
• Systems that require strong protection typically combine multiple authentication mechanisms – e.g. something you have and something you know. They are known as two-factor authentication systems. For example, access to a bank’s ATM requires a banking card + a personal identification number (PIN).
Authentication (cont.)
Example: Gmail, Hotmail, York-mail as 2-factor authentication systems …
http://www.google.ca/landing/2step/
