Вы находитесь на странице: 1из 33

Executive Summary of the Study on biometric technologies applied to security

INFORMATION SECURITY OBSERVATORY

Methodology
INTECO PROJECT ABOUT BIOMETRIC TECHNOLOGIES APPLIED TO SECURITY

RESEARCH
Diagnosis

PRACTICAL GUIDE
Learning and awareness

Documents Analysis + Expert Personal Interviews + 2.0 Investigation + Workshop for final conclusions

Use of biometric technologies in access control and identification

Research on Biometric Technologies


Introduction to biometric technologies
Study on biometric technologies applied to security

Advantages against other identification processes Uses and applications Future lines of investigation Applicable regulations and standards Threats and Vulnerabilities Security measures and good practices Advice to industry and private and public organisms

INFORMATION SECURITY OBSERVATORY

Introduction to Biometric Technologies


Physiological technologies

Fingerprint recognition Facial recognition Iris-scan Retina-scan Hand geometry

Behavioral technologies

Signature-scan Voice recognition Keystroke-scan Gait

Physiological Biometric Technologies

1) Fingerprint recognition

High maturity Competitive prices Usability


Non compatible with some professional activities i.e. Contact with abrasive products

Arch

Tented Arch

Left Loop

Right Loop

Plain Whorl

Ridge Ending Spur Bifurcation Dot Lake Short Ridge Crossover

Physiological Biometric Technologies


2) Facial recognition

Easy to capture Currently successfully


used Patterns variability Environmental noise Luminosity and clothing

3) Iris recognition

Uniqueness Fraud resistant Cost Contact lenses

Physiological Biometric Technologies


4) Retina-scan

Uniqueness Permanence Non user-friendly

5) Hand geometry

Permanence
Injuries

Behavioral Biometric Technologies


1) Signature-scan

Acceptability
Permanence

2) Voice recognition

Useful in remote scenarios Perfect for mobile applications


Noise

Behavioral Biometric Technologies


3) Keystroke-scan

Easy to capture Acceptability


People not using keypads

4) Gait

Recognition in crowds
Still being developed

Biometric Technologies Analysis


Biometric Technologies Comparison
Collectability Permanencia Acceptability Performance Uniqueness Universality M H H H M M L M L M

H: High M: Medium L: Low


Fingerprint Face Iris Retina Hand Hand Signature Voice KeyStrokes Gait

M H L L M M H H M H

H L H H M H L L M M

Fraud resistance

M H M L H M H M M H

H L H H M M L L L L

H M H H M M L L L L

H L H H M M L L L L

10

Biometric Technologies Analysis


Market Implementation
Voice Recognition Hand 3% Geometry 5% Iris Recognition 7% Keystroke Scan 1%

Fingerprint is the most extended technology. It is due to its high maturity level what implies a lower cost.

Signature Scan 12% Facial Recognition 14%

Fingerprint recognition 58%

Facial recognition is in second place but quite far The inclusion of a photography in many identification documents boosts its implementation

11

Biometric Technologies Analysis


Biometry vs. Passwords/Cards
Issue
Secret needed Possibility of beingstolen Possibility of being lost Maintenance Cost Enrolment and regeneration Comparison process Users comfort Spy vulnerability Brute force vulnerability Security counter measures Real authentication Implantation Costs

Biometry

Password/Cards

12

Identification Processes Analysis


Double factor authentication systems Unimodal authentication goes ahead to the double factor authentication (biometry + card, biometry + password or bimodal biometry). A bimodal biometric system uses two biometric techniques, for example a combination of fingerprint and facial recognition.

Advantages:

Disadvantages:

Security raise Fraud resistance Reduction of threats and


vulnerabilities

Cost Comfort

More privacy
13

Biometric Technologies Advantages


Entities More security in users authentication due to the use of the something you are factor. Maintenance costs reduction because of less credential restoration needs. Efficiency processes. raise in authentication Improvement of corporate image guaranteeing the security of employees, clients and providers. New services can be offered.

Internal and external fraud reduction.

14

Biometric Technologies Advantages


Final users

More comfort, not needed to remember or to be safely kept. Waiting time reduction. Remote transactions are possible. More security and privacy.

Advanced technology familiarization

15

Current and Future Uses

Online Banking

ATM

Payment

Secured online
transactions.

For specially critical


operations

Integrated in Point of Sales


Terminal : prevents impersonation and possible errors

16

Current and Future Uses

Access and
presence control

Phone

Banking and call centers

Mobile

Prevents internal fraud in


organizations

Secured remote
transactions (voice recognition).

Verification factor when


using NFC (Near Field Communication).

17

Success Cases
Quick Access to Airport Borders in Spain Technology: Fingerprint and facial recognition. Benefits:

Raise in time/agent/control ratio Security increase Mitigation of the fear of the users to the
use of biometric systems. Future developments: There are future expansion plans to other national borders (airports and ports) using even more verification elements.

18

Success Cases
Public subsidies management in Poland Technology: Finger veins structure recognition. Benefits:

Efficiency raise due to the less time


dedicated to the verification of national identity documents by the bank.

Waiting time reduction. Possible fraud reduction.


Future developments: In retail banking this technology could be used to validate any process that the client wants to do.

19

Regulatory Framework
There is enough legislation related to the personal data protection but may be useful to go deeper in the biometric specific case. LOPD (Spanish Data Protection Act) Considerations: Legitimate use of the data. The user must be informed. The user must consent the process except in some particular cases. The data must be registered in the Data Privacy Authority. Data delegation. International Standards There had been identified several standards that are applicable over many different aspects: information transmission, APIs, Systems performances, etc.

20

Risk Management in Biometry

The implementation and the use of biometric technologies are exposed to several risks, some of them specific and some of them shared with the rest of identification technologies. Identifies threats and vulnerabilities related to different factors. are

There is a set of recommendations and good practices that can suppose a mitigation of the identified risks.

21

Risk Management in Biometry


Snap implementation Inadequate technology No commitment of final users Privacy risks Treat of private and personal data

Pre-Analysis

adapting the system to the organization

Legitimate use of the data. The user must be informed. The user must consent the process
except in some particular cases.

The data must be registered in the Data


Privacy Authority.

Processes and data storage secured

22

Risk Management in Biometry


Information loose or theft Private information Limited traits Identity impersonation Biometric traits thefts or use under coaction

Secured data storage Partial traits capture

Liveness detection and double


factor authentication

23

Risk Management in Biometry


Sabotage / System incidents Affect all technologies Change in biometric traits Involuntary Trying to commit fraud

Continuity Plan

Choose of adequate technology Double factor authentication

passUDe45

24

Risk Management in Biometry


Different quality of the used technology Possible security breaches Negative perception performance Users rejection Lack of privacy sensation Cultural and religious issues Negative use experience due to bad

Quality control for every element


of the system

Information and raise of


awareness

Adapted techniques and cultural


awareness

Training

25

Recommendations
Organizations Pre-analyze Go for quality technologies Avoid prototypes difficult to use Offer collaboration to final users Comply with what is previously about privacy indicated Look for improvement and reduced costs of technologies Spread knowledge Scientists Develop lines of investigation that satisfy current needs

26

Recommendations
Manufacturer and service providers Bet for innovation Offer high quality systems Solve clients doubts Analyze properly the clients Promote algorithm unification Guarantee the security and confidentiality of biometric traits of the users

27

Recommendations
Public organisms. Ease the access to public services using biometry Use biometric systems in their own facilities Invest in defense and border control Invest in investigation and innovation Realize divulgation

28

Conclusions - Strengths and opportunities



More comfort for users Cost reduction for organizations More security Reduces impersonation Prevents attacks

Learning and evolving Second generation, challenges already detected Public Administration commitment Help normalizing and divulgating Big companies impulse Expansion and criteria unification Standardization and interoperability Opened systems and users freedom

29

Conclusions - Weaknesses

Risk of personal privacy invasion Fear of citizens Lack of privacy perception Public exposure High exposure = big repercussion of problems Specific regulation needed Promotion of good practices and accountability

30

Final Thoughts

Mature Technology vs. Developing Market


Lack of offers of integral security Lack of knowledge in enterprises Non confidence of users Current economic difficulties

Comparison standard needed

Risk of overconfidence

High potential benefits

31

Follow us on:
Web
http://observatorio.inteco.es Facebook Profile http://www.facebook.com/ObservaINTECO Twitter Profile http://www.twitter.com/ObservaINTECO Scribd Profile http://www.scribd.com/ObservaINTECO Youtube Profile http://www.youtube.com/ObservaINTECO Information Security Observatory BLOG http://www.inteco.es/blogs/inteco/Seguridad/BlogSeguridad

Send us your questions and comments to:


observatorio@inteco.es

http://www.inteco.es http://observatorio.inteco.es