Its single-mode and multi-mode definition is analyzed. The requirements or criteria for evaluating biometric systems are examined. Finally, the security threats that can affect a biometric system are identified and analyzed. Since the first commercial applications of fingerprint recognition around 1984, countless new and increasingly sophisticated systems and applications have rapidly appeared on the market.

Read More

The ever-increasing power of microelectronics and computers is making the deployment of biometric recognition systems—for both verification/authentication and identification (open-set and closed-universe)—a growing reality. The cost of biometric technology is decreasing, while its reliability, efficiency, and speed are increasing, leading to a growing number of biometric devices becoming an important part of our businesses and our lives. Human needs are evolving; there is a demand for greater mobility in life and business, increased security in the smart society, and a greater degree of convenience, among other things. Biometrics is capable of responding to the growing number of applications in demand, such as in daily life in the context of physical access control to key facilities and infrastructure, such as military/governmental installations, immigration control at airports (for example, the INSPASS (Immigration and Naturalization Service Passenger Accelerated Service System) installed in major US airports is based on hand geometry verification technology, developed by the company (Recognition Systems, Inc.), data processing centers, etc., for example, to protect against terrorist actions; in access control to assets such as homes and private vehicles, ATMs as a protective measure against theft, ATM fraud, etc.; and in access control to information itself, such as access to servers, PCs, networks, PDAs, mobile phones, etc., as a protective measure against unauthorized access.

The use of biometrics itself is not the primary factor contributing to security and privacy risks; rather, it is inappropriate or inadequate implementation. Biometrics has the potential to be used in any application where authentication, verification, and identification are required, and it is only a matter of time before we find and use them in our daily lives (home, work, transportation, entertainment, access to municipal, social, governmental, and healthcare services, etc.).

'

 

 

A biometric system is non-intrusive if the individual does not need physical contact with a sensor or it does not have a negative connotation.

A biometric system is intrusive if it requires the individual to touch a sensor, place a sensor near their body, or participate in a way that is emotionally or psychologically uncomfortable. A biometric system is cooperative if the individual willingly accepts positive identification and provides relevant information (e.g., username, password, PIN, USB token, smart card, etc.). A biometric system is non-cooperative if the individual does not provide assistance during the process (e.g., a facial recognition system at an airport).

Characterization of biometrics

Biometric technology is one of the fastest-growing areas of computer science, dealing with the representation, storage, matching, synthesis, and visualization of physiological biometric information (iris pattern, hand geometry) as well as behavioral information (gait, handwriting, speech, typing, lip movements). Biometrics can be defined in different ways: (1) According to the ISO, it is a measurable physical characteristic or behavioral trait of a person used to recognize or verify the declared identity of a registered individual. Similarly, according to the ISO, a biometric system is an automated system capable of: (i) Capturing a biometric sample from an end user. (ii) Extracting biometric data from that sample. (iii) Comparing the biometric data with the contents of one or more reference templates. (iv) Determining the degree of match. (v) Indicating whether or not identification or identity verification has been performed. (2) It is a technology that verifies a person's identity using specific biometric information from the individual such as palm vein distribution, fingerprints, finger veins (or FV, Finger Vein; Hitachi's FV authentication has been successfully adopted in 75% of Japan's bank branches, making it the dominant biometric system deployed by the Japanese banking sector), facial features, ear pattern, handwritten signature, or biological traces such as DNA (Deoxyribonucleic Acid) in blood or saliva.

Biometrics encompasses both physical and physiological traits of a person, such as hand geometry, iris pattern (a commercial product is Panasonic's BM-ET300 Iris Entry System), retinal pattern, etc., and behavioral traits, such as handwriting signature, voiceprint, gait, etc. (3) It is a technology that confirms a person's identity by comparing, in real time, the patterns of physical, physiological, biological, and/or behavioral characteristics of the person with registered computer records, templates, or models relating to those patterns. (4) It is a technology that uses measurable physical or behavioral characteristics of an individual and compares them to accurately verify or identify that individual. (5) It is the study of methods for the unique recognition of people based on one or more intrinsic physical or behavioral traits. (6) It is the identification of living beings based on physiological and/or behavioral characteristics. (7) It is the automated use of physiological or behavioral characteristics to determine or verify an identity.

 

Multimodal biometrics. Multibiometric systems

Multimodal or multibiometric biometric systems use information from different biometrics, such as fingerprints and hand shape, or fingerprints from different fingers on different hands, etc. Biometric data fusion can occur at different levels: (i) Sensor-level fusion with multiple sensors (e.g., capacitive and optical fingerprint detectors; or with different biometric features, such as a fingerprint sensor and a signature shape sensor on a tablet; or with different instances, such as the index and middle fingers; or with repeated instances, such as the index finger twice; or with different algorithms, such as one based on minutiae and another based on a filter bank). (ii) Feature extraction-level fusion. (iii) Comparison-level fusion. (iv) Decision-level fusion.

Multimodal biometric systems are gaining popularity every day due to their improved performance. In verification systems, they enhance accuracy, and in identification systems, they improve response speed. Multimodal biometric systems that combine uncorrelated modalities (such as fingerprint and face, or two fingers of the same person) offer better performance compared to those that combine correlated modalities (such as comparators of different fingerprints). Multimodal biometric systems can also capture fingerprints from the same finger at subsequent times.

fundamental requirements

The main biometric requirements for comparing different biometric systems are: (1) Universality. All people must possess the characteristic(s) used in the biometric system. A one-armed individual lacks a hand. (2) Uniqueness. It should be unlikely that two people share the biometric characteristic. Height, weight, hair color, or eye color are clearly not unique characteristics of individuals. (3) Permanence. The biometric characteristic used must be invariant over time. A fingerprint does not usually change over time except in the case of injury. DNA and iris patterns are the most invariant characteristics, followed by the retina, then hand and finger geometry, and the least permanent characteristic is voice, followed by typing style and signature. (4) Obtainability. It must be easy and discreet to obtain and collect quantitatively. (5) Performance. The technology used must be accurate, fast, and robust. (6) Non-negotiable. It must be impossible to circumvent or bypass. (7) Acceptable by the user. Accepted and approved technology that ensures in advance that it will not offend users. Selecting the right biometric is a complex problem involving more factors than just accuracy. It depends on cost, error rates, computing speed, acquisition capacity, privacy, and ease of use.

Security threat analysis of a generic biometric system

A threat is a potential event, intentional or unintentional, that can compromise the security integrity of a biometric system. The locations of the main threats that loom over any generic biometric system are specified in Figure 1 and are as follows:

(1) User-related threats. An authorized user unknowingly, reluctantly (coerced), or voluntarily (colluding) provides an imposter with their own biometric sample. Several scenarios can be identified:

(i) The imposter covertly captures a biometric sample of the authorized user, for example a voice recording, a photograph of their face, a fingerprint of a glass, etc.

(ii) The imposter steals a biometric sample from the authorized user, for example by cutting off an authorized user's finger or installing counterfeit biometric readers to capture biometric samples.

(iii) The authorized user voluntarily provides the imposter with their own biometric sample (confabulation).

(iv) The authorized user modifies their own biometric sample to facilitate an imposter attack (collusion).

(2) User threats to the capture subsystem. Several cases can be identified:

(i) The imposter presents their own biometric sample in an effortless attempt to impersonate: (a) A randomly selected authorized user. (b) Any user authorized for identification. (c) A selected weak biometric template. (d) An authorized user with a biometric sample similar to the imposter's, e.g., a monozygotic twin.

(ii) The imposter modifies their own behavior (voice, signature style) or physiology (face, hand) in an attempt to impersonate: (a) A selected authorized user. (b) A selected weak biometric template.

(iii) The imposter presents an artificial biometric sample (a fake fingerprint, a voice recording) attempting to impersonate: (a) A selected user. (b) A selected weak biometric template.
(iv) The imposter presents a noisy, poor or zero quality biometric sample attempting a comparison with a regular or weak quality biometric template.
(v) The imposter uses a residual biometric image left in the biometric system (usually a latent fingerprint) attempting to impersonate the last authorized user.

(vi) The imposter presents their own biometric sample after the imposter's biometric template has been: (a) Provided from a falsified personal data carrier, by illegally enrolled biometric system templates. (b) Illegally added directly to the storage database. (c) Illegally inserted directly into the comparison subsystem.

(vii) The imposter mounts a repeated attempt attack that is not detected through the audit logs.

(3) Threats related to the capture and extraction subsystems. Several cases can be identified:

(i) The imposter intercepts an authorized biometric sample during transmission between the feature capture and extraction subsystems.

(ii) The imposter inserts an authorized biometric sample directly into the feature extraction subsystem, for example using a replay attack, thereby bypassing the capture subsystem.

(4) Threats during verification related to the extraction and comparison subsystems. Several cases can be identified:

(i) The imposter intercepts the extracted biometric characteristics during transmission between the extraction and comparison subsystems

ii) The imposter inserts extracted biometric characteristics directly into the comparison subsystem.

(5) Threats related to template storage and the extraction subsystem during the registration process. Several cases can be identified:

(i) An authorized user presents a null, poor quality, noisy and highly variable biometric sample or modifies their own behavior or presents an artificial sample by attempting to register a weak biometric template.

(ii) An unauthorized user signs up: (a) Administrator error, e.g., credentials not properly verified. (b) The authorized user template is intercepted and replaced with an imposter template during the sign-up process.

(6) Threats related to template/BIR storage. Several cases can be identified:

(i) The imposter's biometric template is either: (a) Provided on a carrier of falsified personal data (e.g., a smart card), or (b) Illegally placed in the biometric system's template storage database; either a new authorized user account is created for the imposter, or the existing user template is replaced by the imposter's template.

(ii) The imposter steals an authorized user's biometric template from the template storage or another biometric system.
(iii) The attacker modifies or deletes the biometric templates from storage.
(iv) The imposter intercepts an authorized biometric template during transmission between the feature extraction and template storage subsystems.

(7) Threats related to template recovery. Several cases can be identified:

(i) The imposter intercepts an authorized biometric template during transmission between the template storage and comparison subsystems.

(ii) The imposter inserts his own biometric template directly into the comparison subsystem.

(8) Threats to the resource manager/administrator. Several cases can be identified:

(i) A hostile authorized user or imposter can acquire administrator privileges through: (a) Non-biometric means, such as coercion, password, backup system, alternative authentication method, or exception manipulation. (b) Biometric means as presented in this profile.

(ii) A non-hostile administrator (under duress or unintentionally) or a hostile authorized user or an imposter who has acquired administrator privileges: (a) Incorrectly modifies the comparison threshold. (b) Incorrectly modifies user privileges. (c) Is allowed unauthorized access to the template storage. (d) Is allowed unauthorized modification of the audit trail. (e) Enrolls an unauthorized user.

(iii) The administrator fails to properly review and respond to audit trail anomalies.

(iv) The attacker modifies the comparison threshold.

(9) Threats to policy/user management. Several cases can be identified:

(i) The imposter authenticates himself as an authorized user through non-biometric means such as coercion, collusion, password, backup system, alternative authentication method, or exception handling procedure.

(10) Threats to policy management. Several cases can be identified:

(i) Inadequate collection of audit data to detect attacks such as repetitive attempts.

(ii) The attacker modifies the user identifier

11) Threats to policy/portal management. Several cases can be identified:

(i) The attacker inserts an appropriate “grant privileges” signal directly into the portal, thereby bypassing the entire biometric system.

(ii) The attacker cuts off the power supply to the biometric system, which means either: (a) The system fails in “open” or “insecure” mode allowing unauthorized access or (b) The system fails in “closed” or “secure” mode not allowing authorized access, in this case the attacker would be achieving a denial of service or DoS attack.

(iii) The attacker overcomes the backup system, the alternative authentication method, or the exception handling process: (a) During normal operation or (b) After a secure mode system failure.

(12) Threats related to the portal. Several cases can be identified:

(i) The attacker gains unauthorized access with voluntary or involuntary assistance (coercion, collusion, piggybacking) to the privileges of an authorized user after the user has been authenticated.

(ii) The user gains access to unauthorized privileges after the privileges have been improperly modified.

(13) Threats to all hardware components. That is, threats to the biometric sensor, the portal hardware, the integrated circuits, the input/output hardware, the computer, etc. Several cases can be identified:

(i) The attacker alters, modifies, bypasses, or disables one or more hardware components.

(ii) The attacker exploits a hardware “backdoor”, design flaw, environmental conditions or failure mode.

(iii) The attacker floods one or more hardware components with noise, for example with electromagnetic or acoustic signals.

(iv) The imposter intercepts/inserts authorized biometric templates from one or more hardware components.

(14) Threats to all software/firmware components. Several cases can be identified:

(i) The attacker alters, modifies, bypasses or disables one or more executable software or firmware components.

(ii) The attacker exploits possible “backdoors” in the software or firmware (microprogramming), a capricious algorithm, a design flaw, or a failure mode.

(iii) A virus (malware or malicious code) is deliberately or accidentally introduced into the system.

(iv) The imposter intercepts/inserts authorized biometric templates from one or more software or firmware components.

(15) Threats to all connections, including network threats. Several cases can be identified:

(i) The attacker alters, modifies, bypasses or disables one or more connections between components.

(ii) The imposter intercepts or inserts a biometric template or sample while it is being transmitted between subsystems or components.

Final considerations

Our research group has been investigating biometrics for almost two decades. It has synthesized various mechanisms, analyzed deployments in diverse environments, and assessed potential threats, implementing corresponding countermeasures.


This article is part of the activities developed within the LEFIS-APTICE (funded by Socrates 2005-2007. European Commission ).


Author:

Prof. Dr. Javier Areitio Bertolín

Professor at the Faculty of Engineering. ESIDE.

Director of the Networks and Systems Research Group. University of Deusto.