When I bring up biometrics as an authentication option to information technology professionals, there is usually a ‘favorite’ biometrics vulnerability story to tell, from the Mission Impossible recorded-voice playback scene to the widely publicized ‘gummi bear’ fake-finger report. These attacks seem etched in the minds of these professionals. The purpose of this blog, based on the February InfraGard TV Biometrics learning series, is to begin to talk about and categorize biometric threats, as well as the countermeasures that can or cannot be employed as part of a multi-factor authentication solution. The good news is that much work has been done over the past ten years by US and international standards bodies to define biometric threats and establish acceptable controls and procedures, including system countermeasures. I use those standards, along with other material, as supporting information for this talk. Unfortunately, a fee is required to download the standards regardless of an organization’s status. They are listed below as a reference:
ISO/IEC 24745 – Information Technology – Security Techniques – Biometric Information Protection. This 2011 standard provides guidance for the protection of biometric information under various requirements (confidentiality, integrity and renewability/revocability) during storage and transfer. It also describes requirements and guidelines for the security- and privacy-compliant management and processing of biometric information.
ISO 19092 – 2008 Financial Services – Biometrics – Security Framework, and its US version ANSI X9.84 – 2010 Biometric Information Management and Security for the Financial Services Industry. These standards describe controls, policies and procedures for using biometrics as an authentication mechanism for secure remote electronic access or local physical access control in the financial industry. The standards provide guidance applicable to other industries and are meant to be tailored to a particular implementation.
I start with the USER as a threat category for biometric authentication. On one hand, some users mistrust and shun biometrics associated with a government program; the issues surrounding fingerprints in the NY food stamps program are one example. On the other hand, many users today are prone to overly trusting internet applications with facial or other biometrics that are readily acquired via multi-modal interfaces. Users need a better understanding of, and tools/services to manage, their identities and the associated privacy and authorization privileges on a per-application basis.
The second threat category for biometric authentication is the APPLICATION. Biometric engines for the various modalities are available not just from vendors but as open source. Do application providers intend to use biometrics as a ‘toy’ or as a real security measure? Are there established privacy and use policies that won’t change on a whim or through the inevitable application ‘function creep’ over time? Application providers of all sizes need more understanding of, and access to, biometrics best practices.
The next threat category for biometric authentication is PERFORMANCE. In the November InfraGard TV learning series on biometrics technology, I talked more technically about the science of biometrics, including ‘What makes a good biometric’ for information security: that is, which traits are unique to the individual and, more significantly, distinct from those of other users in a large population who may pose as an impostor. The known accuracy of the engine is critical to the security design of a multi-factor authentication solution. If we expect a 97% accurate acceptance rate for the biometric factor as part of the multi-factor solution, then actual performance needs to be tracked and measured against at least the baseline performance expectations. Testing of the biometric engine for the targeted user set and environment is required of the engine provider prior to production deployment, as well as when the engine is expanded and improved over time.
The fourth threat category for biometric authentication is SYSTEM vulnerabilities and weaknesses at the system component level and/or during transmission. This category covers spoofing, data insertion, score manipulation, database compromise, hill climbing and threshold manipulation, which are broadly described here. In the 2011 biometrics sessions, I covered the basics of the biometric verification process from an architectural perspective. Biometric matching is a statistical process that compares user input to a registered biometric and produces a score. In simple terms, if there is a match (i.e. the score is above a prescribed threshold), then the claimed user’s biometric is verified as part of the overall authentication process. I included an abstract diagram of biometric system components, noting that designs vary as to where each component resides.
- Spoofing includes the replay of either raw biometric data (such as an audio recording) or biometric features extracted from the raw data, copied in as input to the biometric process. Since a raw biometric such as your voice is often public information, a user’s data can be obtained nefariously by hackers and used to fool the system into believing the user is present. ‘Liveness’ detection is therefore important to a real-time authentication process. Techniques such as challenge-response, which asks for randomized biometric input, can be used to combat spoofing, or the biometric can be combined with other processes and/or authentication factors to ensure liveness.
- Attacks that raise an impostor’s score to a passing score are another avenue of attack. Scores need to be maintained internally by the engine, and other methods of communicating the matching outcome back to the application should be employed instead of exposing a raw score.
- A database compromise of the biometric models is problematic, since the models are considered personal information even though they are generally produced by one-way processes. The above-referenced standard, ISO 24745, provides for renewability/revocability, which is particularly important for fixed biometrics such as a fingerprint.
- Hill climbing attacks are a form of brute-force attack in which a hacker repeatedly alters the biometric input while observing the score, until the score rises above the threshold and the impostor fools the system. Scores should be kept internal to the engine, as previously described, and verification attempts should be limited.
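To make the four system-level points above concrete, here is a small Python example added for this post; it is not the author’s code and not any vendor’s engine. It uses a constructed cosine-similarity matcher over eight-element feature vectors, a hypothetical threshold of 0.95 and a hypothetical cap of five attempts per claimed identity. verify_exposing_score shows the weak design that hands the raw score back to the caller; verify shows the hardened design that keeps the score inside the engine, counts attempts and rejects a bit-identical re-submission as a replay; and hill_climb_suspects scans the engine’s internal log for the rising-score footprint of a hill-climbing attempt.

```python
"""Toy biometric verification engine contrasting a score-exposing design with a
hardened one, plus a log check for the hill-climbing pattern.  All templates,
probes, thresholds and attempt caps below are constructed example values."""
import hashlib
import math
from dataclasses import dataclass, field

# Constructed sample data: an 8-dimensional feature vector stands in for an
# enrolled template.  Real engines use far richer representations.
ENROLLED = {"alice": (0.9, 0.1, 0.4, 0.7, 0.2, 0.8, 0.3, 0.6)}
GENUINE_PROBE = (0.88, 0.12, 0.41, 0.69, 0.2, 0.81, 0.3, 0.6)   # noisy re-capture of alice
IMPOSTOR_PROBE = (0.1, 0.9, 0.4, 0.2, 0.7, 0.3, 0.8, 0.6)       # unrelated sample
THRESHOLD = 0.95       # hypothetical operating point
MAX_ATTEMPTS = 5       # hypothetical per-identity attempt cap


def cosine(a, b):
    """Cosine similarity in [-1, 1]; the toy stand-in for a matcher's score."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm


@dataclass
class Engine:
    templates: dict
    attempts: dict = field(default_factory=dict)
    seen_probes: set = field(default_factory=set)
    log: list = field(default_factory=list)  # internal audit log, never returned to callers

    def verify_exposing_score(self, claimed_id, probe):
        """Weak design: the raw score leaves the engine, handing an attacker a
        gradient to climb and a value to tamper with in transit."""
        return cosine(self.templates[claimed_id], probe)

    def verify(self, claimed_id, probe):
        """Hardened design: cap attempts per claimed identity, reject an exact
        re-submission of an earlier sample, and return only accept/reject."""
        n = self.attempts.get(claimed_id, 0)
        if n >= MAX_ATTEMPTS:
            self.log.append((claimed_id, None, "locked"))
            return False
        self.attempts[claimed_id] = n + 1
        digest = hashlib.sha256(repr(probe).encode()).hexdigest()
        if digest in self.seen_probes:
            # A bit-identical sample is a replay signature: a live capture never
            # repeats exactly.  Reject without scoring.
            self.log.append((claimed_id, None, "replay"))
            return False
        self.seen_probes.add(digest)
        score = cosine(self.templates[claimed_id], probe)
        accepted = score >= THRESHOLD
        self.log.append((claimed_id, score, "accept" if accepted else "reject"))
        return accepted


def hill_climb_suspects(log, min_run=3):
    """Flag claimed identities whose consecutive rejected attempts carry strictly
    rising scores for at least min_run attempts: the footprint of an attacker
    nudging the input toward the threshold.  Reads the internal log only."""
    runs = {}       # claimed_id -> (last rejected score, current run length)
    suspects = set()
    for claimed_id, score, outcome in log:
        if outcome == "accept":
            runs.pop(claimed_id, None)   # a genuine success ends the run
            continue
        if score is None:                # replay/locked entries carry no score
            continue
        prev = runs.get(claimed_id)
        length = prev[1] + 1 if prev is not None and score > prev[0] else 1
        runs[claimed_id] = (score, length)
        if length >= min_run:
            suspects.add(claimed_id)
    return suspects


if __name__ == "__main__":
    engine = Engine(dict(ENROLLED))
    print("genuine:", engine.verify("alice", GENUINE_PROBE))           # True
    print("impostor:", engine.verify("alice", IMPOSTOR_PROBE))         # False
    print("replayed genuine:", engine.verify("alice", GENUINE_PROBE))  # False (replay)
    print("suspects:", hill_climb_suspects(engine.log))
```

Running the file as a script walks one identity through a genuine match, an impostor attempt and a replay of the genuine sample. The detection function reads only the engine’s private log, so the operator gets a view of the scores without the application ever seeing them, which is the separation the bullet points above call for.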
The top threat category for biometric authentication is at the ORGANIZATION level and concerns identity assurance during enrollment. Is the user being enrolled the authentic user? For higher-security applications, rigorous policies and procedures are needed to assure the enrollment. Industry guidelines or regulations for the integrity of the enrollment process, which authenticate the user before biometric enrollment credentials are accepted, should be followed.
In summary, biometric threats to multi-factor authentication solutions can be addressed through best practices. However, it is important to note that even the best multi-factor solution, delivering high levels of enrollment and verification security, does not necessarily protect against other attacks. For example, once the user is authenticated, he or she could become the victim of a man-in-the-middle attack if their machine is infected with malware obtained elsewhere. Layered security that includes secure authentication is what is required today.
Video segments of this talk can be found at Part One (http://www.youtube.com/watch?feature=endscreen&v=smSYaRCyhE8&NR=1) and Part Two (http://www.youtube.com/watch?v=YMQ8v5qQpXY&feature=related).
Author: Valene Skerpac (http://www.ibiometrics.com/Management_Skerpac.html)
Copyright protected 2012
