Title: BIOMETRICS
1 BIOMETRICS: PRACTICAL APPLICATIONS AND CONSIDERATIONS
- ISACA KAMPALA CHAPTER
- 30TH MAY 2012
- AGUMA MPAIRWE B.A (HONS), CISA, CIA, FCCA.
2 PRESENTATION APPROACH
- DEFINITIONS
- KEY CONCEPTS
- APPLICATIONS
- KEY CONSIDERATIONS
- POINTS TO NOTE
- QUESTIONS
3 TO NOTE
- THIS PRESENTATION HAS BEEN PREPARED FOR EDUCATIONAL PURPOSES.
- ATTRIBUTION IS MADE TO PARTICULAR SOURCES OF INFORMATION, WHICH SHOULD BE RE-CHECKED FOR COMPLETENESS AS CONTENT MAY HAVE BEEN REDUCED FOR THE SAKE OF BREVITY.
4 DEFINITIONS
- BIOMETRICS: AUTOMATED METHODS OF DISCOVERING AN INDIVIDUAL BASED ON MEASURABLE BIOLOGICAL AND BEHAVIOURAL CHARACTERISTICS (SOURCE: BIOMETRICS.GOV)
- BIOMETRIC CHARACTERISTIC: A MEASURABLE PHYSIOLOGICAL OR BEHAVIOURAL TRAIT OF A LIVING PERSON, ESPECIALLY ONE THAT CAN BE USED TO DETERMINE OR VERIFY THE IDENTITY OF A PERSON IN ACCESS CONTROL OR CRIMINAL FORENSICS. (SOURCE: GARTNER GLOSSARY)
5 HOMELAND SECURITY PRESIDENTIAL DIRECTIVE (HSPD) 24
- BIOMETRICS FOR IDENTIFICATION AND SCREENING TO ENHANCE NATIONAL SECURITY.
- SIGNED BY PRESIDENT BUSH ON JUNE 5, 2008.
- ESTABLISHES A FRAMEWORK TO ENSURE FEDERAL DEPARTMENTS AND AGENCIES USE COMPATIBLE METHODS AND PROCEDURES IN THE COLLECTION, STORAGE, USE, ANALYSIS, AND SHARING OF BIOMETRIC AND ASSOCIATED BIOGRAPHIC AND CONTEXTUAL INFORMATION OF INDIVIDUALS IN A LAWFUL AND APPROPRIATE MANNER, WHILE RESPECTING PRIVACY AND OTHER LEGAL RIGHTS UNDER UNITED STATES LAW.
- (SOURCE: BIOMETRICS.GOV)
6 APPLICATIONS - UGANDA
- GENERAL: PHYSICAL ACCESS CONTROL, OFFICES (FINGER, THUMB).
- INTERNAL AFFAIRS: IMMIGRATION, AIRPORT IDENTIFICATION OF PASSPORT HOLDER; FINGER/PALM/FACE BIOMETRIC RECOGNITION.
- ELECTORAL COMMISSION: VOTER REGISTRATION.
- DRIVING PERMIT: DRIVER RECOGNITION.
7 APPLICATIONS - UGANDA
- VISA APPLICATION: UK VISA.
- FINANCIAL SERVICES
- CREDIT REFERENCE BUREAU: COMPUSCAN
- MICROFINANCE
- ATM: IN ADDITION TO ATM CARD/PIN
- POINT OF SALES TERMINALS
- MOBILE MONEY SERVICES: ENROLLMENT AND IDENTIFICATION AT CASHOUT
8 KEY CONCEPTS
- CLAIM OF IDENTITY: STATEMENT THAT A PERSON IS OR IS NOT THE SOURCE OF A REFERENCE IN A DATABASE; CAN BE POSITIVE (IN THE DATABASE), NEGATIVE (NOT IN THE DATABASE) OR SPECIFIC (I AM USER 123).
- COMPARISON: PROCESS OF COMPARING A BIOMETRIC REFERENCE WITH A PREVIOUSLY STORED REFERENCE TO MAKE AN IDENTIFICATION OR VERIFICATION DECISION.
- (SOURCE: BIOMETRICS.GOV)
9 KEY CONCEPTS
- ENROLLMENT: PROCESS OF COLLECTING A BIOMETRIC SAMPLE FROM AN END USER, CONVERTING IT INTO A BIOMETRIC REFERENCE AND STORING IT IN THE DATABASE FOR LATER COMPARISON.
- EQUAL ERROR RATE (EER): A STATISTIC USED TO SHOW BIOMETRIC PERFORMANCE. THE LOWER THE EER, THE HIGHER THE ACCURACY OF THE SYSTEM.
- (SOURCE: BIOMETRICS.GOV)
10 KEY CONCEPTS
- FAILURE TO ACQUIRE: FAILURE OF A BIOMETRIC SYSTEM TO CAPTURE AND/OR EXTRACT USABLE INFORMATION FROM A BIOMETRIC SAMPLE
- FAILURE TO ENROL: FAILURE OF A BIOMETRIC SYSTEM TO FORM A PROPER ENROLLMENT REFERENCE FOR AN END USER (TRAINING, SENSOR QUALITY).
- (SOURCE: BIOMETRICS.GOV)
11 KEY CONCEPTS
- FALSE ACCEPTANCE RATE: THE PERCENTAGE OF TIMES A SYSTEM PRODUCES A FALSE ACCEPT; AN INDIVIDUAL IS INCORRECTLY MATCHED TO ANOTHER INDIVIDUAL'S EXISTING BIOMETRIC. T2
- FALSE ALARM RATE: THE PERCENTAGE OF TIMES AN ALARM IS INCORRECTLY SOUNDED ON AN INDIVIDUAL WHO IS NOT IN THE BIOMETRIC SYSTEM'S DATABASE
- (SOURCE: BIOMETRICS.GOV)
12 KEY CONCEPTS
- FALSE REJECTION RATE: THE PERCENTAGE OF TIMES THE SYSTEM PRODUCES A FALSE REJECT. THIS OCCURS WHEN AN INDIVIDUAL IS NOT MATCHED TO HIS/HER OWN EXISTING BIOMETRIC TEMPLATE. T1
- ALGORITHM: A LIMITED SEQUENCE OF INSTRUCTIONS OR STEPS THAT TELLS A COMPUTER HOW TO SOLVE A PARTICULAR PROBLEM: IMAGE PROCESSING, TEMPLATE GENERATION, COMPARISONS, ETC.
- (SOURCE: BIOMETRICS.GOV)
13 KEY CONCEPTS
- VERIFICATION: A TASK WHERE BIOMETRIC SYSTEM ATTEMPTS TO CONFIRM AN INDIVIDUAL'S IDENTITY BY COMPARING A SUBMITTED SAMPLE TO ONE OR MORE PREVIOUSLY ENROLLED TEMPLATES; USED TO CONFIRM THAT INDIVIDUAL IS ENROLLED AND HAS CLAIMED AUTHORISATIONS - AM I WHO I CLAIM I AM? SYS ADMIN
- IDENTIFICATION: A TASK WHERE A BIOMETRIC SYSTEM ATTEMPTS TO DETERMINE THE IDENTITY OF AN INDIVIDUAL; A BIOMETRIC IS COLLECTED AND COMPARED TO ALL TEMPLATES IN THE DATABASE - WHO AM I?
- SOURCES: (MICHIGAN STATE UNIVERSITY ARTICLE, BIOMETRICS.GOV)
14 KEY CONCEPTS
- IDENTIFICATION CAN BE
- OPEN SET: PERSON NOT GUARANTEED TO EXIST IN THE DATABASE
- CLOSED SET: PERSON IS KNOWN TO EXIST IN THE DATABASE
- (SOURCE: BIOMETRICS.GOV)
15 KEY CONCEPTS
- FAILURE TO ENROLL RATE (FTER): NUMBER OF UNSUCCESSFUL ENROLLMENTS/TOTAL NUMBER OF USERS ATTEMPTING TO ENROLL.
- CROSS-OVER ERROR RATE (CER): A MEASURE REPRESENTING THE PERCENT AT WHICH FRR EQUALS FAR. THIS IS THE POINT ON THE GRAPH WHERE THE FAR AND FRR INTERSECT.
- THE CROSS-OVER RATE INDICATES A SYSTEM WITH GOOD BALANCE OVER SENSITIVITY AND PERFORMANCE.
- (SOURCE: ISACA)
16 FAR, FRR, CER COMPARISONS (SOURCE: ISACA)
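Added example (not part of the presentation or its ISACA source): the FAR/FRR trade-off and the cross-over point from the preceding slides, computed over constructed match scores. The score lists, the 0-100 scale and the rule "accept at or above the threshold" are assumptions.

```python
# Constructed similarity scores on an assumed 0-100 scale; higher = closer match.
GENUINE = [62, 70, 74, 78, 81, 84, 86, 90, 93, 97]   # users vs their own template
IMPOSTOR = [12, 20, 27, 33, 38, 45, 51, 58, 66, 72]  # users vs someone else's template


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: share of impostor comparisons accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: share of genuine comparisons rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)


def fter(failed_enrollments, users_attempting):
    """Failure to enroll rate: unsuccessful enrollments / users attempting."""
    return failed_enrollments / users_attempting


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every threshold and return (threshold, FAR, FRR) where the gap
    between FAR and FRR is smallest. With finite samples the two curves may
    not meet exactly, so the nearest point is reported."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(a - r) < best[0]:
            best = (abs(a - r), t, a, r)
    return best[1:]


if __name__ == "__main__":
    print("threshold   FAR   FRR")
    for t in (40, 55, 67, 80, 95):
        # A low threshold admits impostors; a high one rejects genuine users.
        print(f"{t:9d}  {far(t):.2f}  {frr(t):.2f}")
    t, a, r = crossover()
    print(f"cross-over at threshold {t}: FAR={a:.2f} FRR={r:.2f}")
    print(f"FTER, 3 failed of 200 attempting: {fter(3, 200):.3f}")
```

Moving the threshold away from the cross-over trades one error for the other: a physical access control may accept a higher FRR to keep FAR low, while a high-throughput queue may do the opposite.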
17 GENERAL APPLICATIONS
- AS A PHYSICAL ACCESS CONTROL
- AS A MECHANISM FOR LOGICAL ACCESS CONTROL
- IN LOGICAL ACCESS CONTROL: PART OF IDENTIFICATION AND AUTHENTICATION PROCESS
18 IDENTIFICATION AND AUTHENTICATION (I&A)
- IN LOGICAL ACCESS CONTROL SOFTWARE, IS THE PROCESS OF PROVING ONE'S IDENTITY
- IDENTIFICATION: MEANS BY WHICH USER PROVIDES CLAIMED IDENTITY
- HELPS ESTABLISH USER ACCOUNTABILITY
- FIRST LINE OF DEFENSE
- SOURCE: CISA REVIEW MANUAL 2003
19 IDENTIFICATION AND AUTHENTICATION (I&A)
- IS A TECHNICAL MEASURE THAT PREVENTS UNAUTHORISED PEOPLE (OR UNAUTHORISED PROCESSES) FROM ENTERING A COMPUTER SYSTEM
- I&A TECHNIQUES
- SOMETHING YOU KNOW: PASSWORD, STATIC PIN
- SOMETHING YOU HAVE: TOKEN CARD, PIN GENERATOR
- SOMETHING YOU ARE: BIOMETRIC CHARACTERISTIC
- SOURCE: CISA REVIEW MANUAL 2003
20 BIOMETRIC IDENTIFIERS
- PHYSIOLOGICAL AND BEHAVIOURAL
- FINGERPRINT
- FINGERVEIN
- PALM PRINT
- HAND GEOMETRY
21 BIOMETRIC IDENTIFIERS
- IRIS RECOGNITION
- RETINA RECOGNITION
- VOICE RECOGNITION
- SIGNATURE RECOGNITION
- FACE RECOGNITION
22 BIOMETRIC IDENTIFIERS
- KEYSTROKE DYNAMICS
- DNA? DEBATE, AS NOT PERFORMED BY AN AUTOMATED METHOD (BIOMETRICS.GOV)
- GAIT? IN DEVELOPMENT / PRACTICAL??
23 FINGER PRINT (SOURCE: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST), USA)
24 FINGERPRINT
- ADVANTAGES
- MULTIPLE FINGERS!
- EASY TO USE
- LOW STORAGE SPACE
- LARGE EXISTING DATABASES GLOBALLY FOR WATCHLIST CHECKS
- PROVEN EFFECTIVE OVER TIME
- DISADVANTAGES
- PUBLIC PERCEPTIONS: CRIMINAL CONNOTATIONS
- HEALTH CONCERNS: EBOLA, BIRD FLU
- AGE, OCCUPATION, WEIGHT GAIN, CUTS
- (SOURCE: BIOMETRICS.GOV)
25 IRIS (SOURCE: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, USA)
26 IRIS
- ADVANTAGES
- NO CONTACT REQUIRED
- HIGHLY STABLE OVER TIME
- DISADVANTAGES
- DIFFICULT TO CAPTURE - FOR SOME, TRAINING
- EASILY OBSCURED: REFLECTIONS FROM CORNEA, EYELIDS, EYELASHES
- PUBLIC FEARS OF SCANNING THE EYE WITH LIGHT SOURCE; INFRARED LIGHT USED TO ILLUMINATE IRIS (SOURCE: FINDBIOMETRICS.COM)
- LIMITED EXISTING DATA FOR WATCHLIST CHECKS
- (SOURCE: BIOMETRICS.GOV)
27 FACE
- ADVANTAGES
- NO CONTACT
- COMMONLY AVAILABLE SENSORS: CAMERA
- LARGE AMOUNTS OF EXISTING DATA
- EASY FOR HUMANS TO VERIFY RESULTS
- DISADVANTAGES
- OBSTRUCTION OF IMAGE BY HAIR, GLASSES, HATS.
- CHANGE OVER TIME
- (SOURCE: BIOMETRICS.GOV)
28 VOICE
- ADVANTAGES
- PUBLIC ACCEPTANCE
- NO CONTACT REQUIRED
- SENSORS COMMON: TELEPHONES, MICROPHONES
- DISADVANTAGES
- NOT SUFFICIENTLY DISTINCTIVE OVER LARGE DATABASES
- (SOURCE: BIOMETRICS.GOV)
29 DESIRABLE QUALITIES FOR EFFECTIVE BIOMETRIC TRAITS
- UNIQUENESS
- THE TWINS CHALLENGE
- PERMANENCE
30 BIOMETRIC ENROLLMENT
- ITERATIVE AVERAGING PROCESS.
- ACQUIRE BIOMETRIC SAMPLE (PHYSICAL/BEHAVIOURAL).
- EXTRACT UNIQUE FEATURES FROM SAMPLE
- FEATURES CONVERTED INTO MATHEMATICAL CODE
31 BIOMETRIC ENROLLMENT
- CREATION OF INITIAL TEMPLATE (DIGITAL REPRESENTATION OF THE BIOMETRIC)
- COMPARISON OF NEW SAMPLES WITH WHAT HAS BEEN STORED
- DEVELOPING FINAL TEMPLATE
- ENCRYPTION
- USE TO IDENTIFY USER
- (E.G. FINGERPRINT: LATENT V CONVENTIONAL. SOURCE: NIST, BIOMETRICS.GOV)
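Added example (not part of the presentation or its sources): enrollment by averaging repeated samples into a template, followed by the 1:1 verification and 1:N open-set and closed-set identification defined on the KEY CONCEPTS slides. The three-number feature vectors, the distance-based score, THRESHOLD and max_spread are assumptions; real systems use modality-specific features and matchers, and template encryption is not shown.

```python
import math

THRESHOLD = 0.9  # assumed decision threshold on the similarity score


def similarity(a, b):
    """Map the distance between two feature vectors to a score in (0, 1]."""
    return 1.0 / (1.0 + math.dist(a, b))


def enroll(samples, max_spread=0.5):
    """Average repeated samples into one template. Returns None (failure to
    enrol) when any sample lies too far from the average."""
    template = [sum(col) / len(col) for col in zip(*samples)]
    if any(math.dist(s, template) > max_spread for s in samples):
        return None
    return template


def verify(db, claimed_id, sample):
    """Verification (1:1): compare only with the claimed identity's template."""
    template = db.get(claimed_id)
    return template is not None and similarity(sample, template) >= THRESHOLD


def identify(db, sample, open_set=True):
    """Identification (1:N): compare with every template. Open set returns
    None when even the best match is below THRESHOLD; closed set assumes the
    person is enrolled and always returns the nearest identity."""
    best = max(db, key=lambda uid: similarity(sample, db[uid]))
    if open_set and similarity(sample, db[best]) < THRESHOLD:
        return None
    return best


# Constructed feature vectors standing in for extracted biometric features.
DB = {
    "user123": enroll([[1.0, 2.0, 3.0], [1.1, 2.0, 2.9], [0.9, 2.0, 3.1]]),
    "user456": enroll([[4.0, 1.0, 0.5], [4.1, 0.9, 0.5], [3.9, 1.1, 0.5]]),
}
PROBE = [1.05, 2.0, 2.95]   # fresh sample from user123
STRANGER = [2.5, 1.5, 1.5]  # someone who never enrolled

if __name__ == "__main__":
    print(verify(DB, "user123", PROBE), verify(DB, "user456", PROBE))
    print(identify(DB, PROBE), identify(DB, STRANGER))
    print(identify(DB, STRANGER, open_set=False))  # forced false match
```

Treating an open population as a closed set turns every unenrolled person into a false match against the nearest template, which is why the open/closed distinction matters for watchlist and border use.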
32 ADVANTAGES
- SECURE?
- CONVENIENT?
- CANNOT BE STOLEN?
- CANNOT BE FORGOTTEN
- DIFFICULT TO FORGE
- (SOURCE: SMARTCARDALLIANCE)
33 LIMITATIONS/VULNERABILITIES
- TEMPLATE SKIMMING
- NOT ALWAYS ACCURATE - FARs/FRRs
- 10% OF POPULATION HAVE WORN/CUT/UNRECOGNISABLE FINGERPRINTS!! (SOURCE: BIOMETRIC NEWSPORTAL)
- BIOMETRIC FEATURES MAY ALTER/DEGRADE WITH AGE, DISEASE, WEIGHT GAIN
34 LIMITATIONS/VULNERABILITIES
- SECURITY RISKS - CAR THEFT!!
- VOICE BIOMETRICS: BACKGROUND NOISE
- STORAGE AND TRANSMISSION: QUALITY LOSS
35 SOLUTIONS
- MULTIMODAL BIOMETRICS: USE OF MORE THAN ONE BIOMETRIC IDENTIFIER FOR INCREASED ACCURACY
- COMBINATION OF BIOMETRICS WITH PINS AND TOKENS
- SMARTCARDS: ICC, MEMORY, STORAGE OF BIOMETRIC TEMPLATES TO AVOID VERIFICATION AT LONG DISTANCE HOST
- (SOURCE: VARIOUS)
36 AUDIT AND CONTROL IMPLICATIONS
- AUDIT CONTROLS IN MATCHING TEMPLATES GENERATED TO OTHER DATA: CRIMINAL RECORDS, FINANCIAL DEFAULT HISTORIES
- IS AUDIT GUIDELINE: ISACA G36
- PRIVACY CONCERNS
- INTRUSIVENESS OF DATA COLLECTION
- HEALTH CONCERNS
- SKILL OF SYSTEM USE BY STAFF
- ROBUSTNESS OF TECHNOLOGY: RELIABLE
- COST OF DEPLOYMENT
- LEGISLATIVE AND REGULATORY COMPLIANCE
- RESISTANCE TO CHANGE/USE
37 PRACTICAL CONSIDERATIONS
- COST BENEFIT CONSIDERATIONS
- PRACTICALITY AND EFFICIENCY: AIRPORT QUEUES, VOTING PROCESSES.
- ACCURACY: FAR, FRR, EER
- CULTURE: GLOBAL COMPANIES!
- NON-CO-OPERATION, HEALTH CONCERNS
- (SOURCE: NIST, BIOMETRICS.GOV)
38 PRACTICAL CONSIDERATIONS
- WILL IMAGES BE COMPACT ENOUGH FOR EFFECTIVE TRANSMISSION ACROSS NETWORKS WITHOUT DEGRADATION?
- WILL IMAGES/TEMPLATES BE COMPACT ENOUGH FOR STORAGE ON SMART CARD?
- INTEROPERABILITY AND STANDARDISATION: IMMIGRATION FACE CAMERA AND FINGER PRINT CAPTURE TO SINGLE APPLICATION/DEVICE
- (SOURCE: NIST)
39 PRACTICAL CONSIDERATIONS
- INTEROPERABILITY ACROSS GOVERNMENT AGENCIES
- PRIVACY CONCERNS
- DATA SHARING - ACROSS JURISDICTIONS?
- LEGAL IMPLICATIONS?
- DATA STORAGE REQUIREMENTS
41 REFERENCES
- CIO MAGAZINE - http://www.cio.com/article/573113/Using_Biometric_Access_Systems_Dos_and_Don_ts?page3taxonomyId3092
- BIOMETRICS.GOV - http://www.biometrics.gov/
- 2003 CISA REVIEW MANUAL (2003). INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION.
- GARTNER IT GLOSSARY - http://www.gartner.com/it-glossary/biometrics/
- MULTIMODAL BIOMETRICS, BIOMETRIC NEWS PORTAL - http://www.biometricnewsportal.com/multimodal-biometrics.asp
- NEW NIST BIOMETRIC DATA STANDARD ADDS DNA, FOOTMARKS AND ENHANCED FINGERPRINT DESCRIPTIONS - http://www.nist.gov/itl/iad/biometric-120611.cfm
- SMARTCARD AND BIOMETRICS, SMARTCARD ALLIANCE - http://www.smartcardalliance.org/pages/publications-smart-cards-and-biometrics
- IRIS SCANNERS AND RECOGNITION - http://www.findbiometrics.com/iris-recognition/
- AN OVERVIEW OF BIOMETRIC RECOGNITION - http://biometrics.cse.msu.edu/info.html
- ISACA AUDIT GUIDELINE 36 BIOMETRICS - http://www.isaca.org/Knowledge-Center/Standards/Pages/IS-Auditing-Guideline-G36-Biometric-Controls.aspx