Defending Biometric Security
Identity Locker
Ned Hayes, Founder
@nedworking / ned@identity-locker.com
Biometric Exploits are Here
• Biometric exploits are here now, and they can be pervasive
The Threats to Biometric Security
Biometric Exploits
• Fingerprints
• Facial Recognition
• Iris Scans
Fingerprints on Device
Just asking to be broken:
• Insecure storage on device
• Insecure storage in cloud
• On-device enclave easily hacked / not encrypted
Basic Exploit that actually works (on some Android phones)
• Etched PCB & Aluminum Foil (Starbug)
How to Hack Fingerprints
Update on Fingerprints
The Big Exploit (2018)
• DeepMasterPrints – Philip Bontrager & academic team at NYU
• A machine learning driven exploit that analyzed a number of fingerprints in order to build a 3D model fingerprint that matches a large portion of the fingers used for secure login on devices today.
Facial Recognition Exploits
• Facial scans work by matching characteristics of a face to a template enrolled in a DB.
Basic “blocks” on face recognizers are known:
• Adding obfuscation and visual confusion
• Even wearing a hat and sunglasses can muck up a facial scan
• Downside of most facial “obfuscation” hacks is that they can be recognized by other human beings
More advanced exploits to fake the results:
• Machine learning derived fake faces
• AI-driven creation of a face from multiple angles
• 3D printing of 3D faces, with fake liveness (hard to do, but academics have proven it’s doable)
How to Stop a Facial Scan: Obfuscation
Evolution of Facial Recog Exploits *
* Original work by Yi Xu, True Price, Jan-Michael Frahm, and Fabian Monrose, Department of Computer Science, University of North Carolina at Chapel Hill (USENIX Security)
How to Fake a Facial Scan: 3D Heads
• Reproduction of facial recognition areas only (higher fidelity)
Iris Scan Exploits
• Iris scans appear to be highly secure, because they scan a unique body part at high resolution.
However, they can be hacked:
• A contact lens can fake an iris
• Upload of an infrared scan of a person’s face (no access to reference data; instead, just an infrared scan of an eye at high res)
  • Requires technical expertise
• Newer hacks require a scan of the iris – hack of reference data
Iris Scan Exploits
• Examples:

Eye spy
By Chaim Gartenberg @cgartenberg May 23, 2017, 10:37am EDT
Hacker beats Galaxy S8 iris scanner using an IR image and a contact lens
Based on name alone, the futuristic iris-scanning feature on the Galaxy S8 sounds like it would be the most secure way to lock your phone. Hacker Jan Krissler, who goes by the name Starbug, shows in a recent video that, despite the impressive technology in unlocking your phone with your eyes, the security system can be beaten with a relatively low-tech hack.
As the video shows, Starbug is able to take an infrared picture of a person’s face using the night mode setting on a regular point and shoot camera. Print it out on an ordinary laser printer and it fools the camera by placing a contact lens over the image to give it the appearance of an actual human eye. While it certainly is a little more effort than, say,

Hacker Finds a Simple Way to Fool IRIS Biometric Security Systems
March 06, 2015 Swati Khandelwal
Biometric security systems that involve a person's unique identification (ID), such as Retinal, IRIS, Fingerprint or DNA, are still evolving to change our lives for the better even though the biometric scanning technology still has many concerns such as information privacy, and physical privacy.
In past years, Fingerprint security systems (https://thehackernews.com/2013/09/finally-iphones-fingerprint-scanner.html), which are widely used in different applications such as smartphones and judicial systems to record users' information and verify a person's identity, were bypassed several times by various security researchers, and now, the IRIS scanner is claimed to be defeated.
Veins / Palm Exploits
• Vein / palm scans were thought to be a highly secure alternative to fingerprints
• Turns out that these can be hacked as well (with reference data)
Attack Vectors for Biometrics
Biometric Identity Processing System
• Input Data (1)
  • Input Data (1a)
  • Reference Data (1b)
• Sensor (2)
• Software (3)
  • Matcher
  • Threshold
[Diagram: Input Data (1a) → Sensor (2) → Software (3): Preprocessing → Matching ← Database holding Reference Data (1b)]
Structure of this system originally outlined in this format by Starbug, 2014
3 Types of Attacks
• Attack the Input Data (1)
  • Input Data (1a)
  • Reference Data (1b)
• Attack using the Sensor (2)
• Attack the Software (3)
  • Matcher
  • Threshold
[Diagram: the same processing pipeline (Sensor, Software: Preprocessing, Matching, Database) with attack points (1a), (1b), (2) and (3) marked]
1. Attack Via Input Data
• Attack the Input Data (1)
  • Input Data (1a)
    • Most common attack vector: easiest and most accessible vulnerability
  • Reference Data (1b)
    • No attacks recently directly along this vector
    • But high-fidelity hacks require access to cracked original Reference data
[Diagram: Input Data (1a) entering the Sensor and Reference Data (1b) in the Database highlighted]
2. Attack Via Sensor
• Attack the Input Data (1)
  • Input Data (1a)
  • Reference Data (1b)
• Attack using the Sensor (2)
[Diagram: Sensor (2) highlighted in the pipeline]
3. Attack Via Software
• Attack the Input Data (1)
  • Input Data (1a)
  • Reference Data (1b)
• Attack using the Sensor (2)
• Attack the Software (3)
  • Matcher
  • Threshold
[Diagram: Software (3), Preprocessing and Matching, highlighted in the pipeline]
Defending Against Biometric Hacks
Multi-factor authentication
• BEST (NIRVANA): Multiple biometrics + identity face match / PIV-I card check, validation by an in-person check with an actual human (military grade)
• BETTER (BETTER FOR BUSINESS): Multi-factor authentication which includes but does not privilege biometrics – treats data knowledge as equivalent
  • Multiple biometrics + PIN / Login / Passcode
• GOOD (PRETTY GOOD SECURITY): Multi-factor biometric security which occurs simultaneously (pretty hard to hack all in sync)
  • Fingerprints + Facial Recognition + Iris + Audio Recognition
  • Note: Requires enrollment/login stations capable of handling multiple biometrics
High fidelity / Multi-finger enrollment
• Most fingerprint systems (on device) only collect and store a few millimeters of a fingertip.
• This small sample set is relatively easy to replicate and use in a hack.
• To prevent this hack, use a higher fidelity enrollment system that enrolls more area of the finger and more fingers on each hand.
[Figure: small on-device sample vs. collect much more data, match on many more points]
Facial Recognition
• Facial recognition systems also operate off a limited template
• Adding complexity to the input is useful - ensure you are capturing not only the front face, but also the side, the back, and as much movement as possible
• Add liveness detection + multi-angles
[Figure: limited template vs. collect much more data, match on many more points]
How to Prevent 3 Types of Attacks
• Complicate/Harden the Input Data (1)
• Provide Observation of Sensor (2)
• Harden the Software (3)
[Diagram: the processing pipeline with defense points (1a), (1b), (2) and (3) marked]
1. Harden/Complicate Input Data
• Complicate/Harden the Input Data (1)
  • Input Data (1a)
    • Add multiple biometrics that login simultaneously (not sequentially)
    • Require higher fidelity enrollment and more data from each biometric
    • Add more minutiae as input data
[Diagram: additional Input Data (1a) sources added in front of the Sensor]
2. Add Observation of Sensor
• Complicate/Harden the Input Data (1)
• Provide Observation of Sensor (2)
  • IDEAL – IN PERSON: Have an actual person observe both enrollments and login (this can be done remotely & off-shore)
  • RANDOM SCREENS: Randomly audit logins with human observation
  • AI OBSERVATION: Add a layer of observational video and AI to check humans at the enrollment station and actions at the station. Check multiple signifiers of actual human activity (voice, movement, approach to station, etc.)
[Diagram: Sensor (2) with an observation layer added]
3. Harden the Software
• Complicate/Harden the Input Data (1)
  • Communication Data (1a)
  • Reference Data (1b)
• Provide Observation of Sensor (2)
• Harden the Software (3)
  • THRESHOLD: ideal to raise the threshold to accommodate high fidelity logins (adds enrollment and login time, obviating some reasons to use biometrics in the first place)
  • PROCESSING: use hardened pre-processing with templates that provide encrypted matching algorithms / store templates securely
  • MULTI-FACTOR MATCHING: Match against multiple biometrics simultaneously, not just one input at a time.
[Diagram: Software (3) with Preprocessing and several parallel Matching stages]
A Hardened Biometrics System
More complicated, but much more secure
• Complicate/Harden the Input Data (1)
  • Includes multiple bio inputs
  • Enroll at higher fidelity / more minutiae
• Provide Observation of Sensor (2)
  • Includes observational data (actual human ideal)
• Harden the Software (3)
  • Higher threshold for enrollment/login
  • Includes encrypted template DB
  • Includes multi-factor matching
[Diagram: hardened pipeline with multiple Input Data (1a) sources, Reference Data (1b), observed Sensor (2) and Software (3) with parallel Matching stages]
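A worked illustration of the software hardening above (raised threshold scaled to higher-fidelity enrollment, multi-factor matching that refuses sequential presentation, and integrity-protected reference templates), written as an added example rather than code from the deck or from Identity Locker. The minutiae representation, the embeddings, the thresholds and the HMAC key placement are all constructed assumptions for the demo.

```python
"""Added example, not from the deck: a toy hardened matcher applying the three
software measures (threshold, simultaneous multi-factor matching, template integrity)."""
import hashlib
import hmac
import math
from dataclasses import dataclass

# Assumption: a real deployment keeps this key in an HSM/enclave, not in source.
TEMPLATE_MAC_KEY = b"constructed-demo-key"


@dataclass
class Template:
    modality: str  # "fingerprint" -> minutiae (x, y, angle_deg); others -> embedding
    data: tuple
    tag: str = ""

    def _mac(self) -> str:
        payload = f"{self.modality}:{self.data!r}".encode()
        return hmac.new(TEMPLATE_MAC_KEY, payload, hashlib.sha256).hexdigest()

    def seal(self) -> "Template":
        """Tag the reference data (1b) at enrollment so later tampering is detected."""
        self.tag = self._mac()
        return self

    def verify(self) -> bool:
        return hmac.compare_digest(self.tag, self._mac())


@dataclass
class Policy:
    min_minutiae: int            # floor on matched minutiae; raise it with enrollment fidelity
    min_fraction: float = 0.75   # matched / enrolled minutiae
    min_similarity: float = 0.9  # cosine score for face / iris embeddings
    window_seconds: float = 2.0  # all modalities must be captured together


def minutiae_score(enrolled, probe, tol_px=3.0, tol_deg=10.0):
    """Count enrolled minutiae that have a probe minutia at about the same place and angle."""
    matched = 0
    for x, y, a in enrolled:
        for px, py, pa in probe:
            angle_diff = abs((a - pa + 180) % 360 - 180)
            if math.hypot(x - px, y - py) <= tol_px and angle_diff <= tol_deg:
                matched += 1
                break
    return matched, matched / len(enrolled)


def cosine_score(enrolled, probe):
    dot = sum(a * b for a, b in zip(enrolled, probe))
    norm = math.sqrt(sum(a * a for a in enrolled)) * math.sqrt(sum(b * b for b in probe))
    return dot / norm if norm else 0.0


def decide(templates, samples, captured_at, policy):
    """Return (accepted, reason): every enrolled modality must pass, in one capture window."""
    missing = set(templates) - set(samples)
    if missing:
        return False, "missing modality: " + ", ".join(sorted(missing))
    if max(captured_at.values()) - min(captured_at.values()) > policy.window_seconds:
        return False, "modalities presented sequentially, not simultaneously"
    for name, tpl in templates.items():
        if not tpl.verify():
            return False, f"{name}: reference template failed integrity check"
        if tpl.modality == "fingerprint":
            matched, frac = minutiae_score(tpl.data, samples[name])
            if matched < policy.min_minutiae or frac < policy.min_fraction:
                return False, f"{name}: {matched} minutiae matched, below threshold"
        elif cosine_score(tpl.data, samples[name]) < policy.min_similarity:
            return False, f"{name}: similarity below threshold"
    return True, "accept"


# Constructed data: a 12-minutiae full-finger enrollment versus the 6-minutiae
# patch that a few millimetres of sensor would capture; embeddings are made up.
FULL_FINGER = tuple((10 * i, 7 * i % 50, 30 * i % 360) for i in range(12))
PATCH = FULL_FINGER[:6]
FACE = (0.9, 0.1, 0.4, 0.2)
IRIS = (0.3, 0.8, 0.5, 0.1)


def run_scenarios():
    low = {"finger": Template("fingerprint", PATCH).seal()}
    high = {"finger": Template("fingerprint", FULL_FINGER).seal(),
            "face": Template("face", FACE).seal(),
            "iris": Template("iris", IRIS).seal()}
    strict = Policy(min_minutiae=9)
    together = {"finger": 0.0, "face": 0.5, "iris": 0.7}
    one_by_one = {"finger": 0.0, "face": 30.0, "iris": 45.0}
    patch_probe = {"finger": PATCH, "face": FACE, "iris": IRIS}
    full_probe = dict(patch_probe, finger=FULL_FINGER)
    swapped = {k: Template(t.modality, t.data, t.tag) for k, t in high.items()}
    swapped["finger"].data = PATCH  # reference data (1b) altered after enrollment
    return {
        "patch_vs_low_fidelity": decide(low, {"finger": PATCH}, {"finger": 0.0}, Policy(min_minutiae=4)),
        "patch_vs_high_fidelity": decide(high, patch_probe, together, strict),
        "full_simultaneous": decide(high, full_probe, together, strict),
        "full_sequential": decide(high, full_probe, one_by_one, strict),
        "swapped_template": decide(swapped, full_probe, together, strict),
    }
```

The same six-point patch passes the low-fidelity, single-factor policy and fails the high-fidelity, three-factor one; presenting the factors one after another, or altering a stored template, is refused regardless of score.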
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Defending Biometric Security

  • 16. How to Fake a Facial Scan: 3D Heads
      • Reproduction of the facial recognition areas only (higher fidelity)
  • 17. Iris Scan Exploits
      • Iris scans appear to be highly secure, because they scan a unique body part at high resolution. However, they can be hacked:
      • A contact lens can fake an iris
      • Upload of an infrared scan of a person's face (no access to reference data; instead, just an infrared scan of an eye at high resolution)
      • Requires technical expertise
      • Newer hacks require a scan of the iris itself, i.e. a hack of the reference data
  • 18. Iris Scan Exploits
      • Examples (two news articles shown as screenshots on the slide):
        The Verge, "Hacker beats Galaxy S8 iris scanner using an IR image and a contact lens", by Chaim Gartenberg, May 23, 2017: Based on name alone, the futuristic iris-scanning feature on the Galaxy S8 sounds like it would be the most secure way to lock your phone. Hacker Jan Krissler, who goes by the name Starbug, shows in a recent video that, despite the impressive technology in unlocking your phone with your eyes, the security system can be beaten with a relatively low-tech hack. As the video shows, Starbug is able to take an infrared picture of a person's face using the night mode setting on a regular point-and-shoot camera. Print it out on an ordinary laser printer and it fools the camera by placing a contact lens over the image to give it the appearance of an actual human eye. While it certainly is a little more effort than, say, …
        The Hacker News, "Hacker Finds a Simple Way to Fool IRIS Biometric Security Systems", by Swati Khandelwal, March 06, 2015: Biometric security systems that involve a person's unique identification (ID), such as retinal, iris, fingerprint or DNA, are still evolving to change our lives for the better even though the biometric scanning technology still has many concerns such as information privacy and physical privacy. In past years, fingerprint security systems (https://thehackernews.com/2013/09/finally-iphones-fingerprint-scanner.html), which are widely used in different applications such as smartphones and judicial systems to record users' information and verify a person's identity, were bypassed several times by various security researchers, and now the IRIS scanner is claimed to be defeated.
  • 19. Veins / Palm Exploits
      • Vein / palm scans were thought to be a highly secure alternative to fingerprints
      • It turns out that these can be hacked as well (with reference data)
  • 22. Biometric Identity Processing System
      • Input Data (1)
        • Input Data (1a)
        • Reference Data (1b)
      • Sensor (2)
      • Software (3)
        • Matcher
        • Threshold
      [Diagram: Input Data (1a) and Reference Data (1b) → Sensor (2) → Software (3): Preprocessing → Matching → Database]
      Structure of this system originally outlined in this format by Starbug, 2014
  • 23. 3 Types of Attacks
      • Attack the Input Data (1)
        • Input Data (1a)
        • Reference Data (1b)
      • Attack using the Sensor (2)
      • Attack the Software (3)
        • Matcher
        • Threshold
      [Diagram: Input Data (1a) and Reference Data (1b) → Sensor (2) → Software (3): Preprocessing → Matching → Database]
  • 24. 1. Attack Via Input Data
      • Attack the Input Data (1)
        • Input Data (1a)
          • Most common attack vector: the easiest and most accessible vulnerability
        • Reference Data (1b)
          • No recent attacks directly along this vector
          • But high-fidelity hacks require access to cracked original reference data
      [Diagram: Input Data (1a) and Reference Data (1b) → Sensor → Software → Database]
  • 25. 2. Attack Via Sensor
      • Attack the Input Data (1)
        • Input Data (1a)
        • Reference Data (1b)
      • Attack using the Sensor (2)
      [Diagram: Input Data (1a) and Reference Data (1b) → Sensor (2) → Software: Preprocessing → Database]
  • 26. 3. Attack Via Software
      • Attack the Input Data (1)
        • Input Data (1a)
        • Reference Data (1b)
      • Attack using the Sensor (2)
      • Attack the Software (3)
        • Matcher
        • Threshold
      [Diagram: Input Data (1a) and Reference Data (1b) → Sensor (2) → Software (3): Preprocessing → Matching → Database]
  • 28. Multi-factor authentication
      • NIRVANA (BEST): Multiple biometrics + identity face match / PIV-I card check, validated by an in-person check with an actual human (military grade)
      • BETTER FOR BUSINESS (BETTER): Multi-factor authentication which includes but does not privilege biometrics; treats data knowledge as equivalent
        • Multiple biometrics + PIN / login / passcode
      • PRETTY GOOD SECURITY (GOOD): Multi-factor biometric security which occurs simultaneously (pretty hard to hack all in sync)
        • Fingerprints + facial recognition + iris + audio recognition
        • Note: requires enrollment/login stations capable of handling multiple biometrics
  • 29. High fidelity / Multi-finger enrollment
      • Most fingerprint systems (on device) only collect and store a few millimeters of a fingertip.
      • This small sample set is relatively easy to replicate and use in a hack.
      • To prevent this hack, use a higher-fidelity enrollment system that enrolls more area of the finger and more fingers on each hand.
      [Figure: small on-device sample vs. high-fidelity enrollment: collect much more data, match on many more points]
  • 30. Facial Recognition
      • Facial recognition systems also operate off a limited template
      • Adding complexity to the input is useful: ensure you are capturing not only the front of the face, but also the sides and the back, with as much movement as possible
      • Add liveness detection + multiple angles
      [Figure: limited template vs. collect much more data, match on many more points]
  • 31. How to Prevent 3 Types of Attacks
      • Complicate/Harden the Input Data (1)
      • Provide Observation of Sensor (2)
      • Harden the Software (3)
      [Diagram: Input Data (1a) and Reference Data (1b) → Sensor (2) → Software (3): Preprocessing → Matching → Database]
  • 33. 1. Harden/Complicate Input Data
      • Complicate/Harden the Input Data (1)
        • Input Data (1a)
        • Add multiple biometrics that log in simultaneously (not sequentially)
        • Require higher-fidelity enrollment and more data from each biometric
        • Add more minutiae as input data
      [Diagram: Input Data + (1a) and Reference Data (1b) → Sensor → Software → Database]
  • 34. 2. Add Observation of Sensor
      • Complicate/Harden the Input Data (1)
      • Provide Observation of Sensor (2)
        • IDEAL – IN PERSON: Have an actual person observe both enrollments and logins (this can be done remotely & off-shore)
        • RANDOM SCREENS: Randomly audit logins with human observation
        • AI OBSERVATION: Add a layer of observational video and AI to check the humans at the enrollment station and the actions at the station. Check multiple signifiers of actual human activity (voice, movement, approach to the station, etc.)
      [Diagram: Input Data (1a) and Reference Data (1b) → Sensor (2) → Software → Database]
  • 36. 3. Harden the Software
      • Complicate/Harden the Input Data (1)
        • Input Data (1a)
        • Reference Data (1b)
      • Provide Observation of Sensor (2)
      • Harden the Software (3)
        • THRESHOLD: ideally raise the matching threshold to accommodate high-fidelity logins (this adds enrollment and login time, obviating some of the reasons to use biometrics in the first place)
        • PROCESSING: use hardened pre-processing with templates that support encrypted matching algorithms; store templates securely
        • MULTI-FACTOR MATCHING: match against multiple biometrics simultaneously, not just one input at a time.
      [Diagram: Input Data (1a) and Reference Data (1b) → Sensor (2) → Software (3): Preprocessing → Matching → Database]
  • 38. A Hardened Biometrics System
      More complicated, but much more secure
      • Complicate/Harden the Input Data (1)
        • Includes multiple bio inputs
        • Enroll at higher fidelity / more minutiae
      • Provide Observation of Sensor (2)
        • Includes observational data (an actual human is ideal)
      • Harden the Software (3)
        • Higher threshold for enrollment/login
        • Includes encrypted template DB
        • Includes multi-factor matching
      [Diagram: Input Data (1a) and Reference Data (1b) → Sensor (2) → Software (3): Preprocessing → multiple Matching stages → Database]
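The "Multi-factor authentication" and "Harden the Software" slides call for matching several biometrics simultaneously behind a raised threshold. The Python below is an added example, not code from the deck or from Identity Locker: it models that decision rule (all modalities present, captured within one short window, weakest-modality score must clear the threshold) and measures the false-reject cost of raising the threshold that the slides warn about. The three required modalities, the two-second capture window and all similarity scores are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    modality: str       # "fingerprint", "face" or "iris"
    score: float        # matcher similarity to the enrolled template, 0..1
    captured_at: float  # capture time in seconds

# Assumed policy: all three biometrics must be presented in one login.
REQUIRED = ("fingerprint", "face", "iris")

def decide(samples, threshold=0.90, window_s=2.0):
    """Accept only if every required modality is present, all captures fall
    within window_s of each other (simultaneous, not sequential), and the
    fused score clears the threshold. Fusion takes the minimum score, so the
    weakest modality decides: a forgery has to beat all of them at once."""
    by_mod = {s.modality: s for s in samples}
    missing = [m for m in REQUIRED if m not in by_mod]
    if missing:
        return False, "missing modalities: " + ", ".join(missing)
    times = [by_mod[m].captured_at for m in REQUIRED]
    if max(times) - min(times) > window_s:
        return False, "captures not simultaneous"
    fused = min(by_mod[m].score for m in REQUIRED)
    if fused < threshold:
        return False, "fused score below threshold"
    return True, "accepted"

def error_rates(genuine, spoofed, threshold):
    """False reject rate over genuine sessions and false accept rate over
    spoofed sessions at one threshold, to see what raising it costs."""
    frr = sum(not decide(s, threshold)[0] for s in genuine) / len(genuine)
    far = sum(decide(s, threshold)[0] for s in spoofed) / len(spoofed)
    return frr, far

def session(fp, face, iris, t0=0.0, spread=0.5):
    """Constructed login session: three captures `spread` seconds apart."""
    return [Sample("fingerprint", fp, t0), Sample("face", face, t0 + spread),
            Sample("iris", iris, t0 + 2 * spread)]

# Constructed scores, not real matcher output.
GENUINE = [session(0.97, 0.95, 0.93), session(0.92, 0.96, 0.94),
           session(0.88, 0.97, 0.95)]          # last one: a poor finger capture
SPOOFED = [session(0.99, 0.40, 0.20),          # only the fingerprint forged well
           session(0.91, 0.87, 0.86),          # mediocre forgeries of all three
           session(0.94, 0.93, 0.95, spread=10.0)]  # presented one at a time

if __name__ == "__main__":
    for thr in (0.85, 0.90):
        print(thr, error_rates(GENUINE, SPOOFED, thr))
```

At 0.85 every genuine session passes but the all-three forgery slips through; at 0.90 it is rejected and the poor genuine capture is rejected too, which is the enrollment/login-time cost the slide mentions.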
  • 39. Defending Biometric Security Identity Locker Ned Hayes, Founder @nedworking / ned@identity-locker.com ™