Content of Figures
- Figure 1 Voiceprint image, from Shinoda Lab., Department of Computer Science, School of Computing, Tokyo Institute of Technology
- Figure 2 Trusted Execution Environment Architecture
- Figure 3 FAR vs. FRR and EER, from www.biometria.sk
- Figure 4 FAR/FRR
- Figure 5 Venn diagram of possible requirements to biometric solutions mapping
1 Executive Summary
Enterprises of all sizes and types experience cyber-attacks daily. Financial information, PII, patient health information, government data, and intel ...
- Biometric technologies are improving
- Smartphones have basic biometric capabilities built-in
- A myriad of 3rd party biometric authenticators are ...
3 Introduction to biometrics
Biometrics is the process of measuring and analyzing physical and behavioral characteristics of a human subject. For practical applications in securi ...
Password-based authentication is widely accepted as a weak form of assurance. Over the years, technologists have developed many different alternative ...
Fingerprint readers are standard on newer smartphones. There are 4 main methods for fingerprint analysis: optical, CMOS, ultrasound, and thermal; an ...
3.3 Facial recognition
Facial recognition technology relies on optical imaging for comparing the spatial geometry of subjects’ faces. Accuracy tends to improve with high ...
3.4 Iris recognition
Operationally, iris recognition is similar to facial recognition, in that both methods involve taking a photograph of the subject’s face. With iris ...
3.5 Voice recognition
Voice recognition combines physical and behavioral measurements. The physical aspect is the construction of the individual’s larynx and vocal cords ...
The suitability for voice recognition is affected by several factors: voices change with age, sickness, tiredness, and stress. Background noise also ...
3.6 Behavioral biometrics
Behavioral biometrics are technologies which measure differences in how users interact with the mobile device. Several types of behavioral biometric ...
4 The Smartphone as an Identity Platform
Smartphones are ubiquitous and computationally powerful. Many smartphones have Secure Elements and Trusted Execution Environments that allow for trus ...
4.1 Mobile push apps and out-of-band transaction confirmation
In the realm of online transactions, consumers are concerned about identity theft, one form of which is fraudulent use of payment card information. On ...
4.2 Derived PKI Credentials on mobile devices
Mobile devices, including both tablets and smartphones, are selling better than traditional PC platforms. It is natural for users to want to have the ...
Within the next 1-3 years, derived PKI credentials are likely to be used in many countries around the world. As of 2015, twenty-one countries in Euro ...
5 Standards for mobile authentication
Standards are imperative for security technologies, particularly those involving measurements. Technical standards promote interoperability between s ...
5.1 Fast IDentity Online (FIDO)
FIDO is a standard specification and protocol for strong mobile authentication to traditional web resources. FIDO’s architecture is client-server, ...
5.2 Global Platform secure storage and execution specification
As mentioned in section 4.2, the Global Platform standards organization defines specifications for:
- Secure Elements for protected storage, includi ...
5.3 FAR, FRR, EER, and measurements
Biometric accuracy is measured in terms of False Acceptance Rate (FAR) and False Rejection Rate (FRR). FAR and FRR are generally inversely proportion ...
In the US, NIST does perform biometric accuracy testing for vendors who submit their matching software for evaluation. An example of a successful tes ...
Mobile biometrics provide an opportunity to move away from passwords and improve usability. However, there are architectural, security, and privacy i ...
6.1 Local vs. Server-based biometric sample validation
Where biometric pattern validation occurs is an important design factor. Server-based biometric validation has the following advantages and disadvant ...
The risk of mobile device tampering can be reduced by using authentication apps that are designed to use SE and TEE.
Local validation of biometric s ...
When biometric samples are stolen from servers, administrators cannot revoke and re-issue fingerprints and faces. The risks of credential loss from s ...
6.2 Registration attacks
At first glance, biometric authentication technologies seem like bulletproof methods for reliably checking identities. But what if malicious actors c ...
6.3 Spoofing attacks and liveness detection
Biometric authentication methods can be defeated by spoofing attacks, that is, the presentation of copied samples to the sensor by unauthorized users. ...
6.4 Biometric method suitability by use case
Fingerprint authentication is both widely available and widely accepted as a form of biometric authentication. It can be used in a large number of us ...
In this table, H = High, M = Medium, L = Low. The ratings are on an A-F scale.
The FAR/FRR is a combined measure of false positives and false negat ...
6.5 Secrecy vs. Integrity
In traditional security paradigms, the secrecy of the authentication token is paramount. This is why passwords are supposed to not be shared, and pas ...
Biometrics have entered the mainstream as an authentication technology. Mobile devices have native biometric capabilities. Moreover, mobile devices ...
The circles are pre-requisites, having biometric capable smartphones, regulatory requirements, and enterprise policy requirements. The points of inte ...
- The Future Digital Identity Landscape in Europe, p. 3.
- The Future Digital Identity Landscape in Europe, p. 14.
- For a complete and up-to-date list of FIDO certified components and vendors, see https://fidoalliance.org/certification/fido-certified/