Biometric Security

Question:

Give a brief discussion on biometric security.

Answer:

Introduction

Biometrics is a term used to collectively describe the psychological and behavioral characteristics that humans use to gain access to a system that provides automated recognition of the user. The modalities used in biometric systems include face, fingerprint, voice, signature, iris, hand geometry, vein pattern and so on. In addition to gaining physical access, as in the cases of ATMs, laboratories and buildings, biometric systems are also used for obtaining logical information and electronic documents.

Biometric systems operate in three steps. The first is obtaining biometric data through observation or collection using sensors. The second is conversion of the observed data into templates, a digital representation that is shared between modalities and vendors. The third is checking the received templates against the existing templates in the database to decide whether the user should be permitted, based on a matching score that has to be above a certain level. Besides the template check, some biometric systems also include liveliness detection, which provides assurance that the characteristics come only from a human and can thus prevent spoofing attacks (Kazimov & Mahmudova, 2015).

Biometrics is just one of the security tools available in the market, and it can only satisfy security needs in specific environments or circumstances. Thus, it is important to understand the operational requirements of a system in order to decide whether a biometric system would satisfy its security needs. Factors to take into consideration when deciding on the installation of a biometric system include location, task, risks, user count, circumstances of users, data used, and so on. Also, when choosing to implement specific modalities of a biometric solution, it is crucial to understand the maturity stage of the technology, the level of security it provides, the ease with which it can be installed and the factor of user convenience.

Background

A biometric system can be used for the security of an information system, and an array of existing technologies can be used for the prevention of dangerous attacks. These technologies can be used for verifying passengers crossing borders, controlling passport or visa regulations, and other types of recognition systems. The benefit of using a biometric system as part of a security strategy is that it is reliable and can provide maximum protection from unauthorized intruders. Simple applications like work entrance access systems and personal identification during payments have become very common in organizations for securing their processes and people's identities. Biometric systems can be used efficiently for applications or activities that require identification of people such that the wrong person is unable to gain access to objects or data.

Another area where high-security biometric systems play a crucial role is the prevention of terrorism. There are some clear advantages of biometric systems over other security procedures. Biometric signatures are not easy to forge and thus provide high reliability. Moreover, they cannot be forgotten or lost, as is possible when passwords are used for authentication. In the prevention of terrorism, the use of biometrics is increasing, and they are being used in airports, stadiums and other public facilities that are likely to face terrorist attacks.

Several countries in the European Union have also started to use it for e-passport creation, where citizen data about insurance card, driver's license, fingerprints, iris, bank accounts, etc. can be stored as electronic documents. In addition to the passport, several types of documents can now be used with biometric technology for storage, such as permission cards, credit cards, medical cards and so on.

However, when choosing a biometric system as a security tool, there are different parameters that have to be considered. Based on the security needs of a system, these parameters help a company decide which level of biometric protection is required, or whether it is required in the fallback mode in addition to another method of security.

While a biometric system can provide a reliable solution for the security of operating systems to a large extent, it can also face multiple kinds of attacks affecting the integrity of the authentication processes used by such systems. Attackers can obtain illicit information about individuals in these attacks, thereby affecting an operating system's performance and integrity. Thus, it is crucial to prevent such attacks, for which biometric systems should be provided with a high level of security.

Critical Analysis

FAR (False Accept Rate) & FRR (False Reject Rates)

FAR and FRR define the level of security a biometric system provides to an operating system. FAR is the probability of someone being recognized as authentic when they are not, and FRR is the probability of someone being rejected when he or she is actually an authentic user. Most biometric systems come with FAR and FRR in the range of 1 in 10,000 to 1 in 1,000,000. However, these rates may not hold in actual situations, because the measures assume truly random samples while actual hackers pick samples intelligently, and thus the actual FAR can be higher than that defined by the vendors of the solution. Attackers can use a copy of a valid user's characteristics to create fake characteristics that gain them access. Such an attack is called a physical spoof attack. Where attackers do not have a user sample, they can create fake characteristics by intelligent guessing, and as the guesses become more appropriate, the hacker's chances of getting in with fewer attempts increase. Dictionaries further help attackers in making random guesses more rapidly. Thus, a liveliness check can be useful, as it makes it more difficult for hackers to make guesses or attacks. Moreover, in addition to attacks using simple biometric characteristics, other types of attacks can happen against these systems, such as network attacks, cryptographic attacks, operating system attacks and so on, and these vulnerabilities must also be considered when deciding on the implementation and use of a biometric system (IAD, 2009).
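The following added example (not part of the original answer or any vendor's code) shows how the acceptance threshold trades FAR against FRR, and how a per-attempt FAR such as 1 in 10,000 compounds over repeated attempts, which gives a retry limit for a chosen risk budget. The scores are constructed, the function names are illustrative, and attempts are assumed to be independent and random.

```python
import math

# Constructed similarity scores in [0, 1]; not measurements from any real system.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.67, 0.84, 0.73, 0.90, 0.58, 0.86]
IMPOSTOR = [0.12, 0.33, 0.41, 0.25, 0.61, 0.18, 0.47, 0.29, 0.70, 0.36]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold counts as a match."""
    if not genuine or not impostor:
        raise ValueError("both score lists must be non-empty")
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def cumulative_far(far, attempts):
    """Chance that at least one of `attempts` tries is falsely accepted.

    Assumes independent, random attempts (the vendor test condition). Informed
    guessing does better than this, so treat the result as a lower bound.
    """
    return -math.expm1(attempts * math.log1p(-far))


def max_attempts(far, risk_budget):
    """Largest retry count keeping cumulative_far(far, n) <= risk_budget."""
    if not 0.0 < far < 1.0 or not 0.0 < risk_budget < 1.0:
        raise ValueError("far and risk_budget must be strictly between 0 and 1")
    return math.floor(math.log1p(-risk_budget) / math.log1p(-far))


if __name__ == "__main__":
    # Raising the threshold lowers FAR and raises FRR.
    for t in (0.50, 0.65, 0.75):
        far, frr = far_frr(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    # Retry limit that keeps the cumulative false-accept chance under 1%.
    for far in (1e-4, 1e-6):
        n = max_attempts(far, 0.01)
        print(f"FAR {far:g}: at most {n} attempts before lockout "
              f"(cumulative {cumulative_far(far, n):.4%})")
```

Because intelligently chosen samples beat the random-sample assumption, a deployed retry limit should sit below the figure this calculation returns.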

Classification, Modules & Components

Biometric systems are broadly divided into four categories, A, B, C and D, each with a different level of security. Based on these levels of protection, biometric security solutions can have different modules. A biometric system is usually made up of six components: portal, central controlling unit, input device, feature extraction unit, storage and matching algorithm.

Portal: A portal protects an asset by acting as the entrance or gate to a building. Access is provided at the gate only if the user is authenticated to use the asset inside the building.

CCU: Authentication request is received by a central control unit which returns the result of authentication upon checking the characteristics of the user.

Input device: An input device is used to collect the biometric data and while doing this, the input device needs to keep a check on the liveliness of user and quality of the data received.

Feature Extraction: The output of this module contains features that are suitable for the matching algorithm. This module also evaluates the quality of the data.

Storage: Biometric templates are stored in the database and the template received through processing would be matched with these stored templates keeping security threshold as criteria for authentication. Biometric templates may also be stored in user-held devices but a link is required to be established between user and the template in such a case.

Matching Algorithm: The current biometric characteristics received from the user are compared with the templates stored in the database at the desired security level, which acts as one parameter for the matching algorithm. If similarities are found between the two templates, the answer is yes for authentication.

Different levels of biometric systems have different manners of operation and different processes operating between these modules. Different levels include different sets of parameters in the solution, and these parameters include liveliness testing, tamper resistance, secure communication, security threshold level and fallback mode. Based on which parameters are available in the biometric system, it can be classified into one of four levels, each providing a different level of security.

Liveliness testing: The idea behind a liveliness test is to ensure that the person trying to gain access is actually a living human being and not computer-generated code, which makes it difficult for hackers to crack the data. However, if only a single tool is used for such testing, it can still be defeated by a hacker, and thus a combination of effective liveliness tests is required to ensure that the system works properly and the instances of intrusion are reduced.

Tamper resistance: If the biometric system is not supervised continuously by a human, tamper resistance has to be used so that no one can forge the data or misuse the biometric system in any manner by modification.

Secure communication: Different components of a biometric system can communicate with each other over an external medium, and thus this communication can be encrypted and authenticated so that a secured line is used between them for additional protection.

Security threshold level: A lower rate of false acceptance suggests a higher level of security of the biometric system and thus, this value has to be set as per the security goals of the IT system to be protected by the biometric solution.

Fallback mode: In several systems basic biometric authentication may be sufficient, but in certain systems it may not provide the security needed, and thus additional security methods may be added such that biometric authentication is only a part of the entire security system. In such cases, the biometric system activates in the fallback mode.

The levels, which contain different sets of these biometric parameters, are:

Level A or Level 1 (Very Simple Systems): These biometric systems provide a restricted level of protection with no live testing, and the system is also not tamper-resistant and thus can be cheated easily. The communication between different modules does not require any authentication. At this level, high false acceptance rates can be misused by hackers through trivial fake copies of biometric characteristics.

Level B or Level 2 (Simple Systems): At this level, communication between the different components of the biometric system is authenticated and encrypted. No live testing or tamper resistance is provided at this level, but it does provide sufficient authentication except in case the biometric system malfunctions. This biometric system is cheaper to install and does eliminate some easy attacks, but the system can still be cheated with fake biometric characteristics.

Level C or Level 3 (Intermediate Systems): At this level there is some liveliness testing, components are guarded against tampering, and the communication between components is encrypted and authenticated. This system can sustain moderate attacks, but advanced tampering or fake characteristic generation is still possible and can thus affect the security of the system.

Level D or Level 4 (Advanced Level): This is the highest level of security provided by a biometric system. It contains advanced liveliness test methods, and the components of the system are guarded against tampering through advanced techniques of protection. Moreover, communication between different components of the system is encrypted and authenticated. At this level, the security system can also resist professional attacks (Matas & Rıha, 2001).

Challenges of Biometric Security

Biometric systems with a false rejection rate below 1% are very rarely found. Although several biometric systems provide fast and accurate identification and reliable protection, their use is limited to identification and verification only. There are other limitations as well: hand-based systems are not appropriate for people who are handicapped, and similarly an iris recognition system cannot be used by people who are visually impaired. Thus, biometric systems also have to add capabilities for people in the FTE category, which can make them expensive, complicated and less secure.

Another challenge is that a biometric system cannot rely only on biometric characteristics, authenticating the user as soon as these characteristics are received; an added level of protection is required. Direct user authentication through the use of characteristics remains effective only when the user's information is fresh and collected from an authentic user. A biometric device has to be completely trusted while verifying a user. Additional protection can be provided in various ways, such as checking the liveliness of the user, keeping the input device under monitoring by a trusted human, or making the devices tamper-resistant.

There are also some technical and usage limitations in certain biometric systems. For instance, an optical print reader can be used only for a limited duration or has to be cleaned from time to time. Biometric systems can also violate the privacy of users, as they need to contain a lot of personal data about the user, as in the case of a DNA check, which may contain information about a disease a person is carrying that can be very useful to an insurance firm. Fingerprints can also display some sensitive personal information about the person, such as tendency of homosexuality, which can be assumed if the fingerprints are asymmetric. Some users may find biometric systems personally invasive or dangerous even when they are not.

Another problem is due to the lack of standards because of which different solutions from different vendors can have different specifications and may create difficulties in interoperability.

Conclusions

The paper discussed the concept of biometric security, the main considerations that are important when choosing a biometric system, the different levels of protection these systems offer, and how they work to provide different levels of security to a system. It was found that there are four levels of protection that contain different sets of security parameters, which can be decided based on the security needs of a system. In some cases, biometric protection is a fallback method such that additional protection parameters may also be used. Moreover, despite their protective capabilities, biometric systems can also fall prey to security attacks, and they need to be protected sufficiently. Also, there are some practical challenges that biometric applications may face, which have to be considered when making decisions on biometric protection. Although biometric protection technology has its own challenges, it still acts as a solid security tool when compared to other methods of security that are not so advanced, and thus biometric security methods are increasingly being used, especially in corporate and high-security areas like airports. However, there is still a lot of scope for improvements in biometric systems, which are likely to appear in the near future such that biometric protection can be further enhanced.

References

Apple could embrace biometric security. (2009). Biometric Technology Today, 17(4), 3. http://dx.doi.org/10.1016/s0969-4765(09)70161-4

Biometric Security secures new investment. (2006). Biometric Technology Today, 14(7-8), 6. http://dx.doi.org/10.1016/s0969-4765(06)70569-0

Biometric system security – Part 2. (2003). Biometric Technology Today, 11(3), 8-9. http://dx.doi.org/10.1016/s0969-4765(03)00318-7

Chirillo, J., & Blaul, S. (2003). Implementing biometric security. Indianapolis, IN: Wiley Pub.

Ignatenko, T., & Willems, F. (2012). Biometric security from an information-theoretical perspective. Boston: Now.

IAD. (2009). Biometrics Security Considerations. IAD.

Kazimov, T., & Mahmudova, S. (2015). The Role of Biometric Technology in Information Security. International Research Journal of Engineering and Technology (IRJET), 1509-1513.

IT security success for US-based biometric suppliers. (2002). Biometric Technology Today, 10(8), 3. http://dx.doi.org/10.1016/s0969-4765(02)00806-8

Khan, R. Biometric Security System. SSRN Electronic Journal. http://dx.doi.org/10.2139/ssrn.2401615

Matas, V., & Rıha, Z. (2001). BIOMETRIC AUTHENTICATION — SECURITY AND USABILITY. Czech Republic: Masaryk University Brno.

Safe Homes to offer biometric security. (2005). Biometric Technology Today, 13(7), 5. http://dx.doi.org/10.1016/s0969-4765(05)70365-9

Security. (2005). Washington, D.C.