Biometrics Week 2

Question 1

What is authentication?

Answer 1

Is the process of verifying or determining the user’s identity.
A natural recognition capability for human being.
Automated authentication assign the task of authentication to machine for greater security, efficiency, and convenience.

Question 2

Authentication can be?

Answer 2

Verification: Am I who I claim I am?
Or
Identification: who am I? (for finding a “wolves in a sheep clothes”)

Question 3

Authentication can be Based on Different Concepts:

Answer 3

Knowledge
Possession
Biometrics
Any combination of the three

Question 4

Knowledge Based Authentication

Answer 4

Something you know:
a password, pass-phrase, PIN…
Works reliably if they are not easily guesses, disclosed…

Question 5

Problem with Knowledge based Approach

Answer 5

Problem:
difficult to remember,
easily guessed by imposters
Can be stolen or forgotten
Can be shared: a limited degree of accountability with transferability of credentials.
More than 15% of people seem to write their PIN on their ATM card

Question 6

Possession Based Authentication

Answer 6

Something you have:
identity document, a token, a key, a card,..
Solve some of the problems with knowledge-based authentication forms:
No need to remember password
A limited degree of accountability with transferability of credentials.
The owner can tell if the card or token is stolen

Question 7

Problem with possession-based approach

Answer 7

Possession could be:
lost,
stolen
shared
misplaced
forgotten

Question 8

Benefits of Biometrics

Answer 8

Convenient: nothing to lose or remember
Can’t be guessed, stolen, shared or lost
Non-repudiation: Links an access to a person, not to a password or a card.
Protects against identity theft
Higher perceived degree of security

Question 9

Security Levels combos:

Answer 9

Know Have Are
Have Are
Know Have
Know

Question 10

Major Factors Influencing the Adoption of Biometrics

Answer 10

Security

Higher security through non-repudiation

Can not be stolen/ easily reproduced/guessed

Convenience

Integral and distinctive part of human being

Set it up once and forget about it

Cost/Technology

Higher return on investment through higher protection

Drop in the price of biometric sensors

The underlying technology is becoming more mature

Products have attained higher level of accuracy and throughput

Question 11

Why Convergence?

Answer 11

Streamlined Provisioning/de-Provisioning
Single Point of enrollment
Lowered risk of penetration
Ease of Use

Shared Credentials
Reduced Cost
Lowered risk of credential sharing

Common Security Policies
Improved Accountability
Better Audit capability
Policies commensurate with overall corporate objectives
Compliance with Regulatory Processes

Question 12

Biometrics Based Authentication

Answer 12

Biometrics = bio (life) + metrics (to measure)
Deals with automated methods of verifying or recognizing living persons based on their:
Biological characteristics (e.g., face, fingerprint, iris, hand geometry, retina)
Behavioral characteristic (e.g., signature, gait)
Combined (e.g., Voice)
No human involved in the authentication process
Should be done in real-time

Question 13

Criteria for a Biometric Solution to be Applied for Authentication

Answer 13

Universality or Availability
Every person should have the characteristic

Uniqueness or Distinctiveness
Different persons should have different characteristics
Also referred to as having the discriminatory power

Permanence or Robustness
The characteristic should be time invariant
Should not change with varying operating condition

Collectable or Accessibility
The characteristic should be measurable quantitatively within reasonable time frame

Performance
It should be practical to collect and measure, and it should give an acceptable identification rate.

Acceptability
Users should not have an objection to collect/measure

Circumvention
Should not be too easy to fool

Question 14

Applications of Biometrics Systems

Answer 14

Forensics
Government
Commercial

Question 15

Taxonomy of uses of Biometrics Systems

Answer 15

Positive identification
Verifies that the submitted sample is from an individual known to the system
exp. Access to a budlings, access to a mobile device,..

Negative identification
Exp. Verifies that the submitted sample is from an individual not known to the system
Exp. Uses for preventing duplicate in welfare.

Question 16

Basic Functions of a Biometric System

Answer 16

Capture
The process of measuring the biometric characteristics of a person using a sensing device

Process
The process of converting the biometric feature into a numeric format (template) that can be stored into the database

Enrolment
Registering a biometric template of a person in a database

Identification
Finding the template in a database that matches the live template at hand.

Verification
One-to-one process: matching a live template against a single stored template

Question 17

Voice

Answer 17

Different from speech recognition
Based on the analysis of voice patterns and characteristics such as pitch, tone,..
Voice signal is transformed and digitized
Speaker verification can be:
Text-dependent, text-independent, language independent, language dependent
Can be used for authentication over phone

Weaknesses
Background noise (airplanes)
Voice can be affected by the person’s health, emotion, …
It can be mimicked, recorded and re-played.
Lengthy enrollment
Attacks:
Tape recordings
Identical twins or people with sound-alike

Question 18

Facial Recognition

Answer 18

A very natural process to human being
Analyze the unique shape, pattern, and position of facial features
Can be based on still or video images
Face biometrics can be applied covertly, and without person’s cooperation

Question 19

2D Facial Recognition

Answer 19

A template can be created from a standard webcam
There is no contact with a sensor
Can be done from a far distance
Highly affected by lighting, position, eyeglasses, facial expressions
Relies heavily on controlled environment resulting in a high failure rate
Technologies for face recognition
Eigen face approach: Face appearance
Feature geometry: feature-based method
Neural network

Question 20

3D Facial Recognition

Answer 20

Uses real-time capture of three-dimensional images of a subject’s face
The uniqueness of the person’s cranio-structure (skull curvature,..) is extracted and stored as a biometric template
Not affected by lighting, background colors, facial hair or makeup,
Uses structured light in near-infrared range where a projector shoots an invisible structured light pattern onto the face, and a video camera records the pattern distorted by the face’s surface geometry
A 3D mesh of the face is created by means of triangulation

Question 21

Iris Recognition

Answer 21

Measures the features associated with the random texture of the colored part of the eye
Based in visible features i.e.
rings, furrows, freckles, and the corona
Requires cooperation from the user
Weakness:
fear and discomfort, proprietary acquisition devices.

Highly accurate
Very stable over-lifetime
It works perfectly even with glasses and contacts
It can be affected though by some diseases such as cataracts.

Question 22

Iriscode

Answer 22

Uses near infrared sensors at a distance of 6 inch to 2 ft
You can measure up to 255 unique features. Features and their locations are used to form the iriscode, which is the digital template
Iris picture can be captured using a normal CCD camera with a resolution of 512 dpi or higher
Different Iriscodes care compared using Exclusive OR

Question 23

Retina Scan

Answer 23

Based on the vascular structure at the back of the eye:
The pattern of blood vessels that emanate from the optic nerve and disperse throughout the retina depends on individuals and never change
An infrared light source is shone through the eye’s pupil to luminate the retina
Extremely accurate and secure
No two retinas are the same even for identical twins

It is considered intrusive, it can reveal some medical conditions, such as hypertension
Requires the user to remove eyeglasses
Long capture time, with 5-15 sec.

Question 24

Most Significant Test Measures of Biometrics Systems

Answer 24

False Matching Rate (FMR)
False Non-Match Rate (FNMR)
Failure to Enroll (FTE)
Equal-Error-Rate (EER)

Question 25

False Matching Rate (FMR)

Answer 25

Also referred to as False Acceptance Rate (FAR)
The ratio between numbers truly non-matching samples, which are matched by the system and total numbers of test.
It is the probability that a user making a false claim about her identity will be verified as that false identity
It usually tell you the strength of the matching algorithm

Question 26

False Non-Match Rate (FNMR)

Answer 26

Also referred to as False Rejection Rate (FRR)
The ratio between numbers truly matching samples, which are not matched by the system and total numbers of test.
It is the probability that a user making a true claim about her identity will be rejected as herself.
It usually tell you the accuracy and robustness of the matching algorithm

Question 27

Failure to Enroll (FTE)

Answer 27

It is the probability that a user attempting to biometrically enroll will be unable to.
Vendors usually use the Rule of Three.
It usually tell you the coverage for the population that the biometric system has.

Question 28

Equal-Error-Rate (EER)

Answer 28

The point on the error rate diagrams where the false match and false non-match are equal
Can be computed from the crossover point of FRR/FAR or using the Receiver Operating Characteristics (ROC).

Question 29

What is Convergence?

Answer 29

Formal Cooperation between (at least) two separate security functions
Streamlined Provisioning/de-Provisioning
Shared Authentication Credentials
Common Security Policies

Question 30

Where is Convergence?

Answer 30

Commercial
Proprietary Enterprise Systems
Federal
FIPS 201/PIV
Standards driven
Open interoperable system

Question 31

Physical Access Control

Answer 31

Support multi-factor authentication in many combinations
Fingerprint biometrics
Face biometrics
Proximity cards
Smart cards
Personal Identification Numbers (PIN)

Question 32

Logical Access Control

Answer 32

Multi-factor Authentication
Solution that uses a wide range of strong authentication methods.

Enterprise Network Logon
for desktop and network security.

Enterprise-level Single Sign On for
Windows and Web applications.

Managed by a robust and extensible Role- Based Access
Control Policy Engine.

Question 33

Common Credentials
/Policies) use?

Answer 33

Both physical and logical control

Question 34

Benefits – Converged System

Answer 34

Common policies across physical and logical access
Role-based Authorization
Harmonized security privileges

Centralized Enrollment Processes
Similar models for Commercial and Government systems

A range of Authentication Factors can be coordinated
Authentication factors can be “cascaded”
Events can be coordinated

Question 35

Smart Cards

Answer 35

Card with the capability to store and/or process information for a particular application

Can store financial, personal, and specialized information

Types of smart cards
Memory: only memory card;
more storage than the magnetic strip
Microprocessor: Memory, processor, and co-processor to support cryptography

Question 36

Driving Factors for the Smart Cards

Answer 36

Declining cost in the price of smart cards
From $15 in the 1980’s to couple of dollars in 2000, to sub-dollars now
Fears that magnetic strip cards can’t provide the necessary security against fraud and security breaches.

Question 37

Forms of Smart Cards

Answer 37

Smart cards come in two forms
Contact
Contact-less.
May contain its own battery,
Most of the times, the power is supplied by an inductive loop

Question 38

Contact Smart cards

Answer 38

Identified by its gold connector plate
ISO Standard (7816-2) defined eight contacts,
Though only 6 are actually used:

8 metallic pads on the surface:
Vcc: supply voltage - generally, 5 volts.

GND: ground reference

RST: Reset is the signal line that is used to initiate the state of card- Reset the microprocessor

Clock: used drive the logic of the IC (Clock Signal)

Vpp: used for the high voltage signal that is necessary to program the EPROM memory.

Serial input/output (SIO) connector: used to receive commands and interchanges data with the outside world.
2 RFU: reserved for future use.

Question 39

Smart Card Hardware

Answer 39

Microprocessor unit (MPU) 32-bit RISC

I/O Control: manage the flow of data in/out of the card
RAM: for temporary storage

ROM for Chip OS (COS) or Mask

EEPROM: Application memory
(Electrically erasable programmable ROM)
For permanent application data storage

Question 40

Chip OS (COS)

Answer 40

A Chip OS is required to:
Manage data in/out of the card
Manage of files
Access the data and function
Management of card security
Maintain reliability, interrupt, data consistency, error recovery

A COS can be
General purpose COS for all applications

Dedicated COS for specific applications

No standard COS

Question 41

Security Features of Smart Card

Answer 41

Card level protection by several passwords
Card get reset in case of hardware attack
File level security
Secret password based
A second password based
External authentication
Encrypted

Mutual authentication

Question 42

Mandatory – PIV Card Storage - Interoperability

Answer 42

Two Index Fingers
Templates generated from segmented 10-print enrollment images
Stored as ANSI/INCITS 378 templates
PIV Card fingerprint templates
Interoperable PIV Card fingerprint templates can only be read through the contact interface following entry of a PIN

Question 43

PIV Card Interoperability

Answer 43

PIV Card used for Logical and Physical Access
Logical Access primarily based on PKI
PIN required for access to private key and other data
Physical Access systems typically not configured for PKI
Physical Access systems typically based on contactless readers for throughput and durability

Questions/Concerns

How to achieve interoperability across both logical and physical access whilst meeting the demands of both environments?

Question 44

PAC Biometric Readers – contactless interface

Answer 44

Interoperable PIV Card fingerprint templates can only be read through the contact interface following entry of a PIN
However, the card holder unique ID (CHUID) can be read from the contactless interface and without a PIN
Also, Agency-specific data (biometric template) can be written to PIV Card and accessed via contactless interface
Can appropriate biometric PAC Scenarios for FIPS 201 be established using the CHUID and biometric template?

Question 45

PAC Biometric Readers – Operational biometric templates

Answer 45

SP 800-76, Sec. 1.2 states:
“…for both logical and physical access applications, and for applications using biometric data stored either on or off the PIV Card, this document neither requires nor precludes the use of:

The PIV Card fingerprint templates;
Specific authentication paradigms such as match-on-card;
Data from other biometric modalities (e.g., hand geometry, iris, etc.);
Data formatted according to other standards;
Data whose format is proprietary or otherwise undisclosed.”

Question 46

PAC Biometric Readers – PIN

Answer 46

Biometric Industry Association Viewpoint:
PIN entry is not necessary for Minutiae templates
Previous privacy issues related to full fingerprint images
Biometric Templates stored on PIV Card are digitally signed
A live version of the biometric sample is required for verification
Mutual Authentication between card and reader can provide template privacy

Consider 2-factor Authentication Use Cases with Contactless Access to PIV Card and Biometrics

Question 47

Summary scenarios

Answer 47

Read off slides

Question 48

Authentication can be Based on Different Concepts:

Answer 48

Knowledge
Possession
Biometrics
Any combination of the three

Question 49

Biometrics Based Authentication

Answer 49

Biometrics = bio (life) + metrics (to measure)
Deals with automated methods of verifying or recognizing living persons based on their:
Biological characteristics (e.g., face, fingerprint, iris, hand geometry, retina)
Behavioral characteristic (e.g., signature, gait)
Combined (e.g., Voice)
No human involved in the authentication process
Should be done in real-time

Question 50

Facial Recognition

Question 51

Most Significant Test Measures of Biometrics Systems

Answer 51

False Matching Rate (FMR)
False Non-Match Rate (FNMR)
Failure to Enroll (FTE)
Equal-Error-Rate (EER)

Question 52

Fingerprints how it works

Answer 52

Based on the ridges of the fingers
Very mature technology especially in forensic applications
Can use live-scan or inked impression

Question 53

Fingerprints consideration

Answer 53

Fingerprints don’t change over time

Things to consider:
Small population might not be able to use it because of cuts, scars, occupational requirement.
Requires a contact with a sensor
Highly associated with law enforcement

Attacks on Fingerprints
Finger decapitation
“Gummy” fingers
Defenses
Measure physical properties of a live finger (pulse, oxygen level).

Question 54

Friction Skin Anatomy

Answer 54

Minute ridges with furrows between them are present on the inside surface of hands and feet of human beings.

Such a structure, called friction skin, allows for:
Good grip
Good sense of touch
Exudation of perspiration

The structure and function of friction skin is different from other skin that covers our fingertips:
Not covered by hair
Does not contain oil glands
It contains a high concentration of nerve endings and sweat glands
A lack of pigmentation

Question 55

Permanence and Uniqueness of Fingerprints

Answer 55

Fingerprints are permanent marks on the skin. They are formed at the fetal stage and stay the same throughout lifetime.
Fingerprints of an individual are “unique” features of the individual; different person, even identical twins, have distinctive fingerprints.
Around 4% of the human population though might be born without fingerprints or their fingerprints might have deteriorated

Question 56

Applications of FP: Government

Answer 56

Criminal records
Finger prints for diplomats and military personnel
National identity card
E-voting

Question 57

Applications of FP: Forensic

Answer 57

Link a person to the crime place
Link person to previous records (history)

Question 58

Applications of FP: Civil and Commercial Applications

Answer 58

Banking
Welfare
Smartcards
Access Control
Time and Attendance

Question 59

Fingerprint Authentication System

Answer 59

Sensing
Feature extraction
Matching

Question 60

Fingerprint Sensing

Answer 60

Taking an imprint of the fingertip
On-line acquisition or off-line fingerprint acquisition using the ink-technique.
Nowadays, live-scan is the most widely fingerprint acquisition technique used.

Question 61

Off-Line Acquisition

Answer 61

Adv: possibility of producing rolled impression

Question 62

Specifications for a Good Fingerprint

Answer 62

Considerations
Resolution
Area
Dynamic range
Image quality
Signal to Noise

Question 63

FP Scanning: Scanners

Answer 63

Sweep and touch systems

Question 64

Live-Scan

Answer 64

3 Main categories:
Optical sensors
Solid-state sensors or silicon sensors
Ultra-sound sensors.

Additional
Multispectral
3-D touchless

Question 65

Feature Extraction

Answer 65

A fingerprint is produced when a fingertip is pressed against a smooth surface producing ridges (black in the picture) and valleys (white).

Question 66

Levels of Fingerprint Features

Answer 66

Level 1: refers to macroscopic patterns formed by the flow of the ridges
Level 2: refers to major ridge path deviations, also known as minutiae.
Level 3: refers to intrinsic or innate ridge formations: the alignment and shape of each ridge unit, pore shape, and relative pore positions).

Question 67

Level 1 Features–Singularities

Answer 67

Singularities are regions where ridges assumes distinctive shapes:
– Loop, delta, whorl, core

Question 68

FP Classification

Answer 68

Used as index for searching a large DB of fingerprints.
FP can be broadly classified into:
Left and right loop, whorl, Arch and tented Arch

Question 69

Fingerprint Class Distribution

Answer 69

5% of the FP have Arch type

65% of the FP have Loop type

30% of the FP have Whorl type

Question 70

Level 2: Minutiae.

Answer 70

Minutia: refers to various ways that a ridge can be discontinued
For each minutia, we keep:
the x,y coordinates
The angle of the tangent line to the ridge with the x-axix

The FBI model considers only termination and bifurcation minutiae

Question 71

Level 3: Sweat Pores

Question 72

Steps for Feature Extraction

Answer 72

Local Ridge Orientation
Local Ridge Frequency
Singularity Detection
Segmentation
Fingerprint Enhancement
Binarization
Thinning
Feature Extraction

Question 73

Fingerprints: Strength and advantages

Answer 73

Fingerprints are unique
Fingerprints are not time-variant
A very mature and proven core technology
It can provide a high level of accuracy
It can be deployed in a range of environments
Uses ergonomic and easy-to-use devices
Numerous sources (ten fingers) available for collection

Question 74

Fingerprints: Disadvantages or weaknesses

Answer 74

Associated with crime control/investigation
Require user cooperation
Cuts and scars will affect fingerprints
Sensor interoperability
Hygiene: Important to keep capture surface clean
Most devices are unable to enroll some small percentage of users

Question 75

What can we learn from a Speech?

Answer 75

Message,
Language,
Speech disorders/pathologies,
Emotional state, and
Speaker identity

Voice Biometric: Automated use of voice as the biometric trait to recognize speakers

Question 76

‘Speaker Identity’ in the Speech Signal

Answer 76

Physiological factors: Vocal tract characteristics, articulatory organs: dimension of vocal cavities, length of vocal tract and folds, etc.

Linguistic Habits: phonological, prosodic (emotional state of the speaker, sarcasm, focus,…), linguistic and semantic habits (influenced by geographic, family, socio-cultural and professional factors)

Question 77

Multiple Level of Speaker Individuality in a Speech

Answer 77

Idiolectal: how a speaker use a specific linguistic system
Considered as a linguistic pattern unique among speakers
Determining factors include:
Family, level of education, sociological, region,…

Phonotactics: describes the use by each speaker of the phonemes units and possible realizations available.

Not all languages have same phonemes
Key in foreign language training

Question 78

Advantages of Speaker Verification

Answer 78

Automatic and natural (unlike fingerprinting),
Low cost of input device: Can use standard microphone or telephone set
Low cost of processing using DSP technology,
Telemetric - Most suited modality over the telephone
User friendly - non-invasive, lacks the negative perceptions associated with other biometrics such as fingerprint
Can collect samples from uncooperative subjects.
Can be combined with challenge/response techniques

Question 79

Disadvantages of Speaker Verification

Answer 79

Affected by pathological changes in physical characteristics (cold)
Less unique than fingerprints, iris,, retina,…DNA.
more susceptible to replay attacks than other biometrics.
Its accuracy is challenged by low-quality capture devices, ambient noise, channel, distortion and so on.
Temporal drift
The large size of the template limits the number of potential applications.

Question 80

EXAMPLE QUESTIONS

Question 81

A natural recognition capability for a human being is known as?

Answer 81

AUTHENTICATION

Question 82

T or F Verification confirms who am I?

Answer 82

FALSE

Question 83

Authentication can be based off the following concepts:

Answer 83

Possesion
Biometrics
Knowledge

Question 84

What is not a problem for posssesiop based authetication compared to knowledge based?

Answer 84

No need to remember the password

Question 85

A major drawback of knowledge based?

Answer 85

Can be guessed by imposters

Question 86

Which of these options is not a biological characteristic: Gait. hand geometry, face, fingerprint

Answer 86

Gait

Question 87

T/F: In biometric authenttication no human is involved in the authetication process

Answer 87

True

Question 88

What is meant by Non-repudent in biometric system authetication

Answer 88

Access is linked to a person

Question 89

What is a predesesor to modern biometric systems/tech?

Answer 89

Antropometry

Question 90

Which of the following is not a criterion for biometric features: )Accesibility. Permanence. Circumvention, Universality)

Answer 90

Universality

Question 91

List 5 basic functions of biometric systems sequentially:

Answer 91

Capture, Process, Enrollment. Identification, Verification

Question 92

Verification is considered 1 to many T/F?

Answer 92

False

Question 93

Identification “ Am i who I claim to be?” T/F

Answer 93

False

Question 94

What is convergance in relation to biometric tech in support of identification and access control?

Answer 94

Formal cooperation between atleast 2 seperate security functions

Question 95

A key selling point of integration of biometric tech in access control/time and attendence measures is?

Answer 95

Clear return on investment

Question 96

Convergance allows for?

Answer 96

Streamlined provisioning. Shared credentials, common security policies

Question 97

Contact smart card ISO standard (7816-2) defined how many contracts?

Answer 97

8

Question 98

Contact smart card ISO standard (7816-2) , how many are actually being used?

Answer 98

6

Question 99

Chip OS is required for smart card tech to ensure?

Answer 99

Data access and functionality

Question 100

In implementing a biomtric solution when do u consider a smart card?

Answer 100

Security and confidentiality of the record is important

Question 101

What is not an advantage of smart card tech?

Answer 101

Scalability of the solution

Question 102

Smart cards under development can do all the processing on the card?TF

Answer 102

True