Biometrics

Sunday, April 4, 2010

SURVEY OF ISSUES


Choice of biometric system will depend on a host of issues:

  • What is the security level you need?
  • Will the system be attended or unattended?
  • Is it important that your system be resistant to spoofing? If so, how will you accomplish it?
  • Do you need the system to work 24 hours a day? If so, what are the protection and backup processes, and what are the cost implications of such protection?
  • How do you deal with persons who may be rejected or cannot use the system: persons without clear fingerprints or with skin diseases, blind persons?
  • Is the enrolment assisted? Have you considered the ergonomics: a convenient and accepted way of giving a sample?
  • The system requires a voluntary ("buying act") enrolment.
  • A sensor in a cellular phone has to be small in size.
  • Do you envisage a "signature token" system? How do you store the signature securely and reliably? What are the cost implications?
  • Privacy issues: a fingerprint system will be immediately trusted by people; is there any enforcement by the government?

The governing requirements of a biometric system are that it distinguishes an impostor from an authentic user, and that it verifies the supplicant's input against the stored template to accept or reject, with the desired level of reliability and accuracy. A tamper-resistant fingerprint reader and verification engine can help enhance security. However, fingerprint data sent in the clear can be intercepted and exploited, so in that case encryption has to be adopted.

Other issues are:

Once the digital fingerprint is stolen it remains stolen. However, later technologies test the 'liveness' of the finger, which can distinguish a forged fingerprint from a live one.

At the storage end of the service provider, cancelable biometrics, which distorts the biometric image or features before matching, allows a finger to be re-enrolled ('reused') even after its stored template has been stolen.
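The two ideas above, threshold-based matching of a probe against a stored template and cancelable templates that can be revoked after a leak, as an added, self-contained example (not code from the original post or from any of its references). It uses constructed 16-dimensional feature vectors in place of real minutiae, a toy transform (a keyed permutation plus sign flips) in place of a production cancelable-biometrics scheme, and a made-up server secret string; the `TemplateStore` class, its methods and the `demo` function are all hypothetical names introduced here.

```python
import hashlib
import math
import random

# Constructed toy data: a "fingerprint" is a 16-dimensional feature vector.
# A real matcher would extract minutiae; the vectors here only stand in for them.
FEATURE_DIM = 16
MATCH_THRESHOLD = 1.0  # accept a probe whose distance to the template is below this


def make_sample(identity_seed, presentation=0, noise=0.05):
    """Constructed finger features: one fixed vector per identity plus
    per-presentation sensor noise, so two scans of one finger differ slightly."""
    base_rng = random.Random(identity_seed)
    base = [base_rng.uniform(-5, 5) for _ in range(FEATURE_DIM)]
    noise_rng = random.Random(identity_seed * 1000 + presentation)
    return [v + noise_rng.gauss(0, noise) for v in base]


def derive_transform(user_id, revision, server_secret):
    """Derive a user- and revision-specific transform from a keyed seed.
    Toy transform: a secret permutation plus sign flips. It is orthogonal, so
    distances are preserved and the same threshold applies after transformation."""
    digest = hashlib.sha256(f"{server_secret}|{user_id}|{revision}".encode()).digest()
    rng = random.Random(int.from_bytes(digest[:8], "big"))
    perm = list(range(FEATURE_DIM))
    rng.shuffle(perm)
    signs = [rng.choice((-1.0, 1.0)) for _ in range(FEATURE_DIM)]
    return perm, signs


def apply_transform(features, transform):
    perm, signs = transform
    return [signs[i] * features[perm[i]] for i in range(FEATURE_DIM)]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class TemplateStore:
    """Service-provider side: stores only transformed templates, never raw features."""

    def __init__(self, server_secret):
        self.server_secret = server_secret
        self.records = {}  # user_id -> (revision, transformed template)

    def enrol(self, user_id, raw_features, revision=1):
        t = derive_transform(user_id, revision, self.server_secret)
        self.records[user_id] = (revision, apply_transform(raw_features, t))

    def verify(self, user_id, raw_probe):
        """Transform the fresh probe with the user's current transform and
        match in the transformed domain; the raw probe is never stored."""
        revision, template = self.records[user_id]
        t = derive_transform(user_id, revision, self.server_secret)
        return distance(apply_transform(raw_probe, t), template) < MATCH_THRESHOLD

    def revoke_and_reissue(self, user_id, raw_features):
        """After a template leak: bump the revision so a new, unrelated
        template is derived from the same finger."""
        revision, _ = self.records[user_id]
        self.enrol(user_id, raw_features, revision + 1)


def demo():
    store = TemplateStore(server_secret="constructed-server-secret")
    alice_enrol = make_sample(identity_seed=1, presentation=0)
    alice_probe = make_sample(identity_seed=1, presentation=1)    # same finger, new scan
    mallory_probe = make_sample(identity_seed=2, presentation=0)  # a different finger

    store.enrol("alice", alice_enrol)
    genuine_accepted = store.verify("alice", alice_probe)
    impostor_accepted = store.verify("alice", mallory_probe)

    stolen_template = store.records["alice"][1]  # a copy of the stored record leaks
    store.revoke_and_reissue("alice", make_sample(identity_seed=1, presentation=2))
    reissued_template = store.records["alice"][1]

    return {
        "genuine_accepted": genuine_accepted,
        "impostor_accepted": impostor_accepted,
        # the leaked template does not match the re-issued one ...
        "stolen_matches_reissued": distance(stolen_template, reissued_template) < MATCH_THRESHOLD,
        # ... but the same finger still verifies against it
        "genuine_still_accepted": store.verify("alice", alice_probe),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the genuine probe accepted, the impostor rejected, and, after revocation, the leaked template no longer matching while the same finger still verifies. Two caveats matter for a real deployment: the toy transform is invertible by anyone who learns the server secret, so the secret must be protected separately from the template store (production cancelable schemes aim for transforms that are hard to invert even with the key), and the acceptance threshold must be set from measured genuine and impostor score distributions, not picked by hand as it is here.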

One of the practical ways of defending against an attack using a stolen fingerprint, or a man-in-the-middle attack, is to have a multi-factor authentication system that requires repeated user interventions, e.g. password entry, a signature with the mobile phone acting as the verification device, followed by voice recognition.


References:

http://pagesperso-orange.fr/fingerchip/biometrics/types.htm
http://www.strassmann.com/pubs/searchsecurity/2002-4.php

Book:

Bruce Schneier, Secrets and Lies, Wiley (2004)
