On security of multi-factor biometric authentication

This paper focuses on security and accuracy of multi-factor biometric authentication schemes that are based on applying User-Based Transformations (UBTs) on biometric features. Typically, UBTs employ transformation keys generated from passwords/PINs or retrieved from a token. In this paper, we argue that the effect of compromised transformation keys on authentication accuracy has not been tested rigorously, and that the widely reported claim in the literature that in the case of stolen keys, accuracy drops but remains close to the accuracy of biometric only system is based on false assumptions. We show that multi-factor authentication systems setup to operate at a zero or near zero EER can be undermined in the event of keys being compromised where the False Acceptance Rate reaches unacceptable levels. This research also demonstrates by experiments on iris, fingerprint, and face biometrics that probabilities of impostors with stolen keys being falsely accepted are 21%, 56%, and 66% respectively.

[1]  Libor Masek,et al.  MATLAB Source Code for a Biometric Identification System Based on Iris Patterns , 2003 .

[2]  E.E. Pissaloux,et al.  Image Processing , 1994, Proceedings. Second Euromicro Workshop on Parallel and Distributed Processing.

[3]  Hisham Al-Assam,et al.  A lightweight approach for biometric template protection , 2009, Defense + Commercial Sensing.

[4]  Andy Adler,et al.  Vulnerabilities in Biometric Encryption Systems , 2005, AVBPA.

[5]  H. Al-Assam,et al.  Improving performance and security of biometrics using efficient and stable random projection techniques , 2009, 2009 Proceedings of 6th International Symposium on Image and Signal Processing and Analysis.

[6]  Andrew Beng Jin Teoh,et al.  PalmHashing: a novel approach for dual-factor authentication , 2004, Pattern Analysis and Applications.

[7]  S. Kanade,et al.  Three factor scheme for biometric-based cryptographic key regeneration using iris , 2008, 2008 Biometrics Symposium.

[8]  David Zhang,et al.  An analysis of BioHashing and its variants , 2006, Pattern Recognit..

[9]  Anil K. Jain,et al.  Multibiometric systems: fusion strategies and template security , 2008 .

[10]  Sharath Pankanti,et al.  Filterbank-based fingerprint matching , 2000, IEEE Trans. Image Process..

[11]  David Zhang,et al.  Revealing the Secret of FaceHashing , 2006, ICB.

[12]  Loris Nanni,et al.  Empirical tests on BioHashing , 2006, Neurocomputing.

[13]  Pong C. Yuen,et al.  A hybrid approach for face template protection , 2008, SPIE Defense + Commercial Sensing.

[14]  Yongjin Wang,et al.  Face Based Biometric Authentication with Changeable and Privacy Preservable Templates , 2007, 2007 Biometrics Symposium.

[15]  Andy Harter,et al.  Parameterisation of a stochastic model for human face identification , 1994, Proceedings of 1994 IEEE Workshop on Applications of Computer Vision.

[16]  John Daugman,et al.  How iris recognition works , 2002, IEEE Transactions on Circuits and Systems for Video Technology.

[17]  Alessandra Lumini,et al.  Fingerprint Image Reconstruction from Standard Templates , 2007, IEEE Transactions on Pattern Analysis and Machine Intelligence.

[18]  David Chek Ling Ngo,et al.  PalmHashing: A novel approach for dual-factor authentication , 2004, Pattern Analysis and Applications.

[19]  Anil K. Jain,et al.  Biometric Template Security , 2008, EURASIP J. Adv. Signal Process..

[20]  Andrew Beng Jin Teoh,et al.  Biohashing: two factor authentication featuring fingerprint data and tokenised random number , 2004, Pattern Recognit..