SE-4063, Leveraging Fingerprint Biometric Authentication to Streamline Secure Access, by Sean Dyon...
Transcript of SE-4063, Leveraging Fingerprint Biometric Authentication to Streamline Secure Access, by Sean Dyon...
Jim Sullivan Sean Dyon
November 2013
Agenda
• BIO-key background
• The problems we solve
• Biometric Opportunity
• Architecture
• BIO-key + AMD + TrustZone
• FreeChoiceID
• The Biometric Debate
• US-Based - Headquartered in Wall, NJ with development labs in Eagan, MN
• Founded in 1993, public since 1997
• Fast, high accuracy fingerprint authentication and identification platform with device interoperability, and cloud ready infrastructure.
• Integrations and agreements with leading IAM and healthcare technology companies such as IBM, CA, Oracle, Allscripts & Epic
The leader in fingerprint biometric identification solutions
BIO-key International, Inc.
SOME COMMERCIAL CUSTOMERS
Commercial Customer Track Record
• AT&T – Retail store wireless network employee ID
• McKesson – Pharmaceutical dispensing cabinets in thousands of hospitals nationwide
• NCR (Radiant Systems) – 40,000 restaurant POS units & self service kiosks
• LexisNexis – ID verification and fraud prevention for all MCAT, CPA, FINRA and CAT examinees at 2000 Prometric testing centers worldwide – Realtime 5 year alias lookback
• Allscripts – (Healthcare solution provider) Electronic Health Record access solution
BIO-key value proposition
Fingerprint enabled endpoint devices plus BIO-key yields connectivity to existing enterprise IAM platforms and integrated enterprise applications
Frost & Sullivan recognizes BIO-key International, Inc. (BKYI) with the 2013 North America Frost & Sullivan Award for Competitive Strategy Innovation and Leadership.
The company exclusively offers mobile and Internet-based software solutions, giving it an unbeatable edge in the cloud-based fingerprint biometric solution market.
THE PROBLEMS WE SOLVE
Problem 1: Rapidly evolving Fingerprint Scanner Marketplace
• 2006 – Fujitsu EOLs fingerprint scanner, OEMs stuck
• Sept 2010 – Authentec acquires UPEK for 31M
• Nov 2012, Apple acquires Authentec for $356M, ceases offering OEM sensor modules
• October 2013 – Synaptics acquires Validity
• Rumors abound about who’s next
Who’s Left/Next?
Solution: Interoperable Software
• Insulates device manufacturers and ISVs from strict dependence on scanner specific software – reduces risk
• Offers NIST certification of accuracy, required for many regulated applications
• Allows for free interchange of scanners, and creates a longer-lived asset in the fingerprint enrollment
• Existing integrations with leading IAMs
BIO-key Supported Fingerprint Scanners
Problem 2: Algorithm Accuracy Letdowns
• Apple’s scanner hack raised the awareness of the vulnerability of having a poor algorithm.
• Most scanner manufacturers focus on the hardware image quality, and the software gets short shrift.
• The natural inclination is to make the thresholds for match low to create an easier-to-access result
[Diagram: Image Capture, Image Enhancement, Model Creation, Matching]
• BIO-key technology enhances each fingerprint 43X
• Extracts between 1,200 – 1,600 data-points vs. the norm of 50-60
• Mathematical template extracted using patented Vector Segment Technology
Positive Identification in One Second or Less
Patented Technology
False Non Match Rate
BIO-key Imprivata IDS Lockheed Avalon Parima
Averages 0.0113 0.1684 0.0179 0.0515 0.0133 0.0200
Equal Error Rate
BIO-key Imprivata IDS Lockheed Avalon Parima
Averages 0.0066 NA NA 0.0225 0.0067 0.0094
BIO-key achieves Top Tier Scores for Accuracy
Solution: Select a better algorithm
Accuracy is usability
NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. www.nist.gov
Table 1: TAR at FAR of 0.0001
Name | ID | DHS2 | DOS | POE
BIO-key | 2C | 0.9909 | 0.9978 | 0.9990
Sagem | 1C | 0.9908 | 0.9969 | 0.9988
L1 | 1Y | 0.9907 | 0.9994 | 0.9996
Sagem | 1H | 0.9905 | 0.9974 | 0.9989
ID Solutions | Q | 0.9874 | 0.9960 | 0.9975
Neuro | 1T | 0.9844 | 0.9951 | 0.9980
Thales | 1I | 0.9782 | 0.9920 | 0.9962
BioLink | 1E | 0.9748 | 0.9731 | 0.9880

Table 9: Equal Error Rates
Name | ID | DHS2 | DOS | POE
BIO-key | 2C | 0.0047 | 0.0012 | 0.0005
L1 | 1Y | 0.0051 | 0.0004 | 0.0004
Sagem | 1C | 0.0058 | 0.0017 | 0.0009
Sagem | 1H | 0.0062 | 0.0013 | 0.0008
BioLink | 1E | 0.0072 | 0.0113 | 0.0043
ID Solutions | Q | 0.0080 | 0.0023 | 0.0013
Thales | 1I | 0.0087 | 0.0036 | 0.0019
Neuro | 1T | 0.0089 | 0.0023 | 0.0014
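How the metrics in these tables (TAR at a fixed FAR, Equal Error Rate) depend on the match threshold, and why lowering the threshold for convenience raises false accepts. This is an added example, not from the slides or from BIO-key's software: the scores are constructed, and the 0-100 score scale and the accept rule (score >= threshold) are assumptions.

```python
import random

def constructed_scores(n=4000, seed=7):
    """Constructed similarity scores on a 0-100 scale (not data from the slides)."""
    rng = random.Random(seed)
    clamp = lambda x: max(0.0, min(100.0, x))
    genuine = [clamp(rng.gauss(85, 8)) for _ in range(n)]    # same finger compared
    impostor = [clamp(rng.gauss(30, 12)) for _ in range(n)]  # different fingers compared
    return genuine, impostor

def rates(genuine, impostor, threshold):
    """Return (FAR, FNMR) when a comparison is accepted if score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return far, fnmr

def equal_error_rate(genuine, impostor):
    """Scan integer thresholds; return (threshold, EER) where FAR and FNMR are closest."""
    def gap(t):
        far, fnmr = rates(genuine, impostor, t)
        return abs(far - fnmr)
    t = min(range(101), key=gap)
    far, fnmr = rates(genuine, impostor, t)
    return t, (far + fnmr) / 2

def tar_at_far(genuine, impostor, target_far):
    """Lowest threshold with FAR <= target_far; return (threshold, TAR = 1 - FNMR)."""
    for t in range(102):  # threshold 101 rejects everything, so the loop always returns
        far, fnmr = rates(genuine, impostor, t)
        if far <= target_far:
            return t, 1.0 - fnmr

if __name__ == "__main__":
    g, i = constructed_scores()
    t_eer, eer = equal_error_rate(g, i)
    t_strict, tar = tar_at_far(g, i, 0.0001)
    print(f"EER {eer:.4f} at threshold {t_eer}")
    print(f"TAR {tar:.4f} at FAR <= 0.0001 (threshold {t_strict})")
    # A threshold lowered for convenience: fewer rejections, more false accepts.
    print("threshold lowered by 20 -> FAR, FNMR =", rates(g, i, t_eer - 20))
```

With only 4,000 impostor comparisons a measured FAR of 0.0001 means zero observed false accepts, so a real evaluation at that operating point needs far more comparisons than this sample.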
Fact: BIO-key Far Outperforms Native Algorithms
Real World Performance Results
• Capture 1,500 to 2,000 points of data
• 40+ layers of image enhancement
• Validated by The National Institute of Standards & Technology (NIST)
• Superior “One to Many” identification

Month | Average ID Score | Successes | Failures | Success Rate %
November | 89.56 | 251,447 | 1661 | 99.34%

Staff ID# | Function | Quantity | Average ID Score | Low Score | High Score | Failures | Success Rate %
xxxxxxxxx | ID Submit | 5,999 | 92 | 52 | 99 | 0 | 100%

#4 Ranked Hospital 251,447 authentications with a 99.34% success rate
Problem 3: Inside the box thinking
If the only enabled application for the scanner authentication is to unlock the device, then the value to the user is limited.
Solution: IAM Solution Architecture
[Diagram labels: Cloud; User’s Device; Browsers; Applications; Utility Functions; Device Options; WEB-key Client; DataStore]
• CA – Validated SiteMinder Integration – Joined Cloud Commons
• On Sales and Solutions Catalogs
• IBM – Validated ISAM for Web Integration – OEM into ESSO
• Oracle – OAM Integration – OEM into ESSO
Integrated with WAM & ESSO
OpenID Flexible MF Authentication
[Diagram labels: RP; User; OpenID Client / Browser; Multi-Factor Auth Proxy; Biometric Client; SIM / UICC; OpenID Server; Multi-Factor Auth Layer (Server) / Master IdP; PWD Server; Biometric Proxy; Function AAA; Biometric Auth Server; SIM; HSS; UE; USER AUTH; BIOMETRIC USER AUTH; DEVICE AUTH]
BIOMETRIC OPPORTUNITY
[Chart: Biometric Market Growth, “From Millions to Billions”. Horizontal axis: years 2000 to 2014; vertical axis: 0 to 8000. Labels: Focus on WarLSID; Physical Access; Electronic Health Records Gov’t Incentive Program; DEA ePrescription Guidelines Approve Biometric Technology; $261M In 2000; Dot Com Crash; 9/11 Increased Need; L1 Investment Partners Biometrics Roll-up; Lockheed Martin Wins F.B.I; BIO-key & Morpho Bangladesh Voter ID; $6 Billion Dollar Market; Mobility, Mobile Banking & NFC; Government & Civil ID, Mainstream Consumer, Healthcare, Payments, Account Access; Traditional ID, Physical Access]
Light the fuse
1993 BBG Engineering – Seek to create fingerprint ID solution
1995 SAC Technologies – First Patent
1996 Company Publicly Traded
2000 – 2001 BIO-key Formed
2004 Acquire Public Safety Group; Acquire Aether Systems Mobile Gov’t Div.
2007 Sell Fire & Safety Division for $7.4M
2009 Sell Law Enforcement Division for $11.3M
2010 FBI Contract
2013 Hospitals, Blood Centers, Retail, IAM
2013: Tremendous Track Record
70+ Hospital EHR Systems
3,000+ Drug Dispensing Cabinets
3,000,000 Blood Donors
80,000,000 Large Scale ID Project
10 Registered Patents
The market we were built to address is the next market
Biometrics is a multi-phase market
• BIO-key is a software development company providing full and complete finger biometric solutions for local and enterprise use, including cloud ready server platforms.
• Software supports and provides interoperability for all major fingerprint reader manufacturers, devices and platforms.
• BIO-key provides a secure, web-based infrastructure supporting the most innovative finger scanning devices for remotely capturing fingerprint data to identify individuals
• BIO-key has targeted consumer markets with our platform, and we continue to innovate on how to make that platform meet all needs, including the privacy needs of the end customers.
This infrastructure quickly scales to any size, and can be accessed from any device with an internet connection using any supported fingerprint reader
Ambidextrous Biometric Approach
Yesterday’s market views biometrics as a point solution, responding to the opportunity to get creative with authentication with a myopic, fear-based approach. Some symptoms are:
• Ignorance of biometric enrollment lifecycle – “only match here in the device”
– This leads to non-interoperable algorithms being used, and vendor lock
• Thinking that the scanner technology is the only consideration
– Apple fell victim to this in putting all their eggs into the “market leading” sensor company without the algorithm chops behind it to really make an impact on security. Now they can’t let the data off the phone, and they were quickly hacked.
• Forgetting about the benefits of a highly trustworthy, long-lived biometric identity asset to associate an identity.
– Everyone is so focused on the print never leaving the phone. What if I already gave my fingerprint to my bank and they just want to match the person effectively standing there with a withdrawal slip, using the “you will know it’s me, if” metric?
• Missing the benefits of the frictionless authentication that biometrics offers (think of a doorman), focusing instead on a bristling authentication process that feels more like Checkpoint Charlie.
Yesterday’s Market vs. the Next Market
The Next market views biometrics as an asset – the more you have to associate with it, the more strategic it becomes. Positive indicators are:
• Broad use of biometrics, in different contexts – face to face, mobile, at kiosks, and at home. The questions being asked are “What about other applications?”
• Realizing that the scanner is going to be an evolving capture commodity – one size will not fit all!
– Don’t get hung up on the belief that there are any static truths about all fingerprint capture technology. The interoperable, highly accurate enrollment is the asset, and at the end of the day, only one person has the real finger that matches the enrollment.
• Biometrics can be your door man, making a secure entry easier to navigate
The Next market operates from a place of opportunity, offering identity security and businesses certainty by allowing your identity to be in a vault, not just watched over.
The Next market will leverage BIO-key’s privacy enhancing platform features to make biometrics palatable to all.
Yesterday’s Market vs. the Next Market
Identification…Anywhere, Anyplace, Anytime
ACCURACY
• Superior “One to Many” identification for de-duping
• Biometric indexing scalability
SPEED & SCALABILITY
• Integrates quickly with existing hardware & web applications
• Scalable over many servers, scale up and out
INTEROPERABILITY
• Device independence with a single enrollment
• Every major fingerprint reader manufacturer supported!
Key Differentiators
So what can Cloud Biometrics do?
• Works face to face when it’s just you wanting to prove who you are – not device dependent
– Really important when you lose your device
• One enrollment works across the Internet of Things, not trapped inside one device
So what can Cloud Biometrics do?
• Allows you to quickly and automatically prove who you are in the growing disintermediated economy
ARCHITECTURE
WEB-key
• Primary Features
– Complete Framework for Enrollment/Authentication
– Security Handling
– Reporting Functions
– Multi-Factor Support
– Flexible Administrative Properties
– Simple Integration
– Reader Independence
WEB-key Architecture
• WEB-key®
– Network / Application Security
– Strong Encryption
• PKI Elliptical Curve, Unique keys
– Thin Client Plug-in
• Browsers
• Applications
• Other
– Easy to Configure
– Adaptable User Interface
– Managed from Application
Run local or remote – your choice
[Diagram labels: User Device (Browser, Application, WEB-key Client, Cache); App Server (Application); App Server (Proxy); WEB-key Security Service; Data (Users, Audit, Config); WEB-key APIs]
BIO-KEY + AMD + TrustZone
TrustZone Integration
• BIO-key’s products are being integrated to leverage TrustZone on the client and the server.
– Trustonic as a bridge
WEB-key and TrustZone
[Diagram labels: User Device (Browser, Application, WEB-key Client, Cache); App Server (Application); App Server (Proxy); WEB-key Security Service; Data (Users, Audit, Config); WEB-key APIs]
FreeChoiceID – What is it?
BIO-key’s FreeChoiceID is a patent-pending technology solution to the longstanding problem of having to choose between trusting a recipient of sensitive data and not giving the data at all
Raises comfort levels of users, reduces liability of recipients
Has broad applications for any sensitive data given voluntarily to or held by any recipient who wants to offer users control over their data
Typical Biometric Repository
Traditional Protection
Single Key
Traditional Protection - Problems
• Requires enrollees to trust recipient’s privacy policy (if they even read it)
• Revocability – data is “out there”
• Data is subject to unintended access outside of policy
– Insider access
– Data theft
– Subpoena
– Snooping agencies
BIO-key FreeChoiceID: Per User Encryption + Per User Control
Each key is different, and is controlled by the user
FreeChoiceID – User remains in command of their private data
• Every request for access to secured data in the server has to first be approved by the data owner before a one-time use decryption key is sent to the server
– Always-on smartphone connectivity allows this
– Human created key can also be used.
• All decryption and matching may be placed in TrustZone to ensure that data access is limited and secure.
THE BIOMETRIC DEBATE
Widespread Myth = Fear
Many believe that a biometric system behaves like a password- or token-based system, in that possessing or knowing something empowers anyone to be an imposter for another person. This leads to concerns that a hacked database costs you your identity.
The Truth Will Set You Free
Biometrics in fact are just that, “measurements of you.” The measurements are of your finger ridge detail. The credential is your finger, not the fingerprint that it leaves behind. The key issue is ensuring confidence in a live capture of an actual finger. Only if we believe this is not possible to assure should we live in fear.
The Biometric Debate
Will FEAR or EFFICIENCY win out in the end? Could misconceptions about biometrics ultimately deny our economy the incredible benefits it conveys? Or will there be an understanding that the power of the cloud applies in biometrics, to ensure that only you can use your identity?
The Biometric Debate
Will FEAR or EFFICIENCY win out in the end? Is fear a valid reason to not transmit a biometric to a secure server which in most cases will already have your biometric data – because you want them to have it, to protect your ID? Aren’t there better ways for the government to track a person versus biometric matching?
Look to History for the Answer
“EZPass” Toll Transponders:
FEAR: The government will track you, issue speeding tickets
Reality: They may track you, but the benefit of cruising through tolls is worth it.
Look to History for the Answer
Electronic Devices on Planes during take-off
FEAR: Electronic activity might affect the plane’s electronics, or distract you in a crash.
Reality: These fears have been shown to be unfounded – airlines now allowing electronics gate to gate
Artificial market limitations projected onto consumers that are based solely on FEAR, not actual risk impact, will eventually be challenged and displaced in favor of greater efficiency and acceptance of managed risk.