Biometric Authentication and IoT: Are they a match?

Andrea Choiniere
Senior Consultant, Identity Intelligence Group
E-mail [email protected] 10/19/2016

Copyright © 2016, Novetta Solutions, LLC. All rights reserved.

Biometric Authentication and IoT: Are they a match? · 2016/10/18

Agenda

• About Novetta
• Biometrics and Internet of Things (IoT) Defined
• IoT: Growth and Devices
• Transactions in the IoT
• Authentication Schemes: Advantages and Disadvantages
• Security Challenges
• Final Thoughts


About Novetta

Novetta is an advanced analytics company specializing in identity-focused subject matter expertise and technologies. Our interdisciplinary, diverse knowledge base and customized R&D capabilities enable us to solve customers’ complex problems.

✓ 15+ years of independent biometric integration, consulting, and research
✓ Advanced countermeasures to biometric sensor attacks
✓ Social and mobile identity management
✓ Open source intelligence from traditional and social media
✓ Network analysis, identity data discovery, and due diligence
✓ Cryptocurrency insights
✓ Virtual and online financial identity analysis, including commercial fraud monitoring
✓ Trade-offs inherent in remote identification schemes
✓ Specific use case consulting
✓ Anonymity / De-anonymizing research and enhancements


Biometrics and Internet of Things Defined

What are Biometrics?
• Broad term encompassing the study of measurable biological characteristics
• Within this context the focus is on biological characteristics (face, fingerprint, iris, voice) or behaviors (typing rhythms, site access patterns) that can:
  • Be measured in near real time
  • Be automatically compared to a previously collected reference measurement in near real time
  • And, upon comparison, provide a statistical measure of assurance that the presented sample is the same as the reference sample
• Separate from biometrics, there is device fingerprinting: the establishment of unique identifiers – probabilistic or deterministic – for non-biological physical items, electronics, or software.

What is the Internet of Things (IoT)?
• The group of internet enabled physical devices – aka connected or smart devices – embedded with some form of sensor, electronics, software, or actuator
• These devices are designed to collect, transmit, and receive data related to their own state and the state of their surrounding environment and neighboring devices


IoT: Growth and Devices

Projected growth varies:
• In 2013 Cisco predicted nearly 6 IoT devices per human by 2020 (graph)
• In 2015 Gartner Research predicted only 2.5 IoT devices per human by 2020 (report)
  • Variation due to slower adoption: Gartner saw only 4.9 billion devices in 2015

Image from: Cisco’s Securing the Internet of Things: A Proposed Framework, http://www.cisco.com/c/en/us/about/security-center/secure-iot-proposed-framework.html


Transactions in the Internet of Things

Machine - Machine
• True backbone of IoT
• Device to device communication without human interaction
  • Smart lock sends continual status info to home hub / smart phone app
  • Soil sensors send continual status info to irrigation controls
  • Baby monitor transmits feed for internet remote monitoring
• Data transmitted includes functionality/errors and either state of the current device (door is locked/unlocked) or state of the surrounds (soil moisture level, video feed)

Human - Machine
• User interaction either directly or indirectly with devices
• Direct interaction includes wearables and biometrically enabled locks
• Indirect interaction is often through smart phone apps or websites


Authentication Schemes

Authentication is the process of confirming identity – in IoT, identity confirmation of both the user and the device(s) is required

Common non-biometric schemes
• Identifier with or without password
  • Advantages: Simple, low cost (CPU-wise), easy to scale
  • Disadvantages: Creates common fail point - see DDoS attacks using Mirai
• PKI (asymmetric encryption based)
  • Advantages: More secure, backed by math, scales fairly well
  • Disadvantages: CPU expensive, encryption schemes become obsolete

Other non-biometric schemes
• Blockchain-backed tamper monitoring with device fingerprinting
  • Advantages: Low cost (CPU-wise), scales fairly well
  • Disadvantages: Private blockchain management centralizes records, requires ‘phoning home’ with device fingerprint


Biometric Authentication

Many modalities available in IoT
• Behavioral, physiological, cognitive; other emerging modalities
• Face, fingerprint, iris, voice

Multiple options of where to perform authentication
• Direct on IoT device
• Chip on card
• Smart phone

Potential to integrate passive, continual authentication
• Probe user during entire device interaction period, not solely during log-in
• Provide added assurance in longer sessions
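The passive, continual authentication described on this slide, as an added example that is not part of the original presentation: a session keeps an assurance value that is refreshed by each passive match score and ages between probes, and the session locks once assurance drops below a threshold. The class name, the threshold, the smoothing weight and the half-life are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class ContinualAuthSession:
    """Tracks assurance across a session from a stream of passive match scores."""
    threshold: float = 0.6     # assumed: below this the session is locked
    alpha: float = 0.5         # assumed: weight given to the newest probe
    half_life_s: float = 60.0  # assumed: assurance halves after this long unprobed
    assurance: float = 0.0
    last_t: float = 0.0
    locked: bool = True

    def login(self, t: float, score: float) -> bool:
        """Explicit log-in: one match score in [0, 1] opens the session if high enough."""
        self.assurance, self.last_t = score, t
        self.locked = score < self.threshold
        return not self.locked

    def _decayed(self, t: float) -> float:
        # Assurance ages: an old match says less about who is present now.
        return self.assurance * 0.5 ** ((t - self.last_t) / self.half_life_s)

    def probe(self, t: float, score: float) -> bool:
        """Passive probe during the session; True while the session stays open."""
        if self.locked:
            return False  # a locked session needs a fresh explicit log-in
        self.assurance = (1 - self.alpha) * self._decayed(t) + self.alpha * score
        self.last_t = t
        self.locked = self.assurance < self.threshold
        return not self.locked

    def is_open(self, t: float) -> bool:
        """Check without a new sample, e.g. before a sensitive command."""
        if not self.locked and self._decayed(t) < self.threshold:
            self.locked = True
        return not self.locked

def replay(events):
    """Run constructed (time, kind, score) events; return open/closed after each."""
    s = ContinualAuthSession()
    return [s.login(t, sc) if kind == "login" else s.probe(t, sc)
            for t, kind, sc in events]
```

In the constructed trace used to check this code, a single poor match in the middle of the session locks it, and a later good passive score does not reopen it without a new log-in.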


Biometric Authentication

Advantages
✓ Requires no user memory
✓ More seamless user interactions are possible
✓ Authenticator tied to individual’s body or behavior
✓ Local authentication is fast
✓ Biometric enabled devices (smart phones, wearables) are becoming more ubiquitous

Disadvantages
✓ Biometrics cannot be revoked
✓ Biometrics are not private and can be spoofed
✓ Limits non-enrolled authentication
✓ Biometric matching is probabilistic, accuracy depends on environment and user
✓ Often requires use of an app controlling the end IoT devices
✓ Does not address machine-machine transactions
✓ Does not preclude Man-in-the-Middle or Social Engineering attacks


Security Challenges

Verifying the user without verifying the IoT devices in the system
• Device trusts ‘home’ and displays a message to the user asking the user to update firmware by logging into a website
• Device trusts ‘home’ and sends signal of video feed to a new website address following diagnostic or debugging protocols

Providing authorization schemes in combination with authentication
• Not all users require full access to devices
• Monitoring versus controlling and status versus data

Allowing for varying levels of authorization based on user identity
• Decoupling device status and user privacy

Limited resources, power and memory, on devices limit viable solutions
• Many encryption schemes use too many resources for deployment
• Patching security flaws is hard due to low-bandwidth networks and intermittent connectivity
• New transport protocols require enhanced / new security measures
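One way a device could address the first two challenges together, as an added example that is not from the presentation: the device authenticates every message from ‘home’ before acting on it, rejects replays, and only then applies a per-role authorization check along the monitoring/controlling and status/data axes. The shared per-device key, the use of HMAC-SHA256 in place of PKI signatures, the message fields and the role table are all assumptions.

```python
import hashlib
import hmac
import json

# Assumed policy (hypothetical): the (action, resource) pairs each role may use.
# "monitor"/"control" and "status"/"data" follow the slide's two axes.
ROLE_PERMS = {
    "owner": {("monitor", "status"), ("monitor", "data"), ("control", "status")},
    "guest": {("monitor", "status")},
}

class Device:
    """Constructed IoT endpoint: authenticates its hub, then authorizes the user."""

    def __init__(self, hub_key: bytes):
        self.hub_key = hub_key   # per-device secret shared with the real hub
        self.last_counter = 0    # highest message counter accepted so far

    def handle(self, raw: bytes, tag: str) -> str:
        # 1. Machine-machine check: was this message produced by the hub?
        expected = hmac.new(self.hub_key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad hub signature"
        msg = json.loads(raw)
        # 2. Replay check: counters must strictly increase.
        if msg["counter"] <= self.last_counter:
            return "reject: replayed message"
        self.last_counter = msg["counter"]
        # 3. Authorization: the authenticated user's role bounds what is allowed.
        allowed = ROLE_PERMS.get(msg["role"], set())
        if (msg["action"], msg["resource"]) not in allowed:
            return "reject: role not authorized"
        return "accept"

def hub_send(key: bytes, counter: int, role: str, action: str, resource: str):
    """Build a message and its HMAC tag the way the (assumed) hub would."""
    raw = json.dumps({"counter": counter, "role": role,
                      "action": action, "resource": resource}).encode()
    return raw, hmac.new(key, raw, hashlib.sha256).hexdigest()
```

A message signed with any other key fails step 1 regardless of the role it claims, so user authentication alone never stands in for verifying the sender.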


Final Thoughts

Biometric Authentication is best suited for IoT applications where:

➢ The system doesn’t require high security
  • Consumer devices rather than critical infrastructure
  • Localized closed loop device sets

➢ The system has secure machine-machine protocols in place
  • PKI based authentication
  • Secured device fingerprinting
  • Encrypted data transfer

➢ Frequent additions to or changes of system users are not expected

➢ Alternate authentication methods can be provided
  • Not all users can use all biometric modalities


Questions during (or after) the presentation?

Andrea Choiniere
Senior Consultant, Identity Intelligence Group
Email [email protected]

Your speaker today: Andrea Choiniere

• 5 years’ experience in biometrics, biometric presentation attacks, online financial identity, fraud monitoring, and cryptocurrencies
• Has led multiple Novetta cryptocurrency and fraud monitoring-related projects for USG clients
• Co-authored 4 whitepapers on biometric presentation attacks and cryptocurrencies
• Recently spoke to the Financial Service Roundtable on: “Modernizing Payments: Blockchain”