biometric authentication and iot: are they a match? · 2016/10/18 · biometric authentication...
Copyright © 2016, Novetta Solutions, LLC. All rights reserved.
Biometric Authentication and IoT: Are they a match?
E-mail [email protected] 10/19/2016
Andrea Choiniere, Senior Consultant, Identity Intelligence Group
novetta.com
Agenda
• About Novetta
• Biometrics and Internet of Things (IoT) Defined
• IoT: Growth and Devices
• Transactions in the IoT
• Authentication Schemes: Advantages and Disadvantages
• Security Challenges
• Final Thoughts
COMPANY PROPRIETARY
About Novetta
Novetta is an advanced analytics company specializing in identity-focused subject matter expertise and technologies. Our interdisciplinary, diverse knowledge base and customized R&D capabilities enable us to solve customers’ complex problems.
✓ 15+ years of independent biometric integration, consulting, and research
✓ Advanced countermeasures to biometric sensor attacks
✓ Social and mobile identity management
✓ Open source intelligence from traditional and social media
✓ Network analysis, identity data discovery, and due diligence
✓ Cryptocurrency insights
✓ Virtual and online financial identity analysis, including commercial fraud monitoring
✓ Trade-offs inherent in remote identification schemes
✓ Specific use case consulting
✓ Anonymity / De-anonymizing research and enhancements
Biometrics and Internet of Things Defined
What are Biometrics?
• Broad term encompassing the study of measurable biological characteristics
• Within this context the focus is on biological characteristics (face, fingerprint, iris, voice) or behaviors (typing rhythms, site access patterns) that can:
  • Be measured in near real time
  • Be automatically compared to a previously collected reference measurement in near real time
  • And, upon comparison, provide a statistical measure of assurance the presented sample is the same as the reference sample
• Separate from biometrics, there is device fingerprinting: the establishment of unique identifiers – probabilistic or deterministic – for non-biological physical items, electronics, or software.
What is the Internet of Things (IoT)?
• The group of internet enabled physical devices – aka connected or smart devices – embedded with some form of sensor, electronics, software, or actuator
• These devices are designed to collect, transmit, and receive data related to their own state and the state of their surrounding environment and neighboring devices
IoT: Growth and Devices
Projected growth varies:
• In 2013 Cisco predicted nearly 6 IoT devices per human by 2020 (graph)
• In 2015 Gartner Research predicted only 2.5 IoT devices per human by 2020 (report)
  • Variation due to slower adoption: Gartner saw only 4.9 billion devices in 2015
Image from: Cisco’s Securing the Internet of Things: A Proposed Framework, http://www.cisco.com/c/en/us/about/security-center/secure-iot-proposed-framework.html
Transactions in the Internet of Things
Machine - Machine
• True backbone of IoT
• Device to device communication without human interaction
  • Smart lock sends continual status info to home hub / smart phone app
  • Soil sensors send continual status info to irrigation controls
  • Baby monitor transmits feed for internet remote monitoring
• Data transmitted includes functionality/errors and either state of the current device (door is locked/unlocked) or state of the surrounds (soil moisture level, video feed)
Human - Machine
• User interaction either directly or indirectly with devices
• Direct interaction includes wearables and biometrically enabled locks
• Indirect interaction is often through smart phone apps or websites
Authentication Schemes
Authentication is the process of confirming identity – in IoT, identity confirmation of both the user and the device(s) is required
Common non-biometric schemes
• Identifier with or without password
  • Advantages: Simple, low cost (CPU-wise), easy to scale
  • Disadvantages: Creates common fail point - see DDoS attacks using Mirai
• PKI (asymmetric encryption based)
  • Advantages: More secure, backed by math, scales fairly well
  • Disadvantages: CPU expensive, encryption schemes become obsolete
Other non-biometric schemes
• Blockchain-backed tamper monitoring with device fingerprinting
  • Advantages: Low cost (CPU-wise), scales fairly well
  • Disadvantages: Private blockchain management centralizes records, requires ‘phoning home’ with device fingerprint
Biometric Authentication
Many modalities available in IoT
• Behavioral, physiological, cognitive; other emerging modalities
• Face, fingerprint, iris, voice
Multiple options of where to perform authentication
• Direct on IoT device
• Chip on card
• Smart phone
Potential to integrate passive, continual authentication
• Probe user during entire device interaction period, not solely during log-in
• Provide added assurance in longer sessions
Biometric Authentication
Advantages
✓ Requires no user memory
✓ More seamless user interactions are possible
✓ Authenticator tied to individual’s body or behavior
✓ Local authentication is fast
✓ Biometric enabled devices (smart phones, wearables) are becoming more ubiquitous
Disadvantages
✓ Biometrics cannot be revoked
✓ Biometrics are not private and can be spoofed
✓ Limits non-enrolled authentication
✓ Biometric matching is probabilistic, accuracy depends on environment and user
✓ Often requires use of an app controlling the end IoT devices
✓ Does not address machine-machine transactions
✓ Does not preclude Man-in-the-Middle or Social Engineering attacks
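Added example, not part of the original slides: a sketch of why biometric matching is probabilistic (the threshold trades false accepts against false rejects) and of the passive, continual authentication described on the previous slide. All scores, the 0.75 threshold, the 3-probe window and the function names are constructed assumptions.

```python
from collections import deque

# Constructed comparison scores in [0, 1]; higher means more similar.
GENUINE = [0.91, 0.88, 0.62, 0.95, 0.79, 0.85, 0.58, 0.93]   # enrolled user
IMPOSTOR = [0.12, 0.35, 0.66, 0.41, 0.22, 0.71, 0.30, 0.18]  # other people


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold counts as a match."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


class SessionMonitor:
    """Continual authentication: trust follows the mean of recent probes."""

    def __init__(self, threshold=0.75, window=3):
        self.threshold = threshold
        self.scores = deque(maxlen=window)

    def probe(self, score):
        """Record one passive probe; return True while the session is trusted."""
        self.scores.append(score)
        return sum(self.scores) / len(self.scores) >= self.threshold


def first_lockout(scores, threshold=0.75, window=3):
    """Index of the first probe that ends the session, or None."""
    monitor = SessionMonitor(threshold, window)
    for i, score in enumerate(scores):
        if not monitor.probe(score):
            return i
    return None


# Constructed session: the enrolled user, one noisy probe (0.70), then
# someone else holding the unlocked device from probe 4 onward.
SESSION = [0.90, 0.88, 0.70, 0.92, 0.40, 0.30, 0.35]

if __name__ == "__main__":
    for t in (0.50, 0.60, 0.75):
        print(t, error_rates(t))
    print("locked at probe", first_lockout(SESSION))
```

Raising the threshold removes false accepts at the cost of rejecting the enrolled user more often, and the windowed mean tolerates one noisy probe while still ending the session once the scores stay low.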
Security Challenges
Verifying the user without verifying the IoT devices in the system
• Device that trusts ‘home’ displays a message asking the user to update firmware by logging into a website
• Device that trusts ‘home’ sends its video feed to a new website address following diagnostic or debugging protocols
Providing authorization schemes in combination with authentication
• Not all users require full access to devices
• Monitoring versus controlling and status versus data
Allowing for varying levels of authorization based on user identity
• Decoupling device status and user privacy
Limited resources, power and memory, on devices limit viable solutions
• Many encryption schemes use too many resources for deployment
• Patching security flaws is hard due to low-bandwidth networks and intermittent connectivity
• New transport protocols require enhanced / new security measures
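Added example, not part of the original slides: one way to combine the first three challenges above, so that an action is allowed only when the device is verified, the user's biometric match passes, and the user's role permits that action. The device check uses an HMAC challenge-response with a shared key as a lightweight stand-in for the PKI-based scheme the slides mention; device IDs, keys, users, roles and the threshold are all hypothetical.

```python
import hashlib
import hmac
import os

# Hypothetical per-device keys provisioned at enrollment (constructed values).
DEVICE_KEYS = {"lock-01": b"constructed-demo-key-lock-01"}

# Hypothetical roles: monitoring versus controlling, status versus data.
ROLE_PERMS = {
    "owner": {"read_status", "read_data", "control"},
    "guest": {"read_status"},
}
USER_ROLES = {"alice": "owner", "bob": "guest"}


def device_response(key, challenge):
    """Device side: prove possession of the key for this fresh challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify_device(device_id, challenge, response):
    """Hub side: constant-time check of the device's answer."""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False
    return hmac.compare_digest(device_response(key, challenge), response)


def authorize(user, match_score, device_id, challenge, response, action,
              threshold=0.75):
    """Allow `action` only if device, user and role checks all pass."""
    if not verify_device(device_id, challenge, response):
        return "deny: device not verified"
    if match_score < threshold:
        return "deny: biometric below threshold"
    role = USER_ROLES.get(user)
    if action not in ROLE_PERMS.get(role, set()):
        return "deny: not authorized for action"
    return "allow"


if __name__ == "__main__":
    challenge = os.urandom(16)  # fresh per request, so old answers fail
    answer = device_response(DEVICE_KEYS["lock-01"], challenge)
    print(authorize("alice", 0.91, "lock-01", challenge, answer, "control"))
    print(authorize("bob", 0.91, "lock-01", challenge, answer, "control"))
```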
Final Thoughts
Biometric Authentication is best suited for IoT applications where:
➢ The system doesn’t require high security
  • Consumer devices rather than critical infrastructure
  • Localized closed loop device sets
➢ The system has secure machine-machine protocols in place
  • PKI based authentication
  • Secured device fingerprinting
  • Encrypted data transfer
➢ Frequent additions to or changes of system users are not expected
➢ Alternate authentication methods can be provided
  • Not all users can use all biometric modalities
Questions during (or after) the presentation?
Andrea Choiniere, Senior Consultant, Identity Intelligence Group
Email [email protected]
Your speaker today: Andrea Choiniere
• 5 years’ experience in biometrics, biometric presentation attacks, online financial identity, fraud monitoring, and cryptocurrencies
• Has led multiple Novetta cryptocurrency and fraud monitoring-related projects for USG clients
• Co-authored 4 whitepapers on biometric presentation attacks and cryptocurrencies
• Recently spoke to the Financial Service Roundtable on: “Modernizing Payments: Blockchain”