Biometric Attribute

From MgmtWiki

Full Title or Meme

Biometrics are literally the measures of the biologic phenotype of a User.

Context

  • Biometric Attributes are taken to be exclusively the measure of human characteristics like fingerprint, facial and behavior patterns.
  • The human characteristics are another factor that can be a part of Multi-factor Authentication.
  • So the human characteristics can be considered to be a Credential.
  • The measurements of the characteristic are compared against a template of the characteristics using some Assurance level to produce a Validated claim.

Problems

  • False positives typically come from either relaxed testing, environmental noise or obsolete technology.
  • False negatives infuriate Users, which is why false positives are tolerated.
  • Attacks against the sensor capabilities. Various movie and television plots have shown attacks like taking someone's eyeball, or using a thin-film replica of a fingerprint, to complete an Authentication that Authorizes access.
  • Attacks against the sensor processor. The device that does the validation of the biometric using the human evidence must be trusted to both securely store the biometric template and accurately compare that to the live human evidence, which is usually an image of some sort.
  • Attacks against the template store. Access to the Authentication data store can often be the simplest attack as it is based on known techniques.
  • Biometric Attributes attached to official documents may inadvertently become Biometric Identifiers which invade the user's privacy. See the wiki page Biometric Identifier for user cases where that has damaged a user's life.
  • Liveness proofs require some indicator that the image presented is that of a live human who is present at the sensor. The continued presence of the human may also be required in some long-lived interactions.
  • Downgrade attacks against phishing-resistant methods. Yehuda Smirnov, Hook, Line and Sinker: Phishing Windows Hello for Business (2024-03-19): "Long story short — it is possible to phish the phishing resistant authentication method: Windows Hello for Business by downgrading the authentication, here’s how you can defend from it"
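
The comparison of a measurement against a template at some Assurance level (Context) and the trade-off between false positives and false negatives (Problems) can be seen together in a small sketch. This is an added example, not code from the wiki or from any biometric product; the threshold values, feature vectors and function names are assumptions constructed for illustration.

```python
import math

# Assumed mapping from assurance level to minimum similarity score.
# Illustrative values only, not taken from any standard or product.
THRESHOLDS = {"low": 0.80, "medium": 0.90, "high": 0.97}

def similarity(a, b):
    """Cosine similarity between two feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm

def verify(template, probe, level):
    """Compare a live measurement (probe) with the enrolled template.

    Returns a validated claim when the score meets the threshold for the
    requested assurance level, otherwise None.
    """
    score = similarity(template, probe)
    if score >= THRESHOLDS[level]:
        return {"validated": True, "assurance": level, "score": round(score, 3)}
    return None

def error_rates(template, genuine, impostors, level):
    """Return (false positive rate, false negative rate) at one level."""
    false_neg = sum(verify(template, p, level) is None for p in genuine)
    false_pos = sum(verify(template, p, level) is not None for p in impostors)
    return false_pos / len(impostors), false_neg / len(genuine)

# Constructed sample data: one enrolled template, four noisy captures of the
# same user, and four captures from other people.
TEMPLATE = [1.0, 0.0]
GENUINE = [[10, 1], [10, 2], [10, 3], [10, 6]]
IMPOSTORS = [[10, 4], [10, 7], [10, 10], [0, 10]]

if __name__ == "__main__":
    for level in THRESHOLDS:
        fpr, fnr = error_rates(TEMPLATE, GENUINE, IMPOSTORS, level)
        print(f"{level:6s} false positives {fpr:.2f}  false negatives {fnr:.2f}")
```

Raising the assurance level drives false positives to zero on this data while half of the genuine captures are rejected, which is the pressure toward relaxed testing noted in the Problems list.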

Solutions

References

  1. Planet Biometrics, FaceTec notes achievement in anti-spoofing test. (2018-09-23) http://www.planetbiometrics.com/article-details/i/7463/desc/facetec-notes-achievement-in-anti-spoofing-test/

Other Material