Difference between revisions of "Biometric Factor"

Latest revision as of 15:39, 10 April 2024

Full Title or Meme

Biometric Attributes of the biologic phenotype of a User may be used as an authentication factor to Identify that user.

Context

• Biometric Attributes are taken to be exclusively the measure of human characteristics like fingerprint, facial and behavior patterns.
  • Some authentication processes may allow the holder to enter some sort of code if the biometric device (e.g. the camera) is not currently available.
• The human characteristics are another factor that can be a part of Multi-factor Authentication (aka Something you are).
• So the human characteristics can be considered to be a Credential.
• The measurements of the characteristic are compared against a template of the characteristics using some Assurance level to produce a Validated claim.
• There are two major use cases for Biometric Factors during Authentication (including step-up authentication that starts after the session is already in progress):

1. Is the person on the device the one that owns the credentials presented
2. Is the person that started the connection still at the device (aka liveness).

Problems

• Biometric Attributes attached to official documents may inadvertently become Biometric Identifiers which invade the user's privacy. This wiki page Biometric Identifier has user cases where that has damaged a user's life.
• Biometric Factors are just like any other as they are subject to attack, not only by spoofing (which is the most common problem), but also because the security the hardware or software in inadequate. For example Windows Hello was the subject of a security review.^[1] which found many implementations where vulnerable.
• In 2022 Europe Is Building a Huge International Facial Recognition System which sounds like huge over kill, but typical of all European governments.^[2] Lawmakers are advancing proposals to let police forces across the EU link their photo databases—which include millions of pictures of people’s faces. Pictures of people’s faces shouldn’t be combined in one giant central database, the official proposal says, but police forces will be linked together through a “central router.”
• In a case described in the New York Times Magazine^[3] an emigrant from Haiti had her fingerprints taken on several occasion while applying for citizenship. One of those forms was used to apply for citizenship for a differently named person. When that case was abandoned, a judge issues a deportation order. The emigrant was later granted citizenship. Many years later the government digitalized all the fingerprint records, found the fraudulent earlier application and used the fingerprints on the fraudulent form to charge with new citizen with a felony in spite of no evidence that she had filed the fraudulent form.

Categories

• Full face photos and comparable images
• Fingerprints
• Palm prints - Whole Foods scanning palm prints 2022-08-10
• Voice prints
• Retinal images

Solutions

• How TSA’s opt-outs for biometric screenings informed White House AI policy 2024-04-10 The Office of Management and Budget’s recent guidance on the government’s responsible use of AI elevates TSA's practice of allowing travelers to decline biometric scans at airport security to national policy.
• Use of Biometric Identifiers can be crucial in cases where no other identity documents are available, such as refugees or homeless people, but their use without evidence of intent, or contemporaneous binding to a document, is fraught with the potential for severe privacy violations.
• Amazon has announced in July 2023 a new contactless transaction service that allows shoppers to pay with their palms. Users can enable transactions by hovering their palms over an Amazon One device, which can facilitate payment, identification, loyalty program membership, and entry. Amazon said palm payment is impossible to replicate because the system creates unique "palm signatures" for each customer by examining the palm and the underlying vein arrangement. Each palm signature, the company added, corresponds to a numerical vector representation, and is securely warehoused in the Amazon Web Services cloud. The technology is already available at 200 Amazon locations in 20 U.S. states, and the company intends to deploy it at more than 500 Whole Foods and Amazon Fresh outlets by year's end.^[4]
• Biometric Factors can be of great help when used with other factors. As an example Windows Hello and most Smartphones us them to unlock access and provide liveness section.
• See Vittorio's paper^[5] for examples

References

1. ↑ Tom Warren, Microsoft’s Windows Hello fingerprint authentication has been bypassed (2023-11-22) https://www.theverge.com/2023/11/22/23972220/microsoft-windows-hello-fingerprint-authentication-bypass-security-vulnerability
2. ↑ Matt Burgess, Europe Is Building a Huge International Facial Recognition System Wired 2022-04) https://www.wired.com/story/europe-police-facial-recognition-prum/?esrc=AUTO_PRINT&source=EDT_WIR_NEWSLETTER_0_DAILY_ZZ&utm_brand=wired
3. ↑ Seth Freed Wessler, Denaturalized. (2018-12-30) New York Times Magazine p. 36ff
4. ↑ CBS News Amazon Cashless 'Pay by Palm' Technology Requires Only a Hand Wave (2023-07-20) https://www.cbsnews.com/news/amazon-one-palm-signatures-cashless-technology-whole-foods/
5. ↑ Vittorio Bertocci, A Tale of Two Biometrics Styles Auth0 (2023-03-10) https://auth0.com/blog/a-tale-of-two-biometrics-styles/

Other Material

• The origin of the Windows Biometric Framework aka Windows Hello
• Also see wiki page ISO/IEC 27533 for standardization of Biometric Factors.
• See the wiki page Biometric Attribute for a discussion on the use of a Biometric Factor as one element of a user description.