BIOMETRICS ON CAMPUS Todd Brooks Director of Product Management, ColorID © 2016, ColorID, LLC 1 AGENDA • Universities are becoming more interested in biometrics – Biometrics – How it (they?) works – History – Fingerprint – Iris – Emerging technologies • Use cases – Athletic Facilities – Child Care Centers – Rec Centers – Dining Halls – Data Centers – Medical Labs • Wrap-up • Questions BIOMETRICS Measuring different parts • Body part is presented to the sensor • Sensor captures an image • Image is converted to a template – Template is a number • Template is matched BIOMETRIC SYSTEM TERMINOLOGY • 1:1 matching – “One to one” – Template from sensor is compared to one template from database • Requires use of card, PIN, other identifier 1:1 Matching 12345 BIOMETRIC SYSTEM TERMINOLOGY 1:N matching • “One to many” • Template from sensor is compared to all templates in database • Can be used with or without additional identifier 1:Many Matching 12345678901234 92345675812346 82345581234567 82345581234567 72354892531008 © 2016, ColorID, LLC 5 BIOMETRIC MATCHING • Template matching is always based on a probability – Every transaction is a little different • False acceptance – Bad • False rejection – Annoying • Systems must balance false acceptance against false rejection • Quality and type of sensor significantly affects system performance FINGERPRINT FOR ACCESS • Fingerprint is the most familiar – Early fingerprint access systems did not work very well • Bioscrypt – Newer sensors are more effective • Lumidigm, Morpho, Integrated Biometrics – Can be less expensive than other modes – Sensors available for physical and logical access – iPhone 5S and 6 – Authentec sensor OPTICAL FINGERPRINT – Optical • Glass platen or prism with camera • FBI approved for live scan • Single finger – PIV – Mobile – Logical access • 10-print live scan • Very dependent on algorithms for accuracy, security CAPACITANCE FINGERPRINT – Single finger – Good for 1:1 – Logical access – Inexpensive, found on older laptops – iPhone 5S – Silicon may degrade over many uses MULTI-SPECTRAL • Lumidigm – Not approved by FBI – Single finger scanner – Scanning Electron Microscope image of capillary tufts under surface of fingerprint skin: ELECTROLUMINESCENCE • Integrated Biometrics – Film that emits light – Weatherproof – Very high resolution – FBI approval pending FINGER ON THE FLY • No contact • 4 or 5 finger simultaneous capture FINGERPRINT FOR ACCESS • Original access systems did not work very well – Bioscrypt • Newer sensors are more effective – Lumidigm, Morpho, Integrated Biometrics • Can be less expensive than other modalities • Sensors available for physical and logical access • Improve performance with additional factor – PIN or card • Reader outputs – Wiegand – USB HAND GEOMETRY • Developed many years ago – most prevalent biometric system • Requires contact with reader • Small amount of unique data per template - 9 bytes • Best in 1:1 mode • Requires PIN + biometric for larger user groups • Wiegand interface to PACS system • Common applications • University of Georgia dining hall • Time & attendance applications • Physical security DEVELOPING TECHNOLOGIES VEIN PATTERN RECOGNITION – Palm or finger vein – Infrared scanners – blood absorbs light – Not really “no-contact” – Will require 1:1 matching for large user groups (>4,000) • Card or PIN required DEVELOPING TECHNOLOGIES – Speech – your bank probably uses this – 3-D Facial – expensive, not great for 1:N – DNA – good for forensics – Eye vein pattern - promising – Gait – hope for surveillance systems IRIS • The iris is not the retina! – The donut shape of the eye except the black part (pupil) is the iris. – Iris recognition takes a photo of the eye Sclera Iris Choroid Aqueous Humor Retina Optic Cornea Nerve Ciliary Muscle Retina Lens Iris IRIS ACCURACY • Measures more than 240 of the 400 variables in the eye • Uniqueness = Accuracy • The probability of two persons with the same iris pattern is 1 in 1078 • Twins have same DNA but different iris patterns • Right and left eye are totally different Flakes falling on Earth in Estimated probability of two like one year = 10 23 irises = 10 78 IRIS: STABLE AND RELIABLE • Smallest outlier population • Stable for life • One time lasting enrollment • Fastest authentication • Lowest FAR(false accept ratio) and lowest FRR(false reject ratio) Boundary of Upper Eyelid Boundary of Pupil Boundary of Boundary of the sclera Lower Eyelid (limbus) IRIS FOR PHYSICAL ACCESS • Iris concerns – Often confused with retinal scan – Retinal scanners are invasive – no longer used – Expensive compared to cards ?? – Generated templates are proprietary to each system – Images follow ISO standards – Camera requires installation USE CASE: ATHLETIC FACILITIES • Convenient for Athletes (No Card to carry) • Higher Security • Iris – Non-contact (Dirty Hands, Gloves) USE CASE: DINING • Can be very fast • Secure (1,2, or 3 factor) • Fraud Prevention (Unlimited Meal Plans) • Works like any other card reader • Example Schools: – University of Georgia (HandKey) – Boston University (Finger) – Georgia Southern University (Iris) – Virginia Commonwealth University (Iris) – George Mason University (Iris) USE CASE: MEDICAL LABS Irradiator Rooms Cadaver Labs • Government Funding for Iris • Three Factor Authentication Required USE CASE: RECREATION CENTERS • Convenient – Don’t have to carry cards • Non-Contact – Sweat / Germs • Prevents Fraud (Card Sharing) • Interface with Turnstiles USE CASE: CHILD CARE CENTERS • Modalities – Iris – Finger – Vein Pattern • Secure access to child care facility • Easy way to insure safety of children • Winthrop University - Iris BIOMETRIC SPOOFING • Poor templates can be reverse engineered to produce images – Larger templates may be more susceptible • Image acquisition sensors might read high res photo – Liveness tests built into system • Movement – blinking, blood flow, pupil dilation • Fingerprint data below skin • Challenge and response • Fingerprints – Gummi Bears, Latex • Iris – Photo BIOMETRICS AND PRIVACY • Popular concerns – If my biometric is stolen, I can’t replace my body part • Credit card comparison • Identity theft – like a permanent PIN – I don’t want the government to have my biometric • Related to opposition to Real ID, national ID • Desire for anonymity – Cultural differences – Voluntary vs. involuntary • Known to subject – US-VISIT • Unknown to subject – surveillance cameras BIOMETRICS AND PRIVACY • Americans are getting used to less privacy – Smart phone revolution – We give up privacy to get apps • Responses – Store template on card or token only • Less convenient - slower – Don’t store images in database – Encrypt biometric data in transit and at rest • IT security best practices • Images cannot be reverse engineered from good templates – Stolen template has to be injected into system to work – Layered security design • Importance of good algorithms • Responsibility of government and industry to provide secure biometric implementations SECURITY CONUNDRUM • Convenience vs. security – Perennial challenge • If nothing can ever go wrong, everything must be monitored all the time • We must always accept some risk – How and who to determine appropriate risk level? – Airport checkpoint security, for example BIOMETRIC SELECTION • Application – what do you want to accomplish? – Higher security - small number of users – Convenience and throughput – no card or PIN - large number of users – Coolness factor • What existing systems have to interface with the biometric system? – Does the biometric system meet the existing interface specification? • Products – what sensors and systems are available? – The available products determine your choice of technology – “Cool concept” may not be the sole criterion • System cost • For mandates – read the biometric specification carefully – Example, does DoE require 2-factor or 3-factor for this application? QUESTIONS? THANK YOU! Todd Brooks Director of Product Management, ColorID [email protected].