Evaluation of privacy and security implications of biometric authentication systems: challenges and solutions.
Lead Research Organisation:
University of Oxford
Department Name: Computer Science
Abstract
This project falls within the EPSRC Pervasive and ubiquitous computing research area.
User authentication commonly relies on password-based mechanisms. With the increase in the number of
accounts owned by users, passwords became an annoying burden, as users are required to memorize dozens of them.
In recent years, user devices (e.g., mobile phones, tablets, smartwatches) are becoming more powerful, affordable, and rich of sensors, which made biometric recognition one viable instrument for authentication.
While a lot of attention has been placed on the performance metrics of the biometric recognition, that is the false accept rate and the
false reject rate, little emphasis has been placed to more powerful threat models. Adversaries with increased capabilities and/or knowledge must be considered in order to achieve a realistic evaluation of the authentication system security and privacy guarantees.
In this project, we will evaluate the impact of novel threat models on biometric authentication systems. One of the main factor that will be analyzed is the collectability of biometric information. With the pervasiveness of sensors that come with user devices biometrics are now widespread. This means that biometrics can be obtained by an adversary through several channels that did not exists in the past. Classic examples are fingerprints, that can be collected from drinking glasses or other surfaces that the victim has touched, or face pictures, that can be easily found and downloaded from social medias. Newer scenarios might involve IoT devices listening to the user's voice, or malware infecting fingerprint-equipped smartphones to steal the user's fingerprints. Furthermore, authentication system designers must consider the irrevocability of biometric information. Contrary from passwords, that can be reset, once a biometric trait has been disclosed, its confidentiality is lost in a permanent way.
This project aims to analyze challenges of biometric systems, regarding the introduction of unexplored threat models, and to investigate possible countermeasures. The evaluation of such aspects will enable a deeper understanding of the implications of deploying biometric-based authentication systems.
This project is comprised in the research area of pervasive and ubiquitous computing, and is well-described in the challenges related to cyber-security in pervasive and ubiquitous systems. We will collaborate with Mastercard as an industrial partner in order to validate our research in real-world use cases (e.g., mobile payments, online identity).
User authentication commonly relies on password-based mechanisms. With the increase in the number of
accounts owned by users, passwords became an annoying burden, as users are required to memorize dozens of them.
In recent years, user devices (e.g., mobile phones, tablets, smartwatches) are becoming more powerful, affordable, and rich of sensors, which made biometric recognition one viable instrument for authentication.
While a lot of attention has been placed on the performance metrics of the biometric recognition, that is the false accept rate and the
false reject rate, little emphasis has been placed to more powerful threat models. Adversaries with increased capabilities and/or knowledge must be considered in order to achieve a realistic evaluation of the authentication system security and privacy guarantees.
In this project, we will evaluate the impact of novel threat models on biometric authentication systems. One of the main factor that will be analyzed is the collectability of biometric information. With the pervasiveness of sensors that come with user devices biometrics are now widespread. This means that biometrics can be obtained by an adversary through several channels that did not exists in the past. Classic examples are fingerprints, that can be collected from drinking glasses or other surfaces that the victim has touched, or face pictures, that can be easily found and downloaded from social medias. Newer scenarios might involve IoT devices listening to the user's voice, or malware infecting fingerprint-equipped smartphones to steal the user's fingerprints. Furthermore, authentication system designers must consider the irrevocability of biometric information. Contrary from passwords, that can be reset, once a biometric trait has been disclosed, its confidentiality is lost in a permanent way.
This project aims to analyze challenges of biometric systems, regarding the introduction of unexplored threat models, and to investigate possible countermeasures. The evaluation of such aspects will enable a deeper understanding of the implications of deploying biometric-based authentication systems.
This project is comprised in the research area of pervasive and ubiquitous computing, and is well-described in the challenges related to cyber-security in pervasive and ubiquitous systems. We will collaborate with Mastercard as an industrial partner in order to validate our research in real-world use cases (e.g., mobile payments, online identity).
Organisations
People |
ORCID iD |
| Ivan Martinovic (Primary Supervisor) | |
| Giulio Lovisotto (Student) |
Studentship Projects
| Project Reference | Relationship | Related To | Start | End | Student Name |
|---|---|---|---|---|---|
| EP/N509711/1 | 01/10/2016 | 30/09/2021 | |||
| 1894505 | Studentship | EP/N509711/1 | 01/10/2017 | 30/09/2020 | Giulio Lovisotto |