2. BIOMETRIC CONTROLS

2.1 Introduction

2.1.1 The word ‘biometric’ is derived from the Greek words ‘bio’ and ‘metric’ meaning ‘life measurement’. It is defined as the automated identification or verification of an individual based on physiological or behavioural characteristics. The science of biometrics exploits the advantage of uniqueness of an individual’s physiological or behavioural characteristics.

2.1.2 Biometric controls refer to the use of an individual’s physiological or behavioural characteristics to design policies, procedures, practices and organisational structures that provide reasonable assurance that business objectives, with reference to identification and authorisation, are achieved and that undesirable events will be prevented or detected and corrected.

2.1.3 Typically, biometric systems perform the functions listed in figure 1.

Figure 1—Typical Biometric System Functions

Enrollment: The enrollment process requires the intended user to provide the system a biometric sample that will be digitally converted and stored in a repository as a reference template. Many biometric systems use multiple samples, and the average of all the templates is used in the creation of a reference template.

Data storage: Individual reference templates are stored in an accessible repository for verification of the user’s biometrics during real-time access. Storage can be local in the biometric device, remote in a central repository, in portable tokens such as smart cards, or a combination of these methods.

Data acquisition: Data are acquired for identification and authentication of valid users to gain access. Data are acquired every time the user wishes to gain access.

Transmission: A transmission channel is used by the system to transmit the data acquired for the purpose of identification and authentication. This channel may be internal to the biometric system or external, such as a local area network (LAN).

Signal processing: Signal processing or image processing involves the matching and validating of the data acquired against the data stored. The reference template stored in the repository is matched with the data acquired, and the result is based upon the quality of the match.

Decision: This is the function where a ‘match’ or ‘no match’ decision is made for allowing or denying access to the user.

2.2 Identification vs. Authentication

2.2.1 Biometrics is the automated process for identifying or authenticating the identity of a living person based on physiological or behavioural characteristics.

2.2.2 In biometrics, identification involves a one-to-many search of individual characteristics against the repository of data. Authentication in biometrics involves a one-to-one comparison to verify a claim to an identity made by the individual.

2.2.3 Typically, a biometric system uses identification in physical controls and authentication in logical controls.

2.3 Performance Measures

2.3.1 Performance measures are designed to provide a baseline to help in the evaluation of products. IS auditors should consider these measures in evaluating the performance of biometric systems during the course of the audit assignment. The primary measures in biometric systems are as follows and are shown in figure 2.

2.3.2 False rejection rate (FRR) or type I error—The measure of the percentage of times a valid subject has been falsely rejected by the system. FRR (%) = number of false rejections * 100/total number of unique attempts.

2.3.3 False acceptance rate (FAR) or type II error—The measure of the percentage of times an invalid subject has been falsely accepted by the system. FAR (%) = number of false acceptances * 100/total number of unique attempts.

2.3.4 Cross-over error rate (CER)—A measure representing the percentage at which FRR equals FAR. This is the point on the graph where the FAR and FRR curves intersect. The cross-over rate indicates a system with a good balance between sensitivity and performance.

2.3.5 Enrollment time—The time taken to initially enroll a new subject with a system by providing samples for the creation of reference templates.

2.3.6 Failure to enroll rate (FTER)—Used to determine the rate of failed enrollment attempts. FTER = number of unsuccessful enrollments/total number of users attempting to enroll.

2.3.7 Throughput rate—The time taken by the system to validate transaction data against the data in the repository to process the identification or authentication function. This is the rate at which enrolled subjects are processed for acceptance or rejection by the system.

Figure 2—Sample Graph of FAR, FRR and CER (illustrative): FAR and FRR plotted against system sensitivity, intersecting at the CER. FAR decreases as sensitivity increases, and FRR increases with an increase in the sensitivity of the biometric system.
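The following is an added example, not part of the guideline, that ties together the functions of figure 1 (enrollment by averaging several samples into a reference template, matching, decision) and the measures of section 2.3 (FRR, FAR and the cross-over point). The feature vectors, match scores and the `match_score` similarity function are constructed for illustration; the guideline does not prescribe a matcher. One assumption is made about the formulas: the "total number of unique attempts" denominator is read as the genuine attempts for FRR and the impostor attempts for FAR, which is how the two rates are normally tabulated.

```python
"""Added example: toy biometric pipeline plus FRR/FAR/CER evaluation.

Enrollment averages several constructed feature vectors into a reference
template (figure 1), a probe is matched against it, and the decision threshold
is swept to locate the cross-over error rate (section 2.3)."""
from __future__ import annotations

import math
from typing import Sequence, Tuple

Template = Tuple[float, ...]


def enroll(samples: Sequence[Sequence[float]]) -> Template:
    """Figure 1, Enrollment: average several feature vectors into one reference template."""
    if not samples:
        raise ValueError("enrollment needs at least one sample")
    dim = len(samples[0])
    if any(len(s) != dim for s in samples):
        raise ValueError("all samples must have the same dimension")
    return tuple(sum(col) / len(samples) for col in zip(*samples))


def match_score(reference: Template, probe: Sequence[float]) -> float:
    """Figure 1, Signal processing: similarity in (0, 1]; 1.0 means identical vectors.

    Assumed scoring rule for the example: inverse of 1 + Euclidean distance."""
    dist = math.sqrt(sum((a - b) ** 2 for a, b in zip(reference, probe)))
    return 1.0 / (1.0 + dist)


def decide(score: float, threshold: float) -> bool:
    """Figure 1, Decision: 'match' when the score reaches the operating threshold."""
    return score >= threshold


def rates(genuine: Sequence[float], impostor: Sequence[float],
          threshold: float) -> Tuple[float, float]:
    """Return (FRR %, FAR %) at one threshold.

    FRR = false rejections * 100 / genuine attempts (section 2.3.2).
    FAR = false acceptances * 100 / impostor attempts (section 2.3.3)."""
    false_rejections = sum(1 for s in genuine if not decide(s, threshold))
    false_acceptances = sum(1 for s in impostor if decide(s, threshold))
    return (false_rejections * 100.0 / len(genuine),
            false_acceptances * 100.0 / len(impostor))


def crossover(genuine: Sequence[float], impostor: Sequence[float],
              steps: int = 1000) -> Tuple[float, float]:
    """Sweep the threshold over [0, 1] and return (threshold, CER %) where
    FRR and FAR are closest (section 2.3.4). Lower thresholds mean a less
    sensitive system: FAR is high and FRR is low; raising it swaps the two."""
    best_t, best_gap, best_cer = 0.0, float("inf"), 0.0
    for i in range(steps + 1):
        t = i / steps
        frr, far = rates(genuine, impostor, t)
        gap = abs(frr - far)
        if gap < best_gap:
            best_t, best_gap, best_cer = t, gap, (frr + far) / 2.0
    return best_t, best_cer


# Constructed match scores for illustration: genuine users mostly score high,
# impostors mostly low, with one overlap on each side so the curves cross.
GENUINE_SCORES = [0.95, 0.90, 0.85, 0.80, 0.60]
IMPOSTOR_SCORES = [0.10, 0.30, 0.50, 0.70, 0.20]


def demo() -> None:
    # Enroll a constructed user from three samples, then probe with a fresh one.
    reference = enroll([(1.0, 2.0, 3.0), (1.2, 1.8, 3.1), (0.8, 2.2, 2.9)])
    probe = (1.1, 2.0, 3.0)
    score = match_score(reference, probe)
    threshold, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"reference template: {tuple(round(v, 3) for v in reference)}")
    print(f"probe score {score:.3f} -> {'match' if decide(score, threshold) else 'no match'}")
    print(f"FRR/FAR at threshold 0.75: {rates(GENUINE_SCORES, IMPOSTOR_SCORES, 0.75)}")
    print(f"cross-over threshold {threshold:.3f}, CER {cer:.1f}%")


if __name__ == "__main__":
    demo()
```

An auditor reviewing a deployment would ask for the genuine and impostor score distributions behind the vendor's quoted FAR/FRR and recompute the operating point this way, since the two rates move in opposite directions and a single quoted figure says nothing without its threshold.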

2.4 Types of Biometric Systems

2.4.1 Biometric systems are broadly classified under two categories: one based on physiological characteristics, i.e., ‘what we are’, and the other based on behavioural characteristics, i.e., ‘what we do’.

2.4.2 Various biometric systems based on physiological characteristics are listed in figure 3.

Figure 3—Biometric Systems Based on Physiological Characteristics (biometric system: data enrollment/acquisition)

Fingerprint: An image is obtained when the subject firmly presses his/her finger against a glass or polycarbonate plate.

Fingertip: The blood vessel pattern under the skin is captured.

Finger joint: The finger section between the first and second joint is captured.

Hand geometry: Vertical and horizontal images are simultaneously captured by cameras to obtain a three-dimensional record of the length, width and height of the hand and fingers.

Retina scan: An image of the blood vessel pattern of the retina on the inside rear portion of the eyeball is captured by a camera.

Iris recognition: An image of the iris (the coloured portion of the eye surrounding the pupil) is captured by a camera.

Wrist veins: The vein pattern on the wrist is captured.

Knuckle creases: Knuckle crease patterns are captured while grasping a bar.

Face recognition: Facial images are captured by high-quality cameras.

Facial thermograph: Heat patterns of the facial tissue are captured using thermal devices.

2.4.3 Various biometric systems based on behavioural characteristics are listed in figure 4.

Figure 4—Biometric Systems Based on Behavioural Characteristics (biometric system: data enrollment/acquisition)

Voice recognition: The voice is digitally converted into a voiceprint and stored as binary numbers.

Keystroke dynamics: The subject’s dwell time (length of time the key is held down) and flight time (time taken to move between keys) are measured.

Signature dynamics: The subject’s signature is compared, and speed, pressure and timing during the signature are monitored.

2.5 Data Storage

2.5.1 Reference templates should be stored in an accessible repository for easy retrieval and comparison.

2.5.2 Local storage within the biometric reader device enables quick availability of reference templates and faster matching and allows flexibility in deployment. However, the system will require re-enrollment upon system crash if not adequately supported by the backup and restore process.

2.5.3 Large organisations store reference templates in a central repository that allows users to enroll at central locations and be recognised by networked biometric devices. A central repository allows backup, restore and auditable features. Retrieval will be relatively slower, especially where the data size/volume is large.

2.5.4 Reference templates should be stored on smart cards where the user carries the biometric reference samples and the user is responsible for the privacy, confidentiality, availability and integrity of the reference template. Smart cards may also have additional security features, such as encryption and digital signatures to further secure the device.

2.5.5 Confidentiality and integrity of data should be managed so that personal information is protected from unauthorised access.

2.6 Risks and Controls in Biometric System

2.6.1 The IS auditor should be aware of the risks and control measures typical of biometric systems. The most common risks and countermeasures are listed in figure 5.

Figure 5—Common Biometric System Risks and Countermeasures (risk, example, possible countermeasures)

Risk: Spoofing and mimicry attacks
Example: Artificial finger used on a fingerprint biometric device
Countermeasures: Multimodal biometrics, vitality detection, interactive authentication

Risk: Fake template risk
Example: Fake template stored in the server
Countermeasures: Encryption, intrusion detection system (IDS), smart cards

Risk: Transmission risk
Example: Data intercepted during transmission during enrollment or data acquisition
Countermeasures: Interactive authentication, rejection of identical signals, system integration

Risk: Cross-system risk
Example: The same template used in different applications with different security levels
Countermeasures: Hash functions, encoding algorithms

Risk: Component alteration risk
Example: Malicious code, Trojan, etc.
Countermeasures: System integration, well-implemented security policy

Risk: Enrollment, administration and system use risk
Example: Data altered during enrollment, administration or system use
Countermeasures: Well-implemented security policy

Risk: Noise and power loss risk
Example: Flashing light at an optical sensor, changing temperature or humidity of the fingerprint
Countermeasures: Well-implemented security policy

Risk: Power and timing analysis risk
Example: Power analysis and differential power analysis garner data on the biometric template.
Countermeasures: Noise generators, low power consumption chips in biometric devices

Risk: Similar template/similar characteristics risk
Example: An illegitimate user has a template similar to a legitimate user’s.
Countermeasures: Technology assessment, multimodal access, calibration review

Risk: Brute-force attack risk
Example: An intruder uses brute force to deceive the system.
Countermeasures: Account lock after a number of unsuccessful attempts

Risk: Injection risk
Example: Captured digital signal injected into the authentication system
Countermeasures: Secure transmission; heat sensor activated scanner (warm body present); date/time stamps in the digital representation of images

Risk: Users’ rejection
Example: The invasive nature of biometric techniques could cause users to reject using the system.
Countermeasures: Training and awareness of users and the selection of the least intrusive technique possible

Risk: Changes in physical characteristics
Example: Some techniques depend on face or hand characteristics, but these human aspects change with the years.
Countermeasures: Monitoring of CER

Risk: Cost of integration with other legacy systems
Example: Coherence with other techniques used for legacy systems that have to be integrated
Countermeasures: Cost-benefit analysis

Risk: Risk of loss of data
Example: Hard disk/hardware failure
Countermeasures: Data backup and restoration
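Three of the countermeasures in figure 5 can be exercised together on the data-acquisition path: rejection of identical signals (transmission risk), date/time stamps on the captured signal (injection risk) and account lock after a number of unsuccessful attempts (brute-force risk). The gate below is an added example written for this page, not code from the guideline or from any product. The window, skew, lockout and threshold constants, the `AuthGate` class and the sample bytes and timestamps are all constructed assumptions; the matcher that produces the similarity score is left out, so the score is passed in.

```python
"""Added example: acquisition-side gate for three figure 5 countermeasures.

- Transmission risk: a bit-identical signal seen before is rejected (a live
  presentation never reproduces the same raw capture twice).
- Injection risk: the capture's date/time stamp must fall inside a freshness window.
- Brute-force risk: the account locks after MAX_FAILURES non-accepted attempts.
All parameters and sample data are constructed for illustration."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set

# Operating parameters (assumed values, not taken from the guideline).
FRESHNESS_WINDOW_S = 30.0   # captures older than this are treated as injected/stale
CLOCK_SKEW_S = 2.0          # tolerance for a sensor clock running slightly ahead
MAX_FAILURES = 5            # lock the account at this many consecutive failures
MATCH_THRESHOLD = 0.80      # operating threshold on the matcher's similarity score


@dataclass
class AuthGate:
    seen_signals: Set[str] = field(default_factory=set)   # digests of accepted captures
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def check(self, user_id: str, signal: bytes, captured_at: float,
              score: float, now: float) -> str:
        """Return 'locked', 'stale', 'replay', 'reject' or 'accept'.

        `signal` is the raw captured sample, `captured_at` the timestamp
        embedded with it, `score` the matcher's similarity against the
        user's reference template, `now` the server clock."""
        if user_id in self.locked:
            return "locked"
        # Injection risk: refuse captures whose timestamp lies outside the window.
        if captured_at < now - FRESHNESS_WINDOW_S or captured_at > now + CLOCK_SKEW_S:
            return self._fail(user_id, "stale")
        # Transmission risk: a digest of the raw signal identifies an exact repeat.
        digest = hashlib.sha256(signal).hexdigest()
        if digest in self.seen_signals:
            return self._fail(user_id, "replay")
        self.seen_signals.add(digest)
        if score >= MATCH_THRESHOLD:
            self.failures[user_id] = 0      # a genuine match resets the counter
            return "accept"
        return self._fail(user_id, "reject")

    def _fail(self, user_id: str, outcome: str) -> str:
        # Brute-force risk: every non-accepted outcome counts toward the lockout,
        # so stale and replayed captures cannot be used to probe the matcher.
        count = self.failures.get(user_id, 0) + 1
        self.failures[user_id] = count
        if count >= MAX_FAILURES:
            self.locked.add(user_id)
            return "locked"
        return outcome


def demo() -> None:
    gate = AuthGate()
    now = 1_700_000_000.0                      # constructed server time
    capture = b"constructed-capture-001"       # constructed raw sample bytes
    print(gate.check("alice", capture, now - 1.0, 0.93, now))     # accept
    print(gate.check("alice", capture, now - 1.0, 0.93, now))     # replay
    print(gate.check("alice", b"capture-002", now - 600.0, 0.93, now))  # stale
    for i in range(MAX_FAILURES):
        print(gate.check("bob", f"bad-{i}".encode(), now, 0.20, now))  # reject x4, then locked


if __name__ == "__main__":
    demo()
```

In a deployment the `seen_signals` set would be bounded to the freshness window (a digest older than the window can no longer pass the timestamp check anyway), and each non-accept outcome would be logged with the user, outcome and digest so that a run of replays or stale captures against one account shows up in monitoring rather than only in the lockout counter.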
