INCITS Study Report on Biometrics in E-Authentication
In December 2003, OMB issued M-04-04, “E-Authentication Guidance for Federal Agencies.” Subsequently, in September 2004, NIST issued SP800-63, “Electronic Authentication Guideline.” This document, which forms the technical basis for the US government’s e-authentication initiative (part of e-Gov), specifies the requirements, technologies, and protocols to be used at each of the four assurance levels defined in the OMB directive. However, it allowed only a very narrow usage of biometric authentication in this context. As a follow-on, NIST held a workshop on Biometrics in E-Authentication, which spawned a study group within INCITS M1 (consisting of representatives from industry, academia, and government) to investigate and make recommendations regarding how biometrics should be applied in a remote e-authentication environment. This report is the product of that group, which met over a period of 1.5 years.
Biometrics-based authentication offers several advantages over other authentication methods, prompting a significant surge in the use of biometrics for user authentication in recent years. It is important that such biometrics-based authentication systems be designed to withstand attacks when used in a remote e-authentication environment. This document outlines inherent strengths of biometrics-based authentication, identifies challenges and potential vulnerabilities in systems employing biometrics-based authentication, and presents solutions for eliminating these weak links. A threat model is presented and overlaid on several possible biometric authentication architectures which vary depending on the location where the biometric reference is stored and where the matching operation is performed.
An open discussion of some of the challenges (or critiques) of biometric authentication addresses topics such as integrity versus secrecy, compromise and revocation, sensor spoofing, entropy and strength of function, peer review, and privacy. Differences between biometric authentication and traditional authentication methods (such as passwords or cryptographic protocols) are also examined.
The major findings of this report are:
1. There is a role for biometric authentication at each of the four assurance levels defined in OMB M-04-04.
2. Some additional challenges and threats accompany the use of biometric authentication, but countermeasures exist to address them.
3. Biometric authentication can provide significant benefits in certain situations, not least of which is the tight binding of the authentication event to the physical presence of a human claimant.
4. Biometrics present a different paradigm from traditional authentication methods, in which the authentication data is always secret.
5. In general, integrity and authenticity are more critical than secrecy in a biometric authentication protocol/implementation, although many mechanisms exist to provide for the privacy of the biometric data.
6. In addition, some biometrics may be used to convey ancillary information, such as a secret (e.g., a password or PIN) or shared knowledge, by leveraging the ability of the user to control the manner in which the biometric is presented to the system.
7. Recommended edits to SP800-63 are provided in Annex A of this report.
The following companies and organizations provided written technical contributions towards this report:
Alphabetical by company name (organization: contributor(s)):
Authentify: Andy Rolfe
Biometric Associates: John Hochstein
Bio Password: Dave Friant
Bioscrypt: Colin Soutar, Rene McIver
BioVision: Philip Statham, Tony Mansfield
CrossMatch: Greg Cannon
Daon: Cathy Tilton
DoD BTF: Dale Hapeman
DHS: John Mayer-Splain
DynaSig Corp.: Richard Kim
IBG: Victor Lee
Innove: Jeff Stapleton
Iridian Technologies: Jim Cambier
OSS Nokalva: Alessandro Triglia
NIST: Fernando Podio
Purdue University: Matthew Young, Shimon Modi
SAFLINK: Dustin Best
TBF: Fred Herr
Transaction Security Inc.: Rod Beatson
UPEK: Michael Chaudoin
Viisage: Jim Kottas
VoiceXML Forum: Judith Markowitz
The InterNational Committee for Information Technology Standards (INCITS) is the forum of choice for information technology developers, producers and users for the creation and maintenance of formal de jure IT standards. INCITS is accredited by, and operates under rules approved by, the American National Standards Institute (ANSI). These rules are designed to ensure that voluntary standards are developed by the consensus of directly and materially affected interests.
http://www.incits.org/
April 09, 2007