255 research outputs found

    Establishing the digital chain of evidence in biometric systems

    Traditionally, a chain of evidence or chain of custody refers to the chronological documentation, or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. Whether in the criminal justice system, military applications, or natural disasters, ensuring the accuracy and integrity of such chains is of paramount importance. Intentional or unintentional alteration, tampering, or fabrication of digital evidence can lead to undesirable effects. We find despite the consequences at stake, historically, no unique protocol or standardized procedure exists for establishing such chains. Current practices rely on traditional paper trails and handwritten signatures as the foundation of chains of evidence. Copying, fabricating or deleting electronic data is easier than ever and establishing equivalent digital chains of evidence has become both necessary and desirable. We propose to consider a chain of digital evidence as a multi-component validation problem. It ensures the security of access control, confidentiality, integrity, and non-repudiation of origin. Our framework includes techniques from cryptography, keystroke analysis, digital watermarking, and hardware source identification. The work offers contributions to many of the fields used in the formation of the framework. Related to biometric watermarking, we provide a means for watermarking iris images without significantly impacting biometric performance. Specific to hardware fingerprinting, we establish the ability to verify the source of an image captured by biometric sensing devices such as fingerprint sensors and iris cameras. Related to keystroke dynamics, we establish that user stimulus familiarity is a driver of classification performance. Finally, example applications of the framework are demonstrated with data collected in crime scene investigations, people screening activities at port of entries, naval maritime interdiction operations, and mass fatality incident disaster responses.

    Frictionless Authentication Systems: Emerging Trends, Research Challenges and Opportunities

    Authentication and authorization are critical security layers to protect a wide range of online systems, services and content. However, the increased prevalence of wearable and mobile devices, the expectations of a frictionless experience and the diverse user environments will challenge the way users are authenticated. Consumers demand secure and privacy-aware access from any device, whenever and wherever they are, without any obstacles. This paper reviews emerging trends and challenges with frictionless authentication systems and identifies opportunities for further research related to the enrollment of users, the usability of authentication schemes, as well as security and privacy trade-offs of mobile and wearable continuous authentication systems. Comment: published at the 11th International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2017)

    Biometric security systems: finally, a friend?

    Information systems security has broadened its meaning and significance and has started to affect our lives and behaviours. The research literature identifies five related research domains: information systems, security policies, security technologies, security assurance, and security interfaces. This paper discusses some aspects of user acceptance of biometrical measurements for the purposes of authentication and access control and concludes that initial user rejection of the commonly implemented biometrics and fear of privacy abuse have been replaced by a de facto user acceptance. It hypothesizes that there is correlation between users’ awareness of the broader consequences of a particular biometric system and the level of their acceptance of the system.

    Insider Misuse Identification using Transparent Biometrics

    Insider misuse is a key threat to organizations. Recent research has focused upon the information itself – either through its protection or approaches to detect the leakage. This paper seeks a different approach through the application of transparent biometrics to provide a robust approach to the identification of the individuals who are misusing systems and information. Transparent biometrics are a suite of modalities, typically behavioral-based, that can capture biometric signals covertly or non-intrusively – so the user is unaware of their capture. Transparent biometrics are utilized in two phases: a) to imprint digital objects with biometric-signatures of the user who last interacted with the object and b) uniquely applied to network traffic in order to identify users' traffic (independent of the Internet Protocol address) so that users rather than machine (IP) traffic can be more usefully analyzed by analysts. Results from two experimental studies are presented and illustrate how reliably transparent biometrics are in providing this link-ability of information to identity.

    Future Security Approaches and Biometrics

    Threats to information security are proliferating rapidly, placing demanding requirements on protecting tangible and intangible business and individual assets. Biometrics can improve security by replacing or complementing traditional security technologies. This tutorial discusses the strengths and weaknesses of biometrics and traditional security approaches, current and future applications of biometrics, performance evaluation measures of biometric systems, and privacy issues surrounding the new technology.

    BehavePassDB: Public Database for Mobile Behavioral Biometrics and Benchmark Evaluation

    Mobile behavioral biometrics have become a popular topic of research, reaching promising results in terms of authentication, exploiting a multimodal combination of touchscreen and background sensor data. However, there is no way of knowing whether state-of-the-art classifiers in the literature can distinguish between the notion of user and device. In this article, we present a new database, BehavePassDB, structured into separate acquisition sessions and tasks to mimic the most common aspects of mobile Human-Computer Interaction (HCI). BehavePassDB is acquired through a dedicated mobile app installed on the subjects' devices, also including the case of different users on the same device for evaluation. We propose a standard experimental protocol and benchmark for the research community to perform a fair comparison of novel approaches with the state of the art. We propose and evaluate a system based on Long-Short Term Memory (LSTM) architecture with triplet loss and modality fusion at score level. This project has received funding from the European Union's Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement no. 860315, and from Orange Labs. R. Tolosana and R. Vera-Rodriguez are also supported by INTER-ACTION (PID2021-126521OB-I00 MICINN/FEDER)

    Evaluating current authentication methods: Prediction of a more suitable authentication approach for public interaction

    The trend in information technology is towards achieving ubiquitous service rendering where barriers (geographical, time) in getting information related services will be eliminated. A good example of this is the ATM machines used by banks for public banking services, the likes in other sectors are currently on the way. This paper explores the user’s perception on the current identity authentication (Token-based and Knowledge-based) with a view to predict a more secured authentication for authentication in public places. A survey study is conducted so as to justify the claims of the previous authors on the need to migrate from the conventional knowledge-based and token-based authentication methods to a more secured biometric authentication approach which makes impossible user’s impersonation, and thus minimizing fraud, particularly in business transactions. Also, biometrical identification was also reviewed with respect to the all known biometric identifiers where human iris data was revealed to be the best human trait that can be used for identification/authentication purposes in public zone.

    Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild

    Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services, and offers protection against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks. Despite its relevance, the procedures used by RBA-instrumented online services are currently not disclosed. Consequently, there is little scientific research about RBA, slowing down progress and deeper understanding, making it harder for end users to understand the security provided by the services they use and trust, and hindering the widespread adoption of RBA. In this paper, with a series of studies on eight popular online services, we (i) analyze which features and combinations/classifiers are used and are useful in practical instances, (ii) develop a framework and a methodology to measure RBA in the wild, and (iii) survey and discuss the differences in the user interface for RBA. Following this, our work provides a first deeper understanding of practical RBA deployments and helps fostering further research in this direction. Comment: 14 pages, 7 tables