81 research outputs found

    Usability in biometric recognition systems

    International Mention in the doctoral degree. Biometric recognition, which is already a mature technology, is growing nowadays in several contexts, including forensics, access controls, home automation systems, the internet, etc. Now that technology is moving to mobile scenarios, biometric recognition is also being integrated in smartphones, tablets and other mobile devices as a convenient solution for guaranteeing security, complementing other methods such as PINs or passwords. Nevertheless, the use of biometric recognition is not as widespread as desired and it is still unknown to a wide percentage of the population. It has been demonstrated [1] that some of the possible reasons for the slow penetration of biometrics could be related to usability concerns. This could lead to various drawbacks, such as worse error rates due to system misuse, and it could end with users rejecting the technology and preferring other approaches. This Thesis is intended to cover this topic, including a study of the current state of the art, several experiments analysing the most relevant usability factors and modifications to a usability evaluation methodology. The chosen methodology is the H-B interaction, carried out by Fernandez-Saavedra [2], based on the ISO/IEC 19795 [3], the HBSI [4], the ISO 9241-210 [5] and on Common Criteria [6]. Furthermore, this work is focused on dealing with accessibility concerns in biometric recognition systems. This topic, usually included in the usability field, has been addressed here separately, though the study of accessibility has followed the same steps as the usability study: reviewing the state of the art, identifying and analysing the main influential factors and making improvements to the state of the art. The recently published standard EN 301 549 – “Accessibility requirements suitable for public procurement of ICT products and services in Europe” [7] has also been analysed.
These two topics have been addressed through the well-known user-centric-design approach. In this way, first the influential factors have been detected. Then, they have been isolated (when possible) and measured. The results obtained have then been interpreted to suggest new updates to the H-B interaction. This 3-step approach has been applied cyclically and the factors and methodology updated after each iteration. Due to technology and usability trends, during this work, all the systems/applications developed in the experiments have been designed to be mobile, directly or indirectly. The biometric modalities used during the experiments performed in this Thesis are those identified as suitable for biometric recognition in mobile devices: handwritten signature, face and fingerprint recognition. Also, the scenarios and the applications used are in line with the main uses of biometrics in mobile environments, such as signing documents, locking/unlocking devices, or making payments. The outcomes of this Thesis are intended to guide future developers in designing and testing properly usable and accessible biometrics. Finally, the results of this Thesis are being suggested as a new International Standard within ISO/IEC/JTC1/SC37 – Biometric Recognition, as standardization is the proper way of guaranteeing usability and accessibility in future biometric systems. The contributions of this Thesis include: • Improvements to the H-B interaction methodology, including several usability evaluations. • Improvements to the accessibility of ICT (Information and Communications Technology) products by means of the integration of biometric recognition systems. • Adaptation and application of the EN 301 549 to biometric recognition systems.
Biometric recognition, which is already a mature technology, is growing today in several contexts, including forensic medicine, access controls, home automation systems, the internet, etc. Now that technology is moving to mobile scenarios, biometric recognition is also being integrated into smartphones, tablets and other mobile devices as a convenient solution for guaranteeing security, as a complement to other security methods such as PINs or passwords. However, the use of biometric recognition is still unknown to a large percentage of the population. It has been demonstrated [1] that some of the possible reasons for the slow penetration of biometrics could be related to usability problems. This could give rise to various drawbacks, offering lower than expected performance due to misuse of the systems, and could end with users rejecting the technology and preferring other approaches. This doctoral thesis addresses this topic, including a study of the current state of the art, several experiments analysing the most relevant usability factors, and modifications to a usability evaluation methodology, the "H-B interaction" [2], based on ISO/IEC 19795 [3], the HBSI [4], ISO 9241 [5] and Common Criteria [6]. In addition, this work also focuses on the accessibility problems of biometric recognition systems. This topic, which is usually included in the field of usability, has been treated separately here, although the accessibility study has followed the same steps as the usability study: review of the state of the art, analysis of the main influential factors, and proposal of changes to the H-B interaction methodology. The accessibility requirements for Information and Communication Technologies (ICT) in Europe, under the standard EN 301 549 [7], have also been analysed. These two topics have been studied through a user-centred approach (User Centric Design - UCD). In this way, the influential factors have been detected.
Next, these factors have been isolated (when possible) and measured. The results obtained have been interpreted to suggest new changes to the H-B interaction methodology. This 3-step approach has been applied cyclically to the factors and to the methodology after each iteration. Due to technology and usability trends, during this work all the systems/applications developed in the experiments have been designed to be mobile, directly or indirectly. The modalities used during the experiments carried out in this doctoral thesis are those identified as suitable for biometric recognition on mobile devices: handwritten signature, face, and fingerprint recognition. In addition, the scenarios and applications used are in line with the main uses of biometrics in mobile environments, such as signing documents, locking/unlocking devices, or making payments. The results of this thesis aim to guide future developers in the design and evaluation of usability and accessibility in biometric recognition systems. Finally, the results of this doctoral thesis will be suggested as a new standard of ISO/IEC/JTC1/SC37 - Biometric Recognition, since standardization is the appropriate way of guaranteeing usability and accessibility in future biometric systems. The contributions of this thesis include: • Improvement of the H-B interaction evaluation methodology, including several usability evaluations. • Improvement of the accessibility of information/electronic systems through the integration of biometric systems and several evaluations.
• Adaptation and application of the accessibility standard EN 301 549 to the field of biometric systems.
Official Doctoral Programme in Electrical, Electronic and Automation Engineering. Chair: Patrizio Campisi. Secretary: Enrique Cabellos Pardo. Member: Marcos Faundez Zanu

    Analyzing & designing the security of shared resources on smartphone operating systems

    Smartphone penetration surpassed 80% in the US and nears 70% in Western Europe. In fact, smartphones became the de facto devices users leverage to manage personal information and access external data and other connected devices on a daily basis. To support such multi-faceted functionality, smartphones are designed with a multi-process architecture, which enables third-party developers to build smartphone applications which can utilize smartphone internal and external resources to offer creative utility to users. Unfortunately, such third-party programs can exploit security inefficiencies in smartphone operating systems to gain unauthorized access to available resources, compromising the confidentiality of rich, highly sensitive user data. The smartphone ecosystem is designed such that users can readily install and replace applications on their smartphones. This facilitates users’ efforts in customizing the capabilities of their smartphones tailored to their needs. Statistics report an increasing number of available smartphone applications—in 2017 there were approximately 3.5 million third-party apps on the official application store of the most popular smartphone platform. In addition, we expect users to have approximately 95 such applications installed on their smartphones at any given point. However, mobile apps are developed by untrusted sources. On Android—which enjoys 80% of the smartphone OS market share—application developers are identified based on self-signed certificates. Thus there is no good way of holding a developer accountable for malicious behavior. This creates an issue of multi-tenancy on smartphones where principals from diverse untrusted sources share internal and external smartphone resources. Smartphone OSs rely on traditional operating system process isolation strategies to confine untrusted third-party applications.
However, this approach is insufficient because incidental, seemingly harmless resources can be utilized by untrusted tenants as side-channels to bypass the process boundaries. Smartphones also introduced a permission model to allow their users to govern third-party application access to system resources (such as camera, microphone and location functionality). However, this permission model is both coarse-grained and does not distinguish whether a permission has been declared by a trusted or an untrusted principal. This allows malicious applications to perform privilege escalation attacks on the mobile platform. To make things worse, applications might include third-party libraries, for advertising or common recognition tasks. Such libraries share the process address space with their host apps and as such can inherit all the privileges the host app does. Identifying and mitigating these problems on smartphones is not a trivial process. Manual analysis on its own of all mobile apps is cumbersome and impractical, code analysis techniques suffer from scalability and coverage issues, ad-hoc approaches are impractical and susceptible to mistakes, while sometimes vulnerabilities are well hidden at the interplays between smartphone tenants and resources. In this work I follow an analytical approach to discover major security and privacy issues on smartphone platforms. I utilize the Android OS as a use case, because of its open-source nature but also its popularity. In particular I focus on the multi-tenancy characteristic of smartphones and identify the resources each tenant within a process, across processes and across devices can access. I design analytical tools to automate the discovery process, attacks to better understand the adversary models, and introduce design changes to the participating systems to enable robust fine-grained access control of resources.
My approach revealed a new understanding of the threats introduced from third-party libraries within an application process; it revealed new capabilities of the mobile application adversary exploiting shared filesystem and permission resources; and shows how a mobile app adversary can exploit shared communication mediums to compromise the confidentiality of the data collected by external devices (e.g. fitness and medical accessories, NFC tags etc.). Moreover, I show how we can eradicate these problems following an architectural design approach to introduce backward-compatible, effective and efficient modifications in operating systems to achieve fine-grained application access to shared resources. My work has led to security changes in the official release of Android by Google.

    Handbook of Vascular Biometrics

    This open access handbook provides the first comprehensive overview of biometrics exploiting the shape of human blood vessels for biometric recognition, i.e. vascular biometrics, including finger vein recognition, hand/palm vein recognition, retina recognition, and sclera recognition. After an introductory chapter summarizing the state of the art in and availability of commercial systems and open datasets/open source software, individual chapters focus on specific aspects of one of the biometric modalities, including questions of usability, security, and privacy. The book features contributions from both academia and major industrial manufacturers

    Secure Neighbor Discovery and Ranging in Wireless Networks

    This thesis addresses the security of two fundamental elements of wireless networking: neighbor discovery and ranging. Neighbor discovery consists in discovering devices available for direct communication or in physical proximity. Ranging, or distance bounding, consists in measuring the distance between devices, or providing an upper bound on this distance. Both elements serve as building blocks for a variety of services and applications, notably routing, physical access control, tracking and localization. However, the open nature of wireless networks makes it easy to abuse neighbor discovery and ranging, and thereby compromise overlying services and applications. To prevent this, numerous works proposed protocols that secure these building blocks. But two aspects crucial for the security of such protocols have received relatively little attention: formal verification and attacks on the physical-communication-layer. They are precisely the focus of this thesis. In the first part of the thesis, we contribute a formal analysis of secure communication neighbor discovery protocols. We build a formal model that captures salient characteristics of wireless systems such as node location, message propagation time and link variability, and we provide a specification of secure communication neighbor discovery. Then, we derive an impossibility result for a general class of protocols we term "time-based protocols", stating that no such protocol can provide secure communication neighbor discovery. We also identify the conditions under which the impossibility result is lifted. We then prove that specific protocols in the time-based class (under additional conditions) and specific protocols in a class we term "time- and location-based protocols," satisfy the neighbor discovery specification. We reinforce these results by mechanizing the model and the proofs in the theorem prover Isabelle. 
In the second part of the thesis, we explore physical-communication-layer attacks that can seemingly decrease the message arrival time without modifying its content. Thus, they can circumvent time-based neighbor discovery protocols and distance bounding protocols. (Indeed, they violate the assumptions necessary to prove protocol correctness in the first part of the thesis.) We focus on Impulse Radio Ultra-Wideband, a physical layer technology particularly well suited for implementing distance bounding, thanks to its ability to perform accurate indoor ranging. First, we adapt physical layer attacks reported in prior work to IEEE 802.15.4a, the de facto standard for Impulse Radio, and evaluate their performance. We show that an adversary can achieve a distance-decrease of up to hundreds of meters with an arbitrarily high probability of success, with only a minor cost in terms of transmission power (few dB). Next, we demonstrate a new attack vector that disrupts time-of-arrival estimation algorithms, in particular those designed to be precise. The distance-decrease achievable by this attack vector is in the order of the channel spread (order of 10 meters in indoor environments). This attack vector can be used in previously reported physical layer attacks, but it also creates a new type of external attack based on malicious interference. We demonstrate that variants of the malicious interference attack are much easier to mount than the previously reported external attack. We also provide design guidelines for modulation schemes and devise receiver algorithms that mitigate physical layer attacks. These countermeasures allow the system designer to trade off security, ranging precision and cost in terms of transmission power and packet length

    User-controlled Identity Management Systems using mobile devices

    Thousands of websites providing an array of diversified online services have been the crucial factor for popularising the Internet around the world during the last 15 years. The current model of accessing the majority of those services requires users to register with a Service Provider - an administrative body that offers and provides online services. The registration procedure involves users providing a number of pieces of data about themselves which are then stored at the provider. This data provides a digital image of the user and is commonly known as the Identity of the user in that provider. To access different online services, users register at different providers and ultimately end up with a number of scattered identities which become increasingly difficult to manage. It is one of the major problems of the current setting of online services. What is even worse is that users have less control over the data stored in these providers and have no knowledge of how their data is treated by providers. The concept of Identity Management has been introduced to help users facilitate the management of their identities in a user-friendly, secure and privacy-friendly way and thus, to tackle the stated problems. There exist a number of Identity Management models and systems; unfortunately, none of them has played a pivotal role in tackling the problems effectively and comprehensively. Simultaneously, we have experienced another trend expanding at a remarkable rate: the consumption and the usage of smart mobile devices. These mobile devices are not only growing in numbers but also in capability and capacity in terms of processing power and memory. Most are equipped with powerful hardware and highly-dynamic mobile operating systems offering touch-sensitive intuitive user-interfaces. In many ways, these mobile devices have become an integrated part of our day-to-day life and accompany us everywhere we go.
The capability, portability and ubiquitous presence of such mobile devices lead to the core objective of this research: the investigation of how such mobile devices can be used to overcome the limitations of the current Identity Management Systems as well as to provide innovative online services. In short, this research investigates the need for a novel Identity Management System and the role the current generation of smart mobile devices can play in realising such a system. In this research it has been found that there exist different inconsistent notions of many central topics in Identity Management which are mostly defined in textual forms. To tackle this problem, a comprehensive mathematical model of Identity and Identity Management has been developed. The model has been used to analyse several phenomena of Identity Management and to characterise different Identity Management models. Next, three popular Identity Management Systems have been compared using a taxonomy of requirements to identify the strengths and weaknesses of each system. One of the major findings is that how different privacy requirements are satisfied in these systems is not standardised and depends on a specific implementation. Many systems do not even satisfy many of those requirements, which can drastically affect the privacy of a user. To tackle the identified problems, the concept of a novel Identity Management System, called User-controlled Identity Management System, has been proposed. This system offers better privacy and allows users to exert more control over their data from a central location using a novel type of provider, called Portable Personal Identity Provider, hosted inside a smart mobile device of the user. It has been analysed how the proposed system can tackle the stated problems effectively and how it opens up new doors of opportunities for online services.
In addition, it has been investigated how contextual information such as a location can be utilised to provide online services using the proposed provider. One problem in the existing Identity Management Systems is that providers cannot provide any contextual information such as the location of a user. Hosting a provider in a mobile device allows it to access different sensors of the device, retrieve contextual information from them and then to provide such information. A framework has been proposed to harness this capability in order to offer innovative services. Another major issue of the current Identity Management Systems is the lack of an effective mechanism to combine attributes from multiple providers. To overcome this problem, an architecture has been proposed and it has been discussed how this architecture can be utilised to offer innovative services. Furthermore, it has been analysed how the privacy of a user can be improved using the proposed provider while accessing such services. Realising these proposals requires that several technical barriers are overcome. For each proposal, these barriers have been identified and addressed appropriately along with the respective proof of concept prototype implementation. These prototypes have been utilised to illustrate the applicability of the proposals using different use-cases. Furthermore, different functional, security and privacy requirements suitable for each proposal have been formulated and it has been analysed how the design choices and implementations have satisfied these requirements. Also, no discussion in Identity Management can be complete without analysing the underlying trust assumptions. Therefore, different trust issues have been explored in greater detail throughout the thesis.

    Personality Identification from Social Media Using Deep Learning: A Review

    Social media helps in sharing ideas and information among people scattered around the world and thus helps in creating communities, groups, and virtual networks. Identification of personality is significant in many types of applications, such as detecting the mental state or character of a person, predicting job satisfaction and professional and personal relationship success, and in recommendation systems. Personality is also an important factor in determining individual variation in thoughts, feelings, and conduct systems. According to the survey of Global social media research in 2018, there are approximately 3.196 billion social media users worldwide. The numbers are estimated to grow rapidly further with the use of mobile smart devices and advancement in technology. Support vector machine (SVM), Naive Bayes (NB), Multilayer perceptron neural network, and convolutional neural network (CNN) are some of the machine learning techniques used for personality identification in the literature review. This paper presents various studies conducted in identifying the personality of social media users with the help of machine learning approaches, and reviews the recent studies that aimed to predict the personality of online social media (OSM) users.

    Novel Analytical Methods in Food Analysis

    This reprint provides information on the novel analytical methods used to address challenges occurring at academic, regulatory, and commercial level. All topics covered include information on the basic principles, procedures, advantages, limitations, and applications. Integration of biological reagents, (nano)materials, technologies, and physical principles (spectroscopy and spectrometry) are discussed. This reprint is ideal for professionals of the food industry, regulatory bodies, as well as researchers

    E-Governance: Strategy for Mitigating Non-Inclusion of Citizens in Policy Making in Nigeria

    The Nigerian federation, which currently has a 36-state structure, previously adopted the Weberian Public Administrative system as an ideal way of running government, which was characterized by the traditional way of doing things without recourse to the deployment of Information Communication Technology (ICT). Today e-governance is seen as a paradigm shift from the previous way of governance. Research has shown that the adoption and implementation of e-governance is more likely to bring about effective service delivery, mitigate corruption and ultimately enhance citizens’ participation in governmental affairs. However, it has been argued that infrastructure such as regular electricity power and access to the Internet, in addition to a society with a high literacy level, are required to effectively implement and realize the potentials of e-governance for improved delivery of services. Due to the difficulties currently experienced, developing nations need to adequately prepare for the implementation of e-governance on the platform of Information Communication Technology (ICT). Hence, this study seeks to examine whether the adoption and implementation of e-governance in the context of Nigeria would mitigate the hitherto non-inclusion of citizens in the formulation and implementation of government policies aimed at enhanced development. To achieve the objective of the study, data were sourced and analyzed majorly by examining government websites of 20 states in the Nigerian federation to ascertain if there are venues for citizens to interact with government in the area of policy making and feedback on government actions, as a way of promoting participatory governance. The study revealed that the adoption and implementation of e-governance in the country is yet to fully take place. This is due to lack of infrastructure, low literacy rate and government inability to provide the necessary infrastructure for e-governance to materialize.
The paper therefore recommends, among others, the need for the Federal Government to involve a sound and clear policy on how to go about the adoption and implementation of e-governance through deliberate effort at increasing budgetary allocation towards infrastructural development and mass education of citizens.

    The Impact of e-Democracy in Political Stability of Nigeria

    The history of the Nigerian electoral process has been hitherto characterized by violence stemming from disputes in election outcomes. For instance, violence erupted across some states in Northern Nigeria when results indicated that a candidate who was popular in that part of the country was losing the election, leading to avoidable loss of lives. Besides, this dispute in election outcome lingers for a long time in litigation at the electoral tribunals, which distracts from effective governance. However, the increasingly pervasive use of ICTs in Nigeria is evident in the electoral processes with a consequent shift in the behavior of actors in the democratic processes, thus changing the ways Nigerians react to election outcomes. This paper examines the trend in the use of ICT in the Nigerian political system and its impact on the stability of the polity. It assesses the role of ICT in recent electoral processes and compares its impact on the outcome of the process in lieu of previous experiences in Nigeria. Furthermore, the paper also examines the challenges and risks of implementing e-Democracy in Nigeria and its relationship to the economy in the light of the socio-economic situation of the country. The paper adopted a qualitative approach in data gathering and analysis. From the findings, the paper observed that e-democracy is largely dependent on the level of ICT adoption, which is still at its lowest ebb in the country. It recognizes the challenges in the provision of ICT infrastructure and argues that appropriate low-cost infrastructure applicable to the Nigerian condition can be made available to implement e-democracy and thus arouse the interest of the populace in governance, increase the number of voters, and enhance transparency, probity and accountability, and participation in governance as well as help stabilize the nascent democrac