Privacy-preserving biometric authentication techniques

Contents

Project Topic: Privacy-preserving biometric authentication techniques

Motivation:

Introduction:

Importance of Privacy-Preserving Biometric Authentication Techniques:

Impact of Privacy-Preserving Biometric Authentication Techniques:

The Basics of Biometric Authentication Systems

Possible attacks on Biometric Authentication Systems

Spoofing attacks:

Replay attacks:

Denial of Service attacks:

Biometric data breaches:

Privacy attacks:

Machine learning attacks:

Brute-force attacks:

Injection attacks:

Remote work creating a big security challenge

Multi-Factor Authentication

Conceptual model to deal with advanced attacks

How to Keep Biometric Information Secure

Current Advances and Technologies Used:

Recommendations for Implementing Privacy-Preserving Biometric Authentication

Lessons Learned:

Bibliography

Motivation:

In recent years, the use of biometric authentication techniques has become increasingly popular in various sectors such as healthcare, banking, government, and other organizations. Biometric authentication refers to the use of unique physical or behavioral characteristics of an individual for verifying their identity. Biometric authentication techniques provide better security and a convenient alternative to conventional authentication methods like passwords and PINs. However, the use of biometric data for authentication purposes raises concerns about privacy and security. Privacy-preserving biometric authentication techniques aim to address these concerns by ensuring that biometric data is protected from unauthorized access and misuse. This report aims to provide an overview of the importance, impact, current advances, technologies used, and challenges associated with privacy-preserving biometric authentication techniques.

Introduction:

In today's digital world, secure and efficient authentication is critical for the protection of sensitive data and prevention of fraudulent activities. Biometric authentication, which involves the use of physiological or behavioral characteristics such as fingerprints, voice, or facial recognition, has gained popularity as a means of authentication due to its convenience and perceived security. However, biometric authentication raises concerns regarding privacy, as biometric data is unique to an individual and cannot be changed in the event of a data breach or unauthorized access.

Privacy-preserving biometric authentication techniques aim to address these concerns by providing secure and efficient authentication while protecting the privacy of individuals' biometric data. This self-study project aims to develop deeper knowledge about privacy-preserving biometric authentication techniques, their importance, impact, current advances, and technologies used. This report is intended for a large corporate organization such as a bank, a hospital, a software company, a university, or a government organization in Qatar, which is looking for insights into privacy-preserving biometric authentication techniques.

Importance of Privacy-Preserving Biometric Authentication Techniques:

Privacy-preserving biometric authentication techniques are important for several reasons. First, they help to protect sensitive data such as health records, financial data, and government data. Because biometric information is specific to a person and cannot be readily copied or guessed, biometric authentication provides a better level of security than conventional authentication mechanisms such as passwords and PINs.

Privacy-preserving biometric authentication techniques can help to prevent identity theft and fraud. Biometric authentication can ensure that only authorized individuals are granted access to sensitive data, reducing the risk of data breaches and fraudulent activities. Privacy-preserving biometric authentication techniques can also provide convenience and ease of use for individuals. Biometric authentication eliminates the need for individuals to remember and enter passwords or PINs, making authentication faster and more efficient.

Impact of Privacy-Preserving Biometric Authentication Techniques:

Privacy-preserving biometric authentication techniques have the potential to impact various sectors, such as healthcare, banking, government, and other organizations. In healthcare, biometric authentication can provide secure access to patient records and improve patient care. Biometric authentication can also be used for identification and access control in hospitals and other healthcare facilities.

In the banking sector, biometric authentication can help to prevent fraudulent activities such as identity theft and improve customer experience. Biometric authentication can also provide secure access to financial information and transactions.

In government organizations, biometric authentication can be used for identification and access control in secure facilities and access to sensitive data. Biometric authentication can also be used for border control and immigration.

The Fundamentals of Biometric authentication systems

Privacy-preserving biometric authentication systems (BAS) are designed to protect biometric data and user privacy while still allowing secure access control [1]. These systems use various techniques to ensure that the biometric data cannot be used for other purposes, such as tracking or profiling, by third-party attackers. These techniques include encryption, data masking, and biometric template protection.

Encryption: It is a technique used to protect data by converting it into an unreadable format. In BAS, a cipher can be used to secure biometric data while it is being sent or stored. For example, biometric data from a user may be encrypted before being delivered to a server, so that attackers who intercept it cannot read or reuse it. Encryption can also be used to safeguard biometric information when it is saved on a device and server [2]. This means that even if attackers gain access to the storage device, they will not be able to read the biometric data because it is encrypted.

Data masking: It is another technique used to protect biometric data. Data masking involves altering the biometric data before it is stored or transmitted so that it cannot be used to reconstruct the original data. For example, in face recognition systems, data masking can involve the addition of random noise to the image [3]. This noise is added in such a way that the original face cannot be reconstructed, but the system can still recognise the person.

Biometric template protection: It involves converting the biometric data into a secure template that can be used for authentication but cannot be used to reconstruct the original data. Template protection techniques can include cryptographic hash functions or fuzzy extractors [4]. These techniques allow the biometric data to be converted into a template that can be used for authentication but cannot be used to reconstruct the original biometric data.

Biometric authentication systems offer a user-friendly and efficient method for access control, but they are susceptible to privacy and security threats. Privacy-preserving BAS techniques, such as encryption, data masking, and biometric template protection, can help mitigate these risks and provide secure and privacy-preserving authentication. These techniques must be used and implemented carefully to ensure that the privacy and security of the user are maintained.

Figure 1: Privacy-Preserving Authentication [5]

The Basics of Biometric Authentication Systems

In general, these systems work by registering a user's biometric template during the registration phase, which becomes the user's reference template. During the authentication phase, the user submits their identity and a fresh template, and the system checks if the fresh template matches the stored one. Biometric traits such as voice, signature, DNA, fingerprint, iris, and ear shape are used for authentication. The comparison process takes into account the natural variability and noise of biometric credentials. Privacy-preserving BAS transform biometric traits into secure data vectors while guaranteeing the anonymity of the user. The enrolment phase involves registering the biometric template and identity in the database, while the authentication phase involves submitting fresh biometric data and identity to be matched with the stored data. In a privacy-preserving system, the biometric data is encrypted to protect against passive and active adversaries. A distributed architecture is used to limit the amount of information each entity has, thus avoiding single points of failure [6].
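The template protection described earlier and the enrolment and authentication phases described above can be made concrete with a fuzzy commitment, the scheme named in the title of reference [4]. The sketch below is an added example, not code from the cited works; the 5x repetition code, the 16-bit key, the function names and the bit patterns are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

REPEAT = 5      # assumption: each key bit is repeated 5 times (corrects 2 flips per block)
KEY_BITS = 16   # assumption: toy key length; a real system uses a stronger code such as BCH


def encode(key_bits):
    """Repetition code: expand every key bit into REPEAT identical bits."""
    return [b for b in key_bits for _ in range(REPEAT)]


def decode(code_bits):
    """Majority vote per block recovers the key bit despite a few flipped bits."""
    return [1 if sum(code_bits[i:i + REPEAT]) > REPEAT // 2 else 0
            for i in range(0, len(code_bits), REPEAT)]


def key_digest(key_bits, salt):
    return hashlib.sha256(salt + bytes(key_bits)).digest()


def enroll(template_bits):
    """Return the stored record: helper data and a salted hash; the raw template is not kept."""
    if len(template_bits) != KEY_BITS * REPEAT:
        raise ValueError("template must be KEY_BITS * REPEAT bits long")
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    salt = secrets.token_bytes(16)
    helper = [c ^ t for c, t in zip(encode(key), template_bits)]
    return {"helper": helper, "salt": salt, "digest": key_digest(key, salt)}


def verify(record, fresh_bits):
    """Unmask the codeword with the fresh sample, correct the noise, compare hashes."""
    if len(fresh_bits) != len(record["helper"]):
        return False
    noisy_codeword = [h ^ f for h, f in zip(record["helper"], fresh_bits)]
    candidate = decode(noisy_codeword)
    return hmac.compare_digest(key_digest(candidate, record["salt"]), record["digest"])


def flip(bits, positions):
    """Simulate sensor noise by inverting the bits at the given positions."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]


# Constructed 80-bit template standing in for a binarised feature vector.
TEMPLATE = [(i * i + i // 3) % 2 for i in range(KEY_BITS * REPEAT)]

if __name__ == "__main__":
    record = enroll(TEMPLATE)
    print("same user, 7 noisy bits:", verify(record, flip(TEMPLATE, {0, 1, 5, 12, 13, 40, 79})))
    print("3 flips in one block:   ", verify(record, flip(TEMPLATE, {0, 1, 2})))
    print("different user:         ", verify(record, [b ^ 1 for b in TEMPLATE]))
```

A repetition code leaks the XOR of template bits inside each block through the helper data, and a 16-bit key can be recovered from its hash by exhaustive search, so both parameters must be replaced before any real use.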

Figure 2: Architecture of biometric authentication system [7]

Possible attacks on Biometric Authentication Systems

Despite the potential advantages, biometric authentication systems are still susceptible to several types of attacks. In this section, we will discuss some of the most common attacks on these systems and how they can be mitigated.

Spoofing attacks:

Spoofing attacks involve creating fake biometric traits or presenting fake biometric samples. These attacks can be carried out by presenting fake fingers, artificial eyes, or even high-resolution photos of a face or a fingerprint. Biometric authentication systems are vulnerable to these attacks if they rely on unimodal biometric traits. To mitigate spoofing attacks, many modern systems use multimodal biometric traits. These systems require the presentation of multiple biometric traits from different body parts or behaviors to increase the difficulty of successful spoofing attacks.

Replay attacks:

In a replay attack, an attacker captures the biometric trait of an authorized user during the authentication process and replays it later to gain access to the system. These attacks can be carried out by intercepting the communication between the server and the client and replaying the captured biometric trait. To mitigate replay attacks, many systems incorporate countermeasures such as time stamps or challenge-response protocols that require the presentation of a different biometric trait each time.
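One way to implement the time stamp and challenge-response countermeasures, added here as an illustration and not taken from the cited sources: the server issues a single-use nonce with a short lifetime, and the capture device authenticates the fresh sample together with that nonce. The shared device key, the 30-second lifetime and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30  # assumption: seconds a challenge stays valid


def sign(device_key, user_id, nonce, sample):
    """Capture device: bind the fresh sample to this user and this challenge."""
    msg = len(user_id).to_bytes(2, "big") + user_id + nonce + hashlib.sha256(sample).digest()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class ManualClock:
    """Controllable clock so the expiry path can be exercised without sleeping."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class Verifier:
    def __init__(self, device_key, clock=time.time):
        self.device_key = device_key
        self.clock = clock
        self.pending = {}  # nonce -> (user_id, expiry time)

    def challenge(self, user_id):
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (user_id, self.clock() + CHALLENGE_TTL)
        return nonce

    def check(self, user_id, nonce, sample, tag):
        """Return 'fresh' only for a first-time, in-time, correctly MACed response."""
        issued = self.pending.pop(nonce, None)  # consume the nonce: one use only
        if issued is None:
            return "unknown-or-replayed-nonce"
        owner, expiry = issued
        if owner != user_id:
            return "wrong-user"
        if self.clock() > expiry:
            return "expired"
        if not hmac.compare_digest(sign(self.device_key, user_id, nonce, sample), tag):
            return "bad-mac"
        return "fresh"  # only now is the sample handed to the matcher


def demo():
    key = secrets.token_bytes(32)            # assumption: provisioned to the sensor at install
    sample = b"constructed-feature-bytes"    # constructed stand-in for a captured sample
    clock = ManualClock(1000.0)
    server = Verifier(key, clock)

    n1 = server.challenge(b"alice")
    tag1 = sign(key, b"alice", n1, sample)
    results = [server.check(b"alice", n1, sample, tag1)]       # genuine login
    results.append(server.check(b"alice", n1, sample, tag1))   # same message seen again

    n2 = server.challenge(b"alice")
    results.append(server.check(b"alice", n2, sample, tag1))   # old response, new challenge

    n3 = server.challenge(b"alice")
    clock.now += CHALLENGE_TTL + 1                             # response arrives too late
    results.append(server.check(b"alice", n3, sample, sign(key, b"alice", n3, sample)))
    return results


if __name__ == "__main__":
    print(demo())
```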

Denial of Service attacks:

The aim of Denial of Service (DoS) attacks is to disrupt or overload the system by sending a large number of authentication requests, causing the system to become unavailable. DoS attacks can be carried out by an attacker to prevent legitimate users from accessing the system. To mitigate DoS attacks, systems can incorporate measures such as rate-limiting or limiting the number of authentication attempts per user.

Biometric data breaches:

Biometric authentication systems are vulnerable to data breaches that could compromise the privacy and security of the biometric data stored in the system. An attacker who gains access to the biometric data can potentially impersonate authorized users or launch more sophisticated attacks. To mitigate biometric data breaches, systems should implement strong security measures such as encryption, access controls, and monitoring of access logs.

Privacy attacks:

Privacy attacks on biometric authentication systems aim to link a user's identity to her biometric template, compromising her privacy. These attacks can be carried out by an attacker who has access to the biometric data or who intercepts the communication between the client and the server. To mitigate privacy attacks, systems can use privacy-enhancing techniques such as data anonymization, data perturbation, or secure multi-party computation.

Machine learning attacks:

Machine learning attacks aim to bypass biometric authentication systems by creating synthetic biometric traits that can fool the system. These attacks can be carried out by training machine learning models to generate biometric traits that resemble those of authorized users. To mitigate machine learning attacks, systems can incorporate anti-spoofing measures such as liveness detection or behavioral biometrics that capture the user's unique behavioral patterns.

Brute-force attacks:

A brute-force attack involves trying all possible combinations of biometric data until the correct one is found. For example, an attacker might try different fingerprints until they find the one that matches the user's fingerprint. This type of attack is time-consuming but can be effective if the biometric system is not configured to lock out users after a certain number of failed attempts.

Injection attacks:

Injection attacks involve injecting false data into the biometric system's database. This type of attack can be used to create false identities or to modify existing ones. Attackers can also use injection attacks to alter the biometric data of a legitimate user, which can result in the user being locked out of the system.

Biometric authentication systems have the potential to provide a secure and convenient authentication mechanism. However, they are susceptible to various types of attacks that need to be mitigated to ensure their security and privacy. A combination of strong security measures, privacy-enhancing techniques, and anti-spoofing measures can help to make these systems more secure and reliable [8].

Remote work creating a big security challenge

Remote work has become more prevalent due to the COVID-19 pandemic, resulting in new challenges for security professionals. Remote employees often use unsecured home Wi-Fi networks and personal devices, introducing vulnerabilities that companies may not have dealt with previously. Onboarding new employees remotely can also create gaps in setup that can cause problems down the line. Shadow IT has become a concern as well, with employees downloading and using software as they see fit. Employees mixing work and personal devices and using them interchangeably can create issues, especially with GDPR compliance. Cyberattacks have increased in frequency and sophistication, with attackers finding new ways to bypass IT protocols or trick employees with phishing scams. Many companies are implementing biometric authentication factors to increase security, such as fingerprint, face, and voice scanners, but combining biometric and traditional techniques is crucial for remaining vigilant [9].

Multi-Factor Authentication 

Figure 3: Multi-Factor Authentication [10]

Multi-factor authentication (MFA) is a security approach that requires users to provide two or more methods of confirming their identity before being granted access to classified information. These authentication elements often comprise something you know (such as a password), a device you own (such as a phone), or something that you are (like biometrics). Although approximately 60% of worldwide firms have already deployed MFA, the majority still rely on passwords or tokens for authentication. However, these authentication factors are vulnerable to cybercriminals, as they are easily stolen, lost, or forgotten. As a result, businesses are turning to biometric authentication, which relies on unique physical characteristics to identify and verify a user's identity.

Biometric authentication is an inherent factor, meaning that it is something you are, which is much more challenging to spoof than something you know or have. Biometric authentication methods include fingerprint scanners, facial recognition software, and voice recognition. Biometric authentication provides a higher level of security and convenience, as users do not need to remember or enter a password every time they log in. Many mobile devices and applications already use biometric authentication, and businesses can integrate biometrics into their existing MFA systems to increase security and provide a seamless user experience. Biometrics can be used to secure cloud applications, shared drives, and even email.

However, businesses must also consider the limitations and challenges of biometric authentication. For example, biometric data can be compromised or stolen, and some users may have physical characteristics that cannot be easily scanned or identified. Additionally, not all biometric authentication methods are equally secure or accurate, and some may be vulnerable to spoofing or hacking. To address these concerns, businesses can combine biometric authentication with traditional authentication factors, such as passwords or security tokens, to create a layered security approach. This approach, known as adaptive authentication, can assess the risk of each login attempt and require additional authentication factors for high-risk logins.

Businesses can improve their security posture by adopting MFA and incorporating biometric authentication into their authentication systems. Biometric authentication provides a higher level of security and convenience, but businesses must also consider the limitations and challenges of biometric authentication and combine it with other authentication factors for a more robust security approach [9].

Conceptual model to deal with advanced attacks

The conceptual model proposed for biometric authentication systems consists of two important aspects. The first is concerned with guaranteeing optimum security for each application that interacts with the biometric or identification system, which is illustrated in the model as the ring of competence. The second focuses on preventing attacks that can occur during data processing or transit, which is represented by the cloud in the model. The model depicts a person utilizing a biometric or authentication device to carry out daily tasks.

The model shows four applications: Apps 1, 2, 3, and 4. Apps 1, 2, and 3 interface with the biometric system directly, whereas App 4 communicates with the system indirectly. Each application's lock symbol indicates that it is safe and free of flaws that may allow for hacking or the execution of harmful code. Each application that interacts with the biometric and identification system must be safe and be inside the organization's scope of expertise.

The tube in the model, which serves as a secure conduit or pathway for the biometric procedure, further emphasizes this need. The decision module in the model determines whether the procedure is an authentication or an enrollment process. For enrollment, data preprocessing, feature extraction, and encryption of the created templates take place next. After passing through a classifier, the templates are sent to secure database storage. The model also shows that the database storage is safe and does not have any flaws that could allow for template leakage or modification.

For authentication, similar steps are taken, including data preprocessing, feature extraction, and encryption of the encoded templates, before they are sent to the matcher module. Authentication is successful if the template is located in the database storage. Otherwise, the procedure terminates, indicating a failed authentication. The proposed conceptual model thus provides a foundation for optimum security and for avoiding attacks on biometric authentication devices.

The business must make sure that a secure channel is used for the procedure after the user has accessed the biometric system. The suggested conceptual model, shown in Figure 4, is built on two crucial tenets. First, maximum security must be provided, within the scope of competence, for each program that interacts with the biometric and identification system. Second, since attacks frequently occur when data is being processed or transferred, all communications must take place over a secure communication channel or in the cloud.

The region where the biometric and identification system functions safely is represented by the circle of competence, which is shown as a dashed line creating a square. Applications that either directly or indirectly interact with the biometric system are represented by ovals that point to the system. There are four apps in this model: Apps 1, 2, 3, and 4. While Apps 1, 2, and 3 communicate with the biometric system directly, App 4 does so in a more indirect manner.

According to the padlock symbol shown for each app, each application which interacts with the biometric and authentication system is safe and does not have any vulnerabilities that may allow for infiltration or the execution of malicious code or scripts. As an application interacts with the network, it enters the organization's sphere of influence, and security must be maintained. A secure route or path for the process is represented by the tunnel in Figure 4. The decision module determines if the procedure is one of authentication or enrollment. For the registration process, data is preprocessed before going to the feature extraction module, in which it is encrypted. The classifier processes the created templates, which are then saved in the data storage, symbolised by a lock sign.

The data storage is protected with appropriate access restrictions and is free of flaws that might allow for the theft or alteration of current templates or the leaking of the database. The matcher module is then used to compare the templates to the template that already exists in the database store. If the template has already been enrolled, the procedure will terminate, indicating that the user has already been enrolled. If not, it checks to see if all processes for enrolling in the service have been completed. If the procedures are not fulfilled, the process is aborted, with an error saying that the formalities for enrolling as a new user have not been completed [11].

Figure 4: Conceptual model against attack vectors authentication and biometric systems [6]

How to Keep Biometric Information Secure

Biometric authentication has gained popularity as an additional layer of security for data protection. However, biometric information, such as fingerprints, retina scans, and facial recognition, can be vulnerable to cyberattacks, and thus, it is crucial to take appropriate measures to keep this information secure.

Limiting access to authorized personnel

One way to protect biometric information is by limiting access to authorized personnel only. Implementing the principle of least privilege and confining access to a small group of people can reduce the chances of biometric exposure. Moreover, it is recommended to turn off any unnecessary services associated with the applications.

Enforcing encryption

Another way to safeguard biometric information is by enforcing encryption. Encryption is necessary to protect data that is in use and in transit. Utilizing runtime encryption can ensure data is protected at all times, including data stored on servers or hard drives.

Ensuring network security

Ensuring network security is also crucial. Companies should continuously test their firewall and perform necessary auditing and mapping. Keeping all software and systems up to date and using cybersecurity software to monitor and address anomalies quickly can prevent cyberattacks.

Live detection

Implementing live detection and anti-spoofing technology can also enhance the security of biometric information. Interactive sensors with built-in challenge-response features can detect and block unauthorized users. Anti-spoofing technology can prevent attackers from getting around biometric authentication with rubber masks or partial prints that work on most fingerprint scanners.

Making multi-factor authentication (MFA) complex

Moreover, making multi-factor authentication (MFA) complex can make it harder for cybercriminals to enter the system. Employing a diverse set of biometric authentication methods and combining them with conditional access policies, such as GPS location or IP address, as well as trusted authenticator apps or other smartphone solutions such as push notification MFA, can add more barriers to classified data.

Awareness

Educating employees about the risks of weak passwords, sharing biometric data, or compromising MFA can enhance the security of biometric information. Employees can be trained to recognize potential threats and report them promptly, which can go a long way in keeping the company and customers safe.

Protecting biometric information requires a multi-pronged approach, including limiting access, enforcing encryption, ensuring network security, implementing live detection and anti-spoofing technology, making MFA complex, and educating employees. Implementing these measures can help prevent data breaches and keep biometric information secure [12].

Current Advances and Technologies Used:

Several privacy-preserving biometric authentication techniques have been developed to address the privacy concerns associated with biometric data. One approach is the use of biometric template protection, which involves the storage of biometric data in a template. There are other methods such as secure multiparty computation, homomorphic encryption, and differential privacy. These techniques allow for the secure processing and storage of biometric data while preserving the privacy of the data. For example, secure multiparty computation allows for the computation of a function using inputs from multiple parties without revealing the inputs to each other. Homomorphic encryption allows for the secure computation of encrypted data without the need for decryption, while differential privacy ensures that statistical queries on the data do not reveal sensitive information. These techniques provide a high level of security and privacy for biometric data, enabling its use in various applications.
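Homomorphic encryption as described above, shown as an added example that is not taken from the cited works: with textbook Paillier encryption, the device holding the fresh sample computes the encrypted squared distance to a stored encrypted template, and the key holder decrypts only that distance. The toy primes, feature vectors, threshold and function names are assumptions, and the sketch assumes honest-but-curious parties.

```python
import math
import secrets

# Toy primes (2^31-1 and 2^61-1) keep the example fast; real Paillier keys use
# two random primes of at least 1024 bits each.
P = 2**31 - 1
Q = 2**61 - 1


def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                # valid because g = n + 1
    return n, (lam, mu)


def encrypt(n, m):
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def add(n, c1, c2):
    """Enc(a) * Enc(b) = Enc(a + b)."""
    return c1 * c2 % (n * n)


def scale(n, c, k):
    """Enc(a) ^ k = Enc(k * a); a negative k is reduced modulo n."""
    return pow(c, k % n, n * n)


def enroll_template(n, x):
    """Database record: encrypted coordinates plus the encrypted sum of squares."""
    return {"coords": [encrypt(n, xi) for xi in x],
            "sq": encrypt(n, sum(xi * xi for xi in x))}


def encrypted_distance(n, record, y):
    """Device side: Enc(sum (x_i - y_i)^2) from Enc(x) and its own fresh sample y."""
    acc = add(n, record["sq"], encrypt(n, sum(yi * yi for yi in y)))
    for cx, yi in zip(record["coords"], y):
        acc = add(n, acc, scale(n, cx, -2 * yi))
    return acc


def match(n, priv, c_dist, threshold):
    """Key holder: decrypts only the distance and applies the threshold."""
    return decrypt(n, priv, c_dist) <= threshold


# Constructed feature vectors (small integers) for the example.
ENROLLED = [12, 40, 7, 33, 25, 18]
GENUINE = [13, 38, 7, 35, 24, 18]     # same user, slightly noisy reading
IMPOSTOR = [30, 5, 22, 9, 41, 2]
THRESHOLD = 50                        # assumption: tuned per deployment

if __name__ == "__main__":
    n, priv = keygen()
    record = enroll_template(n, ENROLLED)
    for name, y in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        c = encrypted_distance(n, record, y)
        print(name, decrypt(n, priv, c), match(n, priv, c, THRESHOLD))
```

The database never sees a plaintext template, the device never sees the enrolled one, and the key holder sees a single number per attempt.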

Recommendations for Implementing Privacy-Preserving Biometric Authentication

When implementing privacy-preserving biometric authentication techniques, it is important to consider several factors to ensure their effectiveness. Firstly, the choice of biometric data type should be carefully considered, as certain types of biometric data may be more susceptible to attacks or may not be suitable for certain applications.

The selection of the appropriate privacy-preserving tool should be based on the specific needs and requirements of the application. Different tools may be more suitable for different types of applications, and it is important to choose the right tool for the job.

The importance of user education cannot be overstated. Users should be informed about the collection and use of their biometric data, and should be provided with clear information about how their data is being protected and used [6].

Based on our research and analysis, we recommend that our organization should consider implementing privacy-preserving biometric authentication techniques in its operations. We suggest that a team be formed to investigate how these techniques can be applied to our operations and identify the potential benefits that can be derived from their implementation. Furthermore, we recommend that our organization should educate its employees on the benefits of privacy-preserving biometric authentication techniques and their potential applications in our operations.

We also suggest that our organization should collaborate with other organizations in Qatar to share knowledge and experiences, identify potential challenges, and develop best practices for implementing privacy-preserving biometric authentication techniques.

Lessons Learned:

Through this project, we have gained knowledge on the potential benefits of privacy-preserving biometric authentication techniques in enhancing security and protecting privacy. We have learned that these techniques can enable secure authentication without compromising the privacy of individuals by ensuring that sensitive biometric information is not stored in plaintext.

We have also learned that privacy-preserving biometric authentication techniques can be applied in various industries, including banking, healthcare, software development, education, and government organizations. These techniques can provide a more secure and efficient authentication process, which can reduce the risk of fraud and unauthorized access to sensitive information.

Overall, this project has improved our understanding of privacy-preserving biometric authentication techniques and their potential benefits in enhancing security and protecting privacy. We have learned that organizations that adopt these techniques can gain a competitive advantage over their peers and ensure that their operations are secure and privacy-preserving. We also learned that education and collaboration are essential to the successful implementation of privacy-preserving biometric authentication techniques.

Bibliography

[1] J. Hao, "Protecting biometric templates with sketch," IEEE Spectrum, vol. 47, pp. 28–33, 2010.

[2] A. R. a. A. Jain, Handbook of Multibiometrics, US: Springer, 2006.

[3] A. K. J. a. E. N. P. R. Gross, "Biometrics: A tool for information security," IEEE Transactions on Information Forensics and Security, vol. 1, no. 2, pp. 125–143, 2006.

[4] M. K. Y. J. H. a. K. R. P. E. J. Kim, "Privacy preservation of biometric data based on fuzzy commitment scheme," in Proceedings of the International Conference on Advanced Communication Technology, pp. 1652–1655, 2010.

[5] Erkam Uzun, "Privacy-Preserving Authentication," [Online]. Available: https://sites.gatech.edu/euzun/projects/biometrics-authentication/. [Accessed 11 March 2023].

[6] E. a. M. A. Pagnin, "Privacy-Preserving Biometric Authentication: Challenges and Direction," Security and Communication Networks, pp. 1–9, 2017. https://doi.org/10.1155/2017/7129505

[7] n.d., "Fig.2 Biometric Authentication System Architecture," ResearchGate. https://www.researchgate.net/figure/Biometric-Authentication-System-Architecture_fig1_331674242

[8] Javatpoint, "Biometrics System Attacks and Security," [Online]. Available: https://www.javatpoint.com/biometric-system-security-and-attacks. [Accessed 12 March 2023].

[9] K. Kinzer, "How to Keep Biometric Information Secure," 2022. [Online]. Available: https://jumpcloud.com/blog/how-to-keep-biometric-information-secure. [Accessed 12 March 2023].

[10] Wallarm, "What is multifactor authentication (MFA)?," 20 February 2023. [Online]. Available: https://www.wallarm.com/what/what-is-multifactor-authentication-mfa. [Accessed 11 March 2023].

[11] A. a. K. A. Sandirakumaran, "Defending against advanced attack vectors on biometric and authentication systems," Nucleation and Atmospheric Aerosols [Preprint], 2022. https://doi.org/10.1063/5.0110607

[12] Y. W. L. &. Y. X. Dai, "Biometric Authentication with Template Protection: A Survey," IEEE Transactions on Circuits and Systems for Video Technology, vol. 30, no. 11, pp. 4304–4324, 2020. https://doi.org/10.1109/tcsvt.2020.3014695

 

 
