Evaluating Biometric Security (Invited keynote paper)

Daniel Lopresti, Fabian Monrose, and Lucas Ballard

Abstract

Growing interest in biometric security has resulted in much work on systems that attempt to exploit the individuality of human behavior. In this paper, we survey our recent research examining issues arising when such biometrics are to be used for authentication or cryptographic key generation. We propose steps towards the development of more rigorous evaluation methodologies for behavioral biometrics that take into account threat models previously ignored in the literature. The pervasive assumption that adversaries are minimally motivated (or, even worse, naive), or that attacks can only be mounted through manual effort, is too optimistic and even dangerous. The discussion is illustrated by summarizing our analysis of a handwriting-based key generation system showing that the standard evaluation methodology significantly overestimates its security. We also present an overview of our work on fully automated (generative) attack models that can be nearly as effective as skilled human forgers and thus present both a serious threat as well as a potential tool for improving the testing of biometric systems.

[pdf.gz]