The reasons why secure biometric systems still require hardware-based security
By Bernd Zwattendorfer, Infineon Technologies
Proving a claim about a person's identity – both identification and authentication – is a fundamental process for granting or denying access to services, whether physical (yes, you really booked the hotel room) or digital (yes, you are authorized to use the cloud service). Identification and authentication have entered our daily lives, and today many different mechanisms exist to support them.
One easy and user-friendly way is biometrics. A biometric characteristic is defined as “a biological and behavioral characteristic of an individual from which distinguishing, repeatable biometric features can be extracted for the purpose of biometric recognition”1. By recognising and verifying certain biometric characteristics (e.g. against a stored template), a person can therefore be distinguished from others and thus uniquely identified and authenticated. Typical biometric characteristics captured for identification and authentication are a person's face, fingerprint or voice. Other biometric characteristics exist and can be captured for verification; Table 1 briefly lists physiological and behavioral biometric characteristics.
Biometrics are attractive for identification and authentication for several reasons. One of the biggest advantages is universality: biometric characteristics can be measured from every individual. Furthermore, biometrics provide uniqueness, which allows individuals to be distinguished from each other without restricting the context. Finally, biometric characteristics rarely change over time.
Biometric use cases
Biometrics can be used in many ways and systems, and they entered our lives many years ago. Typical application areas are travel and border control, logical and physical access, and consumer applications.
For travel and border control, many electronic passports store fingerprints in addition to facial data on a security chip. Enterprises requiring a high level of security for their physical and logical assets are now protecting themselves with biometrics; door systems, for instance, are equipped with biometric access control mechanisms. Finally, nearly every smartphone today contains some kind of biometric sensor protecting access to the device itself.
Biometrics support different use cases; Figure 1 illustrates the more prominent ones in a generic manner.
During a physical, attended verification process – even one supported by electronic means – a human operator still performs an additional check of the biometric characteristics. During a physical, unattended verification process, biometric verification is fully automated, and access to a building, room or gate is granted or denied automatically. Biometric technologies can also support remote use cases, e.g. protecting access to a remote online service. Finally, many devices already have built-in biometric sensors that serve as a convenient alternative to PINs for unlocking the device.
There is no single approach to how biometric characteristics are captured, where they are stored, and where and how they are processed, e.g. compared against reference data for verification. Different architectures have emerged over the last few years, each with advantages and disadvantages. Table 2 briefly categorises biometric systems by where capture, storage and processing take place and gives implementation examples.
Smart cards, FIDO tokens or electronic passports are typical examples where the biometric data is stored locally in a security chip.
Fast Identity Online (FIDO)
FIDO is an emerging industry standard for improving the security of online authentication. Insecure username/password mechanisms should be protected by a strong second factor or replaced by other authentication factors such as biometrics. The main idea is to authenticate locally against a FIDO authenticator (USB token, smart card) and to transmit only the authentication result (a signed response to a challenge from the service) to the online service, which then decides whether to grant access. No personal information such as biometric data is transmitted to the online service. FIDO supports biometric capture and verification/matching directly in secured hardware on the FIDO authenticator, providing a very high level of protection for biometric authentication data.
This gives users a high level of security and privacy, as the user keeps the card, and with it control of the data, in their own domain. The sensor for capturing and matching the data can be on the card itself or on an external reading device. If biometric matching is carried out in the secure element itself, it is usually referred to as Match-on-Card (MoC); if matching is carried out on the reading terminal, as for electronic passports, it is referred to as Match-on-Terminal. In both cases matching can be executed offline, so no connection to any remote server is required. However, only 1:1 matching, not 1:n matching, is supported in this case. 1:1 matching compares a single captured sample against a single stored template (one person's biometric sample against exactly one stored template), whereas 1:n matching compares a single captured sample against many (n) stored templates. 1:n matching (searching one person's biometric sample across an entire database of templates) is typically supported by a server-based approach, because servers have the larger storage capacity and the higher computing power required.
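The FIDO and Match-on-Card model described above, as an added example that is not part of the original article and not code from Infineon or the FIDO Alliance. It assumes a toy 64-bit template compared by Hamming distance with an assumed threshold of 6 bits, Ed25519 for the credential key pair, a simplified layout of the signed data (rpIdHash || flags || counter || challenge, in place of WebAuthn's authenticatorData || clientDataHash) and a hypothetical relying party "example.com". The template, the private key and the 1:1 comparison stay inside the Authenticator type; the only thing handed to the relying party is the signed assertion, which carries no biometric data, and the relying party stores nothing but public keys and signature counters.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/bits"
)

// Template is a toy 64-bit feature vector standing in for a real (larger, vendor-specific) biometric template.
type Template [8]byte

const MatchThreshold = 6 // largest Hamming distance still accepted as a match (assumed value)
const flagUV byte = 0x04 // user-verified bit of the flags byte, as in WebAuthn authenticator data

// HammingDistance counts the bits in which a captured sample and a reference template differ.
func HammingDistance(a, b Template) int {
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// Assertion is all that crosses the network: no biometric data, only proof that the
// authenticator verified the user locally (flagUV) and holds the enrolled private key.
type Assertion struct {
	CredID    []byte
	Flags     byte
	Counter   uint32
	Signature []byte
}

// signedData lays out rpIdHash || flags || counter || challenge (simplified WebAuthn authenticatorData || clientDataHash).
func signedData(rpID string, flags byte, counter uint32, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	msg := append(rpHash[:], flags, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, challenge...)
}

// Authenticator models a Match-on-Card FIDO authenticator: template, private key and the
// 1:1 comparison never leave the (hypothetical) security chip.
type Authenticator struct {
	credID   []byte
	priv     ed25519.PrivateKey
	template Template
	counter  uint32
}

// GetAssertion runs the 1:1 match on the chip and, only on success, signs the RP's challenge.
func (a *Authenticator) GetAssertion(rpID string, challenge []byte, sample Template) (*Assertion, error) {
	if HammingDistance(sample, a.template) > MatchThreshold {
		return nil, errors.New("user verification failed: sample does not match enrolled template")
	}
	a.counter++
	sig := ed25519.Sign(a.priv, signedData(rpID, flagUV, a.counter, challenge))
	return &Assertion{CredID: a.credID, Flags: flagUV, Counter: a.counter, Signature: sig}, nil
}

// RelyingParty stores only public keys and last-seen counters; a breach of it exposes no templates.
type RelyingParty struct {
	rpID     string
	pubKeys  map[string]ed25519.PublicKey
	counters map[string]uint32
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, counters: map[string]uint32{}}
}

// Enroll is the registration ceremony: a fresh key pair per credential, only the public key goes to the RP.
func (rp *RelyingParty) Enroll(template Template) *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	id := make([]byte, 16)
	rand.Read(id)
	rp.pubKeys[string(id)] = pub
	return &Authenticator{credID: id, priv: priv, template: template}
}

// NewChallenge returns a fresh random nonce so a captured assertion cannot be replayed.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify checks credential, UV flag, signature over this challenge, and a strictly increasing counter.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	pub, ok := rp.pubKeys[string(as.CredID)]
	switch {
	case !ok:
		return errors.New("unknown credential")
	case as.Flags&flagUV == 0:
		return errors.New("user verification required")
	case !ed25519.Verify(pub, signedData(rp.rpID, as.Flags, as.Counter, challenge), as.Signature):
		return errors.New("invalid signature")
	case as.Counter <= rp.counters[string(as.CredID)]:
		return errors.New("counter did not increase: replay or cloned authenticator")
	}
	rp.counters[string(as.CredID)] = as.Counter
	return nil
}

func main() {
	rp := NewRelyingParty("example.com")
	auth := rp.Enroll(Template{0xA5, 0x3C, 0xF0, 0x0F, 0x96, 0x69, 0xC3, 0x3C}) // constructed enrolment template
	chal := rp.NewChallenge()
	as, err := auth.GetAssertion("example.com", chal, Template{0xA6, 0x3C, 0xF0, 0x0F, 0x96, 0x69, 0xC3, 0x3C}) // one bit of sensor noise
	fmt.Println("local match:", err, "| first use:", rp.Verify(chal, as), "| replay:", rp.Verify(chal, as))
}
```

The signature counter is what lets the relying party notice a cloned authenticator or a replayed assertion, and the challenge binding is what stops an assertion captured from one login being reused for another; both checks operate on the signed assertion alone, which is why the server never needs, and never receives, the template.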
One example of a server-based system is AFIS (Automated Fingerprint Identification System). In such systems, biometric data for verification is captured locally by an external reading terminal and subsequently transmitted to a remote server for matching against the stored reference data sets. The level of privacy is lower than with chip-based solutions, as users have no direct control over their remotely stored data. AFIS does, however, support 1:n matching. Verification then always requires an online communication channel between the reading device and the server where all the biometric data is stored for comparison.
The need for hardware-based security
Under the EU General Data Protection Regulation (GDPR)2, biometric data is classified as a special category of personal data, and processing it for the purpose of uniquely identifying a natural person is prohibited. While GDPR does provide certain exceptions under which such processing is permitted, biometric data is sensitive in and of itself and therefore needs special protection.
Hardware-based security such as security chips should be the means of choice for protecting security-critical data such as biometrics. It offers strong tamper-resistant protection across the entire product lifetime, regardless of the application, and it can be incorporated into biometric systems whether the biometric data is stored locally or remotely.
When dealing with biometrics, template storage and the matching procedure are the most security-critical functions, and it is paramount that both be protected by hardware security. The highest level of security is achieved when biometric data is stored in a tamper-resistant security chip and the matching takes place within that chip. Furthermore, decentralized storage of a single biometric template per security chip provides higher protection than centralized storage of many templates in a remote database: if the database is compromised, the biometric data of many individuals could be revealed, whereas a successful attack on a single hardware-based local store discloses at most one template.
Using biometrics for identification and authentication is faster and more user-friendly than traditional knowledge- and password-based mechanisms. However, whereas a lost password can easily be replaced by creating a new one, compromised biometrics (if they get into the wrong hands) can cause severe personal and financial damage. Biometrics simply cannot be changed: the link to the individual and their identity lies in the static nature of biometric data itself. Once compromised, the threat to that identity lasts forever. This is the strongest argument for protecting biometrics properly, preferably with tamper-resistant, hardware-based security.
The impact of COVID-19 on biometric verification
The COVID-19 pandemic affects everyone by reducing physical contact, not only with other people but also with shared surfaces. This affects biometric technologies too, especially capture mechanisms based on commonly touched sensors. It is expected that we will see a trend towards contactless capture (face recognition, contactless fingerprint sensors) as well as contact-based sensors used by a single individual only (e.g. a fingerprint sensor on a card).