The anatomy of a single sign-on solution based on biometric authentication
Business Need
Business applications increasingly make use of biometric verification to authenticate users or clients. Although access control is today the most widespread use of biometric technologies, this secure and convenient method of authentication is rapidly making its way into the application landscape that handles day-to-day business transactions.
Non-repudiation has become a common business need.
In general terms, non-repudiation is the assurance that someone cannot deny something. Typically, non-repudiation refers to the ability to ensure that a party to an agreement or transaction cannot deny the authenticity of their signature or cannot deny having been party to this agreement.
Non-repudiation requires a number of elements to be in place, one of them being a secure and undeniable method of authenticating a person; in other words, proving beyond reasonable doubt that a person was present at a transaction and agreed to it.
Biometric verification can provide for this need, sometimes as the only form of authentication, sometimes combined with other means.
The CIO of a large corporation will be faced with difficult choices, the first of which is the choice of biometric mode. Biometric mode (also called modality) refers to the different technologies available, such as fingerprints, facial recognition, iris scanning, or vein patterns.
Once a choice for one (or multiple) modes has been made, you will want to deploy or use a verification and identification service without becoming dependent on any particular technology vendor. This is where the technical challenges begin.
The Technical Challenge
Every biometric solution deals with two or three fundamental biometric processes:
- Enrolment
- Verification
- Identification
Enrolment refers to the process where we collect the biometric features of a person of interest, who may be a client, a supplier, or an employee. From a business perspective, it is critical that we enrol the correct person, because from this moment on we will trust the enrolled information to authenticate this person over and over again.
Technically, it is critical that enrolment is performed securely and with the best possible sample quality, so that future verifications have a good chance of accepting the right person and rejecting the wrong one. The two failure modes are measured as the False Acceptance Rate (FAR), the fraction of impostor attempts that are wrongly accepted, and the False Rejection Rate (FRR), the fraction of genuine attempts that are wrongly rejected. Both must be kept low, and because a stricter matching threshold lowers the FAR while raising the FRR, the chosen operating point is always a trade-off.
Verification is the process where we make use of an enrolled biometric template and confirm that a person is who he or she claims to be. We compare a newly taken biometric sample to the enrolled one, and if we can confirm a match, we accept the authenticity of the person, in isolation or in combination with other means of identification. Technically, verification is also referred to as a 1:1 (one-to-one) comparison.
The third biometric process is identification, which is not utilised by all users of biometric technology. Identification, or a 1:N (one-to-many) search, tries to identify a person in a database of many enrolled persons. On a small scale, this can mean that your access control system searches through a database of 200 employees and opens the door if a match against any employee is found.
A variant of identification is de-duplication, where we ensure that any given person is only enrolled in your database once. Here, an identification search is performed on enrolment of a new person, and if a match is found, the person will be flagged as potentially fraudulent.
On a large scale, identification means searching through a national database of all citizens, ensuring that a person can only apply for an ID card or passport once. The South African Government makes use of large-scale identification for both civic purposes at Home Affairs and criminal purposes at SAPS. Systems able to perform such large-scale identification are specialised and not commonly used by the private sector.
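The three processes above, and the FAR/FRR trade-off they are tuned against, can be shown in a small toy model. The following is an added example, not code from this paper or from any Alcazar product: templates are 32-bit strings, the matcher score is simply the fraction of agreeing bits, and the templates, quality scores, thresholds and attempts are all constructed for illustration. Real engines use vendor-specific feature sets and score scales, but the decision logic (quality gate on enrolment, de-duplication search before accepting a new person, 1:1 verification against a claimed identity, 1:N identification) is the same.

```python
"""Toy model of the three biometric processes: enrolment (with a quality gate
and de-duplication), 1:1 verification and 1:N identification, plus a FAR/FRR
estimate over a constructed set of attempts. Templates are 32-bit strings and
the matcher score is the fraction of agreeing bits; real engines use vendor
feature sets and scores, so every template and score here is constructed."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Template:
    subject: str
    bits: str
    quality: int  # capture quality on a constructed 0..100 scale


def similarity(a: str, b: str) -> float:
    """Matcher score in [0, 1]: fraction of positions where the bits agree."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x == y for x, y in zip(a, b)) / len(a)


class BiometricStore:
    """One template per subject; accept/reject is driven by one threshold."""

    def __init__(self, threshold: float = 0.8, min_quality: int = 60) -> None:
        self.threshold = threshold
        self.min_quality = min_quality
        self.templates: Dict[str, Template] = {}

    def identify(self, bits: str) -> Optional[Tuple[str, float]]:
        """1:N search: best-scoring enrolled subject at or above the threshold."""
        hits = [(t.subject, similarity(bits, t.bits)) for t in self.templates.values()]
        best = max(hits, key=lambda h: h[1], default=None)
        return best if best and best[1] >= self.threshold else None

    def verify(self, subject: str, bits: str) -> bool:
        """1:1 comparison against the claimed subject's enrolled template."""
        t = self.templates.get(subject)
        return t is not None and similarity(bits, t.bits) >= self.threshold

    def enrol(self, subject: str, bits: str, quality: int) -> str:
        """Quality gate, then de-duplication search, then keep the better template."""
        if quality < self.min_quality:
            return "rejected-quality"
        hit = self.identify(bits)
        if hit and hit[0] != subject:
            return f"duplicate:{hit[0]}"  # flag for fraud review, do not enrol
        current = self.templates.get(subject)
        if current and current.quality >= quality:
            return "kept"  # existing template is at least as good
        self.templates[subject] = Template(subject, bits, quality)
        return "replaced" if current else "enrolled"


def perturb(bits: str, flips: int, seed: int) -> str:
    """Flip exactly `flips` distinct bits: a stand-in for capture noise."""
    out = list(bits)
    for pos in random.Random(seed).sample(range(len(bits)), flips):
        out[pos] = "1" if out[pos] == "0" else "0"
    return "".join(out)


# Constructed reference templates; pairwise similarity is 0.5 or 0.0.
ALICE, BOB, CAROL = "1010" * 8, "1100" * 8, "0011" * 8

# Constructed attempts: (claimed subject, presented sample, is_genuine).
ATTEMPTS: List[Tuple[str, str, bool]] = [
    ("alice", perturb(ALICE, 3, 2), True),   # 29/32 bits agree
    ("alice", perturb(ALICE, 8, 4), True),   # 24/32: a poor capture
    ("bob", perturb(BOB, 2, 5), True),       # 30/32
    ("bob", perturb(BOB, 5, 6), True),       # 27/32
    ("alice", BOB, False),                   # zero-effort impostors ...
    ("bob", ALICE, False),
    ("bob", CAROL, False),
    ("alice", perturb(ALICE, 6, 7), False),  # ... and a near-match (26/32)
]


def build_store(threshold: float) -> BiometricStore:
    store = BiometricStore(threshold=threshold)
    store.enrol("alice", ALICE, 80)
    store.enrol("bob", BOB, 70)
    return store


def error_rates(store: BiometricStore, attempts: List[Tuple[str, str, bool]]) -> Tuple[float, float]:
    """(FAR, FRR): impostors accepted / impostors, genuine rejected / genuine."""
    genuine = [(s, b) for s, b, g in attempts if g]
    impostor = [(s, b) for s, b, g in attempts if not g]
    far = sum(store.verify(s, b) for s, b in impostor) / len(impostor)
    frr = sum(not store.verify(s, b) for s, b in genuine) / len(genuine)
    return far, frr


def threshold_trade_off() -> Dict[float, Tuple[float, float]]:
    """A stricter threshold lowers FAR and raises FRR on the same attempts."""
    return {th: error_rates(build_store(th), ATTEMPTS) for th in (0.8, 0.9)}


if __name__ == "__main__":
    s = build_store(0.8)
    print(s.enrol("carol", CAROL, 50))                       # rejected-quality
    print(s.enrol("alice-again", perturb(ALICE, 2, 1), 90))  # duplicate:alice
    print(s.identify(perturb(BOB, 1, 3)))                    # ('bob', 0.96875)
    print(threshold_trade_off())   # {0.8: (0.25, 0.25), 0.9: (0.0, 0.5)}
```

Two things worth noticing when running it: the de-duplication check is just the identification search applied at enrolment time, so a second identity presenting a near-copy of an enrolled template is flagged rather than enrolled; and moving the threshold from 0.8 to 0.9 drives the FAR on the constructed attempts to zero while doubling the FRR, which is the trade-off that the business-process questions later in this paper have to settle.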
In order to implement enrolment, verification, or even identification, your business application needs to handle three fundamental integration points:
- Capture a biometric sample – from the sensor.
- Feature extraction and comparison – by the engine.
- Storage and retrieval of samples and features – to and from the store.
Capturing a biometric sample and potentially feature extraction and comparison are performed by the client-facing application, and are not dealt with in this paper in any greater detail.
Storage and retrieval of biometric data could, of course, be handled by the existing database of your business application. In that case you would create tight coupling between biometric capability and business data, which is not desirable in all cases. Your developers would also have to build a deep understanding of the intricacies of non-repudiable, secure storage of biometric data: an encrypted, tamper-evident chain of evidence showing how each enrolment was performed, so that you can show it has not been altered since and can prove in court that you enrolled the right person. Emerging data privacy requirements further complicate matters, since biometric templates are personal data in most jurisdictions.
You would also have to deal with complex rules about which biometric object to store, when to replace a biometric object with one of better quality, how to convert samples (such as fingerprint images) into features (such as fingerprint minutiae records), and how to compare and verify different biometric modalities and different proprietary biometric objects and arrive at a composite matching score.
As a result, you might in many cases decide to use an off-the-shelf biometric store, which encapsulates these complexities and allows your business analysts, architects, and developers to focus on your business processes.
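One concrete piece of what a biometric store must get right is the chain of evidence mentioned above. The following is an added example, not this paper's or any product's implementation: an append-only enrolment log in which every record commits to the template it refers to (by SHA-256 hash, so the template itself never enters the log), links to the previous record, and carries an HMAC tag over its own content. The key, subjects, operators and timestamps are constructed; a real deployment keeps the key in an HSM or KMS and tightly restricts who may append.

```python
"""Tamper-evident chain of evidence for enrolment events: each record carries
the SHA-256 of the template it refers to, the previous record's tag, and an
HMAC tag over its own content, so later modification, reordering or deletion
of a record is detectable. Only the template hash enters the log; the template
itself stays in the biometric store. Key, subjects and events are constructed;
a real deployment keeps the key in an HSM or KMS and restricts who can append."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64                               # "previous tag" of record 0
DEMO_KEY = b"constructed-demo-key-not-for-use"  # stands in for an HSM-held key


def canonical(body: Dict) -> bytes:
    """Stable byte encoding so the same content always yields the same tag."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class EnrolmentLog:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[Dict] = []

    def _tag(self, body: Dict) -> str:
        return hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()

    def append(self, subject: str, template: bytes, operator: str,
               captured_at: str, quality: int) -> Dict:
        """Record who enrolled whom, when, and a commitment to which template."""
        body = {
            "seq": len(self.records),
            "subject": subject,
            "template_sha256": hashlib.sha256(template).hexdigest(),
            "operator": operator,
            "captured_at": captured_at,
            "quality": quality,
            "prev": self.records[-1]["tag"] if self.records else GENESIS,
        }
        record = dict(body, tag=self._tag(body))
        self.records.append(record)
        return record

    def head(self) -> str:
        """Latest tag; anchor it externally (e.g. publish it) to detect truncation."""
        return self.records[-1]["tag"] if self.records else GENESIS

    def verify(self, anchored_head: Optional[str] = None) -> Optional[int]:
        """Index of the first bad record, len(records) if the head does not match
        the external anchor, or None if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "tag"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i                                   # reordered/deleted
            if not hmac.compare_digest(self._tag(body), rec["tag"]):
                return i                                   # content changed
            prev = rec["tag"]
        if anchored_head is not None and prev != anchored_head:
            return len(self.records)                       # truncated tail
        return None

    def evidence_for(self, subject: str, template: bytes) -> bool:
        """Does this template match a logged enrolment of the subject, on an intact chain?"""
        digest = hashlib.sha256(template).hexdigest()
        return self.verify() is None and any(
            r["subject"] == subject and r["template_sha256"] == digest
            for r in self.records
        )


def build_log() -> EnrolmentLog:
    """Three constructed enrolment events, including a re-enrolment."""
    log = EnrolmentLog(DEMO_KEY)
    log.append("alice", b"alice-template-v1", "op-17", "2024-03-01T09:00:00Z", 72)
    log.append("bob", b"bob-template-v1", "op-17", "2024-03-01T09:15:00Z", 81)
    log.append("alice", b"alice-template-v2", "op-22", "2024-03-08T11:30:00Z", 90)
    return log


def tamper_detected() -> Optional[int]:
    """Someone rewrites which operator performed bob's enrolment."""
    log = build_log()
    log.records[1]["operator"] = "op-99"
    return log.verify()


def deletion_detected() -> Optional[int]:
    """Someone removes bob's enrolment entirely."""
    log = build_log()
    del log.records[1]
    return log.verify()


def truncation_detected() -> Optional[int]:
    """Someone drops the most recent record; only the external anchor reveals it."""
    log = build_log()
    anchor = log.head()
    log.records.pop()
    return log.verify(anchored_head=anchor)


if __name__ == "__main__":
    log = build_log()
    print(log.verify(), log.evidence_for("alice", b"alice-template-v2"))  # None True
    print(tamper_detected(), deletion_detected(), truncation_detected())  # 1 1 2
```

Two caveats that matter for the "prove it in court" requirement. An HMAC only convinces parties who trust the holder of the key, because that holder could forge any record; where a third party must be able to check the chain, the tags should be asymmetric signatures, or the head tag should be periodically anchored with an external time-stamping service, and the example shows why anchoring is needed at all: silently dropping the newest record leaves a chain that verifies perfectly on its own. Second, although the template hash reveals nothing about the biometric, identical templates produce identical hashes, so the log still links a named person to an enrolment event and must be handled as personal data under the privacy rules this paper mentions.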
Business Process
Deciding on your business process and how to use biometric authentication to reduce business risk and improve customer experience can be a daunting task.
Some of the questions which will arise in this process are:
- What are our risk events and what must happen to avoid them? What is the cost of prevention versus the cost of the risk event itself? How does financial exposure and reputational cost balance?
- What biometric modes do we want to implement: fingerprint, facial recognition, iris, voice? Do we want to implement more than one?
- How do we handle exceptions, where persons do not have usable fingerprints? Or amputated or bandaged fingers? How do we handle head scarves for facial recognition? What cultural aspects do we need to consider?
- Where in the business process do we want to perform a biometric verification? When starting a session, or throughout the session at critical points? Do we want to implement non-repudiation? Do we want clients or employees to “biometrically sign” transactions? How does this relate to cryptographic signatures?
- How does the law treat a biometric signature?
- Do we require identification and de-duplication, or are we looking purely at a verification operation? Can we make use of an external identification system for de-duplication?
- Do we want to perform local verifications, or are server-based verifications sufficient? How do we balance server load with network load with response times?
- How do we run a quality-based biometric capture operation?
- How many fingers should we enrol?
Your business analysts are in all probability well-versed in the business challenges and processes required by your organisation, but may not have practical experience with biometric operations.
Alcazar offers a broad range of services, where we work with your analysts to determine the right choices for your business process, minimising your business risk, and optimising payback periods for the biometric solution.
Anatomy of a biometric single sign-on solution
Irrespective of the specific business requirements or processes, a biometric verification or authentication solution will need to consider most or all of the components shown in the diagram below.
It starts with biometric logon to the user workstation or device. Secure, multi-factor authentication for employees and users is becoming more of a necessity than an optional nice-to-have. Passwords are no longer considered sufficient. If user identity is secured from the entry point, the security architecture starts on a strong foundation.
For client applications, be they smart-client applications, mobile apps, or web-based applications, to benefit from strong authentication, they must be biometrically enabled. A generic, reusable biometric enablement layer creates an enterprise standard whereby all client applications participate in the same authentication scheme, avoiding duplication and operational complexity.
Depending on the nature of the business, the client application layer might introduce the next challenge: not only internal users but also clients must be biometrically enrolled and verified against their enrolment. Clients are normally not represented in the corporate directory and are therefore authenticated differently, using external means of identification (an identity document) or client cards (such as bank cards). Nevertheless, to ensure that the correct service level is provided to the correct person, strong authentication is required. Client biometric verification closes that gap.
The shared biometric store provides a secure hub for verification and identification for both internal users and clients. The biometric store liaises with client applications, through the biometric enablement layer, to provide enrolment services, identification services, and verification services to enabled applications.
Related Applications
Biostore
Enterprise-level biometric verification and identification, using fingerprint, face, iris, or voice.