By Elaine Newton, NIST
By 2020 it’s estimated that 4.8 billion biometric-enabled devices will be in use globally. Prior to 2013 – when Apple unveiled Touch ID – there were a handful of biometric handsets in the market, but now that market has exploded and biometric technology is near ubiquity on smartphones.
But how do you know if one biometric authenticator is as good as another? This is what the National Institute of Standards and Technology (NIST) wants to accomplish with a project we call Strength of Function for Authenticators – Biometrics, or SOFA-B. The idea is to create a framework that will measure the strength of different biometric authenticators in order to compare them. Ultimately, we expect the SOFA project to cover comparisons with other authenticator types beyond biometrics, to include passwords, tokens, and others. We started with biometric authenticators because of their increasing availability in consumer devices and the lack of security guidance available. By providing guidance for measuring the strength of biometric solutions, we hope to achieve a level of measurability similar to that of entropy for passwords.
Too often security practitioners treat biometric credentials like passwords, requiring biometric matching rates that meet the acceptance rates set for passwords, while ignoring the types of attacks that are unique to biometrics.
The goal behind SOFA-B is to develop a framework to evaluate the security of biometric technologies. The framework would facilitate a tester’s determination of the overall strength of biometric authentication by considering matching performance, presentation attack detection ability — aka liveness detection — and the effort required to spoof a system.
This will enable organizations to match the strength of the biometric authentication against the risk for the transaction. It will also allow a cross-modality comparison so that multiple types of biometrics can be combined, offering a greater variety of authentication factors that organizations can accept interchangeably, all of which meet the organization’s needed level of risk mitigation.
We envision many purposes for SOFA-B in the future. Organizations that want to procure new technologies can use it as a guide to choose secure systems that meet their needs and adequately mitigate the vulnerabilities of a biometric system. They can apply the SOFA-B framework in designing their own biometric authentication system to make sure its strength meets the organization’s security needs. Biometric vendors can use SOFA-B to explain the security properties of their products, providing a basis to compare and contrast what is available on the market. Ultimately, this latter point is of utmost importance; a consistent approach to measuring the strength of their solutions aligns vendors’ incentives toward a race to the top on security performance.
The framework can help understand the trade-off between different vulnerabilities in a system, resulting from false matches, false rejections, or failures to detect presentation attacks. Quantifying this trade-off can assist organizations in their technical architecture and policy design considerations. Relying parties can also use the framework when deciding which credentials to accept, stating that they only accept credentials of a certain strength or higher.
Working with the biometrics community, NIST has a five-step approach to creating the SOFA-B framework:
- Analyzing the attack points of a biometric system
- Requiring baseline security to mitigate common attacks
- Quantifying factors specific to biometric systems
- Differentiating attack types as random attacks or targeted attacks on a known user
- Measuring strength of function for biometric authenticators
The components of the SOFA-B Framework will look at matching performance, presentation attack detection (PAD) capability and effort to execute a successful attack. The SOFA-B model requires the adoption of baseline security controls for the important but not inherently biometric-related aspects of biometric authentication – for example, protection against man-in-the-middle attacks.
Two metrics determine matching performance for a biometric algorithm: 1) the false match rate, the rate at which it incorrectly accepts an impostor as the enrolled user, and 2) the false non-match rate, the rate at which it rejects the genuine user. Raising the decision threshold lowers the first and raises the second, so the two must be reported together.
SOFA-B also incorporates a system’s failure to detect a presentation attack; PAD measures the correct detection by a system of a spoofed presentation by an attacker. The level of effort accounts for the time, knowledge, and resources needed to attack an authentication factor. This project is exploring practical ways to quantify effort and compare the level of effort needed to attack biometric authenticators compared to other authentication factors.
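As an added illustration (not NIST’s SOFA-B calculation, which the article does not give in this form), the following Python computes the observed rates the framework draws on, false match rate, false non-match rate and the PAD miss rate, from constructed sample scores and PAD decisions, and sweeps the matcher threshold to show the trade-off described above. The random-attack model in `random_attack_success` is an assumption added for illustration.

```python
from typing import List, Sequence, Tuple

# Constructed sample data (not measurements from any real system).
# Comparison scores in [0, 1]; higher means the probe looks more like the enrolled template.
GENUINE_SCORES = [0.92, 0.88, 0.75, 0.81, 0.67, 0.95, 0.59, 0.84, 0.71, 0.90]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.22, 0.63, 0.18, 0.27, 0.55, 0.09, 0.30]
# PAD decisions: True means the subsystem flagged the presentation as an attack.
PAD_ON_ATTACKS = [True, True, False, True, True, False, True, True]        # spoofed presentations
PAD_ON_BONA_FIDE = [False, False, False, True, False, False, False, False]  # live users


def false_match_rate(impostor: Sequence[float], threshold: float) -> float:
    """FMR: fraction of impostor comparisons the matcher accepts (score >= threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_non_match_rate(genuine: Sequence[float], threshold: float) -> float:
    """FNMR: fraction of genuine comparisons the matcher rejects (score < threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def pad_miss_rate(decisions_on_attacks: Sequence[bool]) -> float:
    """Fraction of presentation attacks that PAD failed to detect."""
    return sum(not d for d in decisions_on_attacks) / len(decisions_on_attacks)


def pad_false_alarm_rate(decisions_on_bona_fide: Sequence[bool]) -> float:
    """Fraction of live presentations PAD wrongly flagged as attacks (a usability cost)."""
    return sum(decisions_on_bona_fide) / len(decisions_on_bona_fide)


def tradeoff_table(genuine: Sequence[float], impostor: Sequence[float],
                   thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """Sweep the decision threshold to expose the FMR/FNMR trade-off."""
    return [(t, false_match_rate(impostor, t), false_non_match_rate(genuine, t)) for t in thresholds]


def random_attack_success(fmr: float, attempts: int) -> float:
    """Assumed model: independent zero-effort attempts, each succeeding with probability FMR."""
    return 1.0 - (1.0 - fmr) ** attempts


if __name__ == "__main__":
    for t, fmr, fnmr in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.6, 0.7]):
        print(f"threshold={t:.1f}  FMR={fmr:.2f}  FNMR={fnmr:.2f}")
    print(f"PAD miss rate={pad_miss_rate(PAD_ON_ATTACKS):.3f}  "
          f"PAD false alarm rate={pad_false_alarm_rate(PAD_ON_BONA_FIDE):.3f}")
    print(f"P(random attacker succeeds in 5 tries at t=0.6)={random_attack_success(0.1, 5):.3f}")
```

The sweep shows why a single matching number is not enough: at a threshold of 0.7 the sample FMR reaches zero, but one genuine user in five is rejected, and the PAD figures are independent of the threshold altogether.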
Already, SOFA-B has contributed to the authentication landscape, serving as the basis for biometric updates to documents such as NIST SP 800-63-3, Digital Identity Guidelines, and shaping the requirements developed in other standards organizations, such as the FIDO Alliance, the joint technical committee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) on information and communication technology standards, and the American National Standards Institute’s X9 Financial Industry standards committee.