1. Field
This application relates to biometric authentication systems, specifically those that verify the identity of an individual by measuring one or more physical attributes of a person and making a comparison to stored measurements of known persons.
2. Prior Art
Authentication, along with confidentiality and integrity, is one of the fundamental requirements of any secure system. Typically authentication is performed by one or more of three major ‘factors’: (1) something a user knows (e.g. a password, pass code or pass phrase), (2) something a user has (e.g. a physical key, card, bar code, mobile phone or certificate) and (3) something a user is (e.g. a person's physical characteristic such as DNA, iris, hand, skin texture, voice, face, fingerprint or blood vessel patterns). These three factors are often referred to as knowledge-based, token-based and biometric-based authentication factors, respectively. Demand for multifactor authentication systems (a.k.a. ‘fused,’ ‘dual’ or ‘combinatoric’ systems) that combine one or more of these three factors is increasing because they present a higher obstacle to criminals. Such techniques are also becoming easier to implement thanks to the wide availability of mobile phones, PDAs and other such devices. For example, modern bank web sites often send a text message to users' mobile phones containing a random code that they must type into a web form. This combines a token-based factor (i.e. possession of the phone) with a knowledge-based factor (i.e. the standard password prompt) in a manner that is cheap enough to be widely deployed.
However, purpose-built biometric authentication hardware is not widely deployed among consumers and therefore biometrics are infrequently used over the web. Furthermore, biometric authentication systems are particularly vulnerable to replay attacks in which a criminal makes a copy of the real user's features and later presents them to the authentication device. For example, an attacker can steal a photograph of a user's eye and present it to an eye scanner, or intercept data in transit across a network and re-transmit it to the authentication server at a later date. This problem is compounded by the fact that in the web usage model the authentication system is under the physical control of the untrusted user. However, the embodiments of the present invention are not susceptible to such simple attacks and could therefore be implemented with widely deployed commodity hardware such as mobile phones, laptops, tablet computers or PDAs. This capability will enable businesses and individuals to conduct a larger fraction of their transactions over the Internet due to the improved security.
Although biometric and multifactor authentication systems exist in the prior art, none are simultaneously deployable on commodity hardware and resistant to replay attacks. All are therefore poorly suited to wide deployment over the Internet. U.S. Pat. No. 7,766,223 to Stephen M. Mello et al. describes a multifactor authentication system involving voice prints for biometric factors. However, no mention is made of replay attacks and therefore the biometric factor can be defeated easily using an audio recording. In fact this patent refers to ‘the’ keyword or phrase used for voice authentication, indicating that it is static and unchanging and therefore vulnerable to replay attacks. Furthermore, voice is the only biometric authentication factor addressed. U.S. Pat. No. 7,373,515 to William N. Owen describes a multifactor authentication system but makes no mention of securing the biometric reader device or defeating replay attacks. U.S. Pat. No. 6,941,001 to Bolle et al. describes a method for defeating replay attacks against fingerprint biometrics, but requires a ‘combined pointing and fingerprint recognition device’ which is rarely, if ever, available on commodity hardware due to cost. Furthermore, fingerprints are the only biometrics addressed and no claim is made upon the technique of randomly stimulated user input claimed here. In fact, the method uses a previously defined ‘gestural password’ which is not random and is therefore, again, susceptible to replay attacks.
U.S. patent application Ser. No. 11/644,573 by Michael Baentsch et al. asserts that there will always be natural, random fluctuations in biometric data and accordingly rejects authentication data that looks ‘too close’ to the expected template. The technique attempts to differentiate between malicious manipulation of an image of the subject and statistically expected variations. However, this means that the technique would be vulnerable to a stolen video of the subject, which would contain the subject's natural and therefore statistically expected movements. No discussion of resistance to video replay attacks is present in the patent.
There are several types of replay attack detection systems that rely on timestamps, ‘numbers used once’ (nonce) and digests (hash functions) of those values—U.S. Pat. Nos. 6,957,339 (2002), 7,178,025 (2003) and U.S. patent application Ser. Nos. 10/280,732 (2002) and 11/094,452 (2005). However, these approaches only address the security of data after it has been collected by the reader—which is inherently trusted in these architectures. No method is presented for ensuring that the person is currently alive and present at the reader. This assurance is critical for the purposes of secure web commerce since large numbers of uncontrolled devices will be used. For example, if an attacker successfully replayed an image of an iris to a scanner device utilizing nonces and timestamps, the device would generate a new nonce and timestamp for the data and blindly send it along to the authentication server.
U.S. Pat. No. 7,027,617 to Robert Frischholz describes the display of objects at random positions on a computer screen and estimating the line of sight of an eye looking at the objects to defeat replay attacks. However, the small screens of commodity mobile devices make this technique infeasible for that important class of devices. Furthermore, eye-based techniques are the only methods addressed by the patent, and the detection of prompted blinking or finger extension is not addressed.
3. Advantages
An advantage of the method described in the present application is that randomized integrity checking is integrated with the biometric measurement itself. This is in contrast to other systems that use non-biometric factors to defeat replay attacks against the biometric factor, thus marginalizing the benefit of biometrics. The present method achieves this by prompting the user to adjust their biometric input at randomly generated time intervals, e.g. by blinking, extending or retracting fingers, reciting prompted words, etc. These prompts are generated by the trusted authentication server, and their responses are generated by the user requesting authentication. Since both entities are external to the reader system, its integrity is not critical for the system to work, making commodity mobile devices suitable as readers. The reader device essentially becomes a data capture and transport mechanism and is no more trusted than any given router on the transport network connecting the reader to the authentication server. This enables authentication in e-commerce applications to a far larger degree than in the prior art because users will be able to use equipment they already own to conduct secure transactions on the web.
Another advantage to the approach described here is that the user responses are captured by the same sensor that is used to capture the biometric data. This ensures that the person in control of the biometric feature is alive and present at the reader. This would not be the case if, for example, one was required to scan a fingerprint on a reader and subsequently respond to a random sequence of commands on a computer touch pad. The sequence of command responses could be entered by a different finger than the scanned finger.
The randomness of the user prompts ensures the integrity of the biometric authentication so that it can legitimately add security when used as one factor in a multifactor system. Systems such as U.S. Pat. No. 7,039,812 to Citicorp Development Center, Inc. that require the user to always enter a known sequence of biometric inputs would be vulnerable to replay attacks precisely because the sequence is known. Such attempts at combining knowledge-based and biometric authentication factors would be vulnerable to simple replay attacks using video or other recordings.
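The following is an added illustration, not code from the application, of the server-driven scheme described in the Advantages section: the trusted server draws a random schedule of prompts, the untrusted reader only displays them and forwards sensor frames, and the server accepts only when every frame matches the enrolled template and each prompted action appears in the same sensor stream near its randomized offset. It also shows why a fixed, known sequence (the last paragraph) or a nonce attached after capture (the timestamp/nonce prior art) does not help: a recording of one session is verified against a fresh challenge and rejected, and a consumed session id cannot be presented twice. The prompt names, thresholds, feature vectors and the `capture_live` reader stand-in are all constructed for the example.

```python
"""Randomized liveness prompts folded into the biometric capture (added example)."""
import random
from dataclasses import dataclass
from typing import Optional

# Actions the server may prompt for (constructed set for the example).
PROMPTS = ("blink", "extend_index", "retract_index", "say_one", "say_two", "say_three")


@dataclass(frozen=True)
class Frame:
    """One capture from the single sensor: seconds since the challenge started,
    the action visible in that frame (None if nothing), and the feature vector."""
    t: float
    action: Optional[str]
    features: tuple


def feature_distance(a, b):
    """Euclidean distance between feature vectors; stand-in for a real matcher."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


class AuthServer:
    """Trusted side: generates the random prompt schedule and verifies the capture."""

    def __init__(self, templates, rng, match_threshold=0.15, window=0.3, max_age=30.0):
        self.templates = templates        # user -> enrolled feature vector
        self.rng = rng                    # use random.SystemRandom() outside of tests
        self.match_threshold = match_threshold
        self.window = window              # tolerance (s) around each prompted offset
        self.max_age = max_age            # challenge lifetime (s)
        self.sessions = {}

    def issue_challenge(self, user, now, n_steps=5):
        """Random prompts at random offsets, held server-side and usable once."""
        steps, t = [], 0.0
        for _ in range(n_steps):
            t += self.rng.uniform(0.8, 2.5)
            steps.append((round(t, 2), self.rng.choice(PROMPTS)))
        sid = self.rng.getrandbits(64)
        self.sessions[sid] = (user, now, steps)
        return sid, steps

    def verify(self, sid, frames, now):
        """Accept only if identity and the prompted actions are both in the stream."""
        if sid not in self.sessions:
            return False, "unknown or already-consumed session"
        user, issued_at, steps = self.sessions.pop(sid)   # one-shot: never re-verifiable
        if now - issued_at > self.max_age:
            return False, "challenge expired"
        template = self.templates[user]
        # Identity: every frame of the stream must match the enrolled template.
        if any(feature_distance(f.features, template) > self.match_threshold for f in frames):
            return False, "biometric mismatch"
        # Liveness: each prompt must be answered near its randomized offset.
        observed = [(f.t, f.action) for f in frames if f.action is not None]
        for offset, prompt in steps:
            if not any(a == prompt and abs(t - offset) <= self.window for t, a in observed):
                return False, f"no '{prompt}' response near t={offset}s"
        # A recording of an earlier session carries that session's actions, not these.
        if len(observed) != len(steps):
            return False, "unprompted actions present"
        return True, "live subject matches template"


def capture_live(subject_features, steps, reaction=0.2):
    """Constructed stand-in for a commodity reader with a cooperating live user:
    each prompted action shows up in the sensor stream shortly after its offset."""
    frames = [Frame(0.0, None, subject_features)]
    for offset, prompt in steps:
        frames.append(Frame(round(offset + reaction, 2), prompt, subject_features))
    return frames


def run_scenario(seed=None):
    """Legitimate session, then the same recording replayed against a new challenge."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    alice = (0.1, 0.4, 0.9)                      # constructed enrolled feature vector
    server = AuthServer({"alice": alice}, rng)
    sid1, steps1 = server.issue_challenge("alice", now=1000.0)
    recording = capture_live(alice, steps1)       # the stream an eavesdropper could copy
    legit, _ = server.verify(sid1, recording, now=1012.0)
    sid2, _ = server.issue_challenge("alice", now=2000.0)
    replay, why = server.verify(sid2, recording, now=2012.0)   # old recording, new prompts
    reused, _ = server.verify(sid1, recording, now=1013.0)     # consumed session id
    return {"legit": legit, "replay": replay, "reused": reused, "reason": why}


if __name__ == "__main__":
    print(run_scenario())
```

The reader never holds anything the server trusts: the schedule lives in `server.sessions`, and a reader that re-stamps a stolen recording with a fresh nonce still forwards actions at the old session's offsets, which fail the per-prompt window check.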