I527-290 ESRIF Final Report (WEB).indd - European Commission
174
In parallel with the development of eID cards, the concept of an electronic signature (eSignature) is also emerging. An eSignature can be defined as any legally recognized electronic means that indicates that a person adopts the contents of an electronic message. It is another strong pillar of a trustworthy information society. However, the variety of means by which an eSignature can be implemented makes its generalization complicated. A European directive, published in 1999, could be used as a starting point to develop new eSignature standards in order to address the crucial cross-border interoperability challenges.
Trust in Internet payments
A large number of credit card holders report misuse of their cards through identity theft or other means. There have been improvements in security in this area, with some measures being standardised – for example the use of smart cards and card PINs or password protection. However, these do not prevent the use of cards by unauthorised persons if the user is not very careful about the way s/he types in the code. The integration of biometrics to grant access to the card information is a solution. In addition, linking the user’s credit card and mobile phone may add significant trust.
A key challenge is to provide a next generation payment mechanism, available on the Internet (but also in any mall or shopping area), based on a PIN code, a signature or a digit sequence, but with strong authentication of the user’s identity to ensure trust and security.
8.2.1.2 Trust in biometric systems
What you are vs. what you have
Given the demand for strong identity assurance, biometric technologies have a unique potential, offering the “gold standard” of true three-factor authentication. The first two factors, “something you know” and “something you have”, can be satisfied by traditional username / password / token means – but only biometrics can offer the final third factor of “something you are”. This provides a level of control in identity management that no other technology has reached before, and therefore trust in identity management systems is dramatically increased, both for users and for the authorities. However, as we will see, there are areas that remain to be improved if we are to avoid undermining the strength of biometric systems.
Biometric data protection is key to trust
Biometric data protection, achieved by enhancing a system’s robustness, is a most crucial requirement for a system to be trusted. There are mainly two classes of attacks by which an attacker can breach the security of a biometric system or fool the system to gain access to the biometric data of a legitimate user:
External attacks: the attacker tries to fool the acquisition device by presenting a fake image (such as a copy of a fingerprint of a legitimate user). Such attacks can be prevented with appropriate anti-spoofing mechanisms.
Internal attacks: the attacker is able to retrieve the template of a genuine user who has already enrolled in the system. This can be done by spoofing the system while the legitimate user uses it, by hacking the database where the biometrics are stored, or simply because access is not adequately protected or restricted. The attacker then injects the template directly into the matching algorithm. This class of attack is more complex to carry out, as the attacker needs to interfere with components within the system perimeter.
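The internal attack described above ends with a stolen template being handed directly to the matching algorithm. One mitigation a practitioner would want to see at that point is channel binding between the acquisition device and the matcher: the matcher issues a fresh challenge per transaction, and the sensor authenticates every capture over that challenge with a key only it holds, so data that did not pass through the sensor, or that is presented a second time, never reaches the biometric comparison. The Python below is an added example written for this page, not code from the ESRIF report or from any product; the 64-bit templates, the Hamming-distance matcher, the shared-key HMAC between sensor and matcher, and the acceptance threshold are all constructed assumptions.

```python
# Added illustration, not code from the ESRIF report: the matcher issues a fresh
# challenge per transaction and accepts only captures that the acquisition device
# has authenticated over that challenge, so a template replayed or injected straight
# into the matcher is refused. The 64-bit templates, the HMAC-based device key,
# the Hamming-distance matcher and the threshold are all constructed assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MATCH_THRESHOLD = 10  # max differing bits still accepted as the same person (constructed)


@dataclass(frozen=True)
class Capture:
    features: bytes  # 8 bytes = 64 feature bits from one live acquisition (constructed)
    nonce: bytes     # challenge the matcher issued for this transaction
    tag: bytes       # HMAC-SHA256 over nonce || features, keyed by the sensor


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class Sensor:
    """Acquisition device; the only component holding device_key."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key

    def acquire(self, live_features: bytes, nonce: bytes) -> Capture:
        tag = hmac.new(self._key, nonce + live_features, hashlib.sha256).digest()
        return Capture(live_features, nonce, tag)


class Matcher:
    """Holds enrolled templates and accepts only sensor-authenticated, fresh captures."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key
        self._templates: dict[str, bytes] = {}
        self._pending: set[bytes] = set()

    def enrol(self, user: str, template: bytes) -> None:
        self._templates[user] = template

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, user: str, cap: Capture) -> str:
        # 1. the nonce must be one we issued and not yet consumed: a recorded
        #    capture presented a second time fails here
        if cap.nonce not in self._pending:
            return "reject: unknown or reused nonce"
        self._pending.discard(cap.nonce)
        # 2. the capture must carry a valid device MAC: data pushed into the
        #    matcher without going through the sensor fails here
        expected = hmac.new(self._key, cap.nonce + cap.features, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cap.tag):
            return "reject: capture not authenticated by sensor"
        # 3. only an authenticated, fresh capture reaches the biometric comparison
        template = self._templates.get(user)
        if template is None:
            return "reject: no enrolled template"
        d = hamming(template, cap.features)
        return "accept" if d <= MATCH_THRESHOLD else f"reject: distance {d}"


def run_demo() -> dict:
    """Exercise four cases and return the matcher's decision for each."""
    key = secrets.token_bytes(32)  # hypothetical key provisioned into the sensor
    sensor, matcher = Sensor(key), Matcher(key)
    alice = bytes.fromhex("a1b2c3d4e5f60718")  # constructed enrolled template
    matcher.enrol("alice", alice)
    results = {}
    # genuine user: the live sample differs from the template by 2 bits of sensor noise
    noisy = bytes([alice[0] ^ 0x03]) + alice[1:]
    results["genuine"] = matcher.verify("alice", sensor.acquire(noisy, matcher.challenge()))
    # replay: a valid capture that has already been used is presented again
    cap = sensor.acquire(noisy, matcher.challenge())
    matcher.verify("alice", cap)
    results["replay"] = matcher.verify("alice", cap)
    # injection: the stored template itself, handed to the matcher without the sensor
    results["injection"] = matcher.verify("alice", Capture(alice, matcher.challenge(), bytes(32)))
    # impostor: someone else's features, properly captured but far from the template
    other = bytes.fromhex("0f0f0f0f0f0f0f0f")
    results["impostor"] = matcher.verify("alice", sensor.acquire(other, matcher.challenge()))
    return results


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case:10s} -> {decision}")
```

Running it prints the four decisions: the noisy genuine capture is accepted, the replayed capture and the injected template are refused before any comparison takes place, and the impostor is refused on distance. The device key must live where someone who has reached the template store cannot read it (ideally in sensor hardware), and the measure complements rather than replaces encrypting and access-controlling the template database, which addresses the retrieval step itself.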
Due to such threats, the biometric data of citizens must be protected to a high level. This issue is addressed by the Personal Data Protection legislation, but further measures or standards for secure deployment are required. A strict application of the Directive is very important, since stealing or spoofing of biometric user characteristics may lead to a “permanent” fake identity ownership or identity theft. We need improved security to protect the biometric data used in our systems. Some people are considering user behaviour as a kind of biometric identification.
The building of user profiles deduced from the user’s behaviour in his/her interaction with an application may provide meaningful information to detect abnormal user operations and thus potential identity theft. It is a major challenge in the mid-term to build and evaluate appropriate counter-measures.
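To make the profiling idea in the preceding paragraph concrete, here is an added Python example (not code from the ESRIF report) that derives a behavioural profile for one user from constructed interaction logs and scores later sessions against it. The log format, the three features used (actions the user has performed before, hour of day, pace between consecutive actions), the three-standard-deviation pace rule and the alert threshold are assumptions made for the illustration.

```python
# Added illustration, not code from the ESRIF report: a per-user behavioural profile
# (which actions the user performs, at what hours, at what pace) built from past
# interactions, then used to score a new session. The log lines, the three features
# and the alert threshold are constructed assumptions for this example.
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed history of one user's interactions: "timestamp user action"
HISTORY = """\
2024-03-04T09:02:11 alice login
2024-03-04T09:03:40 alice view_statement
2024-03-04T09:05:02 alice pay_utility
2024-03-04T09:06:30 alice logout
2024-03-05T08:58:20 alice login
2024-03-05T09:00:45 alice view_statement
2024-03-05T09:02:50 alice logout
2024-03-06T09:10:00 alice login
2024-03-06T09:12:12 alice pay_utility
2024-03-06T09:14:00 alice logout
"""

# Constructed sessions to score against that profile
SESSION_USUAL = """\
2024-03-07T09:04:00 alice login
2024-03-07T09:05:30 alice view_statement
2024-03-07T09:07:00 alice logout
"""
SESSION_ODD = """\
2024-03-07T02:14:03 alice login
2024-03-07T02:14:09 alice change_password
2024-03-07T02:14:15 alice add_payee
2024-03-07T02:14:22 alice transfer
"""

ALERT_SCORE = 3  # constructed: total anomaly points at which a session is flagged for review


@dataclass
class Profile:
    actions: Counter   # frequency of each action the user has performed
    hours: Counter     # hour-of-day of each past event
    mean_gap: float    # mean seconds between consecutive events on the same day
    std_gap: float


def parse(lines: str) -> list:
    """Turn constructed log text into (datetime, user, action) tuples, oldest first."""
    out = []
    for line in lines.strip().splitlines():
        ts, user, action = line.split()
        out.append((datetime.fromisoformat(ts), user, action))
    return sorted(out)


def build_profile(events: list, user: str) -> Profile:
    """Summarise one user's past events into the three behavioural features."""
    own = [(t, a) for t, u, a in events if u == user]
    gaps = [(b[0] - a[0]).total_seconds()
            for a, b in zip(own, own[1:]) if a[0].date() == b[0].date()]
    mean = sum(gaps) / len(gaps) if gaps else 0.0
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps) if gaps else 0.0
    return Profile(Counter(a for _, a in own), Counter(t.hour for t, _ in own),
                   mean, math.sqrt(var) or 1.0)


def score_session(profile: Profile, session: list) -> dict:
    """Count how many ways a session (list of (datetime, action)) departs from habit."""
    unseen = [a for _, a in session if profile.actions[a] == 0]
    off_hours = sum(1 for t, _ in session if profile.hours[t.hour] == 0)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(session, session[1:])]
    # a gap more than three standard deviations from the user's pace counts as abnormal
    odd_pace = sum(1 for g in gaps if abs(g - profile.mean_gap) / profile.std_gap > 3)
    score = len(unseen) + off_hours + odd_pace
    return {"unseen_actions": unseen, "off_hours_events": off_hours,
            "abnormal_gaps": odd_pace, "score": score, "flag": score >= ALERT_SCORE}


def score_lines(profile: Profile, lines: str) -> dict:
    """Convenience wrapper: parse raw session text and score it."""
    return score_session(profile, [(t, a) for t, _, a in parse(lines)])


def run_demo() -> dict:
    profile = build_profile(parse(HISTORY), "alice")
    return {"usual": score_lines(profile, SESSION_USUAL),
            "odd": score_lines(profile, SESSION_ODD)}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The usual morning session scores zero, while the night-time session with three never-seen actions performed seconds apart accumulates points from all three features and is flagged. A real deployment would learn the threshold from labelled data and combine the score with other signals; the point is that the profile is derived from the user's own history, so evidence of abnormal operation builds up across features instead of relying on any single rule.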
Research should focus on evaluating performance and robustness of counter-measures related to internal and external attacks and, if required, as well on profiling
ESRIF FINAL REPORT - PART 2 • Working Group: Identification of People and Assets