ESR 9: Vulnerability assessment in the use of biometrics in unsupervised environments

Objectives: Using biometrics on mobile devices means that authentication is carried out without any kind of supervision. As there is no supervision, the user (or anyone who has obtained access to the device) is able to perform any kind of attack on the authentication process without restriction. Therefore, mechanisms to detect those attacks and prevent misuse of the device shall be implemented. Although this goal is common to many other kinds of authentication system, new challenges appear when mobile devices are considered. The first is the variety of manufacturers, models and operating systems of the devices owned by citizens, which means that the solutions obtained shall be as multiplatform as possible. Another challenge is that mobile devices have not been manufactured with biometric authentication in mind, nor even authentication itself, but to provide other kinds of services to users (e.g. calls, data connection, web browsing, etc.). This means that the researcher should not a priori count on any kind of help from device manufacturers; some manufacturers may even be initially against any suggestion to integrate new sensors because of the potential increase in cost. On the other hand, mobile devices have many other sensors that could be exploited by the authentication process in order to mitigate vulnerabilities, so a further challenge is to analyse how these can be used for the benefit of the citizen at low cost. This three-year project will start by studying biometrics, mobile technologies and security. Following this, security analysis and risk assessment will be performed by the ESR, targeting different use cases. With the results obtained, in particular all the vulnerabilities detected, R&D will be conducted to develop a quantifiable framework and tools to identify and mitigate vulnerabilities, keeping universality at a viable level (i.e. not significantly reducing the user population by the introduction of these mechanisms). The mechanisms developed will be integrated into some of the most common applications to check performance, robustness and user acceptance, promoting the use of the device and framework by industry.

Expected Results: There are three expected outcomes from this project: a) an objective and practical analysis of the security of authentication on mobile devices under the most typical use cases, b) a set of tools to either eliminate or mitigate the vulnerabilities detected, and c) a set of prototypes that allow demonstration of the previous results, assisting the promotion of the solutions defined.

Planned secondment(s): Two secondments will take place within this project. The first is a four-month visit to the team at OVGU, which will explore theoretical security mechanisms during the first year of the project. The expected results of this secondment are twofold: first, ESR 7 will learn which of its results have further vulnerabilities, and second, ESR 9 will discover new security mechanisms that overcome the detected vulnerabilities. The second secondment would be six months with NEXTBIO, focusing on the adoption of the detection and mitigation mechanisms developed in industry solutions. This is scheduled for the beginning of the third year of the project. The expected result of this secondment is to apply the research carried out and the results obtained to industrial products, thereby validating the assessment developed.

Start Date: July 2017