A Cyber-Physical Systems Perspective on Biometric Security and Privacy (Keynote)

The wide adoption of fingerprint and face recognition on mobile phones has brought biometric recognition firmly into the mainstream. Many of the usability concerns that plagued biometric recognition systems in the past have been addressed. As we let applications use our biometrics to conveniently authorize logins, make payments, and access locked phones, it is easy to ignore the security and privacy risks inherent in biometric system implementation. When we take a look at these risks from a cyber-physical systems (CPSS) perspective, we find that some of these risks fall naturally within the purview of traditional biometrics research, but there are other risks that have nothing to do with biometrics. The biometric recognition systems on today’s mobile devices have generally proved successful in preventing adversaries from exfiltrating the enrolled biometric features. However, to enable quick, convenient authentication with a very low false reject rate, these systems take shortcuts that make them vulnerable to a variety of spoofing attacks. Spoofing is less successful in the comprehensive biometric recognition systems that have been developed by governments for civilian and law enforcement applications. Today, these systems maintain massive biometric databases that are, in turn, parts of much larger cyber-physical infrastructure. To assure the security and privacy of these databases, it is necessary not only to harden the protocols used for biometric recognition, but to securely configure the entirety of the system. The biometrics community has worked hard to address the former problem, but the latter problem remains unsolved. Industrial security offerings currently lack the ability to derive system-wide configurations that optimize security and functionality. This can put sensitive biometric data in these systems at risk. The past two decades have seen impressive and stimulating research in biometric template protection, which seeks to avoid the privacy risks to biometric databases, by not needing to store biometric features in the clear. However, several thorny problems remain to be solved before template protection systems can be widely deployed. The main issues that the biometrics community has focused on pertaining to preventing loss of performance w.r.t. conventional biometric systems. However, there are other extremely important questions that pertain to the difficulty of key management and key exchange, especially in systems that leverage encrypted-domain computation. As the standardization community will attest, there are several practical difficulties related to performance evaluation, which are made worse by our inability to assign common metrics by which to judge different flavors of template protection. My hope is that this cyber-physical systems security perspective will help us re-prioritize the problems that are most worth solving in the design of biometric recognition systems.