
Biometric-Based Password Management

  • Conference paper
Security and Trust Management (STM 2023)

Abstract

Major threats to a user’s identity stem from choosing weak passwords or re-using the same password across different systems. Modern password managers are designed to address this human factor, but in most cases they do so at the cost of a single master secret that is used either to derive access keys to protected services or to encrypt a credentials database. Despite wide adoption, the security of the whole scheme therefore boils down to the security and availability of that one master secret.

We propose a technology for deriving a cryptographically strong master secret (of sufficient length and entropy) from the user’s biometrics, such as face and voice. Applied to the password manager scenario, it allows the master secret to be augmented or even completely replaced, removing the risks tied to it. While the general approach (fuzzy extractors) is known, the distinguishing features of the presented technology are its small hint size (58 KB for a 128-bit key) and low computational complexity (key extraction takes 125 ms on a Galaxy S22 phone in the worst case).

Experimental results show that FAR and FRR are close to 0% for a wide range of cryptographic key lengths (from 80 to 256 bits). All computations are performed on-device, so the technology is privacy-friendly: the user’s biometrics never leave the phone. The technology does not require storing any sensitive data on the device, an important advantage over traditional biometric authentication solutions.
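How a fuzzy extractor turns a noisy biometric reading into a stable key, and how FAR and FRR are then measured, as an added example that is not the paper’s construction or code: it uses the textbook code-offset scheme with a repetition code over an already-quantized bit string (the paper’s face and voice embeddings, quantizer, error-correcting code and 58 KB hint format are not reproduced here), derives the key with SHA-256, and estimates FRR/FAR on constructed, seeded bit strings rather than real biometrics. The function names (`enroll`, `reproduce`, `estimate_rates`) and parameters (R = 7, a 2% genuine flip rate) are assumptions of this example.

```python
"""Toy fuzzy extractor: code-offset construction with a repetition code.

Added illustration of the generic approach named in the abstract, not the
construction or parameters of the paper.  Assumptions (this example's, not
the paper's):
  * the biometric has already been quantized to a fixed-length bit string w;
    the face/voice embedding and the quantizer are out of scope here;
  * errors between enrolment and login are bit flips; a repetition code of
    odd length R corrects up to (R - 1) // 2 flips per group of R bits;
  * the key is SHA-256 over the recovered code message plus a public salt.
Security caveat: the hint s = w XOR c leaks n - k bits about w, so the key is
only as strong as the entropy of w minus that redundancy.  Real schemes use
stronger codes and an entropy analysis; this block shows the mechanics only.
"""
import hashlib
import random
import secrets

R = 7                    # repetition factor: R code bits per key bit
T = (R - 1) // 2         # bit flips tolerated per group of R bits


def encode(msg_bits):
    """Repetition code: every message bit becomes R identical code bits."""
    return [b for b in msg_bits for _ in range(R)]


def decode(code_bits):
    """Majority vote within each group of R bits recovers the message bit."""
    return [int(sum(code_bits[i:i + R]) > T) for i in range(0, len(code_bits), R)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def derive_key(msg_bits, salt, key_bits):
    """Public salt + recovered message -> fixed-length key (the 'master secret')."""
    digest = hashlib.sha256(salt + bytes(msg_bits)).digest()
    return digest[:key_bits // 8]


def enroll(w, key_bits=128, rng=None):
    """Enrolment: returns (key, hint).  Only the hint is stored; w and key are not."""
    rng = rng or secrets.SystemRandom()
    assert len(w) == key_bits * R, "w must hold R bits per key bit"
    msg = [rng.getrandbits(1) for _ in range(key_bits)]
    salt = bytes(rng.getrandbits(8) for _ in range(16))
    # The sketch is w XOR codeword; it is public data ("hint" in the abstract's terms).
    hint = {"sketch": xor(w, encode(msg)), "salt": salt, "key_bits": key_bits}
    return derive_key(msg, salt, key_bits), hint


def reproduce(w_prime, hint):
    """Login: any w_prime within T flips per group of w yields the enrolment key."""
    msg = decode(xor(w_prime, hint["sketch"]))
    return derive_key(msg, hint["salt"], hint["key_bits"])


def noisy_copy(w, p_flip, rng):
    """Constructed genuine reading: each bit of w flips independently with p_flip."""
    return [b ^ int(rng.random() < p_flip) for b in w]


def estimate_rates(key_bits=128, p_genuine=0.02, trials=200, seed=1):
    """Empirical FRR (genuine noisy readings rejected) and FAR (random impostors accepted)."""
    rng = random.Random(seed)          # seeded: constructed data, not real biometrics
    w = [rng.getrandbits(1) for _ in range(key_bits * R)]
    key, hint = enroll(w, key_bits, rng)
    rejects = sum(reproduce(noisy_copy(w, p_genuine, rng), hint) != key for _ in range(trials))
    accepts = sum(reproduce([rng.getrandbits(1) for _ in w], hint) == key for _ in range(trials))
    return rejects / trials, accepts / trials


if __name__ == "__main__":
    frr, far = estimate_rates()
    print(f"FRR={frr:.3f} FAR={far:.3f} (R={R}, 128-bit key, "
          f"hint={128 * R // 8} bytes + 16-byte salt)")
```

The two numbers the abstract reports map directly onto this structure: FRR is driven by how many flips the code tolerates against the genuine noise level, and FAR by how unlikely an unrelated bit string is to decode to the same message. The engineering trade-off the paper targets is visible too: a stronger code tolerates noisier readings but enlarges the hint and the decoding cost, which is why hint size and extraction time are the headline figures.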


Notes

  1. For example, Firefox Monitor and Firefox Password Manager for Firefox, Google Password Manager for Chrome, Edge Password Manager for Microsoft Edge and Safari Password Manager for Safari browsers.

Abbreviations

BC: Biometric Cryptosystems

BKG: Biometric Key Generators

BTP: Biometric Template Protection

CK: Cryptographic Keys

DE-PAKE: Device-Enhanced Password Authenticated Key Exchange

DL: Digital Lockers

FE: Fuzzy Extractors

FR: Facial Recognition

FAR: False Acceptance Rate

FRR: False Rejection Rate

OPRF: Oblivious Pseudo Random Function

PM: Password Manager


Author information


Correspondence to Dmytro Progonov.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Kolesnichenko, P., Progonov, D., Cherniakova, V., Oliynyk, A., Sokol, O. (2023). Biometric-Based Password Management. In: Rios, R., Posegga, J. (eds) Security and Trust Management. STM 2023. Lecture Notes in Computer Science, vol 14336. Springer, Cham. https://doi.org/10.1007/978-3-031-47198-8_2


  • DOI: https://doi.org/10.1007/978-3-031-47198-8_2


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-47197-1

  • Online ISBN: 978-3-031-47198-8

  • eBook Packages: Computer Science (R0)
