Abstract
Major threats to a user's identity stem from selecting weak passwords or re-using the same password across different systems. Modern password managers are designed to address this human factor, but in most cases this is achieved at the cost of using a single master secret, either to derive access keys to protected services or to encrypt a credentials database. Despite wide adoption, the security of the whole scheme boils down to the security and availability of this master secret.
We propose a technology to derive a cryptographically strong (of sufficient length and entropy) master secret from the user's biometrics, such as face and voice. Applied to the password manager scenario, this allows the master secret to be augmented or even completely replaced, avoiding the related risks. While the general approach (using fuzzy extractors) is known, the unique part of the presented technology is its small hint size (58KB for a 128-bit key) and low computational complexity (it takes 125 msec to extract the key on a Galaxy S22 phone in the worst case).
Experimental results show that FAR and FRR are close to \(0\%\) for a wide range of cryptographic key lengths (from 80 to 256 bits). All computations are performed on-device, which means the technology is privacy-friendly: the user's biometrics never leave the phone. The technology does not require storing any sensitive data on the device, which is an important advantage in comparison with traditional biometric authentication solutions.
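As an added illustration of the generic fuzzy-extractor approach the abstract refers to (this is not the paper's scheme: its hint format, error-correcting code and feature extraction are not given here), the toy code-offset construction below shows how a public hint lets a noisy re-presentation of a bit-template recover the same key while an impostor template does not. The repetition code, the template length, the noise model and the sample templates are constructed assumptions.

```python
import hashlib
import random

# Toy code-offset fuzzy extractor: added example, not the paper's scheme.
KEY_BITS = 128  # extracted-secret length, inside the abstract's 80-256 bit range
REP = 7         # repetition-code factor (constructed); tolerates REP // 2 flips per block
TEMPLATE_BITS = KEY_BITS * REP

def _derive(bits):
    """Strong-extractor stand-in: hash the decoded secret bits into a 256-bit key."""
    raw = int("".join(map(str, bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(raw).digest()

def enroll(template, rng):
    """Return (hint, key): hint = template XOR codeword, codeword = secret bits repeated."""
    assert len(template) == TEMPLATE_BITS
    secret = [rng.randrange(2) for _ in range(KEY_BITS)]
    codeword = [b for b in secret for _ in range(REP)]
    hint = [t ^ c for t, c in zip(template, codeword)]  # public; stored instead of a template
    return hint, _derive(secret)

def reproduce(hint, template):
    """Recover the key from a fresh, noisy template and the public hint."""
    noisy_codeword = [t ^ h for t, h in zip(template, hint)]
    decoded = [1 if sum(noisy_codeword[i:i + REP]) * 2 > REP else 0
               for i in range(0, TEMPLATE_BITS, REP)]  # majority vote per block
    return _derive(decoded)

def add_noise(template, flips_per_block):
    """Constructed noise model: flip the first flips_per_block bits of every block."""
    out = list(template)
    for start in range(0, TEMPLATE_BITS, REP):
        for j in range(flips_per_block):
            out[start + j] ^= 1
    return out

def demo(seed=1):
    rng = random.Random(seed)
    genuine = [rng.randrange(2) for _ in range(TEMPLATE_BITS)]   # constructed template
    impostor = [rng.randrange(2) for _ in range(TEMPLATE_BITS)]  # unrelated user
    hint, key = enroll(genuine, rng)
    return {
        "hint_bytes": len(hint) // 8,                                      # 112 bytes here
        "within_radius": reproduce(hint, add_noise(genuine, REP // 2)) == key,
        "beyond_radius": reproduce(hint, add_noise(genuine, REP // 2 + 1)) == key,
        "impostor": reproduce(hint, impostor) == key,
    }
```

The hint reveals nothing about the key without the template (it is a one-time pad of the codeword), which is what lets it be stored on-device in place of raw biometric data.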
Notes
1. For example, Firefox Monitor and Firefox Password Manager for Firefox, Google Password Manager for Chrome, Edge Password Manager for Microsoft Edge and Safari Password Manager for Safari browsers.
Abbreviations
- BC: Biometric Cryptosystems
- BKG: Biometric Key Generators
- BTP: Biometric Template Protection
- CK: Cryptographic Keys
- DE-PAKE: Device-Enhanced Password Authenticated Key Exchange
- DL: Digital Lockers
- FE: Fuzzy Extractors
- FR: Facial Recognition
- FAR: False Acceptance Rate
- FRR: False Rejection Rate
- OPRF: Oblivious Pseudo Random Function
- PM: Password Manager
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Kolesnichenko, P., Progonov, D., Cherniakova, V., Oliynyk, A., Sokol, O. (2023). Biometric-Based Password Management. In: Rios, R., Posegga, J. (eds) Security and Trust Management. STM 2023. Lecture Notes in Computer Science, vol 14336. Springer, Cham. https://doi.org/10.1007/978-3-031-47198-8_2
DOI: https://doi.org/10.1007/978-3-031-47198-8_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-47197-1
Online ISBN: 978-3-031-47198-8
eBook Packages: Computer Science, Computer Science (R0)