A multibiometric access control architecture for continuous authentication

Adriana Esmeraldo de Oliveira, Gustavo Henrique Matos Bezerra Motta, Leonardo Vidal Batista
Informatics Department, Federal University of Paraíba, João Pessoa – PB – Brazil
{drill, gustavo, leonardo}@di.ufpb.br

Abstract—In order to enhance security, biometrics has increasingly become part of access control architectures. Since some of unibiometrics' vulnerabilities have already shown up, they've been replaced or enhanced by multibiometrics. Also, continuous authentication processes have been considered an important security precaution. In such a context, this paper presents an information security architecture for access control that aims to accomplish a high security level by adding multibiometrics and a continuous authentication process.

Keywords-multibiometrics; biometrics; access control; continuous authentication; software architecture.

I. INTRODUCTION & BACKGROUND
A biometric system that employs a single trait is constrained, especially by intrinsic factors [2]. This limitation can be reduced by fusing the information presented by multiple sources. A system that consolidates the evidence presented by multiple biometric sources is known as a multibiometric system [3].

In access control systems, a user might be coerced into authenticating in order to give a criminal unauthorized access. One answer to this problem is a continuous authentication process: a process that verifies whether the user identified at the start of the software application is still entitled to remain on the system, without human interference or breaks in the process [1].

Much of the literature on biometric system design has focused on system error rates and scaling equations. However, it is also important to have a solid foundation for future progress as the processes and systems architecture for the new biometric application are designed [4]. In addition, a well-defined architecture for multibiometric systems may help developers to standardize, among other things, their data structure, so as to enable and facilitate template fusion and interoperability.

In this paper, we propose a multibiometric access control architecture for continuous authentication.
II. THE PROPOSED ARCHITECTURE

With the proposed architecture, a developer can decide which biometric traits are used, which environment the system is supposed to run on (desktop or Web), whether a continuous authentication process is required, etc. As can be seen in Figure 1, the architecture components have dependency relations, which are represented by dotted lines with arrowheads.

The Persistence component must provide an interface with different ways of persisting users' information, such as their identification numbers and biometric templates.

The Engine component includes image processing and biometric recognition algorithms. The selected biometric characteristics were fingerprint, face and voice. The recognition method is the same as that used in a common biometric system. However, unlike these systems, the Engine component does not include the sensor module, in which a sensor is needed for enrollment.

The Authentication and Identification component must respond to requests for registration, identification and authentication of users. In order to do this, it must use the Engine component. It also directly accesses the Persistence component and must have information security mechanisms for data transmission and validation, in order to guarantee the authenticity, integrity and confidentiality of the process and the data involved.

The Software Development Kit (SDK) component has libraries to communicate with the hardware devices, i.e., the biometric sensors, and other libraries to communicate with the Service package components, so that one can develop desktop or Web applications, for local or distributed environments, with or without a continuous authentication process.

In order to identify and authenticate users on their personal computers and mobile devices, the Logon component is a client application to be integrated with the operating system. Therefore, instead of the traditional access control mechanism, multibiometric identification and authentication can be used to log in. In addition, a continuous authentication process must block access in the user's absence. The Logon component is a ready-to-use application that must use the SDK component in its implementation.

The Plugin must be responsible for the interaction between the Authentication and Identification component and websites and other applications. The Plugin is intended to facilitate the developer's work by encapsulating biometric enrollment and information security issues as well as Web Services usage.
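An added example (not code from the paper) of how a continuous authentication process over the three selected traits could re-check the user and block access in the user's absence. Weighted-sum score-level fusion, the weights, thresholds and timings, and the names fuse and ContinuousSession are assumptions; the paper does not specify a fusion method or any of these values.

```python
# Added example: weights, thresholds and timings are assumptions, not from the paper.
WEIGHTS = {"fingerprint": 0.5, "face": 0.3, "voice": 0.2}
ACCEPT = 0.70           # minimum fused score to be (or stay) authenticated
MAX_AGE = 10.0          # seconds a match score counts as fresh evidence
ABSENCE_TIMEOUT = 15.0  # seconds without fresh evidence before locking
LOGIN_MIN_TRAITS = 2    # initial login must be multibiometric

def fuse(scores):
    """Weighted-sum score-level fusion, renormalised over the traits present."""
    if not scores:
        return None
    total = sum(WEIGHTS[t] for t in scores)
    return sum(WEIGHTS[t] * s for t, s in scores.items()) / total

class ContinuousSession:
    def __init__(self):
        self.samples = {}    # trait -> (timestamp, match score in [0, 1])
        self.locked = True
        self.last_ok = None  # time of the last successful check

    def observe(self, trait, score, now):
        if trait not in WEIGHTS or not 0.0 <= score <= 1.0:
            raise ValueError("unknown trait or score out of range")
        self.samples[trait] = (now, score)

    def _fresh(self, now):
        return {t: s for t, (ts, s) in self.samples.items() if now - ts <= MAX_AGE}

    def login(self, now):
        """Initial authentication: needs several fresh traits and a passing fused score."""
        fresh = self._fresh(now)
        ok = len(fresh) >= LOGIN_MIN_TRAITS and fuse(fresh) >= ACCEPT
        self.locked = not ok
        if ok:
            self.last_ok = now
        return ok

    def tick(self, now):
        """Periodic re-check; once locked, only login() can unlock."""
        if self.locked:
            return "locked"
        fused = fuse(self._fresh(now))
        if fused is not None and fused >= ACCEPT:
            self.last_ok = now
        elif fused is not None or now - self.last_ok > ABSENCE_TIMEOUT:
            self.locked = True  # mismatch now, or user absent too long
        return "locked" if self.locked else "active"
```

Because stale scores age out of the fusion, a strong match from login time cannot keep a session alive indefinitely, and a fresh low score from one sensor pulls the fused value below the threshold immediately.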
III. CONCLUSIONS

This paper presented a multibiometric access control architecture for continuous authentication. It was designed to support and easily deal with future changes or additions. This architecture provides flexibility to access control systems development, in a way that any combination of the exploited features can be used so as to build a system in its most suitable form.

REFERENCES

[1] Brosso, M.I.L. "Autenticação Contínua de Usuários em Redes de Computadores", Doctoral thesis, Escola Politécnica da Universidade de São Paulo, Departamento de Engenharia da Computação e Sistemas Digitais, São Paulo, 2006.
[2] Roberts, C. "Biometric attack vectors and defenses", Computers and Security Journal, Vol. 26, pp. 14-25, 2007.
[3] Ross, A.A., Nandakumar, K., and Jain, A.K. "Handbook of multibiometrics", Springer Science, New York, 2006.
[4] Wayman, J., Jain, A., Maltoni, D. and Maio, D. "Biometric Systems: technology, design and performance evaluation", Springer Science, London, 2005.
Figure 1. General scheme of the proposed architecture.
This work is being supported in part by CAPES under scholarship grant and CNPq under grant 555741/2009-5.
978-1-4244-6446-3/10/$26.00 © 2010 IEEE
ISI 2010, May 23-26, 2010, Vancouver, BC, Canada