On security of multi-factor biometric authentication

This paper focuses on security and accuracy of multi-factor biometric authentication schemes that are based on applying User-Based Transformations (UBTs) on biometric features. Typically, UBTs employ transformation keys generated from passwords/PINs or retrieved from a token. In this paper, we argue that the effect of compromised transformation keys on authentication accuracy has not been tested rigorously, and that the widely reported claim in the literature that in the case of stolen keys, accuracy drops but remains close to the accuracy of biometric only system is based on false assumptions. We show that multi-factor authentication systems setup to operate at a zero or near zero EER can be undermined in the event of keys being compromised where the False Acceptance Rate reaches unacceptable levels. This research also demonstrates by experiments on iris, fingerprint, and face biometrics that probabilities of impostors with stolen keys being falsely accepted are 21%, 56%, and 66% respectively.