As the travel restrictions imposed to control the coronavirus pandemic are beginning to be relaxed in some parts of the world, it is time to start rethinking airport security in the age of COVID-19. Even if an effective vaccine is found for COVID-19, it will be out of the question to go back to long lines at security checkpoints and boarding gates, and the manual checking of identity documents and boarding passes.
In a provisional patent application that I coauthored with Karen Lewison before the pandemic and have now published, we proposed an automated method of verifying the identity of travelers that could be used in the post-pandemic world to speed up the security check and the boarding process, and to eliminate the face-to-face interaction with a security officer at the checkpoint and a flight attendant at the boarding gate. The method takes advantage of the high accuracy achieved by today’s deep neural networks for face recognition, while overcoming the privacy concerns raised by the collection and storage of facial images.
Here is a summary of the method.
Continue reading “Airport Security in the Age of COVID-19”
Updated April 1st, 2020
This blog post has been coauthored with Karen Lewison
The coronavirus pandemic is causing unprecedented disruption throughout
the business world. Businesses that are not able to cope with public
health orders and new customer behaviors are going out of business,
while businesses that are able to adapt are thriving and expanding
their market share. Disruption will be temporary in sectors of the
economy where face-to-face interaction adds value to the
business-to-customer relationship and a physical presence on the
street is an essential requirement of the business model; gyms, bars
and conference centers will no doubt reopen once the pandemic has been
controlled. But changes brought by the pandemic will be permanent in
sectors of the economy where face-to-face interaction adds no value
and a physical presence is a legacy of a traditional business model.
One of those sectors is the financial world.
A challenge to financial institutions
Financial institutions have been less impacted than other businesses
by the pandemic. In the US, the entire financial sector has been
declared critical infrastructure by DHS and is thus protected against
closure orders by states or counties. And most financial transactions
are now conducted online using web browsers or mobile apps, without
face-to-face interactions that would put employees and customers at
risk of contagion. Nevertheless, coronavirus poses a challenge to
financial institutions: how to verify the identity of new customers.
Continue reading “Identity Verification: A Coronavirus Challenge to the Financial World”
Pomcor has been granted US
Patent 10,567,377, Multifactor Privacy-Enhanced Remote Identification Using a
Rich Credential. Karen Lewison is the lead inventor and I am
a coinventor. Pomcor has so far been granted a total of eight patents,
two of which we have sold. The remaining six patents that we own are
listed in the Patents page of this web site.
This latest patent is special because it provides a solution to a
major societal problem: how to identify people over the Internet with
strong security. Techniques are available for authenticating repeat
visitors to a web site or current users of a web application. But
authentication techniques are only applicable once a relationship has
been established. They are not applicable when somebody wants to
establish a new relationship, e.g. by becoming a new customer of a
bank, or signing up with a robo advisor, or applying for a mortgage,
or renting an apartment, or switching to a different car insurance.
Continue reading “Pomcor Granted Patent on Rich Credentials”
This blog post has been coauthored with Karen Lewison
In recent posts we have been concerned with online credit card fraud
and how to fight it using cardholder authentication. In this post we
are concerned with another kind of financial fraud, known as
application fraud or new account fraud. Both kinds of fraud have been
rising after the introduction of chip cards, for reasons mentioned by
Elizabeth Lasher in her
Surge of Application Fraud:
“Due to the high volume of data breaches, Social Security numbers,
mailing addresses, passwords, health history, even the name of our
first pet is all for sale on the Dark Web. When you combine this
phenomenon with the economic pressure applied on fraudsters to find a
new cash cow after chip and signature plugged a gap in card-present
fraud in the US, there is a perfect storm.”
The term “application fraud” refers to the creation of a
financial account, such as a bank account or a mortgage account, with
the intention to commit fraud. Application fraud can be first-party
fraud, where the account is opened under the fraudster’s own identity,
or third-party fraud, where the fraudster uses a stolen identity.
Here we are primarily concerned with the latter.
Continue reading “A New Tool Against the Surge of Application Fraud”
Karen Lewison and I have contributed the chapter on Biometrics to the book
Interaction and Cybersecurity Handbook, published by Taylor &
Francis in the CRC Press series on Human Factors and Ergonomics. The
editor of the paper, Abbas Moallem, has received the SJSU 2018 Author
and Artist Award for the book.
Biometrics is a very complex topic because there are many biometric
modalities, and different modalities use different technologies that
require different scientific backgrounds for in-depth understanding.
The chapter focuses on biometric verfication and packs a lot of
knowledge in only 20 pages, which it organizes by identifying general
concepts, matching paradigms and security architectures before diving
into the details of fingerprint, iris, face and speaker verification,
briefly surveying other modalities, and discussing several methods of
combining modalities in biometric fusion. It emphasizes presentation
attacks and mitigation methods that can be used in what will always be
an arms race between impersonators and verifiers, and discusses the
security and privacy implications of biometric technologies.
Feedback or questions about the chapter would be very welcome as
comments on this post.
Crytpographic Library (PJCL).
initial public release
provided digital signature functionality,
which we had been using internally for our own research
on authentication and identity proofing.
This release adds key agreement
and key derivation functionality. The next release will provide
symmetric and asymmetric encryption primitives, including
AES and RSA. To be notified of future releases you may
sign up for the
user forum, subscribe
to the feed of this blog, or follow me on Twitter (@fcorella).
(Update: The PJCL user forum has been discontinued as of May 27, 2018.)
and server-side (e.g. under Node.js). It comes with
on the functionality that it provides, which includes:
Continue reading “Second Release of PJCL Expands Functionality Following NIST Cryptographic Specifications”
environment and based on very fast big integer arithmetic functionality that may be of interest in
its own right.
is available free of charge for any kind of
use, but not under a traditional open source license. The traditional open source paradigm
encourages contributions by the developer community at large, but we believe that this
paradigm is not well suited to cryptography. To protect the integrity of the cryptographic code, the
prohibits modification of the cryptographic functions.
We have been using the library internally for our own research on authentication and identity
proofing, and this first release includes symmetric and asymmetric digital signature functionality,
including HMAC, DSA, and ECDSA with NIST curves. Future releases will provide broader cryptographic
functionality, including encryption and key exchange. We believe that the library provides the
opportunities for hiding backdoors that might be provided by elliptic curve technology.
This blog post is a companion to a presentation made at the
2017 International Cryptographic Module Conference
and refers to the presentation
slides, revised after the
conference. Karen Lewison is a co-author of the presentation and of
this blog post.
Slide 2: Key storage in web clients
Most Web applications today use TLS, thus relying on cryptography to
provide a secure channel between client and server, and to
authenticate the server to the client by means of a cryptographic
credential, consisting of a TLS server certificate and its
associated private key. But other uses of cryptography by Web
applications are still rare. Client authentication still relies
primarily on traditional username-and-password, one-time passwords,
proof of possession of a mobile phone, biometrics, or combinations of
two or more of such authentication factors. Web payments still rely
on a credit card number being considered a secret. Encrypted
messaging is on the rise, but is not Web-based.
A major obstacle to broader use of cryptography by Web applications is
the problem of where to store cryptographic keys on the client side.
Continue reading “Storing Cryptographic Keys in Persistent Browser Storage”
NIST is working on the third revision of SP 800-63, which used to be
called the Electronic Authentication Guideline and has now
been renamed the Digital Identity Guidelines. An important
change in the current draft
of the third revision is a much expanded scope for biometrics.
The following are comments by Pomcor on that aspect of the new
guidelines, and more specifically on
5.2.3 of Part B, which we have sent to NIST in response to a call
for public comments.
The draft is right in recommending the use of presentation attack
detection (PAD). We think it should go farther and make PAD a
mandatory requirement right away, without waiting for a future edition
as stated in a note.
But the draft only considers PAD performed at the sensor.
Continue reading “Comments on the Recommended Use of Biometrics in the New Digital Identity Guidelines, NIST SP 800-63-3”
This is the last of a four-part series of posts presenting results of
a project sponsored by an SBIR Phase I grant from the US Department of
Homeland Security. These posts do not necessarily reflect the
position or the policy of the US Government.
We have just published a
the last three of the five solutions that we have identified in the
project on remote identity proofing that we are now finalizing.
Solutions 3–5 use Near-Field Communication (NFC) technology for
remote identity proofing. Each of the solutions uses a preexisting
NFC-enabled hardware token designed for some other purpose as a
credential in remote identity proofing. A native app running on an
NFC-enabled mobile device serves as a relay between the NFC token and
the remote verifier.
In Solution 3 the token is a contactless EMV payment card. In
Solution 4, the token is a medical identification smart card
containing a private key and a certificate that binds the associated
public key to attributes and a facial image. In Solution 5, the token
is an e-Passport with an embedded RFID chip that contains signed data
comprising biographic data and a facial image.
In solutions 4 and 5 a native app submits to the verifier an
audio-visual stream of the subject reading prompted text. The
verifier matches the face in the video to the facial image in the
NFC token, uses speech recognition technology to verify that the
subject is reading the text that was prompted, and verifies that the
audio and video channels of the stream are in synchrony by matching
distinguishable visemes in the video channel to phonemes in the audio