8.3.1. Biometrics

The word biometric comes from the Greek words bios (life) and metrikos (measurement). Biometric authentication is a technique that calls on the statistical analysis of biological characteristics. It consists of using physical characteristics to identify a person. These characteristics should be reliable, unfalsifiable, universal, unique for each individual, measurable and recordable.

Biometrics is therefore used in many applications entering a location, accessing work station, etc. It is even beginning to replace classical methods, which depend on what the user knows (password, PIN, etc.) or possesses (key, card, etc.), that can be discovered, modified or stolen.

8.3.2. Biometric techniques

In the main, there are two types of biometric techniques that are used for identification applications (see Figure 8.1):

• – physiological techniques, based on identifying physical characteristics that are unique. This category includes the iris, the retina, handshape, fingerprints, facial features, etc.;
• – behavioral techniques, based on analyzing people’s behavior. This category includes voice recognition, signature dynamic, key stroke dynamic, etc.

There is another technique, called biological or anatomical, which is the study of biological traces such as DNA, blood, saliva, urine and odor. Today, this technique is not used in authentication.

8.3.3. The different properties of biometrics

Biometric characteristics making it possible to verify the identity of an individual should have the following properties (Ometov et al. 2018):

• – universality: the biometric should be present in each person;
• – uniqueness: the biometric should differ sufficiently between one person and another;
• – stability: the properties of the biometric should remain invariable throughout the person’s life;
• – collectability: the biometric should be easy to measure in an individual;
• – performance: the biometric should be sufficiently robust, reliable and easy to analyze when it is used to verify a person’s identity;
• – acceptability: use of the biometric should be socially acceptable;
• – identity theft: the biometric should not be easy for an attacker to steal.

Biometric characteristics possess these properties to different degrees as Table 8.1 shows. None of these different biometric characteristics is ideal, but each of them can be taken and adapted to particular applications.

8.3.4. Operating a biometric system

A biometric system makes it possible to sense biometric information, analyze it and extract characteristic elements from it and compare these with others memorized in a database.

Using a biometric system requires two stages:

• – an enrollment stage (also called a learning stage), which consists of sensing, modeling (constructing a model of the individual) and storing biometric data in the database;
• – a reconnaissance stage, which consists of comparing the new sensing with the assumed model of the individual.

The reconnaissance will differ depending on the mode of identification or verification:

• – identification mode: to guess the identity of the person, the system answers the question “Who am I?”. In this mode, the system compares the signal measured with the models stored in the database. We often speak of a closed problem (each person using the system has a model in the database);
• – verification mode: to verify the person’s identity, the system answers the question “am I the person I claim to be?”. The person proposes an identity to the system and the system verifies that the identity of the person is really the one proposed. We call it an open problem (we suppose that a person who has no model in the database may seek to be recognized).

8.3.5. System performances

It is impossible to obtain a “signature” signal created during verification that is similar to a “signature” signal created at the moment of learning. It is impossible to reproduce original elements identically (an image, an ECG signal, a sound, etc.).

The performances of biometric authentication systems are measured by:

• – FRR (False Rejection Rate): this is the proportion of legitimate users wrongly rejected;
• – FAR (False Acceptance Rate): this is the proportion of users accepted/identified erroneously.

8.4.1. Multifactor authentication

In general, authentication is the procedure that enables a system (e.g. an IoT device) to verify whether an entity (e.g. another IoT device or even a user via their terminal) is authorized or not to access resources controlled by this system. Authentication methods are based on authentication factors such as the password, smart card and/or biometrics (Figure 8.2). There are two authentication categories:

• – simple authentication, which requires only a single authentication factor (e.g. a password and badge);
• – strong authentication (also called multifactor authentication), which calls on many factors simultaneously (at least two).

In general, a reliable authentication protocol is based on three security factors (Table 8.2):

• – a memory factor (what you know): information that is known only by the user (e.g. passwords and PIN codes);
• – a material factor (what you have): a physical key that belongs only to the user (e.g. smart card or mobile phone);
• – a bodily factor (who you are, biometrics): biometric data are unique for each individual (e.g. voice, fingerprints and ECG).

In this context, many researchers have developed authentication protocols based on three factors (a password, a smart card and biometrics) to ensure security of communications in an IoT network (Dhillon and Kalra 2017; Ali et al. 2018; Ahmed and Ahmed 2019; Li et al. 2019; Sammoud et al. 2020c).

In fact, authentication protocols based on a single factor (e.g. a password) do not provide reliable authentication (Sammoud et al. 2020c). We also note that the majority of authentication protocols that are based on two factors, memory and material, have not managed to guarantee good resistance to some significant attacks such as identity guessing attacks, insider attacks and password guessing attacks (Sammoud et al. 2020c). To do this, authentication protocols based on three factors have been proposed. They have the objective of improving security of authentication in the IoT.

8.4.2. Examples of multifactor authentication approaches for securing the IoT

Several pieces of research focus on the security of the IoT via multifactor authentication approaches. In this context, in 2017, Dhillon and Kalra proposed a multifactor authentication approach based on biometrics, dedicated to services offered by the IoT. Formal and informal analysis of this proposition demonstrates its robustness in terms of security. In 2019, Ahmed and Ahmed proposed a multifactor authentication approach to securing the IoT. The authors show that the proposed approach is robust against many types of attack and also guarantees the integrity, authenticity and availability of detected data for legitimate devices in the IoT.

The IoT has contributed to the dramatic evolution of services offered in the healthcare sector. It is very important to guarantee the protection of sensitive data exchanged in this domain. In 2018, Ali et al. proposed an authentication protocol based on three factors for securing the IoT in the context of e-health systems. They have demonstrated the robustness of the security of their protocol using BAN (Burrows-Abadi-Needham) logic and security analysis with the formal verification tool, AVISPA. In 2019, Li et al. proposed a multifactor authentication protocol for the wireless medical sensor network. The security of this protocol has been demonstrated by the formal verification tool ProVerif. Recently, Sammoud et al. (2020c) proposed an optimal protocol for multifactor authentication and generation of session keys to secure direct communications between healthcare professionals and the patient’s medical sensors. Using analysis of formal and informal security, they have demonstrated that their protocol is robust enough against the most well-known attacks such as password attacks, replay attacks and attacks on the gateway or sensor, or attacks that involve stealing the user’s identity. In addition, the authors of Sammoud et al. (2020c) have shown that their protocol is more efficient in terms of the resources required (calculation, memory and energy) than the protocols proposed by Ali et al. (2018) and Li et al. (2019).

8.4.3. Presentation of the approach of Sammoud et al. (2020c)

Sammoud et al. (2020c) have proposed a multifactor authentication protocol with generation of a session key to secure a direct communication between medical personnel and a patient’s network of wireless body sensors (WMSN: Wireless Medical Sensors Network). In this type of communication, with a terminal (wired, wireless or cellular) and Internet access, a doctor (or more generally, a healthcare professional) can access a medical sensor situated in the patient’s WMSN network via a gateway. This access is generally achieved in the following way. First of all, a smartcard is delivered to the healthcare professional by the administration system. This smart card is then used to verify the legitimacy of the healthcare professional and to send a connection message to the gateway via a public channel (e.g. the Internet). Then, via the gateway, the healthcare professional and the medical sensor agree on a session key to secure later communications.

The authors of Sammoud et al. (2020c) have shown that the proposed protocol ensures a robust protection against known attacks while still ensuring low consumption of resources (CPU, memory and energy). Indeed, formal and informal security analysis of the protocol has demonstrated its robustness against password guessing attacks, user identity guessing attacks, gateway impersonation attack, sensor impersonation attack, insider attacks and replay attacks, as well as maintaining user untraceability and protection of the symmetric key generated, which will be used later to secure communications between the healthcare professional and the medical sensor against illicit disclosure. In addition, by comparing the protocol with other multifactor authentication protocols, the authors of Sammoud et al. (2020c) have demonstrated that their proposition has the advantage of resisting a large number of attacks while still minimizing consumption of resources (calculation, memory and energy).

Like most work in this domain (defining multifactor authentication), this approach has five phases: setup, healthcare professional registration, login, authenticating and password change phase.

8.4.3.1. Notation

Table 8.3 introduces the notations that will be used to describe the approach of Sammoud et al. (2020c).

Notation	Explanation
Ui	Healthcare professional (user) i
GW	Gateway
SNj	Sensor node j
IDi	User identifier Ui
PWi	User password Ui
Bi	Biometric characteristic of the user Ui
IDg	Gateway identifier GW
SIDj	Sensor node identifier SNj
SK	Symmetric key, generated to secure communication between Ui and SNj
Gen, Rep	Probabilistic generation procedure and deterministic reproduction procedure of the fuzzy extractor
h(⋅)	Hashing function
	XOR Operator
||	Concatenation operator

8.4.3.3. Healthcare professional registration phase

At first, a user U_i who is a healthcare professional should register at the gateway, through an administration system SA, so as to be authorized to access the wireless medical sensor network. The following steps are needed for registration (see Figure 8.3).

• – Step 1: U_i chooses an identity ID_i and a password PW_i. Then, they imprint their personal biometric data B_i (fingerprint) on a specific device and calculate (B^*_i, P_i) = Gen (B_i). Gen () is a probabilistic generation procedure by the fuzzy extractor. B^*_i represents the biometric key and P_i designates the public reproduction parameter that will be used later to reproduce B^*_i. Then, U_i calculates BPW_i = h(PW_i ∥ B^*_i) and IPW_i = h(PW_i ∥ ID_i). The user then sends the message {IPW_i, BPW_i} to the system administrator, and this transmits the message received at the gateway GW. Indeed, to resist insider attacks as well as password guessing attack (e.g. a brute force attack) and user identity guessing attack, U_i uses a hashing function to ensure that their personal information, such as a password, their personal identity and their biometric data, are masked when they are transmitted to the system administrator and then to the GW.
• – Step 2: after having received the message from U_i, the gateway GW produces a dynamic identity DID_i for U_i and then calculates A_i = h (DID_i ∥ k ∥ ID_g), C_i = A_i ⊕ BPW_i, D_i = DID_i ⊕ BPW_i and F_i = A_i ⊕ IPW_i. In fact, the reason to use a dynamic identity DID_i is to strengthen user untraceability. Then, GW sends {C_i, D_i, F_i, h(⋅)} to SA. The system administrator then sends a smart card containing the information {C_i, D_i, F_i, h(⋅)} and transmits this to U_i via a secure channel (e.g. hand to hand or via a registered post).

• – Step 3: after they have received their smart card from the SA, the healthcare professional U_i stores P_i in SC_i. So, after this update, the smart card SC_i finally contains parameters {C_i, D_i, F_i, P_i, h(.)}.

8.4.3.4. Login phase

• – Step 4: U_i inserts their own SC_i into the smart card reader and re-enters his ID_i and his PW_i. Then, he imprints his biometric data (fingerprint) B' with the help of a specific sensor (Figure 8.4). Then, the smart card SC_i reproduces B^*_i = Rep (B'_i, P_i) where Rep(.) is a deterministic reproduction procedure of the fuzzy extractor. Finally, SC_i calculates BPW_i = h(PW_i ∥ B^*_i), A_i = C_i ⊕ BPW_i and F'_i = A_i ⊕ h(PW_i ∥ ID_i), and compares F'_i with stored F_i. Where they match, U_i passes identity verification and SC_i passes to the following operation stage. Where this does not happen, the connection request is refused.
• – Step 5: SC_i recovers DID_i = D_i ⊕ BPW_i and generates a random number (nonce) M_i. Then, it calculates M₁ = M_i ⊕ A_i , M₂ = h(ID_i ∥ SID_j), M₃ = Eh(Mi) (ID_i ∥ SID_j ∥ M₂∥ T₁) and transmits {DID_i, M₁, M₃} to GW via a public channel (e.g. the Internet). The random number generated M_i as well as the timestamp T₁ helps to protect this approach against replay attacks. Furthermore, M_i is used, masked by a hashing function, as a symmetric key for the message M₃. In fact, this random number is known only by the user. To recover M_i, an attacker needs to be able to guess the user’s biometric data and password, which are well protected. This approach therefore guarantees a high level of resistance against user impersonation attack.

8.4.3.5. Authentication phase

To ensure mutual authentication and secure sharing of a session key between U_i and SN_j, the following steps should be carried out (Figures 8.5(a) and 8.5(b)).

• – Step 6: after having received the connection request message from U_i, GW should, first of all, recover M_i = M₁ ⊕ h(DID_i ∥ K ∥ ID_g). Then, GW decrypts M₃ by using h(M_i) as a decryption key to retrieve {ID_i ∥ SID_j ∥ M₂ ∥ T₁} and verifies, afterward, if T₂ - T₁ ≤ △T. Where they do not match, GW ends the session. Otherwise, GW calculates M'₃ = h(ID_i || SID_j) and compares M'₃ to M₃. Where they do match, U_i is correctly identified by the GW and the following steps will be carried out. Where they do not match, the session is terminated.

• – Step 7: the gateway GW generates a random number (nonce) N_i and calculates M₄ = N_i ⊕ h(K_sn), M₅ = h (ID_i ∥ N_i ∥ T₃∥ ID_g) and M₆ = Eh(Ksn||Ni) (ID_g ∥ ID_i ∥ M_i ∥ M₅ ∥ T₃). Then, GW transmits {M₄, M₆} to SN_j via a public channel. The random number generated N_i and the timestamp T₃ are used to protect this approach against replay attacks. The message M₆ is encrypted using h(K_sn ∥ N_i) as a symmetric key, where K_sn is a symmetric key known only by the gateway GW and the sensor SN_j concerned. Furthermore, N_i is very difficult for an attacker to predict. This approach is therefore well protected against gateway impersonation attack.
• – Step 8: after having received the message from GW, SN_j recovers N_i = M₄⊕ h(K_sn) to decrypt M₅ and can extract {ID_g ∥ ID_i ∥ M_i ∥ M₅ ∥ T₃}. Then, it verifies whether T₄ - T₃ ≤ △T. Where they do not match, SN_j ends the session. Otherwise, SN_j calculates M'₅ = h(ID_i ∥ N_i ∥ T₃∥ ID_g) and compares M'₅ with the M₅ received. Where they match, GW is correctly authenticated by SN_j and other steps will be carried out. Where they do not match, the session will be terminated.
• – Step 9: SN_j proceeds to generate the random number (nonce) V_i and calculates M₇ = V_i ⊕ h (M_i ∥ N_i), the session key SK = h(ID_i ∥ ID_g ∥ SID_j ∥ M_i ∥ N_i ∥ V_i) and M₈ = h (SK ∥ ID_i ∥ ID_g ∥ T₅). Then, SN_j transmits {M₇, M₈, T₅} to GW via a public channel. Use of a random number V_i and the timestamp T₅ helps us to protect this approach against replay attacks. M₇ and M₈ will both be used by GW to verify the identity of the sensor SN_j. Both messages will be generated on the basis of data known only by GW and SN_j. To do this, we can say that this approach is fairly robust against sensor node impersonation attack.
• – Step 10: after having received the message from SN_j, GW first verifies whether T₆ - T₅ ≤ △T. Where they do not match, GW ends the session. Otherwise, it recovers V_i = M₇ ⊕ h (M_i ∥ N_i) and calculates SK' = h(ID_i ∥ ID_g ∥ SID_j ∥ M_i ∥ N_i ∥ V_i) and M'₈ = h (SK ∥ ID_i ∥ ID_g ∥ T₅). Then, GW compares M'₈ with M₈ received. Where they match, SN_j is correctly authenticated by the GW and other stages will be carried out. Where they do not match, the session will be terminated.
• – Step 11: GW produces a new dynamic identity DIDⁿ_i for the user U_i and calculates Aⁿ_i =h (DIDⁿ_i ∥ k ∥ ID_g). Then, it calculates M₉ = h(SK ∥ Aⁿ_i ∥ DIDⁿ_i) and M₁₀ = Eh(Mi) (Aⁿ_i ∥ N_i ∥ V_i ∥ DIDⁿ_i ∥ M₉ ∥ T₇) before transmitting M₁₀ to U_i >via a public channel. The message M₁₀ contains the information needed for U_i to be able to generate the symmetric key SK and update the parameters stored in their smart card. It is impossible for the attacker to obtain this secret data because the message M₁₀ is encrypted with the help of a symmetric key h(M_i) which is the result of hashing the secret information M_i.

• – Step 12: after receiving the message M₁₀ from GW, U_i (via their smart card) applies the decryption function on M₁₀ using h(M_i) as a symmetric key to recover {Aⁿ_i ∥ N_i ∥ V_i ∥ DIDⁿ_i ∥ ID_g ∥ M₉ ∥ T₇}. Then, they verify whether T₈ - T₇ ≤ △T. Where they do not match, U_i ends the session. Otherwise, U_i calculates SK' = h(ID_i ∥ ID_g ∥ SID_j ∥ M_i ∥ N_i ∥ V_i) and M'₉ = h(SK' ∥ Aⁿ_i ∥ DIDⁿ_i) and then compares M'₉ to M₉. Where they match, GW is correctly authenticated at U_i and other stages will be carried out. Where they do not match, the session will be terminated. We should note that the secret session key SK generated will later be used to encrypt/decrypt sensitive medical data between the user U_i and the sensor node SN_j. Indeed, this session key SK is unique for each user/gateway/sensor authentication session.
• – Step 13: U_i calculates Cⁿ_i = C_i ⊕ A_i ⊕ Aⁿ_i, Dⁿ_i = DIDⁿ_i ⊕ BPW_i and Fⁿ_i = F_i ⊕ A_i ⊕ Aⁿ_i to replace C_i , D_i and F_i stored in the smart card by the new values Cⁿ_i , Dⁿ_i and Fⁿ_i. Indeed, updating the secret parameters stored in the smart card is carried out to guarantee the untraceability of the healthcare professional (user) in this approach.

8.5.1. Machine learning algorithms

Several machine learning algorithms are used for identification/authentication. In this section, we present the most powerful machine learning algorithms compared to other algorithms for biometric applications (Yeh et al. 2016):

• – Neural networks: networks of artificial neurons are inspired by biological neural systems in the human brain (Negnevitsky 2005). They are characterized by their capacity to handle large quantities of information. These networks are formed of a set of neurons working simultaneously. Multilayer (MLP: MultiLayer Perceptron) networks are the most widely used classifiers for neural networks. They are formed using supervised algorithms. RBF (Radial Basis Function) networks derive from the approximation theory of functions that have a powerful architecture (Feedforward). This type of network was introduced for the first time by Hardy (1995), and the corresponding theory was developed by Powell (1999). Afterward, this type of network was known by the “term” neural networks. This type of network uses Gaussian functions. The learning is based essentially on the least squares algorithm and the K-means algorithm.
• – Support-vector machines (SVMs): are supervised learning techniques intended to solve problems of regression and discrimination. SVMs were developed during the 1990s and are characterized by their capacity to work with large dimension data. SVMs use linear separators that maximize the margin between two different classes with the aim of providing an optimal classification (Nguyen and Armitage 2008).
• – k-nearest neighbors: the k-nearest neighbors (KNN) method is a supervised learning method that can be used when searching for new biomarkers for diagnostics (Bhatia and Vandana 2010). KNN is a non-parametric method in which the model memorizes observations from all the learning to classify data from all the tests. This machine learning algorithm is called Lazy Learning because it learns nothing during the training stage. To estimate the output linked to a new input, the KNN method consists of considering (identically) the k learning samples whose input is closest to the new input, depending on a distance to be defined (e.g. Euclidean distance) (Bhatia and Vandana 2010).
• – Decision tree: the decision tree (DT) method is one of the most popular supervised learning methods for data classification problems. This tool to aid decision-making makes it possible to represent a set of choices in graph form in the shape of a tree. Indeed, a DT models a hierarchy of tests to predict a result. The possible decisions are situated at the extremities (the leaves of the tree) and are reached depending on the decisions at each stage. A DT works by applying very simple logical rules iteratively; these rules are chosen depending on the result of the preceding rule. DTs have the advantages of being simple to interpret and quick to use, of being non-parametric and of requiring very little data pre-processing (Phyu 2009).

8.5.2. Examples of authentication approaches based on biometrics and machine learning

These days, mobile phones with touch screens represent an increasingly substantial part of the mobile market. Users often also use their mobile phones to store personal and sensitive data. It is therefore important to protect mobile phones by authenticating legitimate users and by detecting intruders. Authentication on mobile devices often occurs using iris recognition. However, these authentication systems can be attacked. The authors of Gragnaniello et al. (2015) used an LBP (Local Binary Pattern) model to evade these attacks. To improve the discrimination capacity of LBP and better explore image statistics, a linear SVM classification schema is proposed in Gragnaniello et al. (2015).

In Mondal and Bours (2015), the authors used continuous authentication based on biometrics using mouse dynamics and SVM and ANN algorithms for classification. In Meng et al. (2012), the authors proposed a new authentication scheme, based on touch dynamics, that uses a set of behavioral features linked to touch dynamics for a precise authentication. To evaluate their system’s performances, they collected and analyzed touch gesture data from 20 Android phone users by comparing several known classifiers. Experimental results show that an optimized neural network classifier (ANN) is well adapted to authenticate different users with an average error rate of around 3% for the selected features.

8.5.3. Authentication approaches based on ECG and machine learning

8.5.3.1. Overall schema for authentication by ECG

The electrocardiogram (ECG) is a graph representing the electrical activity of the heart. The device used to obtain and display the ECG is called an electrocardiograph (or quite simply an ECG device). This device registers electrical cardiac currents (voltages or potential) by means of selective conductive nodes at the surface of the body and provides a voltage-time graph of the heart’s rhythm.

There are two approaches for human identification:

• – Fiducial approach: the ECG signal is formed of three waves P, QRS and T (Figure 8.6). The fiducial characteristics describe the peaks and intervals between the three waves. Fiducial methods detect, process and classify these characteristics to identify individuals.
• – Non-fiducial approach: to avoid the cost of detecting peaks or intervals, the non-fiducial approach uses signal processing based on the shape of the waves in the frequency domain.

In general, authentication by ECG happens in four stages (Figure 8.7).

• – Stage 1: acquiring an ECG signal (Figure 8.8). The ECG is acquired via three electrodes placed on the right and left upper limbs and the lower right limb.

• – Stage 2: pre-processing the ECG signal. Usually, the ECG contains noise. Consequently, a pre-processing stage is carried out using filters (Wang et al. 2007).
• – Stage 3: extracting characteristics. Several methods have been used such as the Fourier Transform (FT), the Discrete Cosine Transform (DCT) and the Discrete Wavelet Transform (DWT).
• – Stage 4: classification. The question is asked: “Is the signal really an ECG graph of an individual or not?” To solve this problem, several approaches try to use machine learning algorithms that can make it possible to predict the data from different types of databases. These ML algorithms are used to discover a set of rules in the database to carry out a precise classification (Wang et al. 2007).

8.6.1. Quality of biometric data

Authentication using biometrics is less precise than that based on what a person knows or possesses. Indeed, comparison of two biometric vectors is expressed in similarity, which never reaches 100%. The quality/precision of sensors has an impact on the quality and performances of biometric authentication systems.

8.6.2. Non-revocability of biometric data

Unlike a code, biometric data cannot be modified after falsification or theft. The existence of these vulnerabilities has given rise to a need to protect biometric data.

8.6.3. Security of biometric systems

A biometric system can present security failures against attacks on the sensor, attacks on transmission channels, direct attacks on stored data and attacks during the enrollment stage.

In addition, the use of biometrics presents risks in terms of respecting privacy. The capturing, processing and preservation of biometric data can be an invasion of privacy. Biometric data are sensitive in nature and no international standard protects these data. Several solutions can be imagined, such as anonymization or consideration of respect for privacy from the stage of designing the biometric system (Privacy by design).