Biometric Signature Authentication Solution
ANB’s BioSign is a client/server based behavioral biometric authentication solution enables users to authenticate their signature (behavioral biometric identity) from their smartphone device/mobile device using the device touch screen. The ANB’s BioSign authentication system is built for the enterprise and its system components are scalable and can be configured to the organization needs.
Compliance with ISO SC37 standards on biometrics
The ANB’s BioSign solution and its core technology were developed and designed using the latest world leading biometric standards as following:
• ISO/IEC 19795-4 Biometric Performance Testing and Reporting
• ISO/IEC 19794-7 Biometric Data Interchange Formats – Part 7: Signature/Sign time Series Data
• ISO/IEC 24713-1 Biometric Profiles for Interoperability and Data Interchange –
Part 1: Biometric Reference Architecture
• Encrypted Data Exchange
• ISO/IEC 19784-2 BioAPI 2.0
• ISO/IEC 24709-1 Conformance Testing for BioAPI
The ANB’s CTO and the Chief scientist were presented in the ISO SC37 committees that defined the new ISO SC37 standards on biometrics and in particular on the biometric signature. This activity was under the Israeli Standard organization.
Compliance with world leading SSO secured protocol
In general, ANB BioSign solution is integrated with the OpenID SSO protocol. In addition, it can be integrated to other environments and protocols such as the new coming FIDO protocol.
ANB team is currently working on integrating BioSign services with MDM system such as Mobile IRON and other single-sign-in systems such as PINGFederate. PingFederate is a standalone federated identity server utilizing SAML 1.0, 1.1 and 2.0 to enable secure single sign-on to Internet applications for employees, customers and business partners. The following diagram demonstrates the way PingFederate works using a SAML interfacing protocol.
The overall authentication process workflow in such SSO environment is:
(1) Upon a risk-based authentication request (Login or Payment transaction), initiated by the organization business entity/system (for example the ePayment Service), the authentication request is forwarded to ANB’s BioSign services.
(2) The BioSign Authentication services forward the request directly to the user according to his mobile device information.
(3) The user signs on his personal smartphone device and sends the captured behavioral biometric signature for inspection by the BioSign services.
(4) Based on the confidence required by the initiator, the BioSign services authenticate the user behavioral information and then send the authentication results directly and securely to the organization entity/system (tunneled channel) which initiated the transaction.
Biometric Behavioral Profiles and characteristics
The BioSign behavioral biometric system is a risk-based oriented system. It learns each new authenticated signature within each user personal profile using self-adaptive capabilities as long as the provided new signature is within the acceptable differentiation from the user’s profile, which is configured by the organization’s policy. Over time and use, the BioSign solution “learns” and recognizes user’s behavioral identity better. In the case of unstable users’ behavioral signature or any suspicious activity, the system alerts the administration team in real-time and is further reflected by reducing the security level of the inspected user profile.
In a typical security policy configuration, with completion of the user’s signature enrollment, the system may start with a reasonable tolerance that is based on the first 5 enrollment signatures. As the user continues to successfully sign and be authenticated, the system may tighten this tolerance according to the overall stability of user’s signing. The updated signature reference template is based on more samples and in most cases converges into a stable biometric pattern. Each user threshold is personal and reflects the user’s signature security level, consistency level and biometric level. With time and practice each user threshold is converged into a Safezone.
The usage of handwritten dynamic (biometric) signatures in the digital world
The idea of trustworthy digitizing of a handwritten signature was not in the minds of those that were responsible for law making in the late 90’s. Up until today still quite a lot of people tend to know little about how to use so-called dynamic (or biometric) signatures in digital processes. However the technology has reached a mature stage and is ready to be used in e-banking, insurance, e-government, education, retail and in the automotive industry.
The business value of dynamic signatures is obvious: Securing electronic documents with dynamic signatures allows to minimize paper usage and related costs (printing, shipping, scanning, indexing), reducing the loss of time and the potential of errors caused by media breaks as well as speeding up the workflow and achieving a higher level of automation. Besides the financial view on return on investment aspects the social factor of user acceptance and the well established form of unambiguous authentication with handwritten signatures are still underrated.
The obvious conclusion is that signature images are not enough.
If a signature has to be non-repudiated, the processes of capturing, storing and verifying have to fulfil certain technical and legal requirements. Furthermore, the engine(s) used for signature verification must achieve an acceptable Equal Error Rate (EER).
A lot of signatures today are taken with a low resolution. One example is the capturing devices that courier services are using. They capture a rather pixilated image of a signature that is usually not applicable for a later verification. Signatures taken on these devices may easily be claimed to be a forgery. Non-repudiation can only be achieved when the biometric characteristics of a signature are captured too, and when this information is securely bound to the signed document. The additional verification of dynamic signals offers a higher level in security. A signature with a similar image like the reference signature may be detected as falsification because differences in their creation characteristics are discovered.
Nowadays a lot of companies are capturing a signature image and embed it into documents somehow. They do not realize that this image will not allow any further verification process if its authenticity is in doubt. Furthermore this process is not compliant with various e-sign laws throughout the world.
The solution which is embedded in ANB’s BioSign is by capturing Reliable Signature Data.
In order to understand what is necessary to trust a signature it is important to keep in mind that forensic experts rely on the holistic analysis of signatures, i.e. they look at and take into account the paper features, type of stylus, the ink flow and “visible” pressure. Most forensic experts exposed to the analysis of dynamic signatures tend to forget to apply the same principles. The equivalent holistic approach for dynamic signatures must take into account which device was used for signature capture, the device features (see below) and maybe even the signing environment and the co-relations to the signing process.
Signatures may be digitized during the signing process instead of scanning them from paper using a wide range of instruments: pen pads (with and without LC display), special pens and Tablet PCs. They allow a gradual move from paper based documentation to electronic forms and straight-through-processing as well as upgrading the quality of signature verification in general.
ANB has defined a set of quality criteria for capturing signatures with digitizing instruments. A proper comparison of static signature characteristics and dynamic signature signals requires a digitizing instrument that is taking a sufficient amount of time signals. It also has to be able to differentiate between various pressure levels and to provide an appropriate resolution rate. These requirements are also reflected in the standard for the interchange of biometric signature data (ISO/IEC FDIS 19794-7).
Where Dynamic Signatures are used today
To judge the business and legal relevance of dynamic signatures today it is best to list some of the projects in the various vertical markets that use dynamic signature related products. While signature capturing and verification used to be a typical banking topic it became a truly horizontal application in recent years.
Finance: IT-Processing Centers of German Savings Banks are offering their customers solutions to embed dynamic signatures securely into electronic documents in an Adobe LiveCycle environment: The first savings banks implemented signature capture at the teller for account openings, standing orders, exemption orders for capital gains, deposits and other banking products. A very large US bank (name cannot be disclosed at time of publication of this release), has embarked on a similar approach. The e-Finance-Lab, think tank of the German banking industry, has showcased the feasibility of replacing PIN/TANs with dynamic signatures for online banking at the D/A/CH Security conference in March 2006 in Duesseldorf.
Insurance: Signing an insurance contract (for liability reasons the focus is on accident, life and health insurance) and documenting the consulting process that is required by EU legislation from July 1st 2007 onwards are triggers for several insurance companies to go paperless with either signature capturing tablets connected to a notebook or a Tablet PC.
Real Estate: Increasingly popular among real estate agents - especially in the US - is the option of paperless contracting through signing on Tablet PCs.
Automotive: The house bank of a big German car manufacturer evaluates a pilot for its dealers to sign leasing contracts on-line.
Health: The Hospital of Ingolstadt is capturing and verifying the signatures of their doctors that fill electronic patient records on Tablet PCs. The National Health Service in the United Kingdom has started a similar project.
Telecommunication: Signing phone and DSL contracts in the telecom shops is another emerging market.
Retail: In combination with a major payment solutions provider, pilots are under preparation to capture dynamic signatures at the point of sale.
Another project blue print sees loyalty cards users that authenticate themselves with dynamic signatures.
Education: Paperless signing becomes an issue in this vertical as well. Projects are under way with counties in the US and various universities in the UK and the US as well as usage in training classes in Germany
Government: The Chambers of Commerce in Saudi Arabia have chosen to authenticate their web portal users by verification of dynamic signatures.