Last Airport Suicide Terrorist Attack and Multi-Source Biometry for Permanent Authentication.

Security currently cares about authentication and authorization. Responsibility is a private business. Last suicidal terrorist attack in Moscow airport reminds us again some facts we knew (but always ignored – “see no evil, hear no evil, speak no evil”) before: 1. There are lot of public places (Dangerous Public Object) which a. Even are entry free sometimes. b. Have to be controlled because they could be attacked by terrorist (just because they are crowded) 2. People in such places (Dangerous Public Object Users) have to be controlled in user-friendly manner. 3. The control should not be limited to one-time entry case. We have to implement permanent or quasi-permanent control like good bodyguards’ team does. 4. And like good bodyguards’ team, the control purpose is to define dangerous irresponsible user. So now we see why we pretend to ignore the problem – just because we can not afford to use good bodyguards’ team in every public place. But I don’t think we lost the battle. This letter introduces the concepts of a new security service (Permanent Authentication) and new authentication method (Multi-source Biometry). The current idea of authentication remains the same since the advent of cars, that when a driver inserts a key that fits, he is allowed to drive. It does not matter that the real owner is sound asleep at home or at the local Starbucks drinking a cup of coffee – what matters if that the key fits! You can cut off his finger for the fingerprints or take a digital photo of his iris, but you'll end up in the same situation. (This letter does not pretend to investigate intruder techniques.) Some insignificant improvement has been made toward maintaining access for the appropriate people. Some examples include having a ticket time to live, a key (an access card) that must remain in the socket to maintain access, and other improvements. However, the public must agree that Dangerous Public Objects (DPOs) like nuclear plants, planes, ships, big trailers, and etc. are not managed in a reliable, consistent, permanent, and responsible manner. It is expected that the DPO operator (DPOO) is an authorized person while he remains on duty for the entire shift. At the same time, authentication should not disturb an operator or somehow prevent him from the execution of his responsibilities; it should be Reliable Responsible Access (RRA). Interaction between security personnel and customers must be user friendly on board any DPO. Maintaining an appropriate balance between interpersonal relationships and safety, and security, is crucial and extremely difficult. For example, take the boarding of passengers (DPO users - DPOU) on a plane; it is assumed that the people who board the plane are who they claim to be according to some piece of paper, and that they remain in a reassuring state of mind throughout the boarding procedure and the flight itself. However, since security personnel cannot perform multiple security checks on every person who remains on the plane to ensure the identity of the person, as it is deemed excessive and not user friendly, a security breach can occur relatively easily. It is assumed that a thorough background check was performed on the DPOO and that the DPOO had the proper professional training prior to initiating employment. Due to the sensitive nature of the DPOO position, it is possible to require that the DPOO wears or is even implanted with a set of wireless connected devices so that the Body Area Network (BAN) could support DPOO RRA. BAN could provide very useful information about the DPOO's level of responsibility using health

The dynamic characteristics and reactions to changing environmental conditions could low level of false acceptance. and will be more reliable since existing iris-falsifying techniques will be hard to implement against screen-shot sequences of moving eyes caught by stereo cameras.15 WPAN™ Task Group 6 Body Area Networks” project can not be used because the WPAN project has other goals then RRA security. So how these concepts could be implemented? Permanent use of complex biometry (Eye-Movements / Iris / BAN) requires not only EBAD devices development. Due to the nature of the human condition. other parameters are deeply unique for every human being (see literature's section below). Permanent authentication requires use of natural unique features. WPAN project proposals should be used. Set of standards for the network and devices in a secure BAN. 1. 3. or the BAN gateway can be connected to another BAN. However. a furtive look. We subconsciously interpret the expression in other people's eyes to understand their mood and their actions. and other authentication infrastructure which makes additional / parallel authentication ). On the other hand. This double (Eye-Movements and Iris) authentication could be the answer to the DPOU and the DPOO RRA problem because it could realize an idea of Permanent Authentication. Eye Based Authentication Devices (EBAD) could be physically located in several places. 2. But in case of a DPOO. The features should have unique dynamic characteristics and the dynamics should be somehow predictable according to the current environment and the DPOO's current state of health. These patterns are recognizable and could be used to send signals. The “eyes speak” means that the eyes' behavior is predictable. and etc. This feature should be monitored remotely so it could also be used for the DPOU as a user friendly method and at the same time avoid disturbing the DPOO. respiratory rate. EBAD will be located remotely from the DPOU. In case of a DPOU. voice recognition. local security centers. The features should exist only in a living and unharmed body. the requirements for the natural unique feature could be satisfied by EyeMovement biometrics supported through an Iris scan. Analysis of information from multiple sources will make it hard to mislead an authentication system. and another carried by the DPOO. Similarly. hence making the possibility of falsifying authentication extremely unlikely. the DPOO should have the opportunity to signal for help when help is required. presence and the amount of diaphoresis. We all subconsciously judge others by interpreting the look in their eyes. brain waves. All these could be done by computer through camera based techniques in addition to Iris authentication. connection to external security network.measurements such as heart rate. for control purpose. a person should not be able to consciously control the involuntary features that are being monitored. One remote. We all heard the phrase “the eyes are the windows to the soul”. like fingerprints. we need two types of devices. But the PA infrastructure should also include other remote identification devices ( face recognition. and therefore cannot be used as Permanent Authentication (PA) devices. a covert glance. As well. BAN is an infrastructure in / on the DPOO and it is supposed to be part of the PA infrastructure. It seems that the “IEEE 802. A person under duress would not have the same configuration or dynamic parameters as the eyes of the same person who is not under duress. and etc. a connection to the DPOO's state of health allows the security personnel to assert a conclusion about the level of DPOO's responsibility. but also requires the following New infrastructure. Human eyes always move even when we sleep. Other remote identification devices. and external security centers (up to a countrywide level). Eye-Movements / Iris authentication should be supported by BAN devices in case of DPOO's Authentication. this information should be used as supplementary information only because BAN devices can be separated from the DPOO body. However. Hence. . People could recognize a drunk man’s gaze. security centers.

“Panic as pilot goes insane at 30. This requirement necessitates a Directory service. Andrei Mihaila and Pasi Fränti http://www. Eye movement and Direction and How it Can Reveal the Truth or a Lie” http://www.An unified data structure to support an exchange of information between security centers. Literature and Links 1. which will lead technical issues. political issues. So the current question is whether this idea worth the creation of a new Task Group? 4.Biometric identification and authentication method. “Eye-Movements as a Biometric” Roman Bednarik. Tomi Kinnunen. 2.springerlink.html . and national / international law-related issues (especially in the field of Privacy laws).uk/news/top-stories/2008/01/31/panic-as-pilot-goes-insane-at-30-000fton-london-bound-flight-89520-20303911/ IEEE 802.15 WPAN™ Task Group 6 Body Area Networks (BAN) “Eye Direction and Lying. 5. 3.blifaloo.000ft on London-bound flight” http://www.php US Patent 7346195 Rise of international anti-terror efforts will lead to some sort of communication between national security centers. International efforts.ieee802.