Thèses sur le sujet « Personal Authentication »

Thesis (M. Phil.)--Hong Kong University of Science and Technology, 2003.
Includes bibliographical references (leaves 104-109). Also available in electronic version. Access restricted to campus users.

Confidential electronic services such as chat, e-commerce and banking services should be accessible by their clients at any time and from anywhere. This sets new requirements for a cheap, usable, and safe authentication mechanism. Knowledge-based authentication, such as the use of passwords, is relatively convenient, easy and cheap to implement. However, it suffers from memorability problems that lead to insecure behaviour such as users writing down passwords, or choosing guessable passwords. The best techniques that build on the how the human memory operates use personal information and images. However, these techniques are also more vulnerable to guessability (De-Angeli et al. 2005)attacks especially by friends and family.

This thesis describes two proposed schemes that could be used to secure mobile messaging (SMS/MMS) as well as one scheme that could be used to secure mobile content. The security services we considered in securing the mobile messages are confidentiality, authentication, non-repudiation and integrity. We used Identity Based Cryptography in order to secure the mobile messaging and Blowfish algorithm to secure the mobile content. Due to some of the disadvantages imposed by the Identity Based Cryptography, we recommended using it along with the RSA algorithm. The proposed schemes were implemented in java and tested on an actual device, Nokia N70. In addition, we measured the time required by each of the algorithms we used to encrypt/decrypt a certain number of bytes. We found that the time taken by RSA and Blowfish algorithms will not be noticeable by the user. However, since the implementation of the Identity Based Cryptography we used was not meant to run on mobile devices, we encountered a noticeable delay whenever encrypting/decrypting the data using this algorithm. Securing the SMS messages will make it to be considered as one of the proposed means that could be used to conduct m-commerce. In addition, securing the MMS messages and the mobile content will increase the usability and the reliability of the mobile phones especially to the users on the move.
Phone: +46735731360

Mobile personal devices with USB communication capabilities are essential elements of our modern lives. Their large-scale pervasive deployment within the population has promoted many malware attacks some of which are capable of infiltrating physically isolated critical control systems. This research investigates mobile malware capable of infecting and spreading through a system with heterogeneous computing, communication and storage components. Two novel prevention methods are presented: user accountability and system immunity. While the former uses a novel intrusive USB authentication, authorization and accounting solution, the latter exploits coding theory to make the system immune and allergic to the malware behaviour.

Online examinations are an integral component of many online learning environments and a high-stake process for students, teachers and educational institutions. They are the target of many security threats, including intrusion by hackers and collusion. Collu-sion happens when a student invites a third party to impersonate him/her in an online test, or to abet with the exam questions. This research proposed a profile-based chal-lenge question approach to create and consolidate a student's profile during the learning process, to be used for authentication in the examination process. The pro-posed method was investigated in six research studies using a usability test method and a risk-based security assessment method, in order to investigate usability attributes and security threats. The findings of the studies revealed that text-based questions are prone to usability issues such as ambiguity, syntactic variation, and spelling mistakes. The results of a usability analysis suggested that image-based questions are more usable than text-based questions (p < 0.01). The findings identified that dynamic profile questions are more efficient and effective than text-based and image-based questions (p < 0.01). Since text-based questions are associated with an individual's personal information, they are prone to being shared with impersonators. An increase in the numbers of chal-lenge questions being shared showed a significant linear trend (p < 0.01) and increased the success of an impersonation attack. An increase in the database size decreased the success of an impersonation attack with a significant linear trend (p < 0.01). The security analysis of dynamic profile questions revealed that an impersonation attack was not successful when a student shared credentials using email asynchronously. However, a similar attack was successful when a student and impersonator shared information in real time using mobile phones. The response time in this attack was significantly different when a genuine student responded to his challenge questions (p < 0.01). The security analysis revealed that the use of dynamic profile questions in a proctored exam can influence impersonation and abetting. This view was supported by online programme tutors in a focus group study.

The issue of traditional user authentication methods, such as username/passwords, when accessing information systems, the Internet, and Web-based applications still pose significant vulnerabilities. The problem of user authentication including physical and logical access appears to have limited, if any, coverage in research from the perspective of biometric as ‘something the user knows.’ Previous methods of establishing ones’ identity by using a password, or presenting a token or identification (ID) card are vulnerable to circumvention by misplacement or unauthorized sharing. The need for reliable user authentication techniques has increased in the wake of heightened concerns about information security and rapid advancements in networking, communication, and mobility. The main goal of this research study was to examine the role of the authentication method (BIO-PIN™ or username/password) and time, on the effectiveness of authentication, as well as the users’ ability to remember the BIO-PIN™ versus username/password (UN/PW). Moreover, this study compared the BIO-PIN™ with a traditional multi-factor biometric authentication using multiple fingerprints (without sequence) and a numerical PIN sequence (noted as "BIO+PIN"). Additionally, this research study examined the authentication methods when controlled for age, gender, user’s computer experience, and number of accounts. This study used a quasi-experimental multiple baseline design method to evaluate the effectiveness of the BIO-PIN™ authentication method. The independent, dependent, and control variables were addressed using descriptive statistics and Multivariate Analysis of Variance (MANOVA) statistical analysis to compare the BIO-PIN™, the BIO+PIN, and UN/PW authentication methods for research questions (RQs) 1 and 2. Additionally, the Multivariate Analysis of Covariance (MANCOVA) was used to address RQ 3 and RQ4, which seeks to test any differences when controlled by age, gender, user experience, and number of accounts. This research study was conducted over a 10-week period with participant engagement occurring over time including a registration week and in intervals of 2 weeks, 3 weeks, and 5 weeks. This study advances the current research in multi-factor biometric authentication and increases the body of knowledge regarding users’ ability to remember industry standard UN/PWs, the BIO-PIN™ sequence, and traditional BIO+PIN.

Over the course of history, different means of object and person identification as well as verification have evolved for user authentication. In recent years, a new concern has emerged regarding the accuracy of verifiable authentication and protection of personal identifying information (PII), because previous misuses have resulted in significant financial loss. Such losses have escalated more noticeably because of human identity-theft incidents due to breaches of PII within multiple public-access environments. Although the use of various biometric and radio frequency identification (RFID) technologies is expanding, resistance to using these technologies for user authentication remains an issue. This study addressed the effect of individuals’ perceptions on their resistance to using multi-method authentication systems (RMS) in public-access environments and uncovered key constructs that may significantly contribute to such resistance. This study was a predictive study to assess the contributions of individuals’ perceptions of the importance of organizational protection of their PII, noted as Perceived Value of Organizational Protection of PII (PVOP), authentication complexity (AC), and invasion of privacy (IOP) on their resistance to using multi-method authentication systems (RMS) in public-access environments. Moreover, this study also investigated if there were any significant differences on the aforementioned constructs based on age, gender, prior experience with identity theft, and acquaintance experience with identity theft. As part of this study, a rollout project was implemented of multi-factor biometric and RFID technologies for system authentication prior to electronic-commerce (e-commerce) use in public-access environments. The experimental group experienced the multi-factor authentication and also was trained on its use. Computer users (faculty & students) from a small, private university participated in the study to determine their level of PVOP, IOP, and AC on their resistance to using the technology in public-access environments. Multiple Linear Regression (MLR) was used to formulate a model and test predictive power along with the significance of the contribution of the aforementioned constructs on RMS. The results show that all construct measures demonstrated very high reliability. The results also indicate that the experimental group of the multi-factor authentication had lower resistance than the control group that didn’t use the technology. The mean increases indicate an overall statistically significant difference between the experimental and control groups overall. The results also demonstrate that students and participants’ increased levels of education indicate an overall statistically significant decrease in resistance. The findings demonstrate that overall computer authentication training do provide added value in the context of measuring resistance to using newer multi-method authentication technology.

It is very probable that VoIP will soon replace the ordinary telephone. Beside all advantages of the digital voice-connection it is linked to the danger of spam on the telephone. A lot of approaches have been developed to solve the problem of VoIP spam. Because some of these solutions are based on access to personal information of its users, a broad discussion about the best and most ethical approach has started.

This thesis analyzes the users’ point of view towards the VoIP spam problem and the extent of users’ willingness to offer private information in order to avoid VoIP spam. It presents results from a qualitative and a quantitative research as well as approaches for a most realistic- and most promising VoIP solution. These new approaches are based on the results of the research.

The main points of the results showed that users were not willing to offer private information to companies and that they were not willing to pay any amount of money for VoIP spam solutions. Users held governmental organisations and telephone operators responsible for finding a solution against VoIP spam.

The enormous growth of the Internet and the World Wide Web has provided the opportunity for an enterprise to extend its boundaries in the global business environment. While commercial functions can be shared among a variety of strategic allies - including business partners and customers, extranets appear to be the cost-effective solution to providing global connectivity for different user groups. Because extranets allow third-party users into corporate networks, they need to be extremely secure and external access needs to be highly controllable. Access control and authorisation mechanisms must be in place to regulate user access to information/resources in a manner that is consistent with the current set of policies and practices both at intra-organisational and cross-organisational levels. In the business-to-customer (B2C) e-commerce setting, a service provider faces a wide spectrum of new customers, who may not have pre-existing relationships established. Thus the authorisation problem is particularly complex. In this thesis, a new authorisation scheme is proposed to facilitate the service provider to establish trust with potential customers, grant access privileges to legitimate users and enforce access control in a diversified commercial environment. Four modules with a number of innovative components and mechanisms suitable for distributed authorisation on extranets are developed: * One-shot Authorisation Module - One-shot authorisation token is designed as a flexible and secure credential for access control enforcement in client/server systems; * Token-Based Trust Establishment Module - Trust token is proposed for server-centric trust establishment in virtual enterprise environment. * User-Centric Anonymous Authorisation Module - One-task authorisation key and anonymous attribute certificate are developed for anonymous authorisation in a multi-organisational setting; * Agent-Based Privilege Negotiation Module - Privilege negotiation agents are proposed to provide dynamic authorisation services with secure client agent environment for hosting these agents on user's platform

The enormous growth of the Internet and the World Wide Web has provided the opportunity for an enterprise to extend its boundaries in the global business environment. While commercial functions can be shared among a variety of strategic allies - including business partners and customers, extranets appear to be the cost-effective solution to providing global connectivity for different user groups. Because extranets allow third-party users into corporate networks, they need to be extremely secure and external access needs to be highly controllable. Access control and authorisation mechanisms must be in place to regulate user access to information/resources in a manner that is consistent with the current set of policies and practices both at intra-organisational and cross-organisational levels. In the business-to-customer (B2C) e-commerce setting, a service provider faces a wide spectrum of new customers, who may not have pre-existing relationships established. Thus the authorisation problem is particularly complex. In this thesis, a new authorisation scheme is proposed to facilitate the service provider to establish trust with potential customers, grant access privileges to legitimate users and enforce access control in a diversified commercial environment. Four modules with a number of innovative components and mechanisms suitable for distributed authorisation on extranets are developed: * One-shot Authorisation Module - One-shot authorisation token is designed as a flexible and secure credential for access control enforcement in client/server systems; * Token-Based Trust Establishment Module - Trust token is proposed for server-centric trust establishment in virtual enterprise environment. * User-Centric Anonymous Authorisation Module - One-task authorisation key and anonymous attribute certificate are developed for anonymous authorisation in a multi-organisational setting; * Agent-Based Privilege Negotiation Module - Privilege negotiation agents are proposed to provide dynamic authorisation services with secure client agent environment for hosting these agents on user's platform

Cheng Po Sum.
Thesis submitted in: July 2003.
Thesis (M.Phil.)--Chinese University of Hong Kong, 2004.
Includes bibliographical references (leaves 64-67).
Abstracts in English and Chinese.
List of Figures --- p.i
List of Tables --- p.iii
Acknowledgments --- p.iv
摘要 --- p.v
Thesis Abstract --- p.vi
Chapter 1. --- Mobile Commerce --- p.1
Chapter 1.1 --- Introduction to Mobile Commerce --- p.1
Chapter 1.2 --- Mobile commence payment systems --- p.2
Chapter 1.3 --- Security in mobile commerce --- p.5
Chapter 2. --- Mobile authentication using Fingerprint --- p.10
Chapter 2.1 --- Authentication basics --- p.10
Chapter 2.2 --- Fingerprint basics --- p.12
Chapter 2.3 --- Fingerprint authentication using mobile device --- p.15
Chapter 3. --- Design of Mobile Fingerprint Authentication Device --- p.19
Chapter 3.1 --- Objectives --- p.19
Chapter 3.2 --- Hardware and software design --- p.21
Chapter 3.2.1 --- Choice of hardware platform --- p.21
Chapter 3.3 --- Experiments --- p.25
Chapter 3.3.1 --- Design methodology I - DSP --- p.25
Chapter 3.3.1.1 --- Hardware platform --- p.25
Chapter 3.3.1.2 --- Software platform --- p.26
Chapter 3.3.1.3 --- Implementation --- p.26
Chapter 3.3.1.4 --- Experiment and result --- p.27
Chapter 3.3.2 --- Design methodology II ´ؤ SoC --- p.28
Chapter 3.3.2.1 --- Hardware components --- p.28
Chapter 3.3.2.2 --- Software components --- p.29
Chapter 3.3.2.3 --- Implementation Department of Computer Science and Engineering --- p.29
Chapter 3.3.2.4 --- Experiment and result --- p.30
Chapter 3.4 --- Observation --- p.30
Chapter 4. --- Implementation of the Device --- p.31
Chapter 4.1 --- Choice of platforms --- p.31
Chapter 4.2 --- Implementation Details --- p.31
Chapter 4.2.1 --- Hardware implementation --- p.31
Chapter 4.2.1.1 --- Atmel FingerChip --- p.32
Chapter 4.2.1.2 --- Gemplus smart card and reader --- p.33
Chapter 4.2.2 --- Software implementation --- p.33
Chapter 4.2.2.1 --- Operating System --- p.33
Chapter 4.2.2.2 --- File System --- p.33
Chapter 4.2.2.3 --- Device Driver --- p.35
Chapter 4.2.2.4 --- Smart card --- p.38
Chapter 4.2.2.5 --- Fingerprint software --- p.41
Chapter 4.2.2.6 --- Graphical user interface --- p.41
Chapter 4.3 --- Results and observations --- p.44
Chapter 5. --- An Application Example 一 A Penalty Ticket Payment System (PTPS) --- p.47
Chapter 5.1 --- Requirement --- p.47
Chapter 5.2 --- Design Principles --- p.48
Chapter 5.3 --- Implementation --- p.52
Chapter 5.4 --- Results and Observation --- p.57
Chapter 6. --- Conclusions and future work --- p.62
Chapter 7. --- References --- p.64

碩士
朝陽科技大學
資訊工程系碩士班
94
Personal password authentication is an important techanics on the information environment which is rife with fraudulent e-mails, imitation web pages, dictionary attacks, and spywares. Recently, the pattern recognition with keystroke biometric has great improvement, which includes the minimum distance, statistic, neural network, fuzzy control , and parallel decision tree. In this paper, we propose a process by the control chart of the quality control that can be a judgment of key in action whether it is steady state or not, and a method of recognizing the patterns. It overcomes higher variation of keystroke, and it also avoids a large number of training patterns and retraining the system when new member added. The result shows that it can really promote the security of the computer, and reduce the complication of operations and excessive training patterns. It also resolves the features extraction problem, furthermore, it makes a foundation for inquiring into a dynamic state, big unit system and the keystroke recognition of non specific keyboards.

碩士
國立交通大學
資訊科學與工程研究所
96
Document security is now an important issue on personal computer. According to the statistics show[25], as high as 92% of end-users are using Microsoft Windows operating system of the world. In which, 90% of users will not encrypt to protect their confidential documents in their computers. More than 80% of security threats are issued from internal of company[20]. If the attacker, who think to steal data, can obtain the computer entity, all unencrypted documents are exposed. The user will not encrypt his confidential documents because he thinks it needs more complex procedure to encrypt them manually, or does not understand the importance of encryption protection. In view of this, in this paper, we propose a software system: SecCap, which is based on NTFS file system, Windows user and key management. SecCap authenticates the user by smartcard, and automatically encrypts the confidential documents with acceptable overhead. This is the main hope to solve above problem, so that users can more easily reach to goal of personal document security.

碩士
國立中興大學
資訊科學與工程學系所
97
In this report, we proposed energy factors method analyzes the iris information to distribute and to apply on individual identity confirmation system. When image pre-processing, we obtain iris region information and normalized to a fixed measurable region, after standardization, will carry out second-order wavelet transform and remove non-prominent features. This process will then allow us to carry on re-distribution work and transform these regions to energy factors state. Calculation will be performed on each region’s energy charact-eristic, and this region’s energy content will then be characterized as iris’s finger prints. Utilize these energy characteristics to produce a group of revolving gene. Revolving gene can then be used to compare and make the necessary adjustments. The differences in energy characteristics between two irises can also be used to gauge the similarity of the two. Dual threshold standard can then be applied to examine whether irises fall into the same category. In this report, we carried out system testing on 108 groups and for the total of 756 iris images tested, the proposed method have the success rate of 98.02% in iris identification and equal error rate of 11.69%. In the case of FAR=0 also resulted in low FRR value of 22.97. Hence, this validated our proposed method of using energy factors expressed in iris texture region distributed information. As the result, this process proves to be highly efficient in recognition rate and also under the high security requirements situation.

ABSTRACT Biometric authentication systems have been used since decades. Palmprint and finger knuckle prints are two such modalities that are universal and possess uniqueness. A variety of algorithms are available to extract features from these modalities and do the authentication process. In this report, use of a machine learning, unsupervised Hidden Markov Model algorithm is proposed to classify the users into genuine and imposter classes. In the following report, a multimodal system using palmprint and finger knuckle print has been proposed using a combination of Harris Corner Detector; SIFT descriptors and Continuous Density Hidden Markov Model (CDHMM). Here the states defining the origination of the observation feature vectors are hidden. The features are extracted using Harris Corner Detector and are described using Scale Invariant Feature Descriptor (SIFT). An approach is proposed to do the authentication at feature level as well as at score level. The log-likelihood computed by HMM and the parameters are maximised by Expectation-Maximization Algorithm. An iterative approach is used to increase the authentication rates and to get the correct number of states in each Hidden Markov Model of each user at feature level and for genuine and imposter classes at score level. The various fusion methods at score level are experimented for the PolyU, IITD palmprint and PolyU finger knuckle print database. The authentication rates obtained are as high as 99% GAR at 0.01 FAR for PolyU palmprint database that are comparable to other methods of authentication at score level. The highest GAR was recorded using SUM fusion rule. The authentication rates are high for feature level authentication as well for both knuckle prints and palmprints. GAR was recorded as high as 97% for right middle knuckle finger print at 0.01 FAR.

ABSTRACT In this work, different approaches like Gaussian Mixture Models (GMM) and Support Vector Machine (SVM) have been investigated for multimodal biometric authentication. There are various schemes for multimodal fusion like normalization techniques, classifier based approaches and density evaluation approaches. Finite mixture models like GMM have been used for multimodal biometric systems and which produces significantly good results on multimodal databases. Multimodal databases can be constituted of multiple instances of same biometric trait or can be obtained from various matching algorithms which determine the scores of genuine and imposter classes. The experiments have been performed on palmprint, knuckleprint and iris databases. Different feature extraction techniques like Gabor-Scale Invariant Feature Transform (SIFT), Gabor-Harris and Gabor-HOG has been used for feature extraction in palmprint and knuckleprint databases. These techniques work significantly well for both constrained(IITD) and unconstrained(PolyU) databases which are used in the work and produce efficient results for performance measures as compared to the prior techniques like line based approaches, texture based and appearance based approaches. GMM has been used for classification from the scores generated by these feature extraction techniques. The parameters evaluation for the GMM technique has been evaluated using Expectation-Maximization (EM) algorithm. Maximum Likelihood Estimation (MLE) further improvises the results of GMM. SVM which is active learning methods also results in good results for palm and knuckle database and gives optimal performance. The results show that these techniques are quite robust for multimodal authentication schemes.

碩士
東海大學
資訊管理學系
106
Patient-centered personal health record systems are promoted in past years, aiming to permanently record personal physiological conditions and health improvement plans. The combination with a mature physiological sensing device could establish personal health record system in the Internet of Things environment to rapidly collect personal information which is transmitted to the back-end for reservation and future access. Nevertheless, the transmission of information is opener under the Internet of Things environment. In comparison with past routes, the identity can be more easily stolen or data are intercepted in the transmission process to further steal patients’ medical records and relevant data of medical institutions and health care personnel. Without an effective security mechanism, the users would not trust such a structure to largely affect the use of the system as well as the promotion and quality of long-term health plans. To protect users’ important privacy from hostile attack and even stealing, the owners should have complete authority to manage personal health records and authorize other users. Such a secure identity authentication mechanism could guarantee that merely legal users could log in the system to acquire the system service resources. Aiming at personal health record system under Internet to Things environment, a user identity authentication mechanism with security and privacy allows medical personnel permanently retrieving the user’s health information and assisting in long-term health care plans. With double authentication mechanisms of password and exclusive smart card, the mechanism allows the owners and the authorized users logging in the system and accessing relevant personal records. The use of cryptosystem based on bilinear pairing for two-way user identity authentication could effectively prevent from hostile invasion and stealing behaviors.

With the progress achieved to this date in mobile computing technologies, mobile devices are increasingly being used to store sensitive data and perform security-critical transactions and services. However, the protection available on these devices is still lagging behind. The primary and often only protection mechanism in these devices is authentication using a password or a PIN. Passwords are notoriously known to be a weak authentication mechanism, no matter how complex the underlying format is. Mobile authentication can be strengthened by extracting and analyzing keystroke dynamic biometric from supplied passwords. In this thesis, I identified gaps in the literature, and investigated new models and mechanisms to improve accuracy, usability and resilience against statistical forgeries for mobile keystroke dynamic biometric authentication. Accuracy is investigated through cost sensitive learning and sampling, and by comparing the strength of different classifiers. Usability is improved by introducing a new approach for typo handling in the authentication model. Resilience against statistical attacks is achieved by introducing a new multimodal approach combining fixed and variable keystroke dynamic biometric passwords, in which two different fusion models are studied. Experimental evaluation using several datasets, some publicly available and others collected locally, yielded encouraging performance results in terms of accuracy, usability, and resistance against statistical attacks.
Graduate
2019-09-25

碩士
國立中央大學
資訊工程學系碩士在職專班
93
Phonemes are the basic acoustic elements of a language, and the visemes are the lip shapes of a word while speaking. Since the uttering characteristic/manner is unique to each individual [8] [9], a personal authentication system can fully make use of the biometric information. The biometric uttering features include lip visual features [1-3], visemes [4], and phonemes [4] of an individual. In this thesis, we propose an effectively web-based personal authentication system by utilizing filter model with biometric uttering features in Chinese, that is a user equipped with a web camera can register and log in the system later by the registered biometric uttering features. In our work, we compare and analyze these biometric features, then build 2 GMM classifier, and finally fuse the outputs to a personal authentication system. The consideration of system scalability and networking bandwidth may more or less sacrifice the recognition rate. However, experiments results shows that the proposed system can handle data stream of personal frontal view in 320*240 pixels with 30*15 pixels of lip in reasonable response time and satisfactory recognition rate above 80% can be achieved.

碩士
國立彰化師範大學
數學系所
101
Internet brings people lots of conveniences, but it provides a mode which can spread virus of computer easily and quickly. There are some problems can be showed; for example, people cannot identify personal details to each other accurately on Internet. Also, username as well as password are easily cracked or embezzled. Therefore, cybercrime is highly increased. Recently, some scholars draw keystroke dynamics on free text identification; some relevant researches show that the keystroke dynamics can really improve the accuracy of personal authentication in free text. In order to improve the accuracy of personal authentication in free text, this study proposes a new biometrics referred to KC-Map (Keystroke Clusters Map) by clustering users’ keystrokes. Because KC-Map is the results of clustering, the user’s keystrokes have been non-informed. Therefore, KC-Map is not suitable for the traditional statistical classifier, which is used for authentication. In order to solve this problem, the study also proposes a KCMS classifier (Keystroke Clusters Map Similarity Classifier). Experimental results show that combination of KC-Map and KCMS classifier can improve the accuracy of personal authentication in free text with up to 1.27 times. In addition, there is a big problem on the current free text identification that users are required to be trained for several months. Long training time makes free text identification impractical. Another motivation of this study is to explore if it is possible to shorten the training time in an acceptable range. Experimental results show that users need to carry out only about 20 minutes for training to achieve a good identification accuracy.

Szybki rozwój handlu elektronicznego, w szczególności z udziałem usług bankowości świadczonych online wymaga silnych narzędzi uwierzytelniania w celu weryfikacji stron transakcji. Obecnie fizyczna obecność stron umowy i/lub transakcji nie jest już niezbędna. Dlatego też proces uwierzytelniania klienta w sposób elektroniczny jest kluczowy dla potwierdzenia tożsamości klienta i autoryzacji. Stosowanie typowych haseł, kodów PIN lub tokenów nie wydaje się być skutecznym narzędziem dla transakcji o wysokiej wartości. Dane biometryczne pozwalają zweryfikować lub zidentyfikować oraz uwierzytelnić osobę na podstawie zestawu jej unikalnych cech. Dzięki wykorzystaniu cech o charakterze fizycznym lub behawioralnym tworzony jest wzorzec biometryczny, który może być wykorzystany jako referencja dla przyszłych pomiarów cech biometrycznych. Wzorzec biometryczny może być przechowywany w centralnej bazie danych i/lub karcie mikroprocesorowej, np. karcie płatniczej. Dane biometryczne są następnie wykorzystywane w procesie porównywania danych konkretnej osoby z utworzonym dla nich wzorcem biometrycznym w celu określenia ich podobieństwa. Przedmiot rozprawy doktorskiej „Prawne aspekty bankowości biometrycznej” dotyczy analizy przepisów prawa mających zastosowanie do stosowania danych biometrycznych w sektorze bankowym. Po wprowadzeniu, praca została podzielona na cztery rozdziały, tj. (I) Bankowość biometryczna; (ii) Charakter prawny danych biometrycznych; (iii) Aksjologiczne podstawy stosowania danych biometrycznych przez bank; (iv) Ewolucja ograniczeń wykorzystania danych biometrycznych. Celem pracy doktorskiej jest udzielenie odpowiedzi na pytanie czy prawo polskie reguluje bankowość biometryczną adekwatnie dla rozwoju systemów biometrycznych w bankach. Rozprawa doktorska obejmuje naukowe opracowanie dotyczące regulacji odnoszących się do uprawnionego wykorzystywania danych biometrycznych przez banki. Wskazuje warunki prawne, ryzyka, ocenę kryteriów odnoszących się do tożsamości klienta banku, jak również autoryzacji operacji bankowych. Rozważania prawne obejmują następujące regulacje: (i) Konstytucję RP; (ii) RODO; (iii) PSD II; (iv) Prawo bankowe; (v) Kodeks pracy. Oprócz ustawowych przepisów prawa, rozprawa uwzględnia „soft law” mające zastosowanie do sektora bankowego, a także zasady wynikające z orzecznictwa sądowego konieczne dla oceny ewolucji ograniczeń rozwoju rozwiązań biometrycznych. Przeprowadzone badania naukowe pozwalają stwierdzić, że przepisy prawa polskiego pod wpływem zmian wynikających z przepisów prawa UE zostały uzupełnione i coraz bardziej nadążają za potrzebami i statusem rozwoju bankowości biometrycznej. Pomimo właściwego kierunku zmian, regulacje dotyczące bankowości biometrycznej nie są kompleksowe. Ponadto analiza przeprowadzona w dysertacji potwierdziła, że ze względu na fakt, iż bank jest podmiotem zaufania publicznego pełniącym istotną funkcję publiczną w zapewnianiu bezpieczeństwa powierzonych mu depozytów, efektywność metod uwierzytelniania ma znaczący wpływ na bezpieczeństwo depozytów, dlatego w sektorze bankowym istnieje aksjologiczne i systemowe uzasadnienie dla wykorzystywania danych biometrycznych.
The rapid development of e-commerce, in particular banking online services requires strong authentication tools to verify the parties to the transaction. Physical presence of the parties to the agreement and/or transaction is no longer needed. That is why the client’s digital authentication is a crucial process for user’s identity and authorisation confirmation. Using typical password, PIN or token seems to be not efficient tool in particular for high value transactions. Biometric data allow a person to be verified and/or identified and authenticated based on a set of unique data that are specific to each individual person. Based on the physical and/or behavioral individual characteristics the biometric template is created that can be used as a reference for future measurement of people’s data. The template may be stored in central database and/or a smart card, e.g. payment card. Biometrics are used in the process of comparing data being the person's characteristics to that person's biometric "template" in order to determine resemblance. The subject matter of the doctoral dissertation “Legal aspects of biometrics in banking sector” concerns the analysis of the law applicable to usage of biometric data in banking sector. After introduction, the thesis is divided into four chapters, i.e. (i) Description of banking biometric; (ii) Legal nature of biometric data; (iii) Axiological basis for using biometric data by the bank; (iv) Evolution of limits for the use of biometric data. The aim of the work is to answer the question whether Polish law regulates biometric banking in a manner adequate to the development of biometric systems in the banks. The dissertation covers the scientific discussion in the light of current regulations regarding legitimate usage biometric data by banks. There are specified legal conditions, risks and evaluation criteria for the authentication of the client's bank’s employee identity as well as the authorization of banking operations. The legal analysis is focused on the following regulations: (i) The Constitution of the Republic of Poland (ii) The General Data Protection Regulation; (iii) The Payment Services Directive II (iv) Polish Banking Law (v) The Labour Code. Apart from the statutory provisions of the law, the thesis relates to applicable “soft law” regulations applicable to the banking sector, as well as rules resulting from the Court's case-law, needed for the purpose of assessing evolution of the barriers for the development of the biometric solutions. The conducted research allows you to state that the Polish law under the influence of changes resulting from the provisions of EU law has been supplemented by regulations that are more and more able to keep up with the current needs and the state of biometric banking development. Despite the proper direction of changes in legal norms, the regulations concerning biometrics in banking are not comprehensive. In addition, the analysis carried out in the dissertation proved that due to the fact that the bank is a public trust entity pursuing an important public interest in ensuring the security of the funds entrusted to it, the effectiveness of authentication methods has a significant impact on the security of deposits, therefore in this sector there is a strong axiological and systemic justification for the use of biometric data.