BIOMETRIC TECHNOLOGY
Fingerprint Identification Technology
Fingerprint-IT has an experienced and talented staff complement that has developed and sourced the world’s leading biometric hardware and software products. Security is orders of magnitude greater when using biometric authentication, and we have a tailored solution for most applications, including Time and Attendance, Access Control, Credit Authentication and payment, Prison population control, Guard tracking, and Network and Internet access security. Fingerprint-IT has offices in South Africa, North America and Zambia.
Company ownership
The company is privately owned by management who are:
Bryan Kimmel – MCSE, CNE, C.N.A
21 years’ experience running his own IT consultancy in the UK, Europe, the US and Africa. 12 years’ experience managing worldwide networks for major multinational companies including BP, DaimlerChrysler and Discovery Channel. Bryan has a comprehensive knowledge of the corporate I.T. situation worldwide. He has consistently led successful and seamless new technology rollouts for companies with international reach. Bryan provides a much-needed overview of the state of the industry as well as experience of international I.T. issues and trends at a level that few people in the world share. Bryan is the CEO of Fingerprint-IT.
Warren Kimmel – B.Bus.Sci (hons). Marketing, Economics (UCT)
Warren has 17 years’ experience in marketing in a number of fields, from property to I.T. to the arts. He has formulated and implemented the marketing strategies for a number of companies in the UK, Canada and South Africa. Warren is Vice President for marketing for the company and is the founder and CEO of the North American office. Warren’s key knowledge of property development and finance has been an invaluable asset to the company. Under Warren’s management, the North American office has deployed the biggest residential biometric installation in Vancouver to date.
Gary Kimmel – MCSE
12 years’ experience at all levels of IT for companies in Canada and South Africa, including his current position at Microsoft Toronto. Founder and MD of Promax and Open House Computing. Gary has extensive experience both in I.T. and in running his own companies. He is aware of the avoidable pitfalls that accompany the founding and growing of a technology company in a fast-moving field. He is Chief Technology Consultant for the company and has ensured that we have survived and thrived while many of our competitors are no longer around.
Using Biometrics In The Global War on Terrorism
John D. Woodward, Jr., Director, Department of Defense Biometrics Management Office. West Virginia University Biometric Studies Program, April 7, 2005
Muhammad al Kahtani
- Kahtani is captured in SW Asia in Dec 2001.
- Fingerprints matched to a foreigner denied U.S. entry in Aug 2001 at the Orlando, FL airport.
- Subsequent investigation indicates 9/11 hijacker Muhammad Atta was at the Orlando Airport at the same time.
- The operative likely intended to round out the team for [Flight 93] – The 9/11 Commission Report
Importance of interoperable biometric data is undeniable
Agenda
Background / DoD Biometrics Organization
- Identity Management Challenge
- Power of Biometric Data: Case Study
- Current Focus on the Global War on Terrorism
- Way Ahead: Identity Dominance
Biometrics
- Automated
- Measurable
- Physiological and/or behavioral characteristics
That can be used to:
Verify the identity of an individual (1:1)
Identify an individual (1:N)
Latest Biometric Research
Rejected Biometric Technologies
Trivia Question
The FBI’s Integrated Automated Fingerprint Identification System (IAFIS) Criminal Master File has the fingerprint records of how many individuals?
DoD Biometrics Organization
Identity Management Challenge
Requirement: Force Protection, Actionable Intelligence, Law Enforcement
Bottom-line:
Using only names and official documents
- We don’t know
- We won’t know in the future.
Paradigm Shift: We must leverage the power of biometric data.
Case Study: FBI “Hits” on Detainee Fingerprints
Based on fingerprint data taken to the internationally accepted standard, the FBI identified 64 military detainees (45 captured in Iraq; 19 in Southwest Asia) as having previous arrest records.
- 47 hits from U.S.
- 10 hits from Germany
- 7 hits from other allied countries
- 64 total hits
The Standard — Ten Print Card
Once collected, fingerprint data is forever valuable for counter-terrorism work. U.S. military is dealing with detainees who have criminal records in the U.S. dating back 27 years.
Case Study: Identification to Support the Global War on Terrorism
In July, a Special Operations unit, the FBI Criminal Justice Information Services (CJIS) Division, and the DoD Biometrics Fusion Center (BFC) began a biometric data test.
On 21 July, Special Operations forces apprehended a terrorist suspect overseas:
Fingerprinted suspect
Requested search of suspect’s fingerprints against FBI Integrated Automated Fingerprint Identification System (IAFIS) and DoD BFC databases
BFC database consists of biometric data from detainees and other persons of interest (non-U.S. persons)
Data provided by Army G-2 and CENTCOM
No FBI match
BFC matched fingerprints to fingerprints of a former detainee released from U.S. military custody in Oct 03
Suspect remains in custody
Current Focus
DoD Automated Biometric Identification System Vision
Way Ahead – Identity Dominance
How does DoD establish Identity Dominance in the Global War On Terrorism?
- Using only names and “official documents”
- We don’t know.
- We won’t know in the future
How do we best link a person to his past acts and previously used identities?
- By searching biometric data against all relevant databases.
Summary
Case studies prove the power of biometric data for identification to aid counterterrorism efforts.
Biometrics can and will improve the ability to track and identify national security threats
Establishment of the DoD ABIS will allow U. S. military to leverage the power of biometric data
Taken from: Department of Defense
Biometrics: The future of security
What does the word “biometric” mean?
Biometrics is the science of using a person’s unique physiological characteristics to verify their identity. Or, in the official language of the U. S. Department of Homeland Security: “A measurable, physical characteristic or personal behavioral trait used to recognize the identity or verify the claimed identity [of a person].”
Biometrics measures:
- Face
- Fingerprints
- Hand geometry
- Handwriting
- Iris of the eye
- Retinal veins in the eye
- Voice
Why is biometrics being used?
Biometrics was being used to verify identity in a number of areas before the attacks on the United States on Sept. 11, 2001. After the attacks, the U.S. Congress passed the Enhanced Border Security and Visa Entry Act, which said all people entering the United States had to eventually use passports, visas and other travel documents that used “biometric identifiers recognized by domestic and international standards.”
At present, the United States uses digital fingerprints and photographs as part of its US-VISIT program for visitors who require visas. The face photograph will soon be used in conjunction with a “globally interoperable biometric” system of face recognition software that is being adopted by the International Civil Aviation Organization.
A number of large corporations and organizations, such as American Express and the New York Police Department use biometrics to confirm employee identification. Others such as Continental Airlines use biometrics for those employees who need access to secure areas.
The United States, the United Kingdom, Germany and the Netherlands are using biometric measures to help identify some immigrants and international visitors.
Canada uses biometrics in its CANPASS program for frequent travellers. More on that below.
What are the advantages and disadvantages of biometrics?
The U.S. Department of Homeland Security says digital fingerscans make the exit and entry system to the country more efficient. Before the finger scanning system was implemented, only names and biographical data were checked against databases of suspected terrorists or criminals. The fingerscans make it easier to compare identities with watch lists.
Homeland Security also says: “Biometric identifiers make it virtually impossible for anyone else to claim their identity should their travel documents be stolen or duplicated. Biometric identifiers will also reduce fraud and abuse of the [U.S.] immigration system.”
Privacy advocates are worried that biometrics and the databases that contain vast amounts of personal information will likely be used for purposes beyond simply screening for airport security and to enforce immigration laws and regulations.
As well, a conference in October 2003 sponsored by Citizenship and Immigration Canada warned: “Biometrics raises a number of additional concerns, including sovereignty, cultural values, and ethics.”
Where does Canada use biometrics?
CANPASS, used by Canada Customs, uses fingerscans to ease the flow of goods between the U.S. and Canada. Truck drivers have their fingerprints registered in order to pass through borders smoothly.
At major Canadian airports, members of CANPASS Air go to a kiosk where a digital camera captures an image of the eye. The system recognizes the iris as proof of the user’s identity and then “expedites passage through Customs and Immigration.”
The agency charges an annual fee of $50 for travellers who want faster customs service. The system is in place in Vancouver, Halifax, Toronto and Montreal, and is expected to arrive in Calgary, Winnipeg and Edmonton in 2005.
Frequent travellers to the U.S. from Canada have the option of using the joint Canada-U.S. NEXUS fast-track program to verify their identify and get through customs more quickly. The NEXUS iris scanners are in place at many border crossings on land and, beginning in November 2004, at Vancouver International Airport.
In October 2003, Citizenship and Immigration Canada sponsored a conference to decide how biometrics could be used in this country in the future.
The then minister of citizenship and immigration, Denis Coderre, had proposed that Canada implement a national identity card using biometric measurements. The controversial proposal was debated at the conference but so far the issue has not been a priority for the government of Prime Minister Paul Martin.
While U.S. law says that passports for those entering the country after October 2004 must contain biometric identifiers, the Canadian government has, so far, not included biometrics on the Canadian passport, although it has upgraded the security features of the passport.
Fingerprint
The most widely used biometric technology uses fingerprints.
Fingerprint scanners measure the unique, complex swirls on a person’s fingertip. They can even accommodate cuts. The swirls are characterized and produced as a template.
However, if a previous user has left an oily imprint on the scanner, or the finger isn’t placed in the right position, a false rejection may occur.
At least four counties in California, including Los Angeles, use fingerprint technology to reduce welfare fraud. Spain uses it for its social security card and it’s soon to be expanded for use in handing out pension, unemployment and health benefits.
Hand/Palm Geometry
The system maps key features of the topography of a person’s hand, measuring all the creases on the palm. This is more expensive and considered less accurate than other biometrics.
A recent creation by LiveGrip analyses the veins, arteries and fatty tissues of the hand. Sixteen scans are taken and a template of the individual’s hand is stored.
The U.S. Federal Bureau of Prisons uses hand geometry to track movements of its prisoners, staff and visitors within prisons. Once people enter the system, they must have their hands scanned. The information is put in a database and each person is issued a magnetic swipe card that must be carried at all times.
Prisoners are enrolled for access control to places such as the cafeteria, hospital and recreational lounges.
Iris
Iris recognition technology was pioneered by John Daugman of Cambridge University in England in the mid-1990s. The technology examines the unique patterns of the iris, the coloured ring around the pupil of the eye.
Iris scans are non-invasive. The person puts his face in front of a camera, which then analyses all the features. It doesn’t require people to take off their glasses.
The system can be used to check in passengers at the ticket desk, baggage check and boarding. It can also be used in conjunction with a multiple security door system. Once a person’s iris is scanned and approved, the person is allowed into an area.
Iris recognition is seen as having the highest accuracy of all the biometric technologies.
“The technology reads 266 different characteristics as opposed to fingerprint technology, which reads about 90,” says Catherine Kaliniak of EyeTicket, an American company that produces iris recognition equipment.
“The iris doesn’t change from the time you’re one year old.”
EyeTicket has pilot-tested its iris systems at the Frankfurt and Charlotte/Douglas, N.C., airports. In addition, it was used at the 2000 Olympics in Sydney, Australia.
Iris scans were used on airport staff and aircrew.
EyeTicket is launching a program with Virgin Atlantic and British Airways. Frequent fliers can choose to join the iris program, which will facilitate their passage from the ticket counter through Heathrow’s customs and immigration.
The technology is portable and can capture and code millions of scans.
At Schiphol Airport in Amsterdam, frequent flyers can sign up for the “Privium Club,” which uses iris scans. The software was developed by Schiphol, airport police and the immigration service.
Members have their iris data entered on a chip of an identification card. The passenger can zip through passport control and check-in by looking into a scanner. The scan is also used for airport personnel in secure areas.
Schiphol authorities will test the technology for one year. After that, they may expand the program.
Retinal
Retinal scans examine the blood vessel patterns of the retina, the nerve tissue lining the inside of the eye that is sensitive to light.
An infrared light source is used to illuminate the retina of the eye. The image of the enhanced blood vessel pattern of the retina is analysed for characteristic points.
A retinal scan can produce almost the same volume of data as a fingerprint image analysis.
Retinal scan technology has several drawbacks. The retina is susceptible to disease (notably cataracts) that can change the characteristics of the eye and the method of obtaining a retinal scan is personally invasive – a laser light (or other light source) must be directed through the cornea of the eye.
Obtaining a correct retinal scan depends heavily on the skill of the operator.
Face
This technology requires a person to sit in front of a digital camera while it tracks about 80 facial characteristics. The lighting must be perfect and the camera must line up the image perfectly.
Essentially, the technology measures the peaks and valleys of the face, such as the tip of the nose and the depth of the eye sockets; these are known as nodal points. The human face has 80 nodal points, of which only 14 to 22 are needed for recognition, and the system concentrates on the inner region, which runs from temple to temple and just over the lip. It then comes up with a face print.
Face prints can also be stored on a smart card that users swipe through a door without looking into a camera.
The technology has been around since the early 1990s and is used in more than 100 casinos in the United States. It got a lot of attention last February when authorities used it at Super Bowl XXXV in Tampa to search for felons among the crowd of 100,000 spectators.
Voice
Voice dynamics relies on the production of a “voice template” that is used to compare with a spoken phrase. A speaker must repeat a set phrase several times as the system builds the template.
This biometrics technique relies on the behaviour of the subject rather than the physical characteristics of the voice and is considered prone to inaccuracy.
The system verifies voices through passwords and Personal Identification Numbers (PINs). A person must repeat the password and key in their PIN to gain access. The problem is that a person’s voice is susceptible to sickness, drugs and emotions.
Biometrics and Air Security
IATA, the International Air Transport Association, has a program, Simplifying Passenger Travel, to try to implement biometrics at airports around the world.
The program is trying to make sure all the different biometric systems being used are compatible, i.e. they can “talk” to each other.
IATA is primarily interested in iris technology. Though it’s very expensive, Melanie Lauckner of the SPT program says its sustained use would bring costs down over the years.
Lauckner says the benefits of biometrics override any costs.
“A passenger arrives at the airport, the system checks you in, lets you pass security and into the departure lounge, makes sure your luggage travels with you and informs your country of arrival that you are coming and that you have the proper papers.”
Lauckner says IATA has yet to put a dollar figure on implementing biometrics at international airports.
Taken from: CBC News Online
Biometric Technology Background
Access Control Approaches
The beginning of virtually any secured workflow is access control. The default logic of access control is that no one has access unless s/he is trusted and everyone else is excluded. A typical transaction, then, includes a Requestor and a Grantor. Access control technology attempts to automate the process of answering two basic questions prior to offering any kind of access:
- Who are you?
- Are you who you say you are?
The first question represents the task of identification. The second question represents the task of authentication. The importance of the distinction between identification and authentication will become clearer in later discussions about automating the process. In its simplest form, the generally accepted approach for arbitrating requests for access is through the use of a token and the assumption that possession of the token and authenticated identity are pretty much equivalent. The token can be concrete (something one has) or abstract (something one knows). Requesting access with a token is an example of single-factor security: if the requestor has the token, access is granted. For example, a house key or a secret password are two common examples of tokens that are used in a single-factor scenario.
Unfortunately, a lost or stolen token will compromise single-factor security. Anyone with a house key can enter that house. Once a password isn’t secret, anyone can use it. What compromises this type of security is its anonymity–a lack of real authentication allows virtually anyone possessing the token to use it. The most common solution to this problem is to use two tokens in a combination of something one has and something one knows. This is a two-factor scenario.
Two-factor security is more resistant to compromise. ATM cards are probably the most common two-factor security scheme in use today. With the card (something you have) to identify you and the PIN (something you know) to authenticate you, you can access your bank account from pretty much anywhere in the world. Since this only works when the requestor has both factors, the security is considered strong enough to support widespread consumer use.
The strength of this approach, however, is also its key weakness–neither token is any good without the other. A lost ATM card is useless to the person who finds it–good for the owner. It is also useless to the owner because the PIN by itself is useless. So a two factor scheme works well as long as the requestor has both tokens. There are circumstances where an unauthorized third party could gain access to both tokens, but they tend to be rare enough exceptions to be considered acceptable risk.
Because of the requirement that requestors carry a physical token, traditional two-factor schemes require considerable operational infrastructure to create and issue cards and PINs as well as install and maintain electro-mechanical card readers. The approach remains practical to the extent that people only carry one or very few of these cards.
Changing Requirements
The goal of most security schemes is to reduce the risk of loss or theft of real (physical) and intangible (intellectual) property. Loss can include not only the physical loss of data but also logical loss, where data is stored in the wrong place. For example, a credit card transaction inadvertently assigned to the wrong account is a type of data corruption that is the insidious equivalent of outright loss. Healthcare has grown particularly data-intensive, yet the improvements to the security infrastructure surrounding its applications have been limited.
Confronting several technical frontiers at a time, vendors of healthcare application software struggle to keep up with the requirements of a data-driven market. Where an application depends on the flow of transactional data about people (it could be financial or clinical data), reconciling the records authoritatively is essential to mining any useful information from the data about the relationship between clinical actions, their costs, and their outcomes. Eliminating duplicate identifiers for the same individual and preventing transactions from becoming associated with the wrong individual is a basic application challenge for designers of security infrastructure.
Biometric Technology
Technology is emerging that allows the use of biometric techniques to identify and authenticate individuals more authoritatively than has been practical in the past. Biometrics defined broadly is the scientific discipline of observing and measuring relevant attributes of living individuals or populations to identify active properties or unique characteristics. Biometrics can look for patterns of change by measuring attributes over time or look for consistency by measuring attributes of identity or unique differentiation. When looking for patterns of change, biometric technology can be considered a tool for research, diagnosis, or even medical monitoring. When looking for consistency, biometrics become a useful vehicle for security, automating the two principal steps of access control:
- Identification–who are you?
- Authentication–are you who you claim to be?
Using biometric technology for security purposes, a permanent personal attribute, unique to an individual and not easily duplicated, determines privilege or access – for example, a fingerprint, signature, iris, or voice pattern. Conceptually, a personal characteristic is yet another form of token, but it offers some unique advantages:
- The individual possesses the characteristic; the characteristic is not added to the individual (the individual essentially becomes the token)
- The attribute is generally a permanent token: you can’t lose it, and it can’t be stolen
- The best characteristics are statistically unique to the individual
Since biometric identification/authentication can be quite authoritative, virtually no anonymity is possible in the transaction: each individual becomes self-authenticating, especially in a two-factor scenario. The approach is not without limitations, however. Casual observation of the incredible variety of human forms and attributes might seem to reveal a large number of potential attributes for biometric identification. Good biometric identifiers, however, share several characteristics that make them useful and reliable for recognition and identification applications:
- Universal: Everyone must have the attribute. The attribute must be one that is universal and seldom lost to accident or disease.
- Consistent: The attribute must not change significantly over time. The attribute should not be subject to significant differences based on age or on either episodic or chronic disease. Voice is a consistent measure assuming consistent health, but can vary considerably with colds and sinus problems. The iris of the eye changes measurably between birth and adolescence. Retinas and fingerprints change very little over a lifetime.
- Unique: Each expression of the attribute must be unique to the individual. Height, weight, hair and eye color are all attributes that are unique assuming a particularly precise measure, but do not offer enough points of differentiation to be useful for more than categorizing.
- Permanent: The attribute must be inseparable from the individual. The attribute must be integral and not viable for identification if removed.
- Inimitable: The attribute must be irreproducible by other means. A recording of a voice could be separated from an individual just as an image of his or her face could. The less reproducible the attribute, the more likely it will be authoritative.
- Collectible: It must be easy to gather the attribute data passively. If a patient is unconscious, voice recognition would not be useful. If a patient is not particularly cooperative, fingerprint recognition or hand geometry would present limitations.
- Tamper-resistant: The attribute should be impractical to mask or manipulate. Fingerprints cannot be changed and hiding them is difficult, whereas faces can be masked or made up.
- Comparable: It must be possible to reduce the attribute to a state that makes it digitally comparable to others. The less probabilistic the matching involved, the more authoritative the identification.
Biometric Identification/Authentication Techniques
Certainty as Probability
When an individual’s claims of identity and privilege are verified in a truly reliable way, that identification is authoritative. The practical value of any identification/authentication scheme, however, generally exists in one of three states:
- certain and unambiguous (deterministic)
- certain based on a low probability of error (probabilistic)
- uncertain and ambiguous and therefore (for all practical purposes) false.
Unfortunately, a biometric attribute is not necessarily unambiguously permanent, so all biometric schemes are probabilistic. Design and implementation steps that can reduce the likelihood of an error are essential to orderly deployment of the technology. Biometric techniques are most reliable and effective when used as an authenticating technique as part of a multiple-factor scenario. For example, if an individual makes a claim of identity at the bank with his or her name, and that claim is supported (authenticated) by a biometric identifier, the probability of error is very low. Errors are much more likely to occur where the system must figure out on its own (identify) who an individual is.
Biometric Identification
Biometric identification is a sophisticated variation on a token-based, single-factor security scheme. In this case, the token is some physical attribute of the person: fingerprint, iris, retina, face, vein pattern, etc. Biometric identification systems typically follow three high-level processing steps. First, the system must acquire an image of the attribute through an appropriate scanning technique. (Specific techniques are described in greater detail below.) Once the scanned content is acquired, it must be localized for processing purposes. During this step, extraneous informational content is discarded and minutiae are isolated and turned into a template, a sort of internal canonical form for matching attributes stored in a database. Minutiae are the uniquely differentiating characteristics of the biometric attribute. Whorls and loops and their relationship to one another on a fingerprint are an example of the minutiae that might be extracted. Finally, templates stored in the database are searched for a match with the one just presented. If a match is found, the identification is a success and the succeeding steps of the security process can begin.
Biometric Authentication
Biometric authentication virtually eliminates the risk of anonymity in a two-factor security scenario by using a physical attribute of the person to authenticate a token. The process is similar to biometric identification. First, the requestor presents a token to assert identity. For example, an ATM or credit card is inserted into a reader. (A number encoded on the card is actually the token; the card is more like a container for the token, but treating the card as a token is appropriate.) As with identification, the system must acquire an image of the personal attribute. Second, the attribute must be localized, minutiae extracted, and a matching template created. Finally, the value of the token is used to look up the template previously stored for this individual. If it matches the template presented on this occasion, the requestor is authenticated.
Limitations of Identification and Authentication
Whether biometric technology is used for identification or authentication, its main limitation is that it uses probabilistic techniques for matching. This means that every case includes some margin for error. In daily practice, false rejections are considered more acceptable than false acceptance. (More on these matters is included elsewhere under Assessment.)
Generally, biometric authentication schemes are much more reliable and efficient than pure identification schemes. This is mainly because the identification template only has to be matched once to authenticate whereas it may need to be matched against thousands, or tens of thousands of records to identify someone. Performance of identification systems is a technical matter that requires the developers’ specific attention.
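To make the contrast between 1:1 authentication and 1:N identification concrete, the following is an added Python example that is not part of the original page and not any vendor's matcher. It abstracts the acquire/localize/extract pipeline into a constructed 128-bit template compared by Hamming distance (the way an iris code is compared), and `false_match_probability` shows why a per-comparison error rate that is acceptable for one authentication comparison compounds over the thousands of records a 1:N search touches.

```python
"""Toy model of biometric 1:1 authentication versus 1:N identification.

A template is modelled as a fixed-length bit string; the page's minutiae
extraction is abstracted away. Two templates "match" when the fraction of
differing bits is at or below a decision threshold, so every decision is
probabilistic, exactly as the text describes.
"""
import random

TEMPLATE_BITS = 128        # length of the constructed template
MATCH_THRESHOLD = 0.25     # max fraction of differing bits still accepted


def hamming_distance(a: int, b: int) -> int:
    """Number of differing bits between two integer-encoded templates."""
    return bin(a ^ b).count("1")


def is_match(stored: int, probe: int, threshold: float = MATCH_THRESHOLD) -> bool:
    """Probabilistic decision: accept when few enough bits differ."""
    return hamming_distance(stored, probe) / TEMPLATE_BITS <= threshold


def enroll(db: dict, token: str, template: int) -> None:
    """Store a template under the token (card number, user name) asserted at enrolment."""
    db[token] = template


def authenticate(db: dict, token: str, probe: int) -> bool:
    """1:1 check: the presented token selects ONE stored template to compare against."""
    stored = db.get(token)
    return stored is not None and is_match(stored, probe)


def identify(db: dict, probe: int):
    """1:N search: compare the probe against EVERY stored template.

    Returns the token of the closest template if it is within the threshold,
    otherwise None. The search grows linearly with the database size, and so
    does the number of chances for a false match.
    """
    best_token, best_dist = None, TEMPLATE_BITS + 1
    for token, stored in db.items():
        d = hamming_distance(stored, probe)
        if d < best_dist:
            best_token, best_dist = token, d
    if best_token is not None and best_dist / TEMPLATE_BITS <= MATCH_THRESHOLD:
        return best_token
    return None


def false_match_probability(fmr_1to1: float, n: int) -> float:
    """Probability that an impostor probe matches at least one of n unrelated templates.

    Each 1:1 comparison falsely matches with probability fmr_1to1; treating the
    n comparisons of a 1:N search as independent gives P(any) = 1 - (1 - fmr)^n.
    """
    return 1.0 - (1.0 - fmr_1to1) ** n


def noisy_copy(template: int, flips: int, rng: random.Random) -> int:
    """Simulate a fresh scan of the same person: the enrolled template with `flips` distinct bits changed."""
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def build_demo_db(n_users: int, seed: int = 7):
    """Constructed population: n_users random templates keyed 'user0000', 'user0001', ..."""
    rng = random.Random(seed)
    db = {}
    for i in range(n_users):
        enroll(db, f"user{i:04d}", rng.getrandbits(TEMPLATE_BITS))
    return db, rng


if __name__ == "__main__":
    db, rng = build_demo_db(1000)
    probe = noisy_copy(db["user0042"], flips=10, rng=rng)      # genuine re-scan
    print("1:1 authenticate:", authenticate(db, "user0042", probe))   # True
    print("1:N identify   :", identify(db, probe))                   # user0042
    for n in (1, 100, 10_000):
        print(f"FMR 0.001 per comparison -> P(false match in 1:{n}) = "
              f"{false_match_probability(0.001, n):.4f}")
```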
Established Technologies
The current state of biometric identification technology includes numerous options, some capable of production use, others still emerging and not yet reliable or cost-effective enough for common deployment. Several technical approaches have entered the technical mainstream and gained common acceptance as capable and reliable, though biometric identification has yet to cross the chasm into mass-market acceptance.
Emerging Technologies
Identifying an individual using genetic patterns, while quite reliable and authoritative, remains a time-consuming scientific process and is generally reserved for forensic purposes because it is invasive and requires highly specialized equipment and expertise. This is rapidly changing, however, and technology is emerging that will allow investigators to conduct rapid DNA analysis quickly enough to be used at an actual crime scene. Even human scent identification is available as yet another, though currently quite arcane technology. The rate of change in technology guarantees that what seems impossibly complex today can become practical, even a practical necessity in just a few short years. The following technologies show mainstream promise.
Fingerprint
Fingerprint identification techniques fall into two major categories – Automated Fingerprint Identification Systems (AFIS) and fingerprint recognition systems. AFIS is typically restricted to law-enforcement use. Fingerprint recognition derives a unique template from the attributes of the fingerprint without storing the image itself or even allowing for its reconstruction.
Fingerprint recognition for identification acquires the initial image through live scan of the finger by direct contact with a reader device that can also check for validating attributes such as temperature and pulse. Since the finger actually touches the scanning device, the surface can become oily and cloudy after repeated use and reduce the sensitivity and reliability of optical scanners. Solid state sensors overcome this and other technical hurdles because the coated silicon chip itself is the sensor. Solid state devices use electrical capacitance to sense the ridges of the fingerprint and create a compact digital image, so they are less sensitive to dirt and oils. Fingerprint recognition is generally considered reliable enough for commercial use, and some vendors are already actively marketing readers as part of Local Area Network login schemes.
Hand Geometry
The essence of hand geometry is the comparative dimensions of fingers and the locations of joints. One of the earliest automated biometric systems, Identimat, installed at the Shearson-Hamill investment bank on Wall St. during the late 60s, used hand geometry and stayed in production for almost twenty years. Some systems perform simple, two-dimensional measurements of the palm of the hand. Others attempt to construct a simple three-dimensional image from which to extract template characteristics. In one of the most popular descendants of the Identimat, a small digital camera captures top and side images of the hand. Reference marks on the platen allow calibration of the image to improve the precision of matching.
Retinal Scan
Retinal recognition creates an “eye signature” from the vascular configuration of the retina, an extremely consistent and reliable attribute with the advantage of being protected inside the eye itself. An image of the retina is captured by having the individual look through a lens at an alignment target. Diseases or injuries that would interfere with the retina are comparatively rare in the general population, so the attribute normally remains both consistent and consistently available.
Voice
Voice recognition techniques are generally categorized according to two approaches– Automatic Speaker Verification (ASV) and Automatic Speaker Identification (ASI). Speaker verification uses voice as the authenticating attribute in a two-factor scenario. Speaker identification attempts to use voice to identify who an individual actually is. Voice recognition distinguishes an individual by matching particular voice traits against templates stored in a database. Voice systems must be trained to the individual’s voice at enrollment time, and more than one enrollment session is often necessary. Feature extraction typically measures formants or sound characteristics unique to each person’s vocal tract. The pattern matching algorithms used in voice recognition are similar to those used in face recognition.
Iris
Iris scanning is less intrusive than retinal recognition because the iris is easily visible from several feet away. Responses of the iris to changes in light can provide secondary verification that the iris presented as a biometric factor is genuine. Though empirical tests with the technology will improve its reliability, it appears quite promising and even practical for many applications, especially two-factor scenarios. While some of the technical issues of iris scanning seem pedestrian, they present implementation challenges. A careful balance of light, focus, resolution, and contrast is necessary to extract the attributes or minutiae from the localized image. While the iris seems to be consistent throughout adulthood, it does vary somewhat up to adolescence.
Face/Facial Thermogram
Face recognition technology is still in its early stages, and most tests and applications have been run against relatively small databases. The similarity score produced by each comparison determines the match – the highest score wins. Acquisition for biometric identification purposes requires the individual’s face to be presented to a video camera. An evident deficiency in some current schemes is the ability to fool or confuse some systems with makeup. A facial thermogram works much like face recognition except that the image is captured by way of an infrared camera, and the heat signature of the face is used to create the biometric template used for matching. This is more reliable than simple imaging.
The U.S. Army Research Laboratory conducted the FERET Database Evaluation Procedure in Sept. of 1996 comparing various technologies and algorithms side by side. While the results are promising and some approaches yielded impressive results, this technology is still considerably less reliable than some alternatives. As is the case with other technologies, practical usefulness increases dramatically in a two-factor scenario.
Hand Vein
Hand vein recognition attempts to distinguish individuals by measuring the differences in subcutaneous features of the hand using infrared imaging. Like face recognition, it must deal with the extra issues of three-dimensional space and the orientation of the hand. Like retinal scanning, it relies on the pattern of the veins in the hand to build a template with which to attempt matches against templates stored in a database. The use of infrared imaging offers some of the same advantages as hand geometry over fingerprint recognition in manufacturing or shop-floor applications where hands may not be clean enough to scan properly using a conventional video or capacitance technique.
Signature
Signature is a simple, concrete expression of the unique variations in human hand geometry. Forensic experts have developed criteria over the years for verifying the authenticity of a signature. Automating this process allows computer automation to take the place of an expert in looking for unique identifying attributes. In addition to the general shape of the signed name, a signature recognition system can also measure both the pressure and velocity of the point of the stylus across the sensor pad. (Keystroke dynamics is a variation on this technique that measures the typing rates and intervals.) Signatures, however, are difficult to model for variation, and the reliability of these systems, especially when compared with other simpler alternatives.
Assessing Biometric Technologies
Several key measures reveal the ability of a biometric identification/authentication system to function reliably. When evaluating the reliability of a system for straight identification, the predicted number of rejections should be very small, but the predicted number of false acceptances should be improbable to the point of practical impossibility. Where a system will be used for authentication as part of a two-factor scenario, the balance of false rejections and false acceptances is more relevant. Here the system functions in a context with other controlling factors – asserted identity, user facilitation, and so on – and can operate conveniently as well as reliably. Three principal reliability measures are normally described for biometric systems.
False Accept Rate (FAR)
The False Accept Rate (also called Type I error) indicates the percentage of unauthorized attempts that will be erroneously accepted. Even interpreted in terms of how many attempts are expected in the system, this number should always be as low as possible. Identification systems should have a false accept rate as close as possible to statistical zero.
False Reject Rate (FRR)
The False Reject Rate (also called Type II error) indicates the percentage of authorized attempts that will be erroneously rejected. False rejections are more acceptable than false accepts because they can usually be corrected by a second attempt. This number should always be as low as possible. The more frequently authorized users are rejected, the greater the risk to project acceptance.
Equal Error Rate (EER)
The point where the False Accept and False Reject rate curves intersect is the Equal Error Rate. A very low EER indicates a system with a good balance of sensitivity.
The phrase “statistical zero” is used here to describe a non-zero but acceptable level of risk. For example, if a scenario presented a 1 in 1000 chance of false accept, the probability of compromised security would be high. If the odds were 1 in 1 billion, the probability of a false accept actually occurring would be a practical zero. A two-factor authentication scenario can drive the odds out even further. Probabilities are indifferent matters, however, and a failure anticipated as statistically possible only once in a billion years could still happen the next time the system is used. Every system needs to operate in a context of security policy and planning.
Issues to Consider
The issues of privacy, anonymity, and community standards surface at the center of an implementation of biometric identification. It is in the nature of the technology to excite concerns about loss of control of information or of individuality. For all practical purposes, a two-factor biometric security scheme could eliminate the external ambiguities that cause records to become lost or associated with the wrong individual. The potential reduction in fraud alone is driving some financial institutions to introduce biometric techniques associated with credit card verification. Transaction records this authoritative would have implications for how many transactions that demand high security are automated. The consequences in terms of improved efficiency in our data-based society are already showing up in banking, the use of cash, and even taxation. The social cost can be assessed in the simple concession that authoritative identification expects – the loss of anonymity.
In healthcare, implementations of biometric identification where the scope is limited to controlling access to computer systems or to identifying employees authoritatively in certain areas seem to offer the greatest immediate promise. Rolling out a biometric identification scheme to the community at large, on the other hand, must navigate the discovery and definition of local community standards and whether or not such technology would be accepted.
Where to Next?
Information about biometric technology is abundant and available through even the most casual search of the World Wide Web. The Biometric Consortium is probably the best place to begin accumulating detail about the state of the art.
Taken from: Altisinc
Bioidentification FAQ
Background
What is biometrics?
What is biometric authentication?
What are the advantages of biometric systems for authentication?
What are the requirements of a biometric feature used for authentication purposes?
What are the most well known biometric features used for authentication purposes?
What factors contribute to a biometric feature’s development?
How does the manner of formation influence the usefulness of biometric features for authentication?
How does one recognize randotypic traits?
Which biometric features are most constant over time?
Which biometric features are most suitable for authentication purposes?
Which organizations attend to standardizing biometric systems?
Which biometric standards are available now? (changed)
What is the difference between identification and verification?
What are the advantages of verification over identification?
What are the disadvantages of verification compared to identification?
What is the difference between positive and negative identification?
What are the main uses of identification and verification?
What are the fundamental methods of authentication?
What are the characteristics of the various authentication methods?
Performance
Which measures reflect the effectiveness of a biometric authentication system?
What does one need to be aware of regarding the FAR/FRR?
How is the Failure-to-Enroll rate (FER/FTE) defined in detail?
What needs to be considered in the definition of FRR?
How is FRR defined in detail?
What needs to be considered in the definition of FAR?
How is FAR defined in detail?
How are the FAR and FRR minimized in a biometric system?
How does a transition from verification to identification affect the FAR? (for specialists)
How is the False Identification Rate (FIR) calculated? (for specialists)
Is Failure to Enroll a typical problem for biometric systems?
When are FAR and FRR values statistically significant? (for specialists)
How is the probability distribution function measured for a biometric system’s authorized and unauthorized users? (for specialists)
How do the FAR/FRR paired graphs affect a biometric system? (for specialists)
How does one determine the “Receiver Operating Characteristic” (ROC) of a biometric system? (for specialists)
What is essential when comparing the ROC performance of biometric systems?
What does separability of a biometric system mean? (for specialists)
Is a biometric system’s performance dependent upon the user?
Implementation
What records biometric features?
What makes up a biometric authentication system?
What computation speeds are required by a biometric authentication system?
How do enrollment and biometric authentication work?
What are the advantages of using a chip card for biometric authentication?
What is a “template”?
What is “Template on Card”?
How may a PC access control with “Template on Card” look like?
What is “Matcher on Card”?
What are the features of Matcher on Card?
Security
What does security mean for an authentication system?
What is compromisation of a biometric feature?
Is the compromisation of biometric features a problem?
What can be done against compromisation of one’s biometric features?
What must be observed with respect to security when dealing with “Template on Card”?
Is biometrics a privacy-enhancing or a privacy-threatening technology?
Is biometrics more “secure” than passwords?
What is biometrics?
Biometrics is the science of measuring physical properties of living beings.
What is biometric authentication?
(1) Biometric authentication is the automatic recognition of a living being using suitable body characteristics.
(2) By measuring an individual’s physical features in an authentication inquiry and comparing this data with stored biometric reference data, the identity of a specific user is determined.
Remark: authentication is used here as a generic term for identification and verification.
What are the advantages of biometric systems for authentication?
Advancing automation and the development of new technological systems, such as the internet and cellular phones, have led users to more frequent use of technical means rather than human beings in receiving authentication. Personal identification has taken the form of secret passwords and PINs. Everyday examples requiring a password include the ATM, the cellular phone, or internet access on a personal computer. In order that a password cannot be guessed, it should be as long as possible, not appear in a dictionary, and include symbols such as +, -, %, or #. Moreover, for security purposes, a password should never be written down, never be given to another person, and should be changed at least every three months. When one considers that many people today need up to 30 passwords, most of which are rarely used, and that the expense and annoyance of a forgotten password is enormous, it is clear that users are forced to sacrifice security due to memory limitations. While the password is very machine friendly, it is far from user-friendly.
There is a solution that returns to the ways of nature. In order to identify an individual, humans differentiate between physical features such as facial structure or sound of the voice. Biometrics, as the science of measuring and compiling distinguishing physical features, now recognizes many further features as ideal for the definite identification of even an identical twin. Examples include a fingerprint, the iris, and vein structure. In order to perform recognition tasks at the level of the human brain (assuming that the brain would only use one single biometric trait), 100 million computations per second are required. Only recently have standard PCs reached this speed, and at the same time, the sensors required to measure traits are becoming cheaper and cheaper. Therefore, the time has come to replace the password with a more user friendly solution — biometric authentication.
What are the requirements of a biometric feature used for authentication purposes?
In the development of biometric identification systems, physical and behavioral features for recognition are required which:
- are as unique as possible, that is, an identical trait won’t appear in two people: Uniqueness
- occur in as many people as possible: Universality
- don’t change over time: Permanence
- are measurable with simple technical instruments: Measurability
- are easy and comfortable to measure: User friendliness
What are the most well known biometric features used for authentication purposes?
Biometric Trait | Description |
Fingerprint | Finger lines, pore structure |
Signature (dynamic) | Writing with pressure and speed differentials |
Facial geometry | Distance of specific facial features (eyes, nose, mouth) |
Iris | Iris pattern |
Retina | Eye background (pattern of the vein structure) |
Hand geometry | Measurement of fingers and palm |
Finger geometry | Finger measurement |
Vein structure of back of hand | Vein structure of back of hand |
Ear form | Dimensions of the visible ear |
Voice | Tone or timbre |
DNA | DNA code as the carrier of human heredity |
Odor | Chemical composition of one’s odor |
Keyboard strokes | Rhythm of keyboard strokes (PC or other keyboard) |
What factors contribute to a biometric feature’s development?
Biometric traits develop:
- through genetics: genotypic
- through random variations in the early phases of an embryo’s development: randotypic (often called phenotypic)
- or through training: behavioral
As a rule, all three factors contribute to a biometric trait’s development, although to varying degrees. The following table rates the relative importance of each factor (o is small, ooo is large):
Biometric Trait | genotypic* | randotypic* | behavioral** |
Fingerprint | o | ooo | o |
Signature (dynamic) | oo | oo | ooo |
Facial geometry | ooo | o | o |
Iris | o | ooo | o |
Retina | o | ooo | o |
Hand geometry | ooo | o | o |
Finger geometry | ooo | o | o |
Vein structure of back of hand | o | ooo | o |
Ear form | ooo | o | o |
Voice | ooo | o | oo |
DNA | ooo | o | o |
Odor | ooo | o | o |
Keyboard strokes | o | o | ooo |
Comparison: Password | (ooo) | ||
*Randotypic patterns often show genotypic traits in their overall structure. These genotypic traits may disappear with increasing refinement (e.g., development of branches on a tree).
How does the manner of formation influence the usefulness of biometric features for authentication?
Even though the type of developmental factor does not solely determine a feature’s usefulness, there are a few things to take into account:
- pure genotypic traits can’t differentiate between monozygotic (identical) twins or clones
- purely behavioral features are, by definition, easiest to imitate
- behavioral features are strongly affected by external influences and the disposition of the user
- normally for authentication purposes, randotypic contributions are essential due to their necessity for creating absolute uniqueness
How does one recognize randotypic features?
The following must be considered:
- Even monozygotic twins have obviously differing features.
- As a rule of thumb, random variations do NOT follow bodily symmetry. For example, the right and left iris have different details, and are not mirror symmetrical to each other.
Which biometric features are most constant over time?
Reasons for variation over time:
- Growth
- Wear and tear
- Aging
- Dirt and grime
- Injury and subsequent regeneration etc.
Biometric features that are minimally affected by such variation are preferred. The degree to which this is possible is shown in the following table. Easily changed effects such as dirt, and quickly healing injuries such as an abrasion, are not taken into consideration.
Biometric Trait | Permanence over time |
Fingerprint | oooooo |
Signature (dynamic) | oooo |
Facial geometry | ooooo |
Iris | ooooooooo |
Retina | oooooooo |
Hand geometry | oooooooo |
Finger geometry | oooooooo |
Vein structure of back of hand | oooooo |
Ear form | oooooo |
Voice | ooo |
DNA | ooooooooo |
Odor | oooooo? |
Keyboard strokes | oooo |
Comparison: Password | ooooo |
What records biometric features?
For recording and converting biometric traits to usable computer data, one needs an appropriate sensor (see table). Of course, costs can greatly vary for different sensors. However, we can’t forget that many technical devices already have sensors built in, and therefore, offer possibilities to measure biometric features nearly free of cost.
Biometric Trait | Sensor |
Fingerprint | capacitive, optic, thermal, acoustic, pressure sensitive |
Signature (dynamic) | Tablet |
Facial geometry | Camera |
Iris | Camera |
Retina | Camera |
Hand geometry | Camera |
Finger geometry | Camera |
Vein structure of back of hand | Camera |
Ear form | Camera |
Voice | Microphone |
DNA | Chemical lab |
Odor | Chemical sensors |
Keyboard strokes | Keyboard |
Comparison: Password | Keyboard |
Which biometric features are most suitable for authentication purposes?
Prior to comparing the relative worth of different biometric traits, we must define the appropriate criteria to be used. For these purposes, we will use four categories:
- Comfort: duration of verification and the ease of use
- Accuracy: minimal error rates (clarity, consistency, measurability)
- Availability: the portion of a potential user group who can use biometrics for technical identification purposes (universal, measurable).
- Costs: essentially due to the sensors.
Note that some of the following ratings are based on current versions (status: March 2000) which could change drastically with new solutions.
Working number | Title |
19784-1 | Biometric Application Programming Interface Part 1: The BioAPI Specification |
19784-2 | Biometric Application Programming Interface Part 2: Biometric Archive Function Provider Interface |
19784-3 | Biometric Application Programming Interface Part 3: BioGUI |
19785-1 | Common Biometric Exchange Framework Format – Part 1: Data Element Specification |
19785-2 | Common Biometric Exchange Framework Format – Part 2: Procedures for the operation of the biometric registration authority |
19785-3 | Common Biometric Exchange Framework Format – Part 3: Patron Format Specification |
19794-1 | Biometric data interchange formats Part 1: Framework |
19794-2 | Biometric data interchange formats Part 2: Finger Minutiae Data |
19794-3 | Biometric data interchange formats Part 3: Finger Pattern Spectral Data |
19794-4 | Biometric data interchange formats Part 4: Finger Image Data |
19794-5 | Biometric data interchange formats Part 5: Face Image Data |
19794-6 | Biometric data interchange formats Part 6: Iris Image Data |
19794-7 | Biometric data interchange formats Part 7: Signature/Sign Time Series Data |
19794-8 | Biometric data interchange formats Part 8: Finger Pattern Skeletal Data |
19794-9 | Biometric data interchange formats Part 9: Vascular Biometric Image Data |
19794-10 | Biometric data interchange formats Part 10: Hand Geometry Silhouette Data |
19794-11 | Biometric data interchange formats Part 11: Signature/Sign Processed Dynamic Data |
19795-1 | Biometric Performance Testing and Reporting – Part 1: Test Principles |
19795-2 | Biometric Performance Testing and Reporting – Part 2: Testing Methodologies |
19795-3 | Biometric Performance Testing and Reporting – Part 3: Specific Testing Methodologies |
19795-4 | Biometric Performance Testing and Reporting – Part 4: Specific Test Programmes |
19795-5 | Biometric Performance Testing and Reporting – Part 5: Framework For Biometric Device Performance Evaluation For Access Control |
24708 | Biometric Interworking Protocol (BIP) |
24709-1 | BioAPI Conformance Testing – Part 1: Methods and Procedures |
24709-2 | BioAPI Conformance Testing – Part 2: Test Assertions |
24713-3 | Biometric Profiles for Interoperability and Data Interchange – Part 3: Biometric-Based Verification and Identification of Seafarers |
24714 | Multi-part Technical Report Cross Jurisdictional and Societal Aspects of Implementations of Biometric Technologies |
24722 | Technical Report on Multi-Modal and Other Multi-Biometric Fusion |
24741 | Technical Report For a Biometric Tutorial |
What is the difference between identification and verification?
In an identification, the recorded biometric feature is compared to all biometric data saved in a system. If there is a match, the identification is successful, and the corresponding user name or user ID may be processed subsequently.
In a verification, the user enters her/his identity into the system (e.g., via a keypad or card), then a biometric feature is scanned. The biometric trait must only be compared to the one previously saved reference feature corresponding to the ID. If a match occurs, verification is successful.
If a system has only one saved reference trait, identification is similar to verification, but the user need not first enter his or her identity, as for example, access to a mobile phone which should only be used by its owner.
What are the advantages of verification over identification?
Verification is much faster than an identification when the number of saved reference features/users is very high.
Verification shows a better biometric performance than identification, especially when the number of reference traits/users is very high.
What are the disadvantages of verification compared to identification?
In a verification, the user must first enter his or her identity into the biometric system. User IDs can be forgotten and cards can be lost, making access impossible. (Note, this is only relevant when a biometric system has more than one user.)
What are the main uses of identification and verification?
Fighting Crime
Comparing evidence from a crime scene with previously or subsequently recorded biometric data.
Examples: Fingerprint, DNA
Security
Verification of one’s identity and granting authentication
For example: granting access rights by voice and pass
Comfort
Identifying a person and changing personal settings accordingly
For example, setting the car seat, mirrors, etc. by facial recognition
What are the fundamental methods of authentication?
Biometrics “Who I am”
Biometrics uses nature’s oldest system to identify people — via unforgettable and unchanging physical characteristics. From time immemorial, humans have had to perform recognition tasks themselves. Today, technology is advanced enough to assist us or even relieve us of recognition tasks.
Secret Knowledge “What I know”
Here authentication takes the form of (secret!) PINs and passwords, which the user has to keep track of. The authorized party has to share the secret knowledge with the authenticator. Previously, this was the simplest method of identification for machines. Secret knowledge is also applied where several persons have to be authenticated in a simple way.
Personal Possession “What I have”
Examples for authentication are having a key, ID card, or pass (with or without a chip), which allows entrance, for example, into a private room. What is essential is the existence of hidden or overt but unique features.
Combination Systems
For security reasons, often two or all three of the above systems are combined, e.g., a bank card with a PIN. Following the definition above, a password written down on a sheet of paper exclusively belongs to the group of “personal possession”; it is no secret knowledge any more!
What are the characteristics of the various authentication methods?
Characteristic | Secret Knowledge | Personal Possession | Biometrics |
Examples | Password, PIN | Key, ID card/ pass | Fingerprint, Face, DNA |
Copied | “Software” | easy to very difficult | easy to difficult |
Lost | “forgotten” | easy | very difficult |
Stolen | spied | possible | difficult |
Circulated | easy | easy | easy to difficult |
Changed | easy | easy | easy to very difficult |
What makes up a biometric authentication system?
A basic biometric system is made up of:
- a sensor to record the biometric trait
- a computer unit to process and eventually save the biometric trait
- an application, for which the user’s authentication is necessary
In detail, the processing unit comprises:
- a “feature extraction unit” which filters the uniqueness data out of the raw data coming from the sensor and combines them into the request template,
- a “matcher” which compares the request template with the reference template and delivers a “score” value as result, and
- a “decision unit” which takes the score value (or values) as well as the threshold to derive a two-valued decision (authorized or non-authorized).
What computation speeds are required by a biometric authentication system?
Generally, computation speeds adequate for pattern recognition are required. This is about 100 million operations per second, which have only recently been attained by affordable hardware (PC, DSP).
What does security mean for an authentication system?
Often “security” is used to mean the ability to prevent false authentication. False authentication could happen through:
- too high a false acceptance rate (FAR)
- fraud or forgery attempts
- technical deficiencies
Perfect protection cannot exist. However, one can try to make the FAR as small as possible, forgery attempts as costly as possible, and through intensive testing minimize the technical deficiencies.
The security realm also includes protecting biometric and other personal data against misuse.
Which measures reflect the effectiveness of a biometric authentication system?
False Acceptance Rate (FAR)
The FAR is the frequency with which a non-authorized person is accepted as authorized. Because a false acceptance can often lead to damage, FAR is generally a security-relevant measure. FAR is a non-stationary statistical quantity which not only shows a personal correlation but can even be determined for each individual feature (called personal FAR).
False Rejection Rate (FRR)
The FRR is the frequency with which an authorized person is rejected access. FRR is generally thought of as a comfort criterion, because a false rejection is most of all annoying. FRR is a non-stationary statistical quantity which not only shows a strong personal correlation but can even be determined for each individual feature (called personal FRR).
Failure To Enroll rate (FTE, also FER)
The FER is the proportion of people who fail to be enrolled successfully. FER is a non-stationary statistical quantity which not only shows a strong personal correlation but can even be determined for each individual feature (called personal FER).
Those who are already enrolled but are mistakenly rejected after many verification/identification attempts count toward the Failure To Acquire (FTA) rate. FTA can originate from temporarily unmeasurable features (a bandage, insufficient sensor image quality, etc.). The FTA is usually considered within the FRR and need not be calculated separately; see also FNMR and FMR.
False Identification Rate (FIR)
The False Identification Rate is the probability in an identification that the biometric feature is falsely assigned to a reference. The exact definition depends on the assignment strategy; namely, after feature comparison, often more than one reference will exceed the decision threshold.
Further Implicit Measures
False Match Rate (FMR). The FMR is the rate at which non-authorized people are falsely recognized during the feature comparison. In contrast to the FAR, attempts previously rejected due to poor (image) quality (Failure to Acquire, FTA) are not accounted for. Whether a falsely recognized feature leads to increases in FAR or FRR depends upon the application. (There are applications which define a successful recognition as a rejection, when, for example, double release of identification cards to a person with a false identity is prevented by comparing the actual reference features with the centrally stored reference features of all cards released so far.)
False Non-Match Rate (FNMR)
The FNMR is the rate at which authorized people are falsely not recognized during feature comparison. In contrast to the FRR, attempts previously rejected due to poor (image) quality (Failure to Acquire, FTA) are not accounted for. Whether a falsely recognized feature leads to increases in FAR or FRR depends upon the application.
What does one need to be aware of regarding the FAR/FRR?
The measurement of biometric features as well as the features themselves are subject to statistical fluctuations. Therefore, every biometric recognition system has a built-in acceptance threshold, which when raised both decreases FAR and increases FRR. It should be clear that the given FAR and FRR values belong to the same threshold value. Stating only the FAR or only the FRR is thus misleading.
Additionally, even the Failure-to-Enroll Rate FER must be considered when comparing the FAR/FRR values of different systems. This is because the enrollment procedure can be parametrized in such a way that only best quality feature samples are approved for reference templates while lower quality samples are dropped, thus contributing to a higher FER. Normally, the higher the FER forced by the biometric system, the better the FAR and FRR values, and vice versa!
In biometrics FAR/FRR are not theoretically ascertainable, instead they must be determined statistically in costly tests. Determining statistical significance is equally difficult. There were no standardized techniques, therefore results could vary due to differences in test conditions and sample size. Clarity was only provided by disclosure of the test conditions.
How is the Failure-to-Enroll Rate (FER/FTE) defined in detail?
Due to the statistical nature of the failure-to-enroll rate, a large number of enrollment attempts have to be undertaken to get statistically reliable results. Each enrollment attempt is either successful or unsuccessful. The probability of failure, FER(n), for a certain person (or feature) n is measured as
$FER(n) = \frac{\text{number of unsuccessful enrollment attempts for person (or feature) } n}{\text{number of all enrollment attempts for person (or feature) } n}$
These values become more reliable with more independent attempts per person/feature. The overall FER for N participants is defined as the average of FER(n):
$FER = \frac{1}{N}\sum_{n=1}^{N} FER(n)$
The values become more accurate with higher numbers of participants N. Alternatively, the median may be used.
Finally, the result of an enrollment attempt has to be defined exactly:
An enrollment attempt is successful if the user interface of the application provides a “successful” or “finished” message.
An enrollment attempt is unsuccessful if the user interface of the application provides an “unsuccessful” message.
In cases where no defined completion exists, a fixed enrollment time interval has to be given to ensure comparability. If the time interval has expired, the enrollment attempt is counted as unsuccessful.
How do enrollment and biometric authentication work?
A prerequisite for authentication is enrollment, in which a biometric feature is saved as a personal reference, either decentrally on a chip card or PC, or centrally in a database. Since the quality of the enrollment essentially determines the performance of the authentication, it must be carried out carefully, and it must take place in a trustworthy environment: a template enrolled under an attacker's control is a reference the system will trust from then on.
During an authentication the biometric feature is scanned anew. This time it is not saved; instead, it is compared to the reference feature. If the comparison is positive, access to the appropriate applications can be granted.
Most biometric systems follow this procedure in detail:
- Capture of a data set (e.g., image or sound) containing the features to be extracted, using an appropriate sensor
- Examination of the data quality; if it is insufficient, the data are rejected immediately or appropriate user guidance is given to improve the quality
- Extraction of the desired features from the data set and generation of a template
- For enrollment: storage of the template as “reference template” in the “reference archive”
- For authentication: comparison of the current (request) template with the reference template by a “matcher”, which yields a score value expressing the degree of agreement
- For authentication: if the score value exceeds a predetermined threshold, access is granted; otherwise the request is rejected
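The procedure above, as an added example that is not part of the original page or of any vendor's product. It uses a toy minutiae-style feature representation (triples of x, y and angle), a constructed "sensor" that produces deterministic samples, a minimum-point quality gate, a canonical template and a tolerance-based matcher; all constants (MIN_MINUTIAE, the tolerances, THRESHOLD) and the sample generator are assumptions made for the example. The point it adds to the list is where the three outcome classes are separated: failure to enroll and failure to acquire are reported by the quality gate before the matcher, so that only matcher rejections feed the FNMR later.

```python
"""Added example (not from the original page): the generic enrollment /
authentication pipeline on a toy minutiae-style representation.
Sample capture is simulated with constructed lists; quality gate, template
extraction, matcher and threshold decision are implemented so that
failure-to-enroll / failure-to-acquire are reported separately from
matcher rejections."""
from typing import Dict, List, Tuple

Minutia = Tuple[int, int, int]  # (x, y, angle in degrees); assumed toy feature format

MIN_MINUTIAE = 12     # quality gate: fewer points = unusable capture (assumption)
TOLERANCE_XY = 6      # position tolerance for a minutia pair (assumption)
TOLERANCE_ANGLE = 20  # angle tolerance in degrees (assumption)
THRESHOLD = 0.6       # decision threshold on the score in [0, 1] (assumption)

archive: Dict[str, List[Minutia]] = {}   # the "reference archive"


def quality_ok(sample: List[Minutia]) -> bool:
    """Step 2: data-quality examination."""
    return len(sample) >= MIN_MINUTIAE


def extract_template(sample: List[Minutia]) -> List[Minutia]:
    """Step 3: feature extraction. Angles are quantised to 10-degree bins and the
    points sorted, so the template does not depend on capture order."""
    return sorted((x, y, (a % 360) // 10 * 10) for x, y, a in sample)


def match_score(reference: List[Minutia], probe: List[Minutia]) -> float:
    """Step 5: the matcher. Score = fraction of reference minutiae that have a
    not-yet-used counterpart in the probe within the position/angle tolerances."""
    used = set()
    hits = 0
    for rx, ry, ra in reference:
        for i, (px, py, pa) in enumerate(probe):
            if i in used:
                continue
            dang = abs(ra - pa) % 360
            dang = min(dang, 360 - dang)
            if (abs(rx - px) <= TOLERANCE_XY and abs(ry - py) <= TOLERANCE_XY
                    and dang <= TOLERANCE_ANGLE):
                used.add(i)
                hits += 1
                break
    return hits / len(reference) if reference else 0.0


def enroll(user_id: str, sample: List[Minutia]) -> str:
    """Enrollment: quality gate, then store the reference template."""
    if not quality_ok(sample):
        return "failure_to_enroll"          # counts toward FER / FTE
    archive[user_id] = extract_template(sample)
    return "enrolled"


def verify(user_id: str, sample: List[Minutia],
           threshold: float = THRESHOLD) -> Tuple[str, float]:
    """Verification (1:1): quality gate, match against the user's reference,
    threshold decision. Returns (outcome, score)."""
    if not quality_ok(sample):
        return "failure_to_acquire", 0.0    # counts toward FTA, not toward FNMR
    if user_id not in archive:
        return "rejected", 0.0
    score = match_score(archive[user_id], extract_template(sample))
    return ("accepted" if score >= threshold else "rejected"), score


def constructed_sample(seed: int, n: int = 15) -> List[Minutia]:
    """Deterministic constructed minutiae for the example; not real fingerprint data."""
    return [((37 * seed + 53 * i) % 200, (91 * seed + 29 * i) % 200,
             (17 * seed + 47 * i) % 360) for i in range(n)]


def recapture(sample: List[Minutia]) -> List[Minutia]:
    """Simulate a second capture of the same finger: small deterministic jitter."""
    return [(x + (i % 3) - 1, y + (i % 2), (a + 5) % 360)
            for i, (x, y, a) in enumerate(sample)]


if __name__ == "__main__":
    ref = constructed_sample(1)
    print(enroll("alice", ref))                          # enrolled
    print(verify("alice", recapture(ref)))               # ('accepted', 1.0)
    print(verify("alice", constructed_sample(2)))        # rejected: impostor finger
    print(verify("alice", constructed_sample(1, n=5)))   # failure_to_acquire
```

The greedy one-to-one assignment in match_score is deliberately simple; a production matcher also aligns the two point sets for rotation and translation before counting pairs. What carries over unchanged is the accounting: the two quality-gate outcomes never reach the matcher and therefore must be reported to the FTA/FTE statistics rather than silently folded into "rejected".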
Is Failure to Enroll a typical problem for a biometric system?
Every biometric feature can fail occasionally or permanently. Temporary failures can be caused by worn or sticky fingertips (fingerprint), medication such as atropine (iris recognition), hoarseness (voice recognition), or a broken arm (signature). Well-known permanent failures are, for example, cataract, which makes retina identification impossible, or rare skin diseases that permanently destroy a fingerprint. Therefore, every biometric system needs a fall-back process; that fall-back must not become the weakest link and has to be protected at least as well as the biometric path it replaces. A fall-back is also needed when a key is lost or a PIN is forgotten, so user failure affects all authentication systems, not only biometric ones. In fact, one can see that here, too, biometric systems are preferable to conventional methods.
How are the FAR and FRR minimized in a biometric system?
The false acceptance rate (FAR) can be adjusted in the recognition algorithm via the acceptance threshold: the higher the threshold, the lower the FAR. Raising the threshold, however, also raises the FRR. The goal must therefore be as small an FAR as possible for any given FRR, and vice versa. Some factors primarily influence the FAR, others mainly the FRR. For a fixed FRR, the FAR depends on the following factors:
- type of biometric feature
- quality of the sensors
- user behavior
- effectiveness of the recognition algorithm
- the number of biometric references in an identification system
Hence the optimization possibilities are clear:
- choose suitable biometric features: the uniqueness of the feature essentially affects the FAR, whereas permanence and measurability affect the FRR
- choose the sensor with the best (image) quality: this mainly reduces the FRR
- eliminate faulty operation by the user: this also reduces the FRR
- optimize the recognition algorithm
- limit the number of biometric references in an identification system: this reduces the FAR and increases the FRR
How does a transition from verification to identification affect the FAR?
In a verification a biometric feature is compared with only one reference, whereas in an identification it is compared with N (N > 1) different references. This transition to identification results in a higher FAR; in the ideal case of independent comparisons:
$FAR_N = 1 - (1 - FAR_1)^N$
where $FAR_N$ is the false acceptance rate for N different stored references. The formula is restricted to the “access control” case, in which the correct assignment to an identity is not essential. For $N \cdot FAR_1$ significantly smaller than 1, the approximation
$FAR_N \approx N \cdot FAR_1$
holds. Example: a database holds 100 000 different references. In an identification, the FAR is raised from $10^{-7}$ to about $10^{-2}$!
If in an application the correct assignment of ID data is essential (e.g., for bank transactions), other methods have to be used, as explained under Determination of FIR.
How does a transition from verification to identification affect the FRR?
During identification a request feature is compared to all reference features. In contrast to a verification, more than one similarity value (score) is generated. This complicates the decision whether a feature is to be accepted or not; in particular, there are multiple ways to decide when several scores exceed the threshold. As a result, each decision procedure needs its own definition of a false rejection. Two examples are given:
One must differentiate between applications which allow access to personal data after a successful identification (e.g., access to a personal bank account) and applications which grant general access independent of one's identity (e.g., entrance to a room without a record of the identified person's presence). In the first case a biometric feature may be assigned to a wrong identity. This is called a false identification, characterized by the False Identification Rate (FIR). Furthermore, more than one reference template may generate a score above the threshold. This case is treated under Determination of FIR, which shows that different decision strategies may yield different results.
In the second case, the false rejection rate FRR decreases with an increasing number of references! How can that be? Very simply: the probability increases that a legitimate user is “identified” not only by his or her own reference but also by someone else's, which would normally count as a false acceptance. The user, however, does not notice the system's mistake. Under ideal conditions this is:
$FRR_N = FRR_1 (1 - FAR_1)^{N-1}$
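The two ideal-case formulas for the transition from verification to identification (the FAR scaling above and the FRR formula just given), carried through in code as an added example that is not part of the original page. It also answers the inverse question a deployer actually asks, namely how large the gallery may grow before a target identification FAR is exceeded; that inverse is my own rearrangement of the page's formula under the same independence assumption. log1p/expm1 are used because $1 - (1 - 10^{-7})^N$ evaluated naively loses precision.

```python
"""Added example (not from the original page): FAR and FRR when moving from
1:1 verification to 1:N identification, using the ideal-case formulas
FAR_N = 1 - (1 - FAR_1)^N and FRR_N = FRR_1 (1 - FAR_1)^(N-1)."""
import math


def far_identification(far1: float, n: int) -> float:
    """FAR_N = 1 - (1 - FAR_1)^N, evaluated without cancellation."""
    return -math.expm1(n * math.log1p(-far1))


def far_identification_approx(far1: float, n: int) -> float:
    """FAR_N ~ N * FAR_1, valid only while N * FAR_1 << 1."""
    return n * far1


def frr_identification(frr1: float, far1: float, n: int) -> float:
    """FRR_N = FRR_1 * (1 - FAR_1)^(N - 1) for the access-control case, where a
    false match against any other reference still lets the genuine user in."""
    return frr1 * math.exp((n - 1) * math.log1p(-far1))


def max_gallery_size(far1: float, target_far_n: float) -> int:
    """Largest N with FAR_N <= target (inverse of far_identification; an
    assumption of this example, not a formula from the page). The two loops
    correct the integer cast against floating-point rounding."""
    n = int(math.log1p(-target_far_n) / math.log1p(-far1))
    while far_identification(far1, n + 1) <= target_far_n:
        n += 1
    while n > 0 and far_identification(far1, n) > target_far_n:
        n -= 1
    return n


if __name__ == "__main__":
    # The page's example: 100 000 references, FAR_1 = 1e-7
    print(far_identification(1e-7, 100_000))          # about 0.00995
    print(far_identification_approx(1e-7, 100_000))   # 0.01
    print(frr_identification(0.02, 1e-7, 100_000))    # slightly below 0.02
    print(max_gallery_size(1e-7, 1e-3))               # gallery size for FAR_N <= 1e-3
```

For N·FAR₁ approaching 1 the linear approximation overstates the exact value noticeably (at N·FAR₁ = 1 the exact FAR_N is 1 − 1/e ≈ 0.63, not 1), which is why the exact form is the one to use when sizing a gallery.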
When are FAR and FRR values statistically significant?
A value is considered statistically significant when it is likely to fall within a given error interval, and the probability of falling outside that interval by chance is low. Statistical significance depends on the number of trials (sample size). Because biometric values are difficult to model, statistical significance is hard to estimate. As a rule of thumb (“Doddington's rule”), enough tests must be conducted that at least 30 erroneous cases occur [Porter 1977]. Example: an FAR of $10^{-6}$ can be considered reliable when 30 errors occur in 30 million trials. One error in a million trials also gives an FAR of $10^{-6}$, but is statistically far less significant. Biometric tests are therefore very expensive if performance needs to be very high. The situation would be easier if further information could be considered along with the yes/no (accept/reject) decisions, for example how close a decision was to the acceptance threshold.
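The rule of 30 in numbers, as an added example that is not part of the original page: how many trials a test needs for a given error rate, and how wide the confidence interval around the measured rate is for a given number of observed errors. The interval uses the normal approximation to the binomial with a 90 % two-sided quantile; that choice is an assumption of this example, the page states only the rule itself.

```python
"""Added example (not from the original page): trial counts for the rule of 30
and the relative width of the confidence interval around a measured error
rate, using the normal approximation to the binomial (assumption)."""
import math

Z_90 = 1.6449   # two-sided 90 % quantile of the standard normal distribution


def trials_for_rule_of_30(error_rate: float, errors: int = 30) -> int:
    """Smallest number of trials expected to produce `errors` errors at `error_rate`.
    The round() removes floating-point noise before taking the ceiling."""
    return math.ceil(round(errors / error_rate, 6))


def relative_half_width(errors: int, error_rate: float = 0.0, z: float = Z_90) -> float:
    """Relative half-width of the confidence interval for an error rate p
    estimated from `errors` errors in n = errors / p trials:
    z * sqrt(p (1 - p) / n) / p = z * sqrt((1 - p) / errors)."""
    if errors < 1:
        raise ValueError("at least one observed error is needed")
    return z * math.sqrt((1.0 - error_rate) / errors)


def report(error_rate: float, errors: int) -> str:
    n = trials_for_rule_of_30(error_rate, errors)
    hw = relative_half_width(errors, error_rate)
    return (f"{errors} errors in {n} trials: rate ~ {error_rate:g}, "
            f"90% interval roughly +/- {hw:.0%} of that value")


if __name__ == "__main__":
    print(report(1e-6, 30))   # 30 errors in 30000000 trials ... +/- 30%
    print(report(1e-6, 1))    # 1 error in 1000000 trials ... +/- 164% (not meaningful)
```

With 30 observed errors the interval is about ±30 % of the measured rate; with a single error it is wider than the rate itself, which is the quantitative content of the page's "one error in a million trials" remark.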
How does one determine the Receiver Operating Characteristic (ROC) of a biometric system?
A biometric system test usually starts by determining the similarities of different biometric features and a saved reference feature. After many measurements, one receives a histogram or distribution for authorized users and another for unauthorized users showing the frequency of matches per similarity rating. In an ideal case, the two distribution graphs should overlap as little as possible. When setting a certain similarity rating as a threshold for determination of authorized versus non authorized users, the false acceptance rate (FAR) is the number of non authorized users whose similarity rating happens to fall above the threshold compared to all attempts. On the other hand, a false rejection rate (FRR) is the number of authorized users whose similarity ratings happen to fall below this threshold compared to all attempts. Through integration (in practice, successive summation) of these distribution graphs, FAR and FRR graphs are determined, which are dependent on the adjustable adopted threshold.
If one wants to compare different biometric systems, it is problematic that “similarities” (or, inversely, “distances”) are defined very differently, so that threshold values often have incomparable meanings. The ROC avoids this difficulty: the similarity threshold is eliminated and the FRR is plotted as a function of the FAR.
Is a biometric system’s performance dependent upon the user?
Generally, yes. This applies for false acceptance rate (FAR) as well as for false rejection rate (FRR). We experience this in our everyday lives — some faces are easy to recognize and remember, whereas others are difficult. Therefore, the statistical means of FAR and FRR, typical indicators, are not very helpful for individual users. This dependence on the individual user is also responsible for the fact that statistical properties of FAR and FRR measurements are very difficult to quantify.
What is compromisation of a biometric feature?
Here, compromisation of a biometric feature means the exposure of one or more biometric features in a form that allows their use for forgery.
Is the compromisation of biometric features a problem?
Yes and no. Biometric features should be as unique and permanent as possible. If compromised, the danger is that a biometric feature can be misused and must then, like a leaked password, be treated as unusable, except that a password can always be replaced whereas a biometric feature cannot. The actual danger depends on the application and the associated precautions.
No. Almost all biometric features are more or less unconcealed and therefore public (face, fingerprint, iris, voice, etc.). It is therefore a basic security requirement of a biometric system that this public exposure, and the resulting possibility of compromise, cannot lead to damage. If the operator of a system highly values correct identification, the operator must make sure that the system only evaluates features belonging to the (living) person present. That means: a biometric system for high-security applications cannot just compare features; it must also monitor the source of the sample. The injection of copied data by an outside party is relatively easy to prevent. It is significantly more difficult, although possible, to make sure that the scanned feature is not a mechanical copy (liveness detection). (It is sometimes said to be important that the original image, e.g. the ridge image, cannot be reconstructed from the feature record. This does not help much, because any copy of a person's feature that produces the same record is sufficient for misuse [Bromba].) To be certain, the biometric feature must be bound to another unique but changeable data set (e.g., a random number). Both are verified during an authentication, and the changeable part is what gets revoked: in case of compromise the changeable data set is blocked and a new one is combined with the original biometric feature.
Yes. Unfortunately, after compromise dangerous misuse is possible in applications where the authorized user cannot control, and is not aware of, the processing of his or her biometric traits. An analogy from the internet are ‘cookies’, which serve to re-recognize a surfer's identity. They are used in online shopping when a surfer fills a shopping cart and visits another site before purchasing: the customer is recognized by marks (cookies) left by the online company on the surfer's computer, which can be read at any time. Unfortunately, cookies are also used to track one's web behavior and, as soon as the user's e-mail address is entered, a known identity may be assigned. The release of (biometric and non-biometric) identity data can in principle have the same effect as complete surveillance of a user.
This shows that exposure of biometric features is less a security problem than a privacy problem.
What can be done against compromisation of one’s biometric features?
In private applications a compromise is unlikely, as the user alone has access to his or her own data (e.g., a home computer). Otherwise, one should only give the feature to trustworthy applications and partners. The partner is obliged not to pass on the biometric trait and to store it securely.
What are the advantages of using a chip card for biometric authentication?
In biometrics, possession of a chip card combined with biometric methods further increases the security of a verification. Not only the reference features but also the identity data of the user are stored on the chip card. For authentication, the card plus presentation of the biometric feature is necessary. The following advantages result:
- entry of a user ID via keypad is unnecessary
- no central database storing reference features is necessary
- compromise of the biometric feature alone, without possession of the card, is not critical
- with a chip card that has an integrated crypto processor and performs the feature matching on the card, the reference template never has to leave the card, so compromise by reading it out is ruled out
- if a normal chip card is stolen, it must be blocked and a new card issued; with a crypto card, only the stored, never-displayed secret key must be changed
Still higher security is achieved with a crypto card that integrates the biometric sensor into the card. This protects more effectively against the injection of compromised data records, because the sensor cannot be intercepted externally when it is the only interface for biometric input. Today's chip cards, however, do not yet offer the computational power required to extract the feature data directly on the card.
For security applications, the use of pure memory cards is not advisable: when lost, they cannot be blocked, and an unauthorized user can easily read out the biometric data.
How is the probability distribution function measured for a biometric system’s authorized and unauthorized users?
In order to investigate the performance of a biometric verification system, one looks at how the system reacts to a large number of requests with biometric features from authorized as well as unauthorized users. Due to natural fluctuations and measurement imperfections, the results of such an investigation are never absolutely certain, only predictable to a certain extent. To determine the error rates “false acceptance” and “false rejection”, the yes/no decisions “authorized/unauthorized” are not used; instead, the underlying degree of similarity between a request and the stored reference feature is. In a series of measurements, similarity ratings (“score values”) are collected for authorized and unauthorized users, and the frequency of occurrence is counted for every similarity rating. Normalized with the total number of requests, the two resulting histograms form the probability distribution functions: the measured estimates of the probability that a certain similarity rating n occurs for authorized users, $p_B(n)$, and for unauthorized users, $p_N(n)$:
$p_B(n) = \frac{\text{number of measurements with similarity rating } n \text{ for authorized users}}{\text{total number of measurements for authorized users}}$
$p_N(n) = \frac{\text{number of measurements with similarity rating } n \text{ for unauthorized users}}{\text{total number of measurements for unauthorized users}}$
The higher the total number of measurements, the more accurate the estimate. A mathematical determination of the probabilities as the ratio of favourable to total possibilities, as for dice, fails because there are simply too many different possibilities to enumerate.
In an ideal case (unfortunately unachievable), the two distribution curves do not overlap. That means requests from unauthorized users get the low similarity ratings, whereas all the high similarity ratings belong to authorized users. In such a case it is easy to define a decision threshold that clearly separates authorized from unauthorized users. In practice, however, there is always an overlap once the number of users is high enough. A typical diagram:
How do the FAR/FRR paired graphs affect a biometric system?
The error graphs of FAR and FRR are respectively defined as the probability that an unauthorized user is accepted as authorized, and that an authorized user is rejected as unauthorized. The curves depend on an adjustable decision threshold for the similarity of a scanned feature to a stored reference feature. The following derivations assume that a similarity rating can be any whole number between 0 and K and that, for simplicity's sake, the probability of the value K occurring is 0. In practical applications it also makes sense to consider the FMR and the FNMR first and to add the threshold-independent rejections due to insufficient image quality afterwards to obtain the FAR and FRR. Furthermore, we assume that acceptance requires a match of two features and rejection a non-match.
If a general probability distribution function p is given for discrete similarity values n, the probability $P_M(th)$ that a scanned feature with similarity rating n falls below the threshold th (“misses”) is:
$P_M(th) = \sum_{n=0}^{th-1} p(n)$
The sum of hits and misses must equal the total number of events. Hence the probability $P_H(th)$ that the similarity rating of the scanned trait reaches or exceeds the threshold th (“hits”) is:
$P_H(th) = \sum_{n=th}^{K} p(n) = 1 - P_M(th)$
The False Match Rate FMR(th) is the probability that the similarity of two non-identical features reaches or exceeds the threshold th. Therefore:
$FMR(th) = \sum_{n=th}^{K} p_N(n)$
For the False Non-Match Rate FNMR(th) the analogous holds:
$FNMR(th) = \sum_{n=0}^{th-1} p_B(n)$
where $p_N$ is the probability distribution function for unauthorized users and $p_B$ that for authorized users. The limit values are:
$FMR(0) = 1, \quad FMR(K) = 0$
$FNMR(0) = 0, \quad FNMR(K) = 1$
To calculate FAR and FRR, the threshold-independent quality rejection rate QRR (equal to the FTA, depending on definition) has to be taken into consideration. Provided that a false acceptance corresponds to a false match, we obtain:
$FAR(th) = (1 - QRR)\, FMR(th)$
$FRR(th) = QRR + (1 - QRR)\, FNMR(th)$
For the border values we then get:
$FAR(0) = 1 - QRR, \quad FAR(K) = 0$
$FRR(0) = QRR, \quad FRR(K) = 1$
Setting a similarity rating th as the threshold to differentiate between authorized and non authorized users, results in the experimental estimation of false acceptance rate FAR(th), as the number of similarity ratings of non authorized users that fall above this threshold in comparison to all trials / number of similarity ratings. Conversely, the false rejection rate FRR is the number of authorized user’s similarity ratings which fall below this same threshold compared with the total inquiries. Through integration (in practice, successive summation) of the probability distribution curves, FAR and FRR graphs are determined, which are dependent on the adjustable adopted threshold th. The following diagrams show typical results in linear and logarithmic scale:
How does one determine the Receiver Operating Characteristic (ROC) of a biometric system?
The FAR/FRR curve pair is excellently suited to setting an optimal threshold for a biometric system. As a predictor of the system's performance beyond that, however, it is of limited use. This is partly due to the interpretation of the threshold and of the similarity measure. The definition of the similarity measure is an implementation question: almost arbitrary scalings and transformations are possible, which change the appearance of the FAR/FRR curves but not the FAR and FRR values at a given threshold. A popular example is the use of a “distance measure” between the reference feature and the scanned feature: the greater the similarity, the smaller the distance, and the result is a mirror image of the FAR/FRR curves. A favourite trick is to stretch the scale of the FAR/FRR curves near the EER (Equal Error Rate: FAR(th) = FRR(th)), i.e., to use more threshold values there, thus making the system appear less sensitive to threshold changes.
To compare different systems effectively, a description independent of threshold scaling is required. One such description, taken from radar technology, is the Receiver Operating Characteristic (ROC), which plots FRR values directly against FAR values, thereby eliminating the threshold parameter. The ROC, like the FRR, can only take values between 0 and 1, and is limited to values between 0 and 1 on the x axis (FAR). It has the following characteristics:
- The ideal ROC consists only of points on the x axis (FAR) or the y axis (FRR); i.e., wherever the FRR is not 0, the FAR is 0, and wherever the FAR is not 0, the FRR is 0.
- The highest point (on a linear scale, under the definitions used here) is for all systems given by FAR = 0 and FRR = 1.
- The ROC never increases: as the FAR grows, the FRR can only stay constant or fall.
As the ROC curves of good systems lie very close to the coordinate axes, it is reasonable to use a logarithmic scale on one or both axes:
What is essential when comparing the ROC performance of biometric systems?
The accuracy performance of a verification system is determined by exactly three statistical quantities: FAR, FER and FRR. Since these three quantities influence each other when parameters (e.g., the quality acceptance thresholds for enrollment and authentication) are changed, comparing one quantity between two systems only makes sense when the other two are equal. For example, if the FARs of different systems are compared, the corresponding FRRs must be equal and the FERs must be equal too. In a ROC diagram this condition is easily fulfilled for all FRRs for which the curve has been measured, provided that the FERs of all curves are constant and the same. This is often violated, however, because the FERs are actually different!
A solution to this problem comes from the procedure used, e.g., in the Fingerprint Verification Competition FVC2002, where different algorithms for fingerprint recognition were tested. The idea is to treat a failure-to-enroll case as a virtual “FTE user” with the following properties:
- If the virtual FTE user tries a (virtual!) authentication, the result is always a rejection, thus increasing the FRR.
- If an impostor tries an authentication attempt against a virtual FTE user, a rejection is always assumed, thus decreasing the FAR.
This way the FER is eliminated, and the ROC curves as well as the FAR/FRR values become comparable. Mathematically, this is implemented by introducing a Generalized FRR (GFRR) and a Generalized FAR (GFAR). (Fixing these terms will be a matter of standardization; they are used here until standardization is finalized.) The calculation of GFRR and GFAR is quite simple if we assume that each authentication trial is preceded by its own enrollment trial. This makes sense because authentication performance is not independent of enrollment: a good enrollment delivers better FRR values than a poor one. It is therefore statistically more accurate not to base a whole FRR statistic on a single enrollment!
$GFAR(th) = (1 - FER)\, FAR(th)$
$GFRR(th) = FER + (1 - FER)\, FRR(th)$
Here (th) denotes the dependency on the decision threshold th, which is assumed to range between 0 and K (arbitrary); see “How do the FAR/FRR paired graphs affect a biometric system?”. These formulas show a strong relationship to those derived for FAR and FRR when including the FTA (Failure-to-Acquire).
Similarly, we get for the border values:
$GFAR(0) = (1 - FER)(1 - QRR), \quad GFAR(K) = 0$
$GFRR(0) = FER + (1 - FER)\, QRR, \quad GFRR(K) = 1$
Both formulas are symmetric in QRR (= FTA) and FER (= FTE), showing the strong relationship between Failure to Enroll and Failure to Acquire. In some cases these two values are even equal, namely when the biometric system uses the same quality rejection mechanisms and levels for enrollment and for authentication. In practice, higher quality requirements during enrollment, leading to a higher FTE, can be quite reasonable to prevent the enrollment of useless features; too low an enrollment quality also decreases the usability of the authentication system in daily use. In many applications it is better to spend more time during enrollment than to lose time through repeated authentication trials.
A ROC diagram using GFAR and GFRR will be called a Generalized ROC (GROC) diagram for consistency.
What does separability of a biometric system mean?
The Receiver Operating Characteristic (ROC) offers an objective comparison of different biometric systems in the form of a graph. More practical would be a single measured value that forms a kind of average over all settings of a system. With it, only a global description of the system is possible; one must keep in mind that a system can be better overall despite being worse locally, for example at a particular operating point.
Separability is, intuitively, the ability of a biometric system to differentiate authorized and unauthorized users on the basis of a biometric feature. The higher the separability, the fewer errors in differentiating authorized and unauthorized users. Like the ROC, a separability measure must not depend on implementation-specific scales, and it should be easy to calculate.
A well-known measure of (inverse) separability is the Equal Error Rate (EER). Unfortunately, the EER describes only one single point of the ROC. While its definition is simple, its calculation is not: the EER point does not exist as a measurement; it is derived through a decision rule and approximation.
An (inverse) separability measure that avoids the disadvantages of the EER is the area below the ROC graph. It is easily calculated by summation over all ROC values. The only difficulty is that the ROC points are not equidistant. Therefore, every y value (FRR) must be weighted by the distance between its x value (FAR) and the next one. This distance for each ROC point is just the difference (i.e., the gradient) of two consecutive values of the FAR graph, and that difference is given by the probability distribution of the unauthorized users, $p_N$. (For continuous functions, where the sum is replaced by an integral, this follows from the substitution rule for integrals.) The ROC area, here called ROCA, is (K + 1 being the number of similarity ratings considered):
$ROCA = \sum_{n=0}^{K} FRR(n)\, p_N(n)$
This formula needs only additions and multiplications of existing measured values. Even though implementation-specific similarity ratings n are summed over, the ROCA is independent of their definition. However, one must assume that no threshold-independent rejections occur, i.e., FRR = FNMR and FAR = FMR.
Both EER and ROCA can take values between 0 and 1. Ideal separability of a biometric system, i.e. of the distributions $p_B$ and $p_N$, obviously results in EER and ROCA values of 0. But what value belongs to ideal non-separability? Intuitively, ideal non-separability can only mean that both distributions are exactly the same, $p_B = p_N$. In that case:
$EER = \tfrac{1}{2}$ and $ROCA \approx \tfrac{1}{2}$
(Proof of the approximation: replace the sum by an integral and consider $p_B$ as the derivative of FRR; then only the rule for integration by parts is needed.)
Reasonable values for EER and ROCA therefore lie between the extremes: 0 for perfect separability and ½ for perfect non-separability. What do values between ½ and 1 mean? This range is left for cases in which the distributions $p_B$ and $p_N$ trade roles and change places in the diagram. For separability, this range has practically no meaning in biometrics.
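The whole chain from score histograms to the separability measures, as one added example that is not part of the original page: it serves the histogram definition of $p_B$/$p_N$, the FMR/FNMR and FAR/FRR derivation with QRR, the GFAR/GFRR step with FER, and the EER/ROCA section above. The score lists are constructed (not measured data), similarity ratings are integers 0..K with p(K) = 0 as the derivation assumes, and the EER is located by linear interpolation between the two consecutive thresholds where FAR − FRR changes sign; that interpolation is one of the possible "decision and approximation" conventions, chosen here, not prescribed by the page.

```python
"""Added example (not from the original page): score histograms -> FMR/FNMR ->
FAR/FRR with a quality rejection rate QRR -> GFAR/GFRR with a failure-to-enroll
rate FER -> EER and ROC area, on constructed score lists."""
from typing import List, Tuple


def histogram(scores: List[int], K: int) -> List[float]:
    """p(n) for n = 0..K, normalised by the number of measurements; scores must be < K."""
    if not scores or any(s < 0 or s >= K for s in scores):
        raise ValueError("scores must lie in 0..K-1 so that p(K) = 0")
    p = [0.0] * (K + 1)
    for s in scores:
        p[s] += 1.0 / len(scores)
    return p


def fmr_fnmr(pN: List[float], pB: List[float]) -> Tuple[List[float], List[float]]:
    """FMR(th) = sum_{n>=th} pN(n) (non-mate hits); FNMR(th) = sum_{n<th} pB(n) (mate misses)."""
    K = len(pN) - 1
    fmr = [sum(pN[th:]) for th in range(K + 1)]
    fnmr = [sum(pB[:th]) for th in range(K + 1)]
    return fmr, fnmr


def far_frr(fmr: List[float], fnmr: List[float], qrr: float) -> Tuple[List[float], List[float]]:
    """Fold the threshold-independent quality rejections (QRR = FTA) back in."""
    return [(1 - qrr) * f for f in fmr], [qrr + (1 - qrr) * f for f in fnmr]


def gfar_gfrr(far: List[float], frr: List[float], fer: float) -> Tuple[List[float], List[float]]:
    """Virtual FTE user: every failure to enroll becomes a rejection."""
    return [(1 - fer) * f for f in far], [fer + (1 - fer) * f for f in frr]


def eer(far: List[float], frr: List[float]) -> float:
    """EER by linear interpolation between the two consecutive thresholds where
    FAR - FRR changes sign (one of several possible conventions)."""
    for th in range(len(far) - 1):
        d0, d1 = far[th] - frr[th], far[th + 1] - frr[th + 1]
        if d0 >= 0 >= d1:
            t = 0.0 if d0 == d1 else d0 / (d0 - d1)
            return far[th] + t * (far[th + 1] - far[th])
    raise ValueError("FAR and FRR curves do not cross")


def roca(fnmr: List[float], pN: List[float]) -> float:
    """Area below the ROC (FNMR over FMR): each FNMR(n) weighted by the FMR step pN(n)."""
    return sum(f * p for f, p in zip(fnmr, pN))


# Constructed score lists (not measured data): K = 10, ratings 0..9
GENUINE = [5, 6, 7, 7, 8, 8, 8, 9, 9, 9]
IMPOSTOR = [0, 1, 1, 2, 2, 2, 3, 3, 6, 7]
K = 10


def analyse(genuine=GENUINE, impostor=IMPOSTOR, K=K, qrr=0.05, fer=0.02) -> dict:
    pB, pN = histogram(genuine, K), histogram(impostor, K)
    fmr, fnmr = fmr_fnmr(pN, pB)
    far, frr = far_frr(fmr, fnmr, qrr)
    gfar, gfrr = gfar_gfrr(far, frr, fer)
    return {"fmr": fmr, "fnmr": fnmr, "far": far, "frr": frr, "gfar": gfar,
            "gfrr": gfrr, "eer": eer(fmr, fnmr), "roca": roca(fnmr, pN)}


if __name__ == "__main__":
    r = analyse()
    for th in range(K + 1):
        print(th, round(r["far"][th], 3), round(r["frr"][th], 3),
              round(r["gfar"][th], 3), round(r["gfrr"][th], 3))
    print("EER", round(r["eer"], 3), "ROCA", round(r["roca"], 3))
```

Running analyse() reproduces the border values derived above (FAR(0) = 1 − QRR, FRR(0) = QRR, FRR(K) = 1, GFRR(0) = FER + (1 − FER)·QRR). Feeding the same histogram in as both $p_B$ and $p_N$ gives EER = ½ and ROCA = (1 − Σp(n)²)/2, i.e. ½ up to the discreteness of the ratings, which is the non-separability limit the section states.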
What needs to be considered in the definition of FRR?
Even though the false rejection rate, FRR, is intuitively easy to understand, there can be many problems when trying to fix an unequivocal or universal definition. The following must be taken into account:
- The FRR is a statistical value whose measurement accuracy depends on the number of measurements. Now the FRR is not only dependent on the biometric system, but on the users as well. There is thus a personal FRR. If one wants to deal with large numbers of people, it is important that the end result is not negatively affected by an individual. Such could occur when the number of attempts per person differs. This problem can be avoided, if one first identifies each personal FRR curve and calculates the mean from those (or uses the median, but this provides different values!).
- The exact meaning of rejection must be clarified. Here for example, the total number of recognition attempts before the final assessment of a failed recognition play a role. There are systems, which can continuously process a verification in real time. Here a verification time slot is offered.
- Many biometric systems reject a verification due to poor picture quality (e.g., dirty or worn down fingers in a fingerprint verification, noisy surroundings in a voice recognition, poor lighting in a facial recognition, or sensor problems). When such problems are not due to a faulty operation, rejections due to picture quality problems are still false rejections. The user is indifferent to the reason for false rejections.
- Even the personal FRR can vary with time. It sinks, for example, when one frequently uses the system, which can learn to avoid false rejections. In such cases, it is only reasonable for comparisons to determine FRR during learning phases.
If live/fake recognition (liveness detection) is also used, this needs to be taken into account when determining the FRR.
How is FRR defined in detail?
Due to the statistical nature of the false rejection rate, a large number of verification attempts have to be undertaken to get statistically reliable results. Each verification can be successful or unsuccessful. In determining the FRR, only fingerprints from successfully enrolled users are considered. The probability of failure, FRR(n), for a certain person n is measured as:
FRR(n) = (Number of rejected verification attempts for a qualified person (or feature) n) / (Number of all verification attempts for a qualified person (or feature) n)
These values become more reliable with more independent attempts per person/feature. The overall FRR for N participants is defined as the average of FRR(n) over all N participants.
The values are more accurate with higher numbers of participants (N). Alternatively, the median value may be calculated.
Important: the FRR determined in this way counts rejections for all reasons, including poor picture quality as well as finger position, rotation, etc. In many systems, however, rejections due to bad quality are largely independent of the threshold. The FRR after quality filtering is defined analogously:
(Number of rejected “qualified” attempts) / (Total number of “qualified” attempts)
An FRR defined in this way generally yields better data sheet values, but these lower numbers are not what the user experiences in practice.
Finally, the result of a verification attempt has to be defined exactly:
A verification attempt is successful if the user interface of the application provides a “successful”-message or if the desired access is granted.
A verification attempt counts as rejected if the user interface of the application provides an “unsuccessful”-message.
In cases of no reaction, a verification time interval has to be given to ensure comparability. If the time interval has expired the verification attempt is counted unsuccessful.
What needs to be considered in the definition of FAR?
Similar to the FRR, the false acceptance rate can be defined differently.
- The FAR is a statistical value whose measurement accuracy depends on the number of measurements. The FAR depends not only on the biometric system but on the user as well, so there is also a personal FAR. When dealing with large numbers of people, it is important that a single individual does not distort the end result, which can happen when the number of attempts per person differs. This problem can be avoided by first determining each personal FAR curve and then calculating the mean of those (or the median, but this gives different values!). In determining the FAR, it is generally easier to limit the number of recognition attempts to 1 per person. Further attempts per person smooth the ROC graph but add little to the statistical significance.
- If the biometric system has picture quality management, which happens to reject a false user due to poor picture quality already before verification, this is of course a correct rejection, and leads to an improved FAR.
- Strong behavioral biometric features (e.g., voice or signature) are often deliberately forged or copied. In investigating the FAR, it needs to be stated whether the tests use only the (unforged) features of other persons or also deliberate forgeries. This difference can be serious.
How is FAR defined in detail?
Due to the statistical nature of the false acceptance rate, a large number of fraud attempts have to be undertaken to get statistically reliable results. Each fraud attempt can be successful or unsuccessful. The probability of success, FAR(n), against a certain enrolled person n is measured as:
FAR(n) = (Number of successful fraud attempts against a person (or feature) n) / (Number of all fraud attempts against a person (or feature) n)
These values become more reliable with more independent attempts per person/feature. The overall FAR for N participants is defined as the average of FAR(n) over all N participants.
The values are more accurate with higher numbers of participants (N). Alternatively, the median value may be calculated.
Whether a correct rejection is due to poor picture quality or really to the person’s unauthorized status is (just as in practice) irrelevant.
The crucial number for the determination of statistical significance is the number of independent attempts. Obviously, two attempts in which two persons alternately serve as reference and as requester are not independent of each other. Likewise, multiple attempts by one unauthorized user are considered dependent and therefore contribute less to the statistical significance.
Finally, the following items have to be settled, or defined, respectively:
- What is a fraud attempt?
- How is the result of a fraud attempt defined exactly?
Usually, during FAR determination, a fraud attempt is an attack using the features of a non-authorized person. This, however, suggests a level of security that is not actually present, since there are many further, more promising attack possibilities that such a test does not cover.
A fraud attempt is successful if the user interface of the application provides a “successful”-message or if the desired access is granted. A fraud attempt counts as rejected if the user interface of the application provides an “unsuccessful”-message. In cases where no “unsuccessful”-message is available, a verification time interval has to be given to ensure comparability. If the verification time interval has expired the fraud attempt is counted unsuccessful.
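To make the per-person definitions of FRR(n) and FAR(n) above concrete, here is an added example (not from the original page) that computes them from a constructed attempt log and aggregates them three ways: mean of the personal rates, median of the personal rates, and the pooled rate over all attempts. The subject names, the log layout and the function names are assumptions. It also applies the timeout rule for counting an attempt with no UI reaction.

```python
"""Per-person FRR(n)/FAR(n) from an attempt log, aggregated by mean, median and pooling.

Added example (not from the original page). The attempt log below is constructed;
subject names, the column layout and the function names are assumptions."""
from collections import defaultdict
from statistics import mean, median

# Constructed attempt log, one tuple per verification attempt:
# (reference subject, kind, outcome, quality_ok)
#   kind       "genuine"  = enrolled user verifying against her own reference
#              "impostor" = fraud attempt using another person's feature
#   outcome    "accept" or "reject" as reported by the application's UI
#   quality_ok False = the sensor/quality filter refused the sample before matching
ATTEMPTS = (
    [("alice", "genuine", "accept", True)] * 3
    + [("alice", "genuine", "reject", False)]        # worn finger: quality rejection
    + [("bob", "genuine", "accept", True)] * 2
    # carol made many attempts and has a high personal FRR
    + [("carol", "genuine", "reject", True)] * 6
    + [("carol", "genuine", "accept", True)] * 6
    + [("alice", "impostor", "reject", True), ("alice", "impostor", "accept", True)]
    + [("bob", "impostor", "reject", True), ("bob", "impostor", "reject", False)]
    + [("carol", "impostor", "reject", True)]
)


def attempt_result(ui_message, elapsed_s, window_s):
    """Map a UI reaction to "accept"/"reject" with the timeout rule:
    no message within the verification time window counts as unsuccessful."""
    if ui_message == "successful":
        return "accept"
    if ui_message == "unsuccessful" or elapsed_s >= window_s:
        return "reject"
    return "pending"   # still inside the window, not yet countable


def personal_rates(attempts, kind, error_outcome, drop_quality_rejects=False):
    """FRR(n) (kind="genuine", error="reject") or FAR(n) (kind="impostor", error="accept")
    per reference subject n: error attempts / all attempts of that kind."""
    errors, totals = defaultdict(int), defaultdict(int)
    for subject, k, outcome, quality_ok in attempts:
        if k != kind:
            continue
        if drop_quality_rejects and not quality_ok:
            continue            # "qualified attempts only": the data-sheet variant
        totals[subject] += 1
        if outcome == error_outcome:
            errors[subject] += 1
    return {s: errors[s] / totals[s] for s in totals}


def overall_rates(attempts, kind, error_outcome, drop_quality_rejects=False):
    """Return (mean of personal rates, median of personal rates, pooled rate).
    Pooling all attempts lets a subject with many attempts dominate the figure."""
    personal = personal_rates(attempts, kind, error_outcome, drop_quality_rejects)
    err = tot = 0
    for subject, k, outcome, quality_ok in attempts:
        if k != kind or (drop_quality_rejects and not quality_ok):
            continue
        tot += 1
        err += outcome == error_outcome
    return mean(personal.values()), median(personal.values()), err / tot


def frr(attempts, quality_filtered=False):
    """Overall FRR, optionally after quality filtering."""
    return overall_rates(attempts, "genuine", "reject", quality_filtered)


def far(attempts):
    """Overall FAR; quality rejections of impostor samples stay in as correct rejections."""
    return overall_rates(attempts, "impostor", "accept", False)


if __name__ == "__main__":
    print("FRR (mean, median, pooled):", frr(ATTEMPTS))
    print("FRR after quality filtering:", frr(ATTEMPTS, True))
    print("FAR (mean, median, pooled):", far(ATTEMPTS))
```

Carol makes many attempts and has a high personal FRR, so the pooled rate (7/18, about 0.39) is pulled towards her while the mean of the personal rates stays at 0.25; that is the distortion by one individual the text warns about. Dropping quality-rejected attempts lowers the FRR figure further, which is the data-sheet effect described above; for the FAR the quality rejections stay in because they are correct rejections.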
Is biometrics a privacy-enhancing or a privacy-threatening technology?
Recent concerns about the possible uses and misuses of biometrics have led to a discussion of whether biometrics is privacy-enhancing or privacy-threatening. A central question, according to Woodward (1999), is whether a user has full control over his data, knowing when, where, and why a submitted biometric feature is used. Unintended reuse is possible in non-biometric systems too, but the fear is greater because of the highly personal nature of biometric data, as opposed to a simple ID number. Some biometric data, such as DNA, reveal medical information that could be passed along to commercial systems, insurance companies, or the government. The privacy concerns with biometrics, as summarized by Wirtz (2000), are:
- Unauthorized access to biometric data
- Unauthorized disclosure of biometric data to third parties
- Use of biometric data for other than intended purpose
- Collection of biometric data without the knowledge of the individual
Meeting privacy and data protection requirements is a central concern to the success of biometric systems. Such concerns led to the formation of the IBIA (International Biometric Industry Association), an organization concerned with data protection and ID systems used in biometrics, particularly from the consumer viewpoint. Legal concerns can help ensure that biometrics are properly applied and therefore increase an individual’s security.
What is “Template on Card”?
With “Template on Card”, a chip card stores the extracted reference template electronically. There are different ways to realize this:
- The chip card is a simple memory card; the template is stored without encryption.
- As above, but with an encrypted template.
- The chip card is a processor card (and offers secret storage capabilities).
- The chip card is a processor card with cryptographic functions.
These possibilities fulfill increasing security requirements in that order. In all cases it must be noted that the communication partners of the chip card co-determine the security of the whole system.
What is “Matcher on Card”?
Chip cards with integrated matcher do not only store the reference template, they also compare (match) the reference template with the incoming request template. For that reason the card needs an internal processor (“smartcard”).
What are the features of Matcher on Card?
Advantage against other solutions
- Applications that use PIN authentication on a smart card may be extended to biometric authentication without changing the infrastructure. Example: the SIM card of a mobile phone. Even if the phone and/or the SIM card is lost, no unauthorized access to the network is to be feared.
- As the reference template need not leave the card, more privacy is guaranteed.
Drawback
There is only limited processing power and memory space available on the smart card. This requires some compromises with regard to biometric verification performance.
What must be observed with respect to security when dealing with “Template on Card”?
We consider the following possibilities for storage of biometric references on a chip card:
The chip card is a pure memory card, storage is unencrypted.
- The chip card can be read by anyone who finds it.
- The chip card can be duplicated by anyone; however, only the authorized user can use it.
- In principle, cards with references of non-authorized users can be produced which grant access to the system.
- If the authorized user’s (non-biometric) data is saved on the card, the danger of compromise when the card is lost is high.
The chip card is a pure memory card, storage is encrypted.
- The chip card can be read by anyone who finds it, but the contents cannot be interpreted.
- The chip card can be duplicated by anyone; however, only the authorized user can use it.
- Authentication via cards with references of non-authorized users is generally prevented.
- Compromise of the data is prevented.
The chip card is a processor card (smart card) with crypto functions.
- The chip card’s stored data can only be read and interpreted by a trustworthy communication partner (e.g., a protected PC, or a protected server via a non-protected PC).
- Duplication of the chip card can be prevented.
- Authentication via cards with references of non-authorized users is generally prevented.
- Compromise of the data is prevented.
Which security level is necessary, and which solution is appropriate, depends on the specific application.
What might PC access control with “Template on Card” look like? We consider the following implementation possibilities:
The chip card is a pure memory card, storage is unencrypted.
During enrollment, a PC connected to a biometric sensor extracts the biometric features and stores the extracted reference on the chip card. At verification, the access seeker inserts her chip card into the card reader and her biometric feature is scanned again. The PC then compares the scanned feature to the reference stored on the chip card. If the comparison exceeds a certain level of similarity, full clearance to the network is granted by sending the password (which is stored encrypted on the PC and decrypted for this purpose) from the PC to the server.
The chip card is a pure memory card, storage is encrypted.
As above. Additionally, however, the reference read from the card is decrypted on the PC, or better still on the server, with a securely stored key. Alternatively, the comparison itself should likewise take place on the server; in that case the currently extracted feature is transmitted securely from the PC to the server.
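The two memory-card variants just described, as an added example that is not from the original page or any vendor: the verifier holds the only key, the reference is sealed with encrypt-then-MAC before it is written to the card, and the scenarios() function checks what that does and does not prevent. The key, the templates, the 0.90 threshold, the bit-similarity matcher and the SHA-256 counter-mode stream cipher are all constructed stand-ins (a real deployment would use AES-GCM or another AEAD, and the vendor’s matcher).

```python
"""Template on Card with a pure memory card: plain vs. sealed reference storage.

Added example, not code from the original page or any vendor. The key, the
templates, the threshold and the SHA-256 counter-mode stream cipher are
constructed stand-ins (use AES-GCM or another real AEAD in production)."""
import hashlib
import hmac
import os
from typing import Optional

# Held only by the verifying PC/server; it is never written to the card (assumption).
VERIFIER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
THRESHOLD = 0.90   # minimum similarity for "full clearance" (constructed value)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 over key||nonce||counter. Stand-in for a real cipher."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the verifier key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal_template(key: bytes, template: bytes) -> bytes:
    """Encrypt-then-MAC the reference. The blob written to the memory card is
    nonce || ciphertext || tag: anyone can read it, nobody can interpret or forge it."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(template, _keystream(enc_key, nonce, len(template))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_template(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the reference template, or None if the blob was not sealed under `key`
    (i.e. a card carrying a reference the verifier never issued, or a tampered one)."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def similarity(a: bytes, b: bytes) -> float:
    """Stand-in matcher: fraction of equal bit positions of two equal-length templates."""
    if len(a) != len(b) or not a:
        return 0.0
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))


def verify_plain_card(card_blob: bytes, live_template: bytes) -> bool:
    """Unencrypted memory card: the PC trusts whatever reference is on the card."""
    return similarity(card_blob, live_template) >= THRESHOLD


def verify_sealed_card(key: bytes, card_blob: bytes, live_template: bytes) -> bool:
    """Encrypted memory card: only references sealed by the verifier are matched."""
    reference = open_template(key, card_blob)
    return reference is not None and similarity(reference, live_template) >= THRESHOLD


# Constructed 256-bit templates. Alice's live sample differs from her reference
# by two bits (sensor noise); Mallory's feature is unrelated to Alice's.
ALICE_REF = bytes(range(32))
ALICE_LIVE = bytes([ALICE_REF[0] ^ 0x01, ALICE_REF[1] ^ 0x80]) + ALICE_REF[2:]
MALLORY_REF = bytes(255 - i for i in range(32))
MALLORY_LIVE = MALLORY_REF


def scenarios() -> dict:
    """Outcomes for the cases listed under Template on Card security (all should be True)."""
    sealed_alice = seal_template(VERIFIER_KEY, ALICE_REF)
    foreign_card = seal_template(b"some-other-key", MALLORY_REF)   # not issued by our verifier
    return {
        # plain card: a card written with a non-authorized reference is accepted
        "plain_forged_card_accepted": verify_plain_card(MALLORY_REF, MALLORY_LIVE),
        "sealed_card_accepts_alice": verify_sealed_card(VERIFIER_KEY, sealed_alice, ALICE_LIVE),
        "sealed_card_rejects_mallory": not verify_sealed_card(VERIFIER_KEY, sealed_alice, MALLORY_LIVE),
        "sealed_foreign_card_rejected": not verify_sealed_card(VERIFIER_KEY, foreign_card, MALLORY_LIVE),
        # encryption does not stop duplication: a bit-for-bit copy still works for Alice
        "duplicated_sealed_card_still_works": verify_sealed_card(VERIFIER_KEY, bytes(sealed_alice), ALICE_LIVE),
        # reading the card reveals nothing usable without the verifier key
        "blob_hides_reference": ALICE_REF not in sealed_alice,
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

With an unencrypted card the PC accepts whatever reference is on it, so a card written with a non-authorized person’s reference is accepted; with a sealed card the tag check rejects any reference the verifier did not issue, and the stored bytes do not reveal the template. Duplication is still possible, as the text notes for both memory-card variants; only a processor card can prevent that.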
What is a “template”?
A template comprises the extracted unique features of the biometric data. The template is generated during feature extraction, which strips the raw data coming from the biometric sensor of irrelevant information. In this way, both the storage requirements and the matching effort are reduced. Here, the definition of the template does not depend on whether it is used as a reference or for a verification request. (Some authors reserve the word template for the reference and call the request template a “sample”.)
How is the False Identification Rate (FIR) calculated?
During an identification, the requested feature is compared to many reference features, and the similarity value may exceed the threshold for more than one reference. This is uncritical if the system only grants access, but it can be very problematic if personal data must be assigned correctly to the biometric feature (example: access to a bank account via ATM).
The probability of identifying further (by definition false) candidates, independently of the correct reference, can be calculated from the FAR, since in the verification case these candidates would be false acceptances. Its value is:
1 – (1 – FAR1)^(N–1) ≈ (N – 1) · FAR1
where FAR1 is the False Acceptance Rate of a system with a single reference and N is the number of references. The approximation on the right-hand side holds when the resulting value is much smaller than 1.
The False Identification Rate can only be calculated after one of the candidates has been selected. One rule often found in practical applications is, for example, that the candidate with the highest similarity value is chosen (presuming there is only one). Unfortunately, the FIR under this rule can only be determined when the probability density functions for false acceptance and for false rejection are both available.
Easier to calculate is the rule that attempts with multiple candidates are rejected outright, which raises the FRR and lowers the FAR. The following definitions apply here:
- FAR: probability that a non-authorized person is identified
- FRR: probability that an authorized person is not identified
- FIR: probability that an authorized person is identified, but is assigned a false ID
These definitions result in the following formulas under ideal conditions (statistical independence, the same error rates for all people, …), where the index N is again the number of references:
FAR_N = N · FAR1 · (1 – FAR1)^(N–1)
FRR_N = 1 – (1 – FRR1 – FAR1 + N · FRR1 · FAR1) · (1 – FAR1)^(N–2)
FIR_N = (N – 1) · FRR1 · FAR1 · (1 – FAR1)^(N–2)
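The formulas for FAR_N, FRR_N and FIR_N, carried through as an added example that is not from the original page: the functions implement the closed forms for the reject-on-multiple-candidates rule, add the probability of a correct identification that the three rates leave out, and cross-check them against a Monte Carlo simulation with independent per-reference decisions. The sample values FRR1 = 0.01, FAR1 = 0.001 and N = 100 are constructed.

```python
"""Identification error rates for N references under the "reject if more than one
candidate" rule, with a Monte Carlo cross-check.

Added example, not code from the original page. FRR1/FAR1 are the single-reference
rates as in the text; the sample rates in __main__ are constructed."""
import random


def extra_candidate_probability(far1: float, n: int):
    """Probability that at least one of the N-1 wrong references also exceeds the
    threshold: exact value and the linear approximation valid when the value << 1."""
    exact = 1.0 - (1.0 - far1) ** (n - 1)
    approx = (n - 1) * far1
    return exact, approx


def identification_rates(frr1: float, far1: float, n: int):
    """Return (FAR_N, FRR_N, FIR_N) assuming independent decisions and equal
    single-reference rates for everybody (the page's ideal conditions)."""
    far_n = n * far1 * (1.0 - far1) ** (n - 1)
    fir_n = (n - 1) * frr1 * far1 * (1.0 - far1) ** (n - 2)
    frr_n = 1.0 - (1.0 - frr1 - far1 + n * frr1 * far1) * (1.0 - far1) ** (n - 2)
    return far_n, frr_n, fir_n


def correct_identification_rate(frr1: float, far1: float, n: int) -> float:
    """Authorized user identified with the right ID: own reference accepts and
    none of the other N-1 references does."""
    return (1.0 - frr1) * (1.0 - far1) ** (n - 1)


def simulate_authorized_user(frr1, far1, n, trials, seed=7):
    """Monte Carlo of an authorized user's identification attempts; returns the
    observed (correct, FRR_N, FIR_N) fractions for comparison with the formulas."""
    rng = random.Random(seed)
    correct = rejected = false_id = 0
    for _ in range(trials):
        own_hit = rng.random() >= frr1                       # own reference accepts
        other_hits = sum(rng.random() < far1 for _ in range(n - 1))
        if own_hit + other_hits != 1:
            rejected += 1          # zero or several candidates: attempt rejected
        elif own_hit:
            correct += 1
        else:
            false_id += 1          # exactly one candidate, and it is the wrong one
    return correct / trials, rejected / trials, false_id / trials


if __name__ == "__main__":
    FRR1, FAR1, N = 0.01, 0.001, 100     # constructed sample rates
    print("extra candidates (exact, approx):", extra_candidate_probability(FAR1, N))
    print("FAR_N, FRR_N, FIR_N:", identification_rates(FRR1, FAR1, N))
    print("simulated correct, FRR_N, FIR_N:", simulate_authorized_user(FRR1, FAR1, N, 20000))
```

For N = 1 the three formulas reduce to FAR1, FRR1 and 0, and for any N the probability of a correct identification plus FRR_N plus FIR_N sums to 1, which is a quick sanity check on a transcription of the formulas. The simulation also shows why the rule is conservative: with FAR1 = 0.001 and 100 references, roughly one in ten authorized users is rejected because a second candidate appears.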
What is the difference between positive and negative identification?
In a positive identification the user is interested to be identified, in the negative case the user tries to avoid successful identification. For example, the thief is not interested in being identified by comparing the latent prints from the scene of crime with his fingerprints. This is a negative identification. If I am authorized to get access to my office, I am strongly interested to be identified, e.g., by iris recognition. This is a positive identification.
The main impact of positive versus negative identification regards user cooperation. In the negative case the user is not willing to cooperate (even if he is “innocent”) at the stage of feature acquisition. Therefore, a negative identification often needs observation. Even the sensor may be affected by the type of identification: negative fingerprint identification needs full size sensors at least for the enrollment process.
Is biometrics more “secure” than passwords?
This question poses at least two problems: not all biometric systems are alike, and the term “secure” is commonly used but not exactly defined. However, we can try to collect pros and cons in order to find at least an intuitive answer.
It is a matter of fact that the security of password-protected assets depends in particular on the user. If the user has to memorize too many passwords, he will use the same password for as many applications as possible. If this is not possible, he will construct very simple passwords. If this also fails (e.g., because the construction rules are too complex), the next fall-back stage is to write the password down on paper. This transforms “secret knowledge” into “personal possession”. Of course, not every user will react this way. Personal motivation plays an important role: is he aware of the potential loss caused by careless handling of the password? This is easy if the user is the owner. But often it is someone else’s property (e.g., the employer’s) that has to be guarded, whose value one can often hardly estimate. If motivation is missing, any password primarily tends to be felt as a nuisance. In this case, which seems to be the normal case, it is assumed that biometrics has considerable advantages.
Conversely, passwords have an unbeatable theoretical protection ability: an eight-character password which may contain any symbol from an 8-bit alphabet offers 10^20 possible combinations! This is a real challenge for any biometric feature. The requirements are obvious: such a password is maximally difficult to learn, it must not be written down, it must not be passed to anyone, the input must take place in absolute secrecy, it must not be extorted, and the technical implementation must be perfect. This leads us to the practical aspects: the implementation must be protected against replay attacks, keyboard dummies (e.g., false ATMs), wiretapping, etc. Biometric features have to cope with such problems too. However, it can be assumed that protecting the acquisition of a biometric feature is no easier than protecting the acquisition of a password, provided the implementation effort is comparable!
Conclusion: Surely, there are cases where passwords offer more security than biometric features. However, these cases are not common!
Taken from: Bromba Biometrics
Biometrics: A Little Background Information
Francis Galton remains one of the founders of biometrics, the application of statistical methods to biological phenomena. His research into mental abilities and dispositions, which included studies of identical twins, were pioneering demonstrations that many traits are inherited. Galton’s passion for measurement led him to open the Anthropometric Laboratory at the International Health Exhibition in 1884, where he collected statistics on thousands of people. In 1892, Galton invented the first system of fingerprinting. Adopted by police departments all over the world, fingerprinting was the most reliable form of identification in forensics – until the advent of DNA technology in the late twentieth century.
What are Biometrics?
A biometric is a measurable, physical characteristic or personal behavioural trait used to recognize the identity or verify the claimed identity of an enrolled user. Physical features typically used for biometric identification are fingerprint, voice, retinal or iris, facial or hand geometry.
By determining an individual’s physical features in an authentication inquiry and comparing this data with stored biometric reference data, identification for a specific user can be determined and authentication for access can be granted.
In the development of biometric identification systems, physical and behavioural features for recognition are required which:
- are as unique as possible, that is, an identical trait won’t appear in two people: Uniqueness
- occur in as many people as possible: Universality
- don’t change over time: Permanence
- are measurable with simple technical instruments: Measurability
- are easy and comfortable to measure: User friendliness
Fingerprint Identification
Of all the biometric techniques being used today, fingerprint-based identification is the oldest method, and it has been successfully used in numerous applications. Everyone is known to have unique, immutable fingerprints. A fingerprint is made of a series of ridges, splits, dots, valleys and furrows, as well as the minutiae points. Minutiae points are local ridge characteristics that occur at either a ridge bifurcation or a ridge ending. These characteristics are then converted to a unique ‘digital fingerprint’ template that can be stored in a smart card or central database for subsequent matching and authentication processes.
Biometrics Today
Biometrics is becoming the ‘norm’ for not only large applications and projects, but for protecting access to individual computers, cell phones, pocket sized personal computers, networks, Web servers and database applications, as well as during transactions conducted via telephone and Internet (electronic commerce and electronic banking). In automobiles, biometrics can replace keys with keyless entry and keyless ignition.
Current stringent data protection regulations regarding access control to sensitive or personal data held within corporate networks are adding to the demand for much tighter access control. Markets such as healthcare, banking/finance, and government are particularly sensitive to the problem.
Taken from: ISL – Biometrics
About Biometrics
Biometrics are best defined as measurable physiological and / or behavioural characteristics that can be utilised to verify the identity of an individual. They include fingerprints, retinal and iris scanning, hand geometry, voice patterns, facial recognition and other techniques.
They are of interest in any area where it is important to verify the true identity of an individual. Initially, these techniques were employed primarily in specialist high security applications, however we are now seeing their use and proposed use in a much broader range of public facing situations.
Biometric Background
How it all Started – It is tempting to think of biometrics as being sci-fi futuristic technology that we shall all be using together with solar powered cars, food pills and other fiendish devices some time in the near future. This popular image suggests that they are a product of the late twentieth century computer age. In fact, the basic principles of biometric verification were understood and practised somewhat earlier. Thousands of years earlier to be precise, as our friends in the Nile valley routinely employed biometric verification in a number of everyday business situations. There are many references to individuals being formally identified via unique physiological parameters such as scars, measured physical criteria or a combination of features such as complexion, eye colour, height and so on. This would often be the case in relation to transactions in the agricultural sector where grain and provisions would be supplied to a central repository and also with regard to legal proceedings of various descriptions. Of course, they didn’t have automated electronic biometric readers and computer networks (as far as we know), and they certainly were not dealing with the numbers of individuals that we have to accommodate today, but the basic principles were similar.
Later, in the nineteenth century, there was a peak of interest as researchers into criminology attempted to relate physical features and characteristics with criminal tendencies. This resulted in a variety of measuring devices being produced and much data being collected. The results were not conclusive, but the idea of measuring individual physical characteristics seemed to stick, and the parallel development of fingerprinting became the international methodology among police forces for identity verification. The absolute uniqueness or otherwise of fingerprints is often debated, and the criteria that different countries employ to verify a fingerprint vary across the globe, with a greater or lesser number of minutiae points required to be matched. Added to this is the question of personal interpretation, which may be pertinent in borderline cases. Nevertheless, this was the best methodology on offer and is still the primary one for police forces, although the matching process is very often automated these days.
With this background, it is hardly surprising that for many years a fascination with the possibility of using electronics and the power of microprocessors to automate identity verification had occupied the minds of individuals and organisations in both the military and commercial sectors. Various projects were initiated to look at the potential of biometrics, and one of these eventually led to a large and rather ungainly hand geometry reader being produced. It wasn’t pretty, but it worked and motivated its designers to refine the concept further. Eventually, a small specialist company was formed, and a much smaller and considerably enhanced hand geometry reader became one of the cornerstones of the early biometric industry.
This device worked well and found favour in numerous biometric projects around the world. In parallel, other biometric methodologies such as fingerprint verification were being steadily improved and refined to the point where they would become reliable, easily deployed devices. In recent years, we have also seen much interest in iris scanning and facial recognition techniques which offer the potential of a non contact technology, although there are additional issues involved in this respect.
The last decade has seen the biometric industry mature from a handful of specialist manufacturers struggling for sales, to a global industry shipping respectable numbers of devices and poised for significant growth as large scale applications start to unfold.
Taken from: Fingersec
Background
Introduction
Biometrics provide a highly secure way to authenticate a person’s identity. The following definition from the biometrics industry can help illustrate this claim.
The lowest level of security is something you have, such as an identification (ID) badge containing a photograph.
The second level of security is something you know, such as a password to access a computer or a Personal Identification Number (PIN) to access funds at a bank teller machine.
The highest level of security is something that you do and something that you are. This is where biometrics fit.
With biometrics, there are no cards to be lost or stolen, and no passwords to forget. A simple characteristic, such as a fingerprint, which is unique to every potential user, can securely grant access to secure resources.
How Do Biometrics Work?
All biometric devices use a four-stage procedure to grant access to their resources. The first stage is capture, where a physical or behavioral sample is captured by the system during the authentication process. The second stage is extraction, where unique characteristics are taken from the sample and a template is created. The third stage is comparison, where the template is compared to the original enrollment. The final stage is decision, where the system decides whether the new sample is a match.
Distribution Statement A – Approved for public release; distribution is unlimited.
Biometrics do not guarantee an accuracy of 100%. Humans are not perfectly consistent in their physical and behavioral characteristics. For example, a finger can be cut and the resulting scar could change the overall template of the fingerprint. It becomes impossible to match the fingerprint to its corresponding template. Another problem is that a person may not always interact with a computer the same way he did at his original enrollment. His face may be in a different position or his voice may be lower due to a cold. Because of these inconsistencies, thresholds are set to allow for subtle changes in the user’s characteristics. When a sample is taken from a user, it must be close to the original template to be authenticated.
Biometric Technologies
There are a wide variety of biometric techniques being developed in industry. Each of these techniques has strengths and weaknesses, and problems to be resolved as these technologies mature. The most common biometric technologies are described in the next few pages.
Eye
Biometrics that involve the eye are considered to be the most accurate and secure of all technologies. A user cannot unwittingly leave his “eye print” like a stray fingerprint or a voice sample. The eye can be divided into two different categories: the iris and the retina.
Iris
The iris is the colored section of the eye that surrounds the pupil. The intricate pattern of filaments, freckles, and striations provides a complex structure which is unique to every individual. The probability that two irises are identical is said to be about 1 in 10^78. Considering that the entire population of the world is only about 10^10, those using iris scans can be very confident of the uniqueness of the iris.
Retina
The retina is another human characteristic which is virtually impossible to replicate. This complex layer of blood vessels forms a biometric which is considered even more secure than the iris.
Another advantage of the eye technologies is their long-term stability. The patterns of the iris and retina do not change over time; a sample taken today will be the same years into the future. Though the eye furnishes the most secure of biometrics, it may have problems with its implementation. It is the most intrusive device, forcing a user to hold something very close to his face and let it peer into his eye. People may not feel comfortable with such a device, or may be anxious about health repercussions that might result.
Fingerscanning
Law enforcement has been using fingerprints for identification purposes for many years. Society is confident that fingerprints are a valid means of identification. This confidence is an advantage for fingerprint devices. Users may feel awkward or apprehensive about using unfamiliar devices or technologies; this does not apply to fingerprints. From applying for a passport to cashing a check at a bank, society is familiar with giving fingerprints. This gives fingerprint devices a distinct advantage over other, less familiar biometrics.
Certain conditions do seem to have a negative effect on this biometric. Dry or cracked fingers will negatively affect the quality of the print. Age, gender, and ethnic background have also been found to cause problems. Of course situations that require gloves render this technology inadequate, or at least inconvenient. Industry is currently developing a device which will read fingerprints through latex gloves, which will solve this problem for some users.
Fingerscans are accurate, accepted means to identify individuals. In situations where they can be implemented, fingerscans hold a distinct advantage over other biometrics.
Face
There is great potential for a reliable and accurate face recognition technology. A simple look towards the camera is all that is needed for verification. There is nothing to use, remember, or touch. There is no worry of spreading sickness through an often-touched instrument. Only one simple device is needed: a camera. This technology has the potential to sift through crowds making their way through an airport, cross-checking everyone against a database of known terrorists.
This technology does have problems to overcome. Human faces change over time. Weight loss and gain can affect one’s appearance. Glasses and facial hair likewise change a person’s face. Outside influences like lighting or water can pose problems for this technology. If these problems can be overcome, face recognition can provide an easy, non-intrusive solution to security needs.
Voice
Voice recognition is a biometric that focuses on the sound of the voice, not the actual words that are said. Like face recognition, voice recognition is a very simple and inexpensive biometric. The only hardware necessary for it is a sound card and a microphone. By simply responding to a few questions, a user’s identity can be verified. If combined with a speech recognition product, which recognizes words, this technology has the potential to enable a 100% “hands-free” computer system. It would only take a few words to logon to the computer, and voice commands would start applications.
Voice recognition could make a huge impact on telephone-based applications. This technology could easily be integrated into telephone networks, but interference and other noise may pose problems for this technology. Also, as people age, their voices tend to change in subtle ways, negatively affecting the way voice recognition can work.
Hand and Finger Geometry
Hand and finger geometry require a user to place his hand or finger on a device where a three-dimensional image is analyzed. It looks at the length of fingers, their width and height, and the location of knuckles and other distinguishing characteristics. It then searches for a match as it compares these attributes to the templates.
Hand and finger geometry are not the most secure of the biometrics. They can, however, process a large number of users in a short amount of time.
Signature
Signature biometrics look more at the mechanics of signing a name than the finished signature itself. Characteristics such as the angle of the pen, the time taken to sign, the pressure of the pen on the paper, and the motion and acceleration of the signature can all be extracted and form a unique template for a signature. All of these dynamics of a signature make forgery very difficult. A forger would not only have to trace the signature, but actually sign it in the same way.
A signature is an easy way to verify one’s identity. Since the use of a signature is so common, users will not have as many reservations about using this biometric as they will with other, more intrusive devices.
Signature biometrics do face the problem of changes to a user’s signature. This characteristic is prone to change more than any other device discussed here.
Future Biometrics
Industry is developing many other biometric technologies. A product that will analyze the chemical make-up of body odor is currently in development. Real-time Deoxyribonucleic Acid (DNA) analysis is also being researched. Ear shape, keystroke, and vein patterns are all being considered for future development.
These products may never leave development stages, because improvements to the current devices may overshadow the need for any new technology.
Case Study: BioNetrix
At the TIC, we evaluated a few biometric devices to become more familiar with these technologies and to experience first-hand the challenges in implementing biometric authentication into an office environment. We chose a product called BioNetrix Authentication Suite because it offered us the opportunity to sample several biometric technologies woven together into a single authentication system.
BioNetrix is a suite of biometric devices tied together with a central database of biometric templates. The types of biometric devices included in the BioNetrix Authentication Suite are:
- Face Recognition
- Voice Recognition
- Fingerprint Scan
- Iris Scan
- Signature
These devices offer an enhancement to the normal logon to a computer or network. After supplying a username and password, a graphical user interface (GUI) leads one through the biometric authentication process. Once authenticated, the user is granted access to the computer or network resources.
BioNetrix works with Windows NT, Novell NetWare, and Entrust network operating systems. It provides enhanced authentication to network resources by tying biometric authentication to the login process. Our testing took place on a Windows NT network, with Windows 95 and NT client machines.
How It Works
When a user enters his network username and password, a request is sent to the NT domain controller. If the information is correct, a message is sent to the BioNetrix Server. It retrieves a copy of that user’s information from the database of user templates and sends it back to the client. The biometric authentication test is performed at the client computer, and a comparison is made. The templates are then sent back to the BioNetrix Server, where the decision for access is made. If the variance between the two templates falls within the threshold set by the administrators, the user is granted access. If not, the user is denied access and must try again.
The original user templates are stored in an encrypted structured query language (SQL) database. The integrity of the database is checked at a specified interval, which is every 10 minutes by default. It will lock out any account that is tampered with or corrupted. These templates are also encrypted as they are passed between the server and client. If a template is stolen, it must be decrypted within the allotted time interval. Along with the decrypted template, the user and policy information would be needed to use a stolen template for authentication, but they are not passed along with the template.
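The integrity check and account locking described above, as an added example (not BioNetrix’s code): each stored template is bound to its user name and policy with an HMAC under a server-held key (a constructed key here), a periodic sweep locks any record that no longer verifies, and no template is released for a locked account. Encryption of the template bytes is assumed to be handled separately and is not shown.

```python
"""Integrity protection for a store of biometric templates, added as an
illustration (not BioNetrix's implementation). Each record is bound to its
user name and policy with an HMAC under a server-held key; a periodic sweep,
like the 10-minute check described in the text, locks any account whose record
no longer verifies, and a locked or failing record is never handed to a client.
Encryption of the template bytes is assumed to be handled separately."""
import hashlib
import hmac


class TemplateStore:
    def __init__(self, server_key: bytes):
        self._key = server_key
        self._records = {}   # user -> {"template", "policy", "tag"}
        self.locked = set()

    def _tag(self, user: str, policy: str, template: bytes) -> bytes:
        # Binding user and policy into the tag means a record cannot be moved
        # under another account or paired with a weaker policy unnoticed.
        msg = b"\x00".join([user.encode(), policy.encode(), template])
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _verify(self, user: str) -> bool:
        rec = self._records[user]
        expected = self._tag(user, rec["policy"], rec["template"])
        return hmac.compare_digest(rec["tag"], expected)

    def enroll(self, user: str, policy: str, template: bytes) -> None:
        self._records[user] = {
            "template": template,
            "policy": policy,
            "tag": self._tag(user, policy, template),
        }

    def check_integrity(self):
        """Periodic sweep: lock every account whose record fails to verify.
        Returns the users newly locked by this sweep."""
        newly_locked = []
        for user in self._records:
            if not self._verify(user) and user not in self.locked:
                self.locked.add(user)
                newly_locked.append(user)
        return newly_locked

    def fetch_for_client(self, user: str):
        """Template sent to the client for comparison, or None if the account
        is unknown, locked, or its record fails verification right now."""
        if user in self.locked or user not in self._records:
            return None
        if not self._verify(user):
            self.locked.add(user)
            return None
        return self._records[user]["template"]

    def overwrite_raw(self, user: str, **fields) -> None:
        """Simulates corruption or direct editing of the database row,
        bypassing enroll(); used only to exercise the check."""
        self._records[user].update(fields)


# Constructed sample data (not real templates or keys).
SERVER_KEY = b"constructed-server-key-for-the-example"
ALICE_TEMPLATE = bytes(range(16))
BOB_TEMPLATE = bytes(range(16, 32))

if __name__ == "__main__":
    store = TemplateStore(SERVER_KEY)
    store.enroll("alice", "fingerprint+iris", ALICE_TEMPLATE)
    store.enroll("bob", "fingerprint", BOB_TEMPLATE)
    print("clean sweep:", store.check_integrity())
    store.overwrite_raw("bob", template=BOB_TEMPLATE[::-1])   # corrupted row
    print("after corruption:", store.check_integrity())
    print("bob's template released:", store.fetch_for_client("bob"))
```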
One problem found in the implementation of BioNetrix is the inability of the program to lock an account. With Windows NT, an administrator can lock an account if the wrong password is supplied x number of times. This prevents someone from making an unlimited number of guesses at a password to try and log on. With BioNetrix, if a username and password fell into the wrong hands, the holder may have an unlimited number of tries to imitate a voice, or find a way through the security.
The Devices
BioNetrix is an OEM product that takes products from different vendors and integrates their technologies into one authentication product. BioNetrix has one administrator program which is used for all of the supported devices on all of the client machines. The devices can be used individually on a client or multiple devices can be installed in a multiple-device configuration. Access policies for groups can be configured to individual needs, much like policies are used in NT. For example, an administrator may have to pass an iris scan, a voice recognition, and a fingerprint device, whereas a normal user may only have to pass one or two of the three. This would require a more privileged user to meet a higher level of security.
The devices currently supported by BioNetrix Authentication Suite version 3.1 are:
- ABC BioMouse Fingerprint
- Biometric ID Veriprint 1000
- BCS Password
- Cybersign Signature
- Identicator Fingerprint
- IriScan
- Miros TrueFace
- Polaroid PFS-100
- TNetix Voice
- Veridicom Fingerprint
- Veritel Voice
- Visionics FaceIt
In our laboratory, we tested Veridicom Fingerpoint, Visionics FaceIt, Miros TrueFace, Veritel Voice, and IriScan. The results of these tests are described in the next few pages.
Veridicom Fingerpoint
Veridicom Fingerpoint is a device based on the fingerprint biometric. The hardware device looks similar to a personal computer (PC) mouse, with a window where the finger is placed during the scanning process.
The installation is straightforward. It plugs into the PC’s parallel port and splits power with the keyboard. After installing the driver, the device is ready to scan fingerprints.
Enrollment
To enroll a user in the BioNetrix Suite, a GUI with the outline of two hands will appear on the screen. After clicking on the tip of one of the fingers, the scanner will begin looking for a fingerprint to scan. A user then places his finger on the window, and a print is taken and displayed in the GUI. The user then has the opportunity to reject that print and retry if he thinks a better image can be obtained. The user is able to enroll multiple fingers, or just one, whichever he prefers. If multiple fingers are enrolled, he may authenticate by placing any one of those fingers on the window, and the software automatically compares the scan against each of his enrolled prints for a match. This is especially useful if a user is holding something in one hand when trying to authenticate. In other words, any of his prints will do.
In a fingerprint, there are places where ridges divide and merge, or where they just end. Veridicom stores the locations of these characteristics, and creates a map of the print. To authenticate, a certain number of these characteristics must align with the original. With BioNetrix, the authenticator can set a percentage of matched characteristics for authentication.
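The matching rule described above, as an added example (not Veridicom’s or BioNetrix’s code): a template is a set of ridge endings and bifurcations with positions, the live scan verifies when the administrator’s percentage of enrolled features aligns with it, and an off-centre finger is handled by searching over translations. The minutiae coordinates are constructed sample data; the pixel tolerance and maximum shift are assumptions.

```python
"""Minutiae-style fingerprint template matching, added here as an illustration
(not Veridicom's or BioNetrix's code). A template is a list of ridge features
(endings and bifurcations) with their positions; a live scan verifies when the
fraction of enrolled features that align with it reaches the administrator's
percentage threshold. best_alignment() also handles an off-centre finger by
trying candidate translations of the live scan."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Minutia:
    x: float
    y: float
    kind: str  # "ending" (ridge ends) or "bifurcation" (ridge divides)


def _aligned(a: Minutia, b: Minutia, tol: float) -> bool:
    return a.kind == b.kind and math.hypot(a.x - b.x, a.y - b.y) <= tol


def match_fraction(enrolled, live, tol=6.0):
    """Fraction of enrolled minutiae that have a same-type live minutia within
    tol pixels; each live minutia may be paired at most once."""
    unused = list(live)
    hits = 0
    for m in enrolled:
        for i, cand in enumerate(unused):
            if _aligned(m, cand, tol):
                hits += 1
                del unused[i]
                break
    return hits / len(enrolled) if enrolled else 0.0


def best_alignment(enrolled, live, tol=6.0, max_shift=40):
    """Try translating the live scan so that each (enrolled, live) pair
    coincides, and keep the best match fraction. Translations larger than
    max_shift pixels are treated as a finger too far off the window."""
    best = match_fraction(enrolled, live, tol)
    for e in enrolled:
        for l in live:
            dx, dy = e.x - l.x, e.y - l.y
            if abs(dx) > max_shift or abs(dy) > max_shift:
                continue
            shifted = [Minutia(m.x + dx, m.y + dy, m.kind) for m in live]
            best = max(best, match_fraction(enrolled, shifted, tol))
    return best


def verify(enrolled, live, threshold_pct=70, tol=6.0) -> bool:
    """Administrator's rule: grant when at least threshold_pct of the enrolled
    minutiae align with the live scan."""
    return best_alignment(enrolled, live, tol) * 100 >= threshold_pct


# Constructed sample templates (pixel coordinates; not real fingerprint data).
ENROLLED = [
    Minutia(20, 30, "ending"), Minutia(45, 32, "bifurcation"),
    Minutia(60, 55, "ending"), Minutia(33, 70, "bifurcation"),
    Minutia(80, 20, "ending"), Minutia(90, 75, "bifurcation"),
    Minutia(50, 90, "ending"), Minutia(15, 95, "ending"),
    Minutia(70, 40, "bifurcation"), Minutia(25, 50, "ending"),
]
# Same finger placed off-centre (shifted about +15, -10) with a few pixels of
# jitter, one enrolled feature missing and one spurious feature picked up.
LIVE_SAME_FINGER = [
    Minutia(36, 19, "ending"), Minutia(59, 24, "bifurcation"),
    Minutia(77, 45, "ending"), Minutia(48, 58, "bifurcation"),
    Minutia(93, 11, "ending"), Minutia(106, 66, "bifurcation"),
    Minutia(65, 82, "ending"), Minutia(84, 29, "bifurcation"),
    Minutia(42, 38, "ending"), Minutia(100, 95, "ending"),
]
# A different finger altogether.
LIVE_OTHER_FINGER = [
    Minutia(10, 10, "bifurcation"), Minutia(70, 12, "ending"),
    Minutia(40, 45, "ending"), Minutia(85, 50, "bifurcation"),
    Minutia(22, 66, "bifurcation"), Minutia(58, 72, "ending"),
    Minutia(95, 92, "ending"), Minutia(30, 88, "bifurcation"),
    Minutia(66, 30, "bifurcation"), Minutia(12, 40, "ending"),
]

if __name__ == "__main__":
    print("raw overlap, off-centre finger:", match_fraction(ENROLLED, LIVE_SAME_FINGER))
    print("after alignment:", best_alignment(ENROLLED, LIVE_SAME_FINGER))
    print("same finger verifies:", verify(ENROLLED, LIVE_SAME_FINGER))
    print("other finger verifies:", verify(ENROLLED, LIVE_OTHER_FINGER))
```

Without the translation search the off-centre scan scores zero, which is the "change the position of the finger" case the tests describe; with it the same finger reaches 90% and the other finger stays far below the threshold.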
Our Findings
In tests at the Technology Integration Center, Veridicom Fingerpoint worked reliably. After enrollment, prints were regularly authenticated by the program. It did not have any problem recognizing any of the enrolled prints. If the finger was off-center or misaligned, it would not authenticate, but a message is displayed in the GUI directing the user to change the position of the finger. It did not seem to matter if the finger was dirty or not. Even a finger entirely covered with ink posed no problem. Obviously something that totally filled or altered the actual ridges denied access, but a lightly soiled finger did not prohibit access.
This product would work well for the Army. It could easily be integrated into current workstations now in use. It is easy to use and offers an adequate level of security while requiring a smaller investment than many other devices. One drawback to this device is in situations that require the user to wear gloves, like a soldier wearing a Mission Oriented Protective Posture (MOPP) suit.
Visionics FaceIt
Visionics FaceIt is a face recognition program that verifies the identity of a person and grants access to a computer and its resources.
Installation of this device is also fairly easy. The supplied camera plugs into the parallel port, and shares power with the keyboard. Simply installing the driver will set the computer up for face recognition.
Enrollment
To enroll, a GUI appears with a live shot of what the camera sees. After focusing the camera, the user only needs to press the start button. The camera tries to locate a face, and prompts the user to accept the photo as a “good picture”. Once accepted, the camera automatically starts collecting shots of the user and prompts him to vary his pose while the camera continues to take photos. The user can delete poor photos and have them retaken as he wishes. After the photos are taken, they are stored in his template to be used at authentication. The enrollment process is easy because the interface is so well done. Pop-ups appear to help the enrollment along; the user only needs to push a few buttons.
To make a template of the face, Visionics locates certain points on the face and creates a map. It analyzes the bone structure of the face so that a different hairdo or facial hair should not cause a denial. It is supposed to see through minor changes in a person like a new pair of glasses or a simple moustache. When a new image is compared to the master template, it is given a score. This score is compared to the threshold score which is set for the device by the administrator. If it meets the threshold, the user is granted access.
Our Findings
In our tests, this simply was not the case. Visionics FaceIt had a very hard time with the authentication process. Surprisingly, it was easily fooled. In our tests, two brothers could usually verify for one another. Granted, a set of identical twins would be very hard to differentiate one from the other, but the program should not recognize one sibling who vaguely resembles another. Worse than that, a color printout of a 300 dots per inch (dpi) JPEG image of the user was able to authenticate as well. This is totally unacceptable. It is amazing that an image with resolution so poor and an overall picture so grainy can authenticate so easily. The score given to the JPEG image is very close to the score given to the actual live user. Thus, setting the threshold to a higher level will not only exclude the image, but the actual user as well.
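The threshold problem described above, as an added example with constructed scores (not Visionics or BioNetrix output): when an impostor sample’s scores overlap the live user’s, no threshold rejects the one without rejecting the other, and the false-accept/false-reject trade-off makes that visible to an administrator before deployment.

```python
"""Threshold trade-off for a score-based biometric verifier (added example,
not Visionics or BioNetrix code). The score samples are constructed to mirror
the finding that a printed photo scores almost as high as the live user, while
an unrelated person scores far lower."""

# Constructed match scores on a 0-100 scale (higher = closer to the template).
GENUINE_LIVE = [88, 91, 85, 90, 87, 92, 84, 89]
UNRELATED = [42, 38, 51, 45, 40, 47, 36, 49]
PRINTED_PHOTO = [86, 83, 88, 85, 84, 87, 82, 89]   # overlaps the genuine range


def accept(score, threshold):
    return score >= threshold


def false_reject_rate(genuine, threshold):
    """Share of genuine samples the threshold turns away."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def false_accept_rate(impostor, threshold):
    """Share of impostor samples the threshold lets through."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def separating_thresholds(genuine, impostor):
    """(low, high): every threshold in this range accepts all genuine samples
    and rejects all impostor samples; None when the score ranges overlap."""
    low, high = max(impostor) + 1, min(genuine)
    return (low, high) if low <= high else None


def error_tradeoff(genuine, impostor, thresholds=range(0, 101)):
    """(threshold, FRR, FAR) per threshold: what excluding the impostor costs
    genuine users, and vice versa."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds]


def equal_error_threshold(genuine, impostor):
    """Threshold at which FAR and FRR are closest (the equal-error point)."""
    return min(error_tradeoff(genuine, impostor), key=lambda r: abs(r[1] - r[2]))[0]


if __name__ == "__main__":
    print("unrelated impostor, safe thresholds:", separating_thresholds(GENUINE_LIVE, UNRELATED))
    print("printed photo, safe thresholds:", separating_thresholds(GENUINE_LIVE, PRINTED_PHOTO))
    t = max(PRINTED_PHOTO) + 1
    print(f"threshold {t} rejects every printout but turns away",
          f"{false_reject_rate(GENUINE_LIVE, t):.0%} of the live user's attempts")
    print("equal-error threshold vs printout:", equal_error_threshold(GENUINE_LIVE, PRINTED_PHOTO))
```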
BioNetrix Authentication Suite includes an OEM version of Visionics FaceIt. To the credit of Visionics, another version is available which has the option to require the subject to blink or smile. In the future, BioNetrix may want to consider including this capability.
This product has several other problems.
- It is not portable.
- A difference in light will change the “face map” enough to prevent access. It is unreasonable to expect the lighting conditions or background conditions to always be identical to the conditions at enrollment.
- There is no way to store different templates for each workstation for the user. A single template is kept at the server. This is a problem with a configuration where multiple workstations must be used by the user.
The current implementation of Visionics FaceIt in BioNetrix cannot be recommended for authentication purposes. Considering the ease with which it can be fooled, it would be prudent to wait for the technology to mature before implementation. This implementation is unacceptable.
Miros TrueFace
Another face recognition device tested was Miros TrueFace. This product used the same hardware camera that the Visionics FaceIt product did, along with a dongle. This dongle plugs into the parallel port, and the camera plugs into it. It shares power with the keyboard.
Enrollment
Enrollment on Miros TrueFace was essentially the same as on FaceIt. A different look to the GUI was all that separates the enrollment of the two products. As was the case before, enrollment was very simple and straightforward.
Our Findings
This product was not as easily deceived (e.g., by siblings) as Visionics FaceIt. An image placed in front of the camera was never able to verify a user, but the same problems with lighting and location apply to this product. Though this product scored better than Visionics, it would also have to be classified as an immature technology.
Veritel Voice Verification
Veritel Voice Recognition is simple to install. The user must plug a microphone into the sound card’s mic or line-in jack. There is nothing more to do. Today, microphones are very common accessories. Because of this, Veritel is the least expensive and the easiest to install of all the biometric devices we tested.
Enrollment
The enrollment process is extremely simple. Not only is there a small GUI showing the user what is happening, there are voice commands that lead him through the whole process. A start button must be pressed, and then a voice prompts the user for his name. It then asks the same question a second time. This is repeated for the user’s favorite color, birthplace, mother’s name, and month of birth. If the program does not get a good sample, it simply asks again. When the computer finishes its questions, the enrollment process is complete.
Our Findings
To verify a user with Veritel Voice Recognition, the questions asked must be answered with a voice that maps closely to the original samples. In our tests, Veritel prompted the user for five different samples: name, birthplace, month of birth, mother’s name, and favorite color. When authenticating, the program randomly asks two of the five questions asked at enrollment. If the voiceprints of the responses are a close enough match, he is granted access. Veritel, like every other biometric, compares the new sample to the template and gives it a score. It simply needs to be higher than the threshold to gain access. An administrator is able to change this threshold easily.
Our tests showed that simply knowing the answers was not enough for someone to verify on someone else’s account. Low scores resulted in every attempt to imitate the original voice. Unfortunately, a very simple approach easily fooled Veritel. By using a simple hand-held tape recorder, we were able to play back an audio recording of the answer to gain access to the computer. We used a typical analog tape recorder which can be found in many office closets. There were no special features to it. When prompted by the computer, the play button was pressed, and the sample was authenticated by the program. The score given to the recording is almost identical to the live subject. Though voice samples are much more difficult to obtain than a photo, a recording device could be placed near the target’s computer, and samples could be gained as he accesses his own computer. This is made more cumbersome by having two random queries, but it is still relatively easy to deceive.
A test performed on this biometric, that could not be performed on fingerprint and face recognition devices, was authentication through a MOPP suit. Fingerprints cannot be taken, and there is no way to recognize a face through the mask, but speech can travel through the mask. The only drawback is that the user must have dual accounts: with and without the mask. As the voice travels through the mask, it becomes too distorted for authentication, so a separate user account with the mask is necessary for access.
The product seems to filter the voices of different people very well, but Veritel needs to find a solution to a recorded voice fooling its software. Again, like face recognition, this technology does not yet offer the level of security necessary in today’s world.
IriScan
Of the products we tested, IriScan was the most difficult to install. A new peripheral component interconnect (PCI) card had to be placed on the motherboard of the PC, and a hand-held camera plugged into the card. Certain databases had to be installed on the computer, as well as the drivers for the hardware. The installation process is documented in the user guide, but we still needed to call customer support.
Of the devices tested, IriScan would have to be the most intrusive. This is not to say that using IriScan is a negative experience, but since it is a newer technology, users will be unfamiliar with its workings. It will be awkward for the first few uses. Users may also be apprehensive about putting things near their eyes for fear of some kind of radiation, etc.
Enrollment
Like every other product in the BioNetrix Suite, IriScan enrollment is clear and straightforward due to a well-made GUI. After choosing either the left or right eye, a live shot of the camera appears on screen, and the user is directed to place the camera directly in front of his eye. The user then has to find a position where the eye appears in focus, which is about three inches away. With one eye looking into the lens, and the other eye looking at the computer screen, the user can move the camera in and out to enable the program to get a valid sample. This is rather awkward for most users. Once the sample is taken, a confirmation screen appears, and the user has the chance to accept or reject the image.
Our Findings
The authentication of a user is almost identical to his enrollment. He just places the camera in front of his eye and the program authenticates within a second or two. There is no way to vary the settings on this product. It either passes or fails.
Despite a few bugs in the BioNetrix Administrator Program that affected this product, the actual product worked very well. IriScan was able to enroll/authenticate users with glasses and contacts without any problems. We tried using colored contacts, which have different colors and striation patterns printed on them, and found no negative results. When tested with a gas mask, IriScan was able to authenticate the user without any difficulty.
This technology seems to be a great fit for any organization wanting to secure its resources. Though more costly than the other devices tested, IriScan can be used at individual workstations, at the entrance to secure rooms, and in the field where the use of a MOPP suit is required. Despite the software glitches in BioNetrix Authentication Suite, the actual IriScan product was the most versatile and secure of the devices, and would be recommended before any other of those devices.
IriScan is actively seeking to make their product easier to use. They have just released a camera version, which will replace the awkward hand-held version now in use. It is a Universal Serial Bus (USB) device, which does not require the additional PCI card. It is advertised to be less awkward, but we have not yet tested it.
BioNetrix Authentication Suite
As a whole, the BioNetrix Authentication Suite is a product which is easy to use and easily adapted to different situations. It has a central administration program which allows the administrator complete control of the entire program. He can put multiple devices on a workstation, and select which device, or chain of devices, is to be used for each individual user. He can change user groups and policies the same way he would do so in an NT domain. A significant advantage of this product is the ease and intuitiveness of the administrator program.
The BioNetrix Suite had the following problems:
- After enrolling a set of users, it is impossible to add any others to the Visionics FaceIt and IriScan products. The program would lock up, disallowing any new users to be added to the program. After sending the product back to the company, a newer version was released with a fix to the Visionics problem. They are currently working on the IriScan problem.
- BioNetrix could not lock an account. With Windows NT, an administrator can lock an account if the wrong password is supplied x number of times. This prevents someone from making an unlimited number of guesses at a password to try and log on. With BioNetrix, if a username and password fall into the wrong hands, the unauthorized person has an unlimited number of tries to imitate a voice, or find a way through the security.
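An account lockout in front of the biometric comparison, covering the gap noted here and in the How It Works section, as an added example (not BioNetrix’s code). The policy mirrors the NT one described in the text; the attempt limit, window and lockout duration are assumed values, and timestamps are passed in explicitly so the behaviour is deterministic.

```python
"""Failed-attempt lockout for a biometric logon step, added as an illustration
(not BioNetrix's code; the evaluation notes the suite lacked this control).
After max_failures failed comparisons within window_seconds the account is
locked for lockout_seconds; a successful comparison clears the count. Times
are plain seconds supplied by the caller."""
from collections import defaultdict, deque


class BiometricLockout:
    def __init__(self, max_failures=5, window_seconds=600, lockout_seconds=1800):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires
        self.events = []                     # (time, user, outcome) audit trail

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                     # lock expired: start afresh
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def attempt(self, user, score, threshold, now):
        """Outcome of one biometric comparison: 'locked', 'granted' or 'denied'.
        The score is ignored while the account is locked, so a matching sample
        does not help whoever is trying repeatedly."""
        if self.is_locked(user, now):
            outcome = "locked"
        elif score >= threshold:
            self._failures[user].clear()
            outcome = "granted"
        else:
            recent = self._failures[user]
            recent.append(now)
            while recent and now - recent[0] > self.window_seconds:
                recent.popleft()             # forget failures outside the window
            if len(recent) >= self.max_failures:
                self._locked_until[user] = now + self.lockout_seconds
                recent.clear()
                outcome = "locked"
            else:
                outcome = "denied"
        self.events.append((now, user, outcome))
        return outcome


def lockouts(events):
    """Users that were locked, for a detection rule or an administrator report."""
    return sorted({user for _, user, outcome in events if outcome == "locked"})


if __name__ == "__main__":
    policy = BiometricLockout(max_failures=3)
    for t, score in enumerate([40, 45, 50, 95]):        # three misses, then a match
        print(t, policy.attempt("alice", score, 70, now=t * 10))
    print("locked accounts:", lockouts(policy.events))
```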
Recommendations
BioNetrix Authentication Suite is close, but not yet ready for widespread use. It should be considered as a viable security measure in the future once the patch for the Administrator program is released. Of the five individual devices tested, only two seem advanced enough to be used in a security setting, Veridicom Fingerpoint and IriScan. As far as tactical situations where a MOPP suit is required, Veritel Voice Verification and IriScan are the only devices that make authentication possible.
Summary
Secure computers and networks of the future will include biometric devices. It is an easy and sure way to identify a user. The Army will be well served by this technology. There are devices today that can offer a very high level of security, and many other devices will attain this level in the near future.
Acronyms and Abbreviations
DNA: Deoxyribonucleic Acid
DPI: dots per inch
GUI: graphical user interface
ID: identification
MOPP: Mission Oriented Protective Posture
PC: personal computer
PIN: Personal Identification Number
SQL: structured query language
USB: Universal Serial Bus
Biometric Technology
Extract from THE ECONOMIST – SEPTEMBER 9TH 2000
The measure of man
“Biometric” technology, which can recognise people from their fingerprints, eyes or other bodily characteristics, is becoming cheaper and more powerful. Is it about to become ubiquitous?
On the Internet, goes the old gag, nobody knows you’re a dog. The usual way to prove who you are when picking up e-mail, shopping online or visiting a closed area of a website is to type in a password, a surprisingly old-fashioned form of security that would be recognisable to a Roman soldier. But though passwords are simple, they are far from secure. Many people use the same one for everything. Worse, they may use a common word such as “hello”, their phone number or their dog’s name, any of which could be guessed by an intruder. Which is why some people champion a more high-tech approach. Rather than using a password to identify yourself to a computer, why not use a physical characteristic such as your voice, face or fingerprint? Such bodily measures, known as biometrics, have the appeal that they cannot be lost, forgotten or passed from one person to another, and they are very hard to forge. Proponents of biometric technology imagine a world in which you sign on to your office computer using a fingerprint scanner, take money from a cash machine that scans your eye to ensure you are the account holder, identify yourself to your bank over the telephone via a voiceprint, and check in for flights by walking past an airport camera that identifies you as a frequent traveller.
Being digital
Biometrics come in many forms. The idea is said to date back to ancient Egypt, when records of distinguishing features and bodily measurements were used to make sure that people were who they claimed to be. Modern computer-based biometric systems are employed for two basic functions. The first is identification (“who is this person?”), in which a subject’s identity is determined by comparing a measured biometric against a database of stored records, a one-to-many comparison. The second is verification (“is this person who they claim to be?”), which makes a one-to-one comparison between a measured biometric and one known to come from a particular person.
Fingerprints are the most widely used biometric. Ink-based fingerprints have been in use for over a century, but in recent years they have gone digital. Modern electronic systems distil the arches, loops and whorls of conventional fingerprints into a numerical code. This can be compared with a database in seconds and with an extraordinary degree of accuracy. Fingerprints have the advantage of being cheaper and simpler than most other biometrics, and account for around 40% of the market (see chart). Finger scans are tipped to become the biometric of choice for logging on to corporate networks. Technology companies note that a large proportion of calls to helpdesks are due to forgotten passwords, so they are pushing finger scans as a way to reduce support costs. Polaroid’s new finger scanner, announced in May, costs around $50 and is being incorporated into some new PC keyboards.
At the other end of the scale, Argentina is spending five years and $1 billion to digitise its fingerprint records, which are kept (in paper form) for every citizen, in order to combat identity fraud. Another popular biometric is hand geometry. Unlike fingerprint scanning, which is widely regarded as demeaning in America and Western Europe, it is not stigmatised by an association with law enforcement. It involves scanning the shape, size and other characteristics (such as finger length) of some or all of the hand. Users are required to make some claim about who they are (by swiping a card, for example) before a scan. The biometric template of the person they claim to be (which, in some cases, is stored on the card itself) is then compared with the scan. Hand geometry systems are already used to control access and verify identities at many airports, offices, factories, schools, hospitals, nuclear power plants and high-security government buildings. They are also used in “time and attendance” systems, in which shift workers clock on and off using their handprints, preventing time-card fraud through “buddy punching”. The best-known example of the technology is the INSPASS programme, which allows frequent travellers to the United States to skip immigration queues at seven big airports by swiping a card and placing their hand on a scanner. Recognition Systems of Campbell, California, which supplies the scanners for the INSPASS programme, says that over 35,000 of them are in use around the world.
An eye for an eye
Then there are the eye-scanning systems familiar from spy thrillers. Scanning the fibres, furrows and freckles in the iris (the coloured part of the eye) using a video camera at arm’s length from the eye provides enough information to identify somebody. But while the technology is regarded as by far the most reliable biometric, it is relatively expensive. Some users also consider having their eyes scanned as even more intrusive than fingerprinting. Not all users, however, have a choice: iris scanners supplied by IriScan of Marlton, New Jersey are used in over 20 jails in America to identify prisoners, staff and visitors and ensure the right people are let in and out. Iris scanners have also been tested by banks in Britain, Japan and America, as a way of identifying users of cash machines. Since the iris scan identifies each customer, there is no need to insert a bankcard or remember a personal identification number (PIN). In July, US Airways began trials of an iris recognition system at two airports. The idea is that passengers step up to a machine and get their boarding cards automatically.
Another biometric is facial recognition, a technology that has gained ground in recent years thanks to the falling price of computer power. It works by analysing a video image or photograph and identifying the positions of several dozen fixed “nodal points” on a person’s face. These nodal points, mostly between the forehead and the upper lip, are unaffected by expression or the presence of facial hair, says Joseph Atick of Visionics, a leading vendor of face recognition technology based in New Jersey. Facial recognition is becoming more widespread, says Dr Atick, because it can exploit existing cameras and existing databases of facial images from driving licences and passports.
Facial recognition is used mainly to verify identity. But if the database of possible matches is kept small, it can be used for identification. Unlike other biometrics, facial recognition can also operate “passively”, i.e., without people realising they are being scanned. It can thus help to spot terrorists at airports, football hooligans at ports, and cheats at casinos. Visionics’ FaceIt system was also used to combat vote rigging in Mexico, by analysing the database of images from voter registration cards and identifying duplicates where the same person had registered under several different names. A list of invalid cards was drawn up to prevent multiple voting. Similar schemes have been used in some American states to identify people making multiple applications for driving licences or welfare payments.
Another form of biometric that does not require special equipment is voice recognition, which works by analysing an individual’s fundamental vocal characteristics. But while this technology is cheap, it is less reliable than other biometrics, particularly when only a few seconds of speech are available. The market share of voice recognition has fallen over the past two years, while that of facial recognition has grown.
A handwritten signature can also be a biometric, because how you sign your name is a “behavioral” characteristic. As pen-based computers and personal organisers become more popular, the hardware required to capture a signature is increasingly available. Several firms are championing signature analysis as a friendly biometric that can be introduced wherever signatures are already used. But as with voice recognition, reliability can be a problem. According to Jackie Fenn of Gartner, a consultancy based in Lowell, Massachusetts, firms that experiment with signatures are likely to go on to adopt other biometrics instead.
There are a handful of other biometric technologies, including body odour recognition, thermal facial imaging, and acoustic head resonance. But although they each have advantages of their own (thermal imaging, unlike conventional facial recognition, is supposedly able to distinguish between identical twins), compared with other biometrics they are either too expensive or too impractical, and so none has been commercialised.
Searching for the killer app
This optimism stems in part from the fact that this summer America, Britain and Ireland passed laws making digital signatures legally binding. The new regulations mean that a digital signature has the same legal force as an ink-based one. But a digital signature can be stolen or used by somebody other than its owner. Proponents of biometrics argue that only by protecting digital signatures with biometrics (so that a signature is released only if the owner’s finger is presented, for example) can people be sure who they are dealing with online.
Another significant development was Microsoft’s announcement in May that it would provide support for biometrics in the next big revision of its Windows operating system, to enable users to log on to their computers “and conduct secure e-commerce transactions”. Dr Atick, a proponent of face recognition systems, has also welcomed the first prototype mobile phones and personal organisers with tiny built-in cameras. As it becomes possible to conduct transactions from mobile devices, he argues, it will become increasingly important to be able to verify the identity of the user of a particular device. “I think this is the killer app,” he says.
The biometrics industry has done its best to allay these privacy concerns. In many applications, the spectre of an Orwellian central database can be avoided if users carry their own biometrics around on smart cards, as they do with INSPASS. Only if the biometric stored on the card matches the user’s handprint is access granted; the trade-off is that the card itself must then resist tampering, since the reference template travels with the user. Similarly, with face recognition systems, verifying an identity can be done by comparing the photograph in a passport with the face of its bearer; there is no need for a database.
Indeed, says Richard Norton, executive director of the IBIA, biometrics can be used in ways that enhance rather than diminish privacy. A finger-scanning system could, for example, be used to ensure that only authorised personnel have access to medical records in a hospital. Biometrics might even enable patients to find out who had looked at their records, and when. Part of the motivation for the formation of the IBIA was to counter the growing perception that biometrics inherently undermine privacy; the association’s policy is that government use of biometrics must be strictly regulated, and that private companies that use the technology must do so transparently.
Besides, the nightmare vision of vast computers, correlating biometric scans to monitor citizens’ activities, assumes a level of technical expertise on the part of governments that is lacking in the real world. John Woodward, a legal consultant who specialises in biometrics, has coined the term “biometric balkanisation” to describe the inability of biometric systems from different vendors to talk to each other, something that, he argues, serves to protect privacy.
Scanning the future
Biometrics are sure to grow in importance for both governments and companies. In welfare offices, prisons and high-security facilities, or when providing access control to networks, the technology can be imposed on users, the security of the entire system is under central control, and the biometric scanners are used by many people, spreading their costs. But the outlook for voluntary adoption of biometrics by consumers is less rosy. In some fields, such as airports or banking, customers may volunteer to use them if they can see a tangible benefit such as faster service, lower charges, or points in a loyalty scheme. Systems that allow consumers to opt in will do much to dispel some of the myths surrounding the technology, and could prepare the ground for wider use.
Biometric Technology
Extract From BIOMETRICS- THE STATE OF THE ART.
By Rebecca Dornbush
The e-world has wrought amazing changes in the way we operate in our day-to-day lives. Among the most compelling is the advent and growth of e-commerce, both personal and business-to-business (B2B). Today consumers can buy everything on-line, from books and music to groceries and pharmaceuticals.
With the growth in consumer and B2B e-commerce, and the addition of Internet and network-based operations for financial, insurance, medical, and other traditionally confidentiality-protected services, the need for better security grows daily.
Efforts are under way everywhere, by governments and business alike, to improve Internet security and privacy.
Biometrics are technologies that automatically authenticate, identify, or verify an individual based on physiological or behavioural characteristics. This process is accomplished by using computer technology in a non-invasive way to match patterns of live individuals in real time against enrolled records. Examples include products that recognize faces, hands, fingers, signatures, irises or irides, voices, and fingerprints. Biometrics are most commonly used to enhance computer network security, protect financial transactions, safeguard international borders, control access to secured work sites, verify time and attendance, and prevent benefits fraud.
Biometrics work well as stand-alone safeguards in many applications and complement other means of security in other applications. To verify e-commerce transactions, protect network security, and authenticate online access, biometric technologies are particularly well suited to work in conjunction with other technologies to create a multi-layered security infrastructure.
Biometrics in Secured Personal Internet Transactions
Increasingly, the Internet is being used to conduct highly confidential personal transactions. People worldwide are filling prescriptions, consulting doctors, conducting bank transfers, paying bills, and managing stock portfolios on the Internet. A high degree of confidence in the security, privacy, and confidentiality of these transactions is an indispensable prerequisite to steady growth in personal Internet transactions.
Digital certificates provide a simple method of verifying that a transaction originated from the holder of a particular private key, in practice a particular personal computer, but not that a particular person was at the keyboard. Moreover, in most cases the private key behind a digital certificate is protected only by a password. Passwords are easily guessed, phished or simply stolen from people who tape them to the bottom of a keyboard or mouse pad. Biometric identifiers, by contrast, cannot be misplaced or forgotten. Used in conjunction with digital certificates, so that the key is unlocked only when the enrolled person presents a live biometric, they reduce the administrative hassles and headaches associated with passwords, remove the weakest link in the chain, and do so at low cost with technical ease: a small scanner can verify a fingerprint, a standard microphone can verify a voice, and a small camera can verify faces or irises. The biometric does not replace the key; it controls who can use it.
Biometrics also help to secure privacy. Here is what IBIA had to say in comments on proposed medical privacy regulations published by the U.S. Department of Health and Human Services: “Most biometric technologies have been designed to protect personal privacy by erecting a barrier between personal data and unauthorized access. The electronic templates used to perform the biometric verification process employ encryption and sophisticated algorithms to secure records and protect them from disclosure. Stated another way, biometrics can be thought of as a very secure key that can be used by only one person. Unless the proper bearer unlocks the biometric gate, no one can gain access to that person’s information. Biometric tools therefore can both enhance personal privacy and ensure system security when absolute confirmation of identity is required.”
Biometrics in Multi-Layered Network Security Infrastructures
B2B and other complex network transactions require the same high degree of security and protection against fraud as do personal transactions on the Internet, but the scale and complexity of networks multiply the challenge exponentially. The information to be protected can be confidential business information, pricing, or large databases of personal information about employees or customers.
The highest degree of security will be found in a system that incorporates biometrics and therefore positively verifies the persons themselves who originate transactions and communications. The use of biometrics for this purpose has other benefits: it ensures convenience and helps protect privacy. Biometrics are unique in their ability to provide protection of this breadth.
Biometric Introduction
The term biometrics has two distinct roots: bio, meaning living creature, and metrics, meaning the ability to measure an object quantitatively (Miller, B. 1994). The use of biometrics has been traced back as far as the Egyptians, who measured people to identify them (Miller, B. 1994). The first modern biometric device was introduced on a commercial basis over 20 years ago, when a machine that measured finger length was installed for a time-keeping application at Shearson Hammill on Wall Street. In the ensuing years, hundreds of these hand geometry devices were installed at high-security facilities operated by Western Electric, Naval Intelligence, the Department of Energy, and other similar organizations (Industry Information: Biometrics, 1996).
Biometrics falls under the umbrella of what is referred to as Automatic Identification and Data Capture (AIDC), the term used to describe data collection by means other than manual notation or keyboard input (Dunlap, D. 1997). The main benefits of automatically captured data are a more efficiently run organization; better and more timely decision making; and efficient use of time, people, and materials. The family of AIDC technologies can be broken down into six categories: biometrics, electromagnetics, magnetics, optical, smart cards, and touch (Dunlap, D. 1997).
There are a number of discrete biometric technologies on the market today. They can include: fingerprint identification, iris identification, retinal identification, hand geometry, hand, palm, and wrist subcutaneous vein pattern identification, signature identification, voice identification, keystroke dynamics identification, facial feature identification, body salinity (salt) identification, body odor identification, and ear identification.
Biometric practices that are in wide use today fall into one of two groups: identification and/or security (Driscoll, D. 1994). According to Dunlap (1995), the underlying advantages to biometric identification include elimination of common problems such as illicitly copied keys, lost or broken mechanical locks, and forged or stolen personal identification numbers (PINs) that can lead to automatic teller machine (ATM) and checking fraud. Additionally, biometric systems can be used for identification purposes involving security access systems in management information service departments, government agencies, ATMs or banks, law enforcement, prisons, international border control, and military agencies (Dunlap, D. 1995).
Biometric Technology
Collectively, biometric technologies are defined as “automated methods of verifying or recognizing the identity of a living person based on a physiological or behavioral characteristic” (Industry Information: Biometrics, 1996). In analyzing this definition, several terms must be elaborated upon to understand the framework of biometric technology. The phrase “automated methods” refers to three basic components of a biometric device: (1) a mechanism to scan and capture a digital or analog image of a living personal characteristic; (2) compression, processing and comparison of the image against stored images; and (3) an interface with application systems (Industry Information: Biometrics, 1996). These components can be configured in a number of different topologies depending upon the biometric device and application. For example, a common design question is whether the stored images (reference templates) reside on a card, in the device, or at a host or database (Industry Information: Biometrics, 1996); where the template lives determines who can read, copy or alter it.
The term “living person” may seem obvious, but it is an important component in defining biometrics. One of the first questions newcomers to the field ask is, “What about a latex finger, digital audio tape, plaster hand, or prosthetic eye?” The answer is that biometric devices can incorporate liveness-detection algorithms that determine whether a live characteristic is being presented; how well a particular device resists such artefacts is one of the questions a buyer should put to the vendor, since the definition only says that it can. The term “living” also separates the biometric industry from the forensic identification field, although basic principles transcend both areas (Industry Information: Biometrics, 1997).
Physiological vs. Behavioral
When referring to a biometric technology, it is important to distinguish between physiological and behavioral human characteristics. A physiological characteristic is a relatively stable physical trait, such as a fingerprint, hand silhouette, iris pattern, or blood vessel pattern on the back of the eye; it is not expected to change, and cannot be altered, without significant duress (Industry Information: Biometrics, 1997). Alternatively, a behavioral characteristic is a reflection of an individual’s psychological makeup, although physical traits, such as size and gender, have a major influence (Industry Information: Biometrics, 1997). Examples of behavioral traits used to identify individuals include a person’s typing patterns at a keyboard, commonly referred to as keystroke dynamics, and the unique characteristics of how one speaks, used for speaker identification and/or verification.
Identification vs. Verification
Verification and identification are sometimes treated as synonyms, but they have two distinct meanings. Identification occurs when an individual’s characteristic is selected from a group of stored images, a one-to-many search. Identification is the way the human brain performs most day-to-day recognition (Industry Information: Biometrics, 1997): on meeting a familiar individual, the brain compares what it sees with what is stored in memory. Biometric devices that perform identification can be quite time consuming, since every enrolled record is a candidate; anywhere from five to 15 seconds or more may be required to identify the appropriate individual, and the search time grows with the size of the enrolled population. In many cases, verification is used instead to authenticate a user’s identity. A biometric device that uses verification requires the individual to make a claim of identity by presenting a code or a card; the matching algorithm then needs only to compare the live image with the single enrolled image for that claimed user, a one-to-one comparison. The question put to the machine is, “Are you who you say you are?” instead of, “Do I know who you are?” (Industry Information: Biometrics, 1997). Verification can be viewed as adding another level of security. A good analogy is adding a dead-bolt to a door: the dead-bolt is usually added to increase the security of an entrance that generally already had a lock of some sort.
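The distinction above, shown in code (an added example, not part of the original article or any vendor's product): a one-to-one verify() against a claimed record next to a one-to-many identify() over every enrolled record, and, tying back to the earlier passages on protecting digital signatures with biometrics, a SigningGate that releases a signature only after verification succeeds. Templates are random 256-bit strings compared by normalized Hamming distance, in the style of an iris code, and are not real biometric data; the 0.32 threshold, the class and function names and the HMAC stand-in for a real digital signature are assumptions made for this demonstration.

```python
"""1:1 verification vs. 1:N identification over bit-string templates, plus a
signing key released only after verification passes.

Added example: every bit pattern here is generated randomly and is NOT real
biometric data. The 0.32 threshold, the names TemplateStore/SigningGate and
the HMAC stand-in for a digital signature are assumptions, not a vendor's.
"""
from __future__ import annotations

import hashlib
import hmac
import random
from typing import Optional

TEMPLATE_BITS = 256


def random_template(rng: random.Random) -> int:
    """Stand-in for an enrolled reference template (random bits, not a real trait)."""
    return rng.getrandbits(TEMPLATE_BITS)


def noisy_copy(rng: random.Random, template: int, flipped_bits: int) -> int:
    """Simulate a fresh live capture of the same trait: flip a few distinct bits."""
    for pos in rng.sample(range(TEMPLATE_BITS), flipped_bits):
        template ^= 1 << pos
    return template


def distance(a: int, b: int) -> float:
    """Normalized Hamming distance: near 0.0 for the same trait, near 0.5 for unrelated ones."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


class TemplateStore:
    """Enrolled reference templates with one decision threshold for all users."""

    def __init__(self, threshold: float = 0.32) -> None:
        self.threshold = threshold
        self.templates: dict[str, int] = {}

    def enroll(self, user_id: str, template: int) -> None:
        self.templates[user_id] = template

    def verify(self, claimed_id: str, probe: int) -> tuple[bool, int]:
        """'Are you who you say you are?' One comparison, against the claimed record only.
        Returns (accepted, comparisons_made)."""
        ref = self.templates.get(claimed_id)
        if ref is None:
            return False, 0
        return distance(ref, probe) <= self.threshold, 1

    def identify(self, probe: int) -> tuple[Optional[str], int]:
        """'Do I know who you are?' Compare against every record; cost grows with enrollment.
        Returns (best_matching_id_or_None, comparisons_made)."""
        best_id, best_d = None, self.threshold
        for user_id, ref in self.templates.items():
            d = distance(ref, probe)
            if d <= best_d:
                best_id, best_d = user_id, d
        return best_id, len(self.templates)


class SigningGate:
    """Holds the signing key and releases a signature only after 1:1 verification passes.
    The biometric gates the key; it does not replace it. HMAC-SHA256 stands in for a
    real digital signature so the example runs on the standard library alone."""

    def __init__(self, store: TemplateStore, key: bytes) -> None:
        self._store = store
        self._key = key

    def sign(self, claimed_id: str, probe: int, message: bytes) -> Optional[bytes]:
        accepted, _ = self._store.verify(claimed_id, probe)
        if not accepted:
            return None  # no match, no signature: the key never leaves the gate
        return hmac.new(self._key, message, hashlib.sha256).digest()


def build_demo(seed: int = 20240101) -> tuple[TemplateStore, SigningGate, dict[str, int]]:
    """Enroll three users and prepare a genuine probe and a stranger's probe (constructed data)."""
    rng = random.Random(seed)
    store = TemplateStore()
    for user in ("alice", "bob", "carol"):
        store.enroll(user, random_template(rng))
    probes = {
        "alice_live": noisy_copy(rng, store.templates["alice"], 20),  # ~0.08 from alice's reference
        "stranger": random_template(rng),                             # ~0.5 from everyone
    }
    gate = SigningGate(store, key=b"demo-signing-key-not-for-production")
    return store, gate, probes


if __name__ == "__main__":
    store, gate, probes = build_demo()
    print("verify alice:", store.verify("alice", probes["alice_live"]))
    print("identify alice:", store.identify(probes["alice_live"]))
    print("identify stranger:", store.identify(probes["stranger"]))
    print("signature released:", gate.sign("alice", probes["alice_live"], b"pay 100") is not None)
```

The second return value is the point worth noticing: verify() always costs one comparison, identify() costs one per enrolled record, which is why a claimed identity (card or PIN) is what makes large-population systems practical. sign() never exposes the key; it answers with a signature or with nothing.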
There are other notable details to consider in addition to the terms used to define biometrics. Other biometric performance factors that need to be thoroughly investigated include accuracy, speed, reliability, acceptability, resistance to counterfeiting, enrollment time, database storage requirements, intrusiveness, and cost.
Biometric Testing
The identifying power of a particular biometric is described by two figures: the False Rejection Rate (FRR), or Type I error, and the False Acceptance Rate (FAR), or Type II error. FRR and FAR are complementary in determining how stringent a biometric device is in allowing access to individuals, and because the two move in opposite directions, biometric devices commonly include a variable threshold or sensitivity setting. If the matching threshold is tightened to make it more difficult for impostors to gain access, it also becomes harder for authorized people to gain access: as FAR goes down, FRR rises. On the other hand, if the threshold is loosened to make it very easy for authorized users to gain access, an impostor is more likely to slip through (Industry Information: Biometrics, 1997): as FRR goes down, FAR rises. The threshold at which the two rates are equal, the equal error rate, is the usual single-number summary of a device’s accuracy, but the operating threshold should be chosen for the application rather than at the crossover, because the two errors rarely cost the same. Consider an automated teller machine (ATM) access system: a “False Acceptance” means you may lose a few dollars, whereas a “False Rejection” means you may lose a valuable customer (FAR POINT Consulting Inc., 1997). A car alarm is another good illustration of the inverse relationship. When the alarm is very sensitive, the probability of the bad guys stealing the car is low, yet the chance of accidentally setting off the alarm is high. Reduce the sensitivity, and the number of false alarms goes down, but the chance of someone stealing the car increases (Recognition Systems, Inc. 1999).
While the terms “false reject” and “false accept” are still commonly used in quantifying a biometric’s ability to correctly identify an individual, the federal government has recently adopted a new standard of error rate measurement. Dr. Jim Wayman, Director of the United States National Biometric Test Center, has promoted the terms “false match” and “false non-match” as the new de facto terminology for describing a biometric’s identifying power. According to Dr. Wayman, the problem with the terms “false accept” and “false reject”, and even more so with “Type I” and “Type II” errors, is that their meaning depends upon the claim of the user. Depending upon the biometric application, users make either a positive or a negative claim to identity. In a positive identification system, a rejection occurs if a person is not matched to a claimed record. In a negative identification system, a rejection occurs if a person is matched to a non-claimed record. Consequently, the words “false reject/accept” have opposite meanings depending upon whom you are speaking to, whereas “false match/non-match” describe the matcher’s output and mean the same thing in both (Wayman, J. 1999).
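The threshold trade-off of the previous paragraph and the vocabulary problem of this one, worked through on constructed data (an added example, not from the original article or from any test center): the genuine and impostor score lists are made up for the demonstration, the matcher is assumed to declare a match when a similarity score is at or above the threshold, and the function names are this example's own.

```python
"""Error rates as a function of the decision threshold, the equal-error crossover,
and the two vocabularies for naming the errors.

Added example with constructed scores: the two lists below are made up for the
demonstration and come from no real device. Scores are similarities on a 0-100
scale (higher = more alike); the matcher declares a match when score >= threshold.
"""
from __future__ import annotations

GENUINE_SCORES = [92, 88, 95, 70, 85, 60, 90, 78, 83, 97]   # user vs. own live sample (constructed)
IMPOSTOR_SCORES = [12, 30, 45, 22, 65, 18, 40, 55, 28, 35]  # user vs. somebody else (constructed)


def false_match_rate(impostor: list[int], threshold: int) -> float:
    """Share of impostor comparisons the matcher calls a match (the FAR of a positive-claim system)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_non_match_rate(genuine: list[int], threshold: int) -> float:
    """Share of genuine comparisons the matcher misses (the FRR of a positive-claim system)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine, impostor, thresholds=range(0, 101)) -> list[tuple[int, float, float]]:
    """(threshold, FMR, FNMR) per threshold; FMR falls and FNMR rises as the threshold tightens."""
    return [(t, false_match_rate(impostor, t), false_non_match_rate(genuine, t)) for t in thresholds]


def equal_error_point(genuine, impostor, thresholds=range(0, 101)) -> tuple[int, float]:
    """Threshold where FMR and FNMR are closest (lowest threshold on ties) and the EER there."""
    t, fmr, fnmr = min(error_curve(genuine, impostor, thresholds),
                       key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (fmr + fnmr) / 2


def decision(matched: bool, positive_claim: bool) -> str:
    """Accept/reject depends on the claim, not only on the matcher:
    positive claim ('I am X'): accept iff matched;
    negative claim ('I am not already enrolled'): accept iff NOT matched."""
    return "accept" if matched == positive_claim else "reject"


def error_name(matched: bool, should_match: bool, positive_claim: bool) -> str:
    """Name one wrong outcome in both vocabularies: matcher term / decision term."""
    if matched == should_match:
        return "correct"
    matcher_term = "false match" if matched else "false non-match"
    decision_term = "false accept" if decision(matched, positive_claim) == "accept" else "false reject"
    return f"{matcher_term} / {decision_term}"


if __name__ == "__main__":
    for t, fmr, fnmr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 71, 5)):
        print(f"threshold {t:3d}: FMR {fmr:.2f}  FNMR {fnmr:.2f}")
    print("equal-error point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("positive claim, impostor matched:", error_name(True, False, True))
    print("negative claim, new applicant wrongly matched:", error_name(True, False, False))
```

error_curve() shows FMR falling and FNMR rising as the threshold is tightened, and equal_error_point() finds the crossover (threshold 61, 10% on these constructed scores). error_name() makes Wayman's point mechanical: the same false match is a false accept when the claim is positive and a false reject when the claim is negative, which is why the matcher terms travel better than the decision terms.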
Biometric Applications
Biometric technology and its applications have existed longer than most people realize. According to Ben Miller, founder and chairman of CardTech/SecurTech, biometric technologies have existed in commercially available products since 1968 (Bateman, S. 1998). The oldest ongoing general application of biometrics belongs to the University of Georgia which, in 1973, installed a hand-scanning system, the Identimat from Identimation, to restrict entry into its all-you-can-eat dining halls. The device measured the lengths of patrons’ fingers by scanning them with photoelectric cells (Computer Business Review, 1998). It is only in the last decade that biometric applications have caught up with a technology that has been around for nearly 30 years. The growing impetus of biometric technology is the result of a number of factors beneficial to the consumer, including decreased costs, increased accuracy rates, and improved hardware technology.
Currently, the number of biometric applications instituted around the world is increasing. In 1996, approximately 10,000 biometric devices were in use worldwide. Some estimate the number will grow to 50,000 by year 2000 (Brown, R. 1997). From Germany to Australia to Japan, companies have been investing in higher security measures using biometric technology. Biometric vendors feel that time and attendance is the biggest growth area for biometrics in the near future.
Beyond time and attendance, computer and electronic commerce security offer the greatest promise for widespread biometric use. The Internet explosion has contributed to the growth of biometrics, as has the trend among banking institutions to offer more home-based services to their customers (Burnell, J. 1997). Future biometric applications include “key” replacements for home or vehicle access, replacement of physical cards for credit card purchases, personalized, intelligent switches for devices (e.g. guns), and electronic signatures for transfer of custodial property such as legal evidence (Biometric Identification, 1997).
Today, fingerprint identification systems are the most popular and widely used form of biometric technology (Green, P. 1998). Because forensic applications have used fingerprints to identify people, there is a wealth of information concerning the uniqueness of fingerprint patterns (Green, P. 1998). National computerized fingerprint systems exist in several countries, the first national system having been established in Australia in 1987 (Simon, D. G. 1994). Fingerprint biometrics received a huge boost in May of 1997, when Veridicom Incorporated, a Menlo Park, California startup formed by Lucent Technologies and U.S. Venture Partners, announced the development of a stamp-sized fingerprint reader. The reader-on-a-chip, which is smaller than optical fingerprint readers, can be built into a computer keyboard or mouse, allowing verified users to gain access to a PC or notebook. Prices for this technology now reach below $100 (Violino, B. 1997).
Other biometric applications are also working their way into society. The Immigration and Naturalization Service uses hand scans and voice recognition to verify the identities of some 100,000 frequent visitors to the United States. Residents of the Marshall Field Garden Apartments, a low-income housing site in Chicago, pass through a hand-geometry system to enter the building complex. Financial services giant Citibank is testing an eye-scanning system that recognizes the unique patterns found in a person’s iris for possible use in automated teller machines (ATMs) (Brown, R. 1997). A Texas company, Mr. Payroll, uses face recognition technology to cash checks for customers using its automated check-cashing machines. In Massachusetts, the Lotus software company uses hand scans in its day care center to identify parents picking up children (Moylan, M. J., 1997). Two of the more unusual applications of biometric technology involve horses in Japan and a bar in Russia. The Japanese Racing Association is now identifying some 10,000 thoroughbreds by iris recognition in order to authenticate the owners of the valuable thoroughbreds. In Russia, patrons at a bar in the Ukraine reportedly can buy a drink with a personal identification number (PIN) verified by the geometry of their hand, which initiates a direct debit to their bank accounts (Stevens, T. 1998).
Alongside declining prices, escalating fraud and security breaches are the social issues bringing biometric technology to market. For example, states are looking for ways to reduce welfare fraud and prevent drivers from obtaining multiple licenses. Colleges and universities want to control access to dormitories and other facilities. Banks are fighting to reduce ATM fraud. Credit card companies want to eliminate billions of dollars in annual losses. As well, many other businesses and institutions, such as healthcare centers and prisons, are looking to control records and regulate personnel movement (Richards, D. R. 1995).
For financial and credit institutions, biometric devices are a welcome alternative security measure. It has been estimated that in 1995 alone, fraud accounted for a staggering $1.3 billion in losses for several leading credit card companies (Woodward, J. D. 1996). Moreover, fraud in 1996 cost U.S. Visa and MasterCard issuers $751.5 million, which does not include American Express, Dean Witter, Diners Club or retail cards (Zbar, J. D. 1997). Likewise, the Federal Bureau of Investigation (FBI) can document $1.2 billion in losses annually due to loan fraud or false statements, which accounts for 35 percent of the $3.3 billion financial institutions reported as crime losses (Panczyk, T. D. 1998). According to one MasterCard spokesperson, referring to biometrics, “Ultimately, this is one of the security features we have identified as something we could add to our fraud-prevention programs for credit. If you can cut that even in half with a technology like biometrics, that’s a significant change.” (Zbar, J. D. 1997). Some figures are cited in support of this claim, although the general decline in card fraud is not attributed to biometrics specifically. According to Visa U.S.A., credit- and debit-card fraud has fallen for the fourth straight year, beginning in 1994. Fraud losses fell to 0.08 percent of dollar volume, or 8 cents for every $100 transacted (Panczyk, T. D. 1998). More striking is the drop in claims when an agency has implemented a form of biometric technology. When Connecticut required welfare recipients to have their fingerprints scanned, almost 25 percent of its applicants disappeared from its rolls, according to the state’s Department of Social Services. Installing a similar system, Los Angeles County reported the disappearance of 8,000 names from its register, resulting in annual savings of $12 million (Computer Business Review, 1998).
The application of biometric technology is limitless. Four to five years ago biometric technology was still considered too “fictional” for many. Now, these same individuals are asking where and how they can purchase biometric technology.
Biometric Outlook
Over the last several years, biometric devices and applications have experienced substantial growth in the United States and abroad. Total sales of biometric hardware, excluding sales to law enforcement and hardware integration revenue, amounted to $16.2 million in 1996. Sales are expected to hit $50 million in 1999 (Moylan, M. 1997). Furthermore, according to the report entitled World Biometrics Identification Markets, the compound annual growth rate for the 1996 to 2003 period is projected to reach 7.5 percent, meaning the biometric equipment and software markets are expected to generate $170 million by 2003 (Security Management, 1998). Propelling the expansion and use of applied biometrics is a combination of the falling cost of biometric devices, the increasing sophistication of the technology, the development of biometrics as a peripheral to common computer platforms, and efforts by the United States government (Stevens, T. 1998). For instance, United States biometric identification and verification device sales are expected to total an estimated 50,000 units in 1999, versus 13,500 units in 1997 and 2,000 units in 1992, according to Bethesda, Maryland-based CardTech/SecurTech Incorporated. Furthermore, the average end-user price for a standalone physical security device used for identity verification, without installation, was estimated at $1,600-1,700 in 1997, versus $1,900 in 1996 and $5,100 in 1990 (Stevens, T. 1998). Donna Gustafson, director of marketing for The National Registry, which develops fingerprint-imaging technology, states, “In order to get biometrics to the public, we had to bring the price down.” (Burnell, J. 1997). In addition, advancements in computer technology have meant that more personal computers have the processing power required to run biometric applications.
Biometric Perceptions
Widespread usage, implementation, and public acceptance of biometric technology still await a foothold in corporate America. Ben Miller, publisher of the Personal Identification Newsletter and biometrics consultant, puts the implementation of biometrics into perspective by stating, “I think the Feds love it, they think it’s cool, whereas if you tried to impose biometrics in a creative workplace, like Apple Computer, they might see it as Big Brother.” (O’Sullivan, O. 1996). Biometrics introduces not just financial concerns but psychological issues as well. In a day and age where most people feel that they are monitored for one reason or another, biometrics can be seen by some as an invasion of privacy. Providing the neighborhood bank with a Social Security number and a password is accepted by nearly all of us, but providing a retinal pattern or computerized fingerprint to an international credit card company might seem too Orwellian for comfort.
An example of people’s perceptions of biometrics being altered by false claims and data occurred several years ago. It was reported that military pilots refused to use a retina scan system, believing that it might impair their visual acuity. Although no evidence existed that the system affected eyesight, the system was removed. In other reported cases, retina scan users with watery eyes sometimes left data collection sensors moist, leading to concerns about eye diseases, transfer of body fluids, and AIDS. Although there is no known, or even alleged, case of injury or disease resulting from such a system, user concerns became so great that it was withdrawn from the market (Richards, D. R. 1995). Peter Hawkes, the executive responsible for automatic identification at British Technology Group, states, “Using a hand for identification might be far more socially acceptable than an iris because people don’t like the idea of repeatedly exposing an eye close up to a camera” (Smith, S. 1997). Likewise, many people may be averse to the criminal connotations of having their fingerprint taken.
There have been studies that report positive findings on the acceptance of biometrics. Banks and financial institutions have been pioneers in implementing biometric applications for their customers, and those that have tested biometric-based security on their clientele say consumers overwhelmingly have a pragmatic response to the technology. Anything that saves the information-overloaded citizen from having to remember another password or personal identification number comes as a welcome respite. Adding a statistical footing to this anecdotal evidence, a nationwide survey by Columbia University reported that 83 percent of people approve of the use of finger imaging and don’t feel it treats people as criminals (O’Sullivan, O. 1997).
The fundamental fear behind biometrics is the fear of the unknown. Raj Nanavati of the International Biometric Group, a consulting firm in New York City, states that much of the wariness [of biometrics] may come from the strangeness of a new technology. A poll conducted by the International Biometric Group asked approximately 100 people how they would react to a finger scan at a bank. According to Nanavati 60 percent of the people who only heard a description of the procedure reacted positively toward the idea, but once they tried it, favorability shot up to 90 percent (Corinna, W. 1998).
Biometric Standards
A critical element that has been absent from the world of biometrics is standards. There are virtually no standards in place for automated biometrics, including minutiae analysis, the method used by human experts to analyze fingerprints (Markowitz, J. 1997). Cynthia Way, Associate Consultant at Higgins & Associates, states, “While there are ANSI-NIST (American National Standards Institute – National Institute of Standards and Technology) fingerprint minutiae standards, they don’t seem to be of sufficient information density to be usable for all automated biometrics; thus vendors typically use proprietary minutiae algorithms” (Markowitz, J. 1997). The practical consequence is that a template enrolled on one vendor’s system generally cannot be matched by another’s.
However, it now seems that the first step toward an environment of standards has been taken by leading computer and software vendors including Compaq Computer Corporation, IBM Corporation, Microsoft Corporation, and Novell Incorporated. During the CardTech/SecurTech Conference in April 1998, it was announced that the newly formed BioAPI Consortium would leverage work done by several companies to create a common application programming interface (API) for existing and emerging biometric technologies. The resulting API standard will free system designers and integrators from developing different programs for each vendor’s biometric hardware (Costlow, T. 1998). According to Thomas Rowley, chief executive officer at Veridicom Incorporated, a Lucent Technologies spin-off that creates fingerprint sensors, peripheral devices and software, “Standards are very important for this business [biometrics] to take off. We want VAR’s (value added resellers) and VAD’s (value added dealers) to get comfortable with an API so they can adopt our products more easily. Without a proven reliable API, it’s very risky for them to design around.” (Costlow, T. 1998).
Alongside the announcement at CardTech/SecurTech 1998 of a common API standard for biometrics, the International Computer Security Association (ICSA) announced the first six biometric products to meet its new certification standards. The ICSA tested more than 100 biometric products before certifying six that performed as advertised with real humans in real-world environments. The certifications went to Hi-Key Technologies, Mytec Technologies, National Registry, and SAC Technologies for fingerprint recognition systems. In addition, Intelitrak Technologies was certified for voiceprint recognition and a Miros product was certified as able to recognize faces. Dr. Peter Tippett, ICSA president, declared, “We’re here today to announce that biometrics is real. It is here and now.” (Menefee, C. 1998). Frost and Sullivan, a Mountain View, California-based market research firm, asserts that bearing the ICSA’s stamp of approval gives the six manufacturers a marketing advantage in a global market that is expected to surpass $100 billion by next year (1999) (Guly, C. 1998), a figure hard to reconcile with the $50 million hardware sales estimate for 1999 cited in the Biometric Outlook section above.
Standards are a key facet in making biometrics a widespread technology. Standards reduce the differences between products. This decreases the risk of using automated biometrics. By reducing the risk of development, standards help grow the market, which benefits vendors. Standards also promote an aura of stability and maturity attractive to investors (Markowitz, J. 1997).
Proponents of biometric standards include a number of corporations and organizations. Standards for Automated Fingerprint Identification Systems (AFIS) have led the way in establishing fingerprint standards, covering two areas: the interchange of finger image data and finger image compression (ICSA Biometric Buyer’s Guide, 1998). The Biometric Consortium has led United States government-coordinated biometric efforts since 1993. Its main push has been the development of the Human Authentication Application Program Interface (HA-API). The first HA-API specification was announced in late 1997. The project itself is essentially divided into two parts: the creation of a generic biometric API, and a proof-of-concept implementation integrating the API within a commercial network authentication system (ICSA Biometric Buyer’s Guide, 1998). International Business Machines (IBM) has also taken an interest in instituting biometric standards. IBM’s staff in Great Britain developed the Advanced Identification Services (AIS) API, based on a number of biometric applications using IBM solutions. The API was first announced in November 1997. Version 1.01 of AIS supports the C programming language and essentially provides programming calls that support the capture, storage, query and retrieval of biometric data.
Finally, the United States National Biometric Test Center (NBTC) was established by the United States Department of Defense’s Biometric Consortium in the second quarter of 1997. The NBTC is situated at San Jose State University under the directorship of Biometric Identification Research Director Jim Wayman. The main goal of the NBTC is to further the United States government’s efforts in standardizing biometric testing procedures, focusing on ‘real world’ performance standards. The NBTC is particularly focused on developing standard testing methodologies so that biometric systems can be compared with one another (ICSA Biometric Buyer’s Guide, 1998).
