Survey: Biometrics Overview
22 November 2010 17:12 GMT

Getting Started

There is nothing particularly new about recognising a person by their physical and behavioural characteristics, from the way they look and sign their name, to the sound of their voice and the patterns of their fingerprint. In fact, this concept has played a central role in how society functions since time immemorial. What has changed, though, is that globalisation and technology are now driving the international impetus to replace these fairly rudimentary methods with more sophisticated identification and verification techniques which can be carried out by devices capable of remembering thousands – and even millions – of identities. And a big advantage of these latest digital methods of identifying an individual is that they are not hindered by human error. Put simply, a biometric device scanning an individual’s face in a high throughput area will not get bored, start thinking about lunch or have issues with their job, so is not likely to make the basic errors that we humans do.

One of the most common biometrics used for identification is the fingerprint, which has been used over the centuries as a means of verification. For example, in the nineteenth century the British administration in India required members of the local population to place their thumb impressions on contracts as a means of combating forgery. And there’s also evidence that inked fingerprints may have been used by the Chinese as far back as the 3rd century BC to sign official documents.
But what are biometrics? How do they work? Who is using them? How does the industry work? And what are the key challenges that stakeholders are currently working to resolve?

Technologies

A key aspect of a biometric technology is that it is stable and shouldn’t change significantly over a period of time. This is important because if you register your fingerprint or voice print to access your bank account or receive government benefits, it is essential that your finger or voice still matches that original sample when you access these facilities six months – or even six years – later.
Biometric devices can measure a whole host of physical and behavioural characteristics that are unique to an individual. Although some are unlikely to move beyond the research and development (R&D) phase, others are already making significant progress in the public and private sectors.

Physical biometrics

Biometric technologies that authenticate the physical characteristics of an individual include face recognition, fingerprint recognition, hand and finger geometry, iris pattern, retina and vein pattern recognition.
There are a number of approaches to some of these biometric types. For example, companies that deploy face recognition may talk about eigenfaces, hidden Markov models, dynamic link matching, principal component analysis, elastic bunch graph matching, linear discriminant analysis and three-dimensional face recognition. Although these approaches are all different, at its most basic level, the technology extracts features from an image of the subject’s face and the face recognition algorithm may then assess the relative position, size and/or shape of key features such as the eyes, nose, mouth and jaw.
Fingerprint technology uses optical or capacitance sensors. A recognition system must capture an image of an individual’s print and determine whether the pattern of ridges and valleys matches those in pre-scanned images.
Automated Fingerprint Identification Systems (AFIS) and the US Integrated Automated Fingerprint Identification Systems (IAFIS) are also being used to match one or many unknown fingerprints against a database of known and identified prints. AFIS technology, which is typically used for criminal identification as well as employee background checks, incorporates live scan and algorithm components and normally uses multiple fingerprint combinations. 

Geometry

Hand and finger geometry examines aspects such as the length of the finger, the width of the hand, the distances between finger joints and the hand’s overall bone structure to authenticate an individual.

Iris

Iris recognition devices use a video image of the eye, which is typically captured by a standard video camera. Once captured, iris recognition matching algorithms examine more than 240 degrees of freedom or unique characteristics in the human iris to create a 512-byte data template.

Retina

Retinal technology should not be confused with iris recognition. Every person has a unique retina because of the complex structure of capillaries that supply the retina with blood. The network of blood vessels is so complex that even identical twins do not have the same pattern.
These blood vessels absorb light more readily than the surrounding tissue and are identified with appropriate lighting. A retinal scan is performed by casting an unperceivable beam of low-energy infrared light into an individual’s eye as they look through the scanner’s eyepiece. This traces a standardized path on the retina. Because retinal blood vessels are more absorbent than the rest of the eye, the amount of reflection varies during the scan. The pattern of variations is converted into computer code and stored in a database.

Vein pattern (also known as vascular pattern recognition)

Vein pattern recognition uses near-infrared light to derive reflected or transmitted images of subcutaneous blood vessels in a person’s hand or finger.
Although there are various approaches to the technology, the basic one relies on near-infrared rays generated by a bank of light emitting diodes (LEDs) to penetrate the skin of the back of the hand. Due to the difference in absorbance between blood vessels and other tissues, the reflected rays produce an image on the sensor. The image is digitized and further processed by image processing techniques to produce the extracted vascular pattern. Various feature data such as vessel branching points, vessel thickness and branching angles are extracted from this pattern and stored as the template.

Behavioural biometrics

Behavioural biometrics look at the unique habits of an individual and include dynamic signatures, gait recognition, keystroke dynamics and voice authentication.
Dynamic signature recognition captures the distinct characteristics of an individual’s signature including the shape, speed, stroke, pen pressure and timing information. This technology has been applied in areas such as the financial sector, for authenticating transactions, and in legal and insurance transactions.
Gait recognition – which recognises each person’s unique way of walking – has been examined extensively by university research departments. This has the advantage of being non-contact, non-invasive and perceivable at a distance. However, it remains at the R&D stage.
Keystroke dynamics examines the speed and timing information every time a user presses a key on a computer keyboard. These keystroke rhythms are then measured to develop a unique biometric template of the user’s typing pattern for future authentication. This technology is suited to IT security-related tasks, such as PC log on.
Voice authentication detects patterns such as voice pitch and speaking style. There are several approaches to this technology: text dependent, text prompted and text independent. Text dependent systems require an individual to say a pre-determined word or phrase. Text prompted requires the user to say random words or phrases from a pre-enrolled set. Text-independent systems allow the user to speak freely.

Verification v identification

Biometric technology can be used for two types of authentication: verification (1:1 matching) or identification (1:n matching). Verification compares the individual with a template already stored on a system, whereas identification involves checking the individual’s biometric against a larger database or watch list of individuals.

Biometric system accuracy

Biometric systems are showing their worth in improving security in areas such as national ID cards, employee access control and payments. However, it is essential that anyone considering using a biometric technology understands its limitations. Although it is constantly being improved, like all other forms of security, it cannot be guaranteed 100% secure. When looking at the accuracy of biometric devices, it is important to assess the error rates associated with each particular technology and device.

Thresholding and error rates

Thresholding is key to biometric deployment. Scores (or weights) are used to express the similarity between a pattern and a biometric template. The higher the score, the greater the similarity between the two. Access to a system is granted only if the score is higher than a certain threshold.
Biometric system performance is measured in terms of decision, matching or image acquisition error rates. Decision error rates include False Acceptance Rate (FAR), False Rejectance Rate (FRR) and Equal Error Rate (EER). The FAR refers to the acceptance of an impostor into a system being protected by a biometric device. It estimates the probability – expressed as a percentage – of a device failing to reject an impostor. The FRR refers to the rejection of a legitimate user from the system being protected by a biometric device. It estimates the probability – expressed as a percentage – of a device failing to accept a legitimate user. The EER is the point where the FAR and FRR are identical. The EER gives a threshold-independent performance measure. The lower the EER, the better the system’s performance.
Matching error rates include False Match Rate (FMR) – the probability that a sample will be falsely matched against a ‘non-self’ template – and False Non-Match Rate (FNMR) – the probability that a sample will not match a template of the same user.
Image acquisition error rates include failure to enrol and failure to acquire. The Failure To Enrol Rate (FTER) refers to the percentage of the population for whom the system is unable to generate repeatable templates (eg an individual who is unable to register a fingerprint due to a severe injury). The Failure To Acquire Rate (FTAR) refers to the proportion of the population for which the system is unable to capture an image of sufficient quality.

Biometric systems in action

A biometric device’s error rate settings can be tweaked to provide levels of security that match the application they are protecting. For example, a device protecting a high-security establishment may be set up with a high FRR and low FAR because it is preferable for such an establishment to double check an innocent person rather than to admit a potential terrorist. By contrast, a system that is used by customers of a corporation may not need such stringent security measures. Indeed, when customer care is paramount, it may be preferable to set up a system to provide greater consumer convenience and so have a high FAR and a low FRR. As people working in the payments sector have commented: “We cannot do anything that may incorrectly brand one of our customers a thief, so it is unacceptable in our business to falsely reject an individual.”
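The threshold trade-off described under "Thresholding and error rates" and in the paragraph above, worked through as an added example that is not part of the original article. The match scores are constructed for illustration, and the function names are this example's own.

```python
# Added example: FAR, FRR and EER computed from match scores, and how the
# threshold is chosen for a high-security versus a convenience deployment.
# Scores are constructed sample data (0-100, higher = more similar); they do
# not come from any real device. Rates are fractions (0.1 means 10%).
GENUINE = [91, 88, 84, 79, 77, 73, 70, 66, 61, 55]   # same-user comparisons
IMPOSTOR = [12, 18, 25, 31, 36, 42, 47, 52, 58, 64]  # different-user comparisons
THRESHOLDS = range(0, 101)


def accept(score, threshold):
    """Decision rule from the text: grant access only if score > threshold."""
    return score > threshold


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: fraction of impostor attempts that are accepted."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: fraction of legitimate attempts that are rejected."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Return (threshold, rate) at the point where FAR and FRR are closest.

    With a finite sample the two curves may not meet exactly, so the rate
    reported is the mean of FAR and FRR at the closest threshold.
    """
    t = min(THRESHOLDS, key=lambda x: abs(far(x, impostor) - frr(x, genuine)))
    return t, (far(t, impostor) + frr(t, genuine)) / 2


def threshold_for_far_cap(max_far, impostor=IMPOSTOR):
    """High-security tuning: lowest threshold whose FAR is within the cap,
    which keeps FRR as low as the cap allows."""
    for t in THRESHOLDS:
        if far(t, impostor) <= max_far:
            return t
    raise ValueError("no threshold meets the FAR cap")


def threshold_for_frr_cap(max_frr, genuine=GENUINE):
    """Convenience tuning: highest threshold whose FRR is within the cap,
    which keeps FAR as low as the cap allows."""
    for t in reversed(THRESHOLDS):
        if frr(t, genuine) <= max_frr:
            return t
    raise ValueError("no threshold meets the FRR cap")


if __name__ == "__main__":
    eer_t, eer = equal_error_rate()
    print(f"EER {eer:.0%} at threshold {eer_t}")
    for label, t in (("high security (FAR cap 0%)", threshold_for_far_cap(0.0)),
                     ("convenience (FRR cap 0%)", threshold_for_frr_cap(0.0))):
        print(f"{label}: threshold {t}, FAR {far(t):.0%}, FRR {frr(t):.0%}")
```

On this sample, removing false acceptances entirely costs a 20% false rejection rate, and removing false rejections costs a 20% false acceptance rate; the EER sits between the two settings.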
All biometric systems are slightly different, but their basic authentication process can be considered in terms of four steps: capturing, processing, enrolling and authenticating an individual’s biometric.
During the capture phase a user presents his or her biometric sample, such as a fingerprint, to a sensing device, such as a fingerprint scanner, for capture. Once the sample is captured, features are extracted from the sample and transformed into a mathematical representation of the original sample known as a template.
During enrolment, a template is created and stored in a database or a secure device (such as a smart card) for later comparison for authentication.
The authentication phase involves a biometric system checking an individual to establish whether they are who they claim to be by comparing the person’s biometric sample against the database of stored templates.

Applications

Organisations choosing to deploy biometrics are generally looking to beef up security and/or improve user convenience and drive throughput.
The technology is making in-roads in a diverse range of areas including access control, identity management, transactions and credentialing.
Access control can be considered in terms of physical access control (for example, border control, campus control, facility access, room access and container access) and logical (virtual) access control (such as distributed information systems, Local Area Network, stand-alone systems, other computer-based systems and medical, personnel and educational records).
Identity management can be broken down into watch lists, law enforcement, disaster response and benefits eligibility and fraud mitigation (driver licensing, social security benefits, welfare benefits and refugees). It can also be used for non-repudiation of classified documents, contracts, credit card fraud and cheque encashment as well as for forensics.
In the transactions market, it can be used for credit cards and point of sale.
It can also be used for credentialing systems, such as Personal Identity Verification (PIV) and the Transportation Worker Identification Credential (TWIC), and time and attendance, including collecting employee timesheets and preparing payrolls.

Issues

Other areas that need to be considered before deploying biometric technology include how the technology works and how stakeholders may react to its implementation. Get it right and you’ll have a system that improves security and aids convenience. Get it wrong and you could end up with a PR disaster as well as a system that fails to adequately protect your organisation.
Successful biometric technologies should be difficult to forge, easy to use, culturally acceptable, appropriate for their environment and capable of either 1:1 or 1:n matching.
Basic questions to consider are:
  • Who is going to use it?
  • Where will people have to enrol?
  • How easy is it to operate?
  • How much does it cost?
  • Is it easily scalable?
  • Can it be easily integrated into other systems?
  • How future proof is it?
  • Does it comply with relevant standards and specifications?
  • Where will images be stored?
  • Does it respect user privacy?

Privacy

Anyone reading the negative stories in the media about biometrics might get the impression that the technology is an infringement of personal privacy and erodes civil liberties. This is simply not true – as long as you consider all the issues before you roll out your scheme. At the heart of the battle for hearts and minds is the question of where the biometric template or image is stored. It is important that biometric storage suits the application. For example, in some cases it may be appropriate to store an individual’s personal and biometric details in a database, but there are potential risks. Anyone implementing this type of system needs to consider who has access to that database; how they access it; what security is in place to avoid it being hacked into; and how users feel about handing over their biometric data and having it stored centrally.
An alternative is to store the biometric on a smart card, thereby handing control of the biometric over to the card holder and removing the uncertainty of matching via a network-connected device, an external server or a database. Biometrics can be used in conjunction with smart cards and applied in three distinct ways: Template on Card (TOC), Match on Card (MOC) and System on Card (SOC).
Taking the TOC approach, biometric data acquisition, feature extraction and matching are carried out on the reader side. However, during enrolment, the original template is stored on the smart card instead of the reader.
MOC involves biometric data acquisition and feature extraction being carried out at the reader while the matching is done inside the card. During enrolment, the original template is stored inside the reader. When the individual needs to be verified by his or her biometric, the matching stage comes into play. At this point, the reader constructs the query template, which is then sent to the card for matching. The final matching decision is computed inside the card itself, so the entire original template is never released from the smart card.
The SOC approach requires the smart card to incorporate the entire biometric sensor, the processor and the algorithm. The whole biometric data acquisition, feature extraction and matching process is carried out in the card itself and both the original template and the query template are computed in the card and do not leave it.
Of course, it should be remembered that the downside of this two-factor approach is that it is not suited to 1:n matching. Furthermore, the system can only work well if the cardholder remembers – and never loses – his or her smart card.

Stakeholder education

Communicating with stakeholders is key to getting their buy-in to the project. They need to be informed about the biometric system, what it is, how it works and how their biometric images are used and stored. It could also involve creating a brand and logo that the stakeholder comes to associate with the system. It is important that they are not taken for granted and that any concerns they have are met head on so they feel comfortable with the system. Typical issues include the belief that a biometric system can tell whether someone has a particular illness (it can’t), may be invasive and cause physical harm (it can’t) or may be an invasion of privacy (see above). The key thing is to be open and explain why the myths aren’t true and highlight how you have ensured the system’s safety and privacy.
It may also be necessary to consider how a particular type of biometric technology is perceived by the public. For example, in the past fingerprints were associated with criminality and some organisations decided that for this reason alone a different type of biometric technology, such as face recognition, would be more appropriate. As biometrics has moved into the mainstream, this has been less of an issue, but it remains something that anyone thinking of implementing a system has to be prepared to address.
Another issue is that certain cultures and groups of people are not comfortable with the idea of touching a device that has just been touched by another person, such as a hand geometry unit or a fingerprint device. This concern was voiced in 2009 when the international swine flu alert was in force. Again, it may be necessary to educate people that a device won’t have been touched by any more people than a door handle, or alternatively offer them antiseptic wipes to clean the equipment before use. Alternatively, it may be necessary to consider deploying a non-contact biometric system such as vein pattern or iris recognition.
It is also important to consider the target group for the biometric system. Is it tech-savvy young people who may be naturally curious and excited by the prospect of the technology? Or is it older people with little experience of technology and a natural suspicion of how it works? Knowing your target audience will help you to assess how much assistance they’ll need to use the system successfully and will determine how many trained staff you’ll need to provide help. Device location is another factor to consider. Will it sit on a desk? Or do you need the convenience of portability? And how do you ensure its performance is optimised? Does the device have any particular light and heat requirements? Plus how do you cater for the potentially broad cross-section of people who will use the device? For example, it may need to register busy travellers seeking swift transit as well as individuals with disabilities who may have difficulty reaching a traditional countertop, so the device may need to be placed at an appropriate height and angle to deal with these mixed needs.

Spoofing

Spoofing remains a key concern. Stories about systems that have successfully been circumvented are – at the very least – a PR disaster for everyone involved.
It involves defeating a biometric system with a fake biometric sample. Artificially created biometrics include using an image of a face or iris, lifted latent fingerprints, artificial fingers and high-quality voice recordings.
Spoof attacks can be prevented through ‘liveness’ detection which recognises physiological activities as signs of life. This detection can be carried out either by processing the information already captured by a biometric reader or by acquiring life signs by using extra hardware. Alternatively, the system may introduce challenge-response mechanisms, or it could put biometric verification, in addition to enrolment, under supervision.
Using software enhancement, liveness detection may be able to detect perspiration on a fingerprint, head movements for face recognition, and pupil and eye movement for iris recognition.
Hardware may also be used for liveness detection, such as sensing temperature, detecting a fingertip pulse, pulse oximetry, electrical conductivity and ECG in fingerprint recognition systems. Voice systems may use video to match the lip movement to audio.
Challenge-response systems may challenge the user to change their facial expression for a face recognition system, while voice systems may require the user to repeat randomly generated sequences of digits and phrases.