“Biometrics” are automated methods of
recognizing an individual based on their physical or behavioral
characteristics. Some common commercial examples are fingerprint, face,
iris, hand geometry, voice and dynamic signature. These, as well as many
others, are in various stages of development and/or deployment. The type
of biometric that is “best” will vary significantly from one
application to another. These methods of identification are preferred
over traditional methods involving passwords and PIN numbers for various
reasons: (i) the person to be identified is required to be physically
present at the point-of-identification; (ii) identification based on
biometric techniques obviates the need to remember a password or carry a
token. Biometric recognition can be used in identification mode, where
the biometric system identifies a person from the entire enrolled
population by searching a database for a match.
A BIOMETRIC SYSTEM:
All biometric systems consist of three basic elements:
- Enrollment, or the process of collecting biometric samples from an individual, known as the enrollee, and the subsequent generation of his template.
- Templates, or the data representing the enrollee’s biometric.
- Matching, or the process of comparing a live biometric sample against one or many templates in the system’s database.
Enrollment
Enrollment is the
crucial first stage for biometric authentication because enrollment
generates a template that will be used for all subsequent matching.
Typically, the device takes three samples of the same biometric and
averages them to produce an enrollment template. Enrollment is
complicated by the dependence of the performance of many biometric
systems on the users’ familiarity with the biometric device because
enrollment is usually the first time the user is exposed to the device.
Environmental conditions also affect enrollment. Enrollment should take
place under conditions similar to those expected during the routine
matching process. For example, if voice verification is used in an
environment where there is background noise, the system’s ability to
match voices to enrolled templates depends on capturing these templates
in the same environment. In addition to user and environmental issues,
biometrics themselves change over time. Many biometric systems account
for these changes by continuously averaging. Templates are averaged and
updated each time the user attempts authentication.
Templates
Templates are the data representing the enrollee’s biometric, and they
are created by the biometric device.
The device uses a proprietary algorithm to extract “features”
appropriate to that biometric from the enrollee’s samples. Templates are
only a record of distinguishing features, sometimes called minutiae
points, of a person’s biometric characteristic or trait. For example,
templates are not an image or record of the actual fingerprint or voice.
In basic terms, templates are numerical representations of key points
taken from a person’s body. The template is usually small in terms of
computer memory use, and this allows for quick processing, which is a
hallmark of biometric authentication. The template must be stored
somewhere so that subsequent templates, created when a user tries to
access the system using a sensor, can be compared. Some biometric
experts claim it is impossible to reverse-engineer, or recreate, a
person’s print or image from the biometric template.
Matching
Matching is the
comparison of two templates, the template produced at the time of
enrollment (or at previous sessions, if there is continuous updating)
with the one produced “on the spot” as a user tries to gain access by
providing a biometric via a sensor. There are three ways a match can
fail:
- Failure to enroll.
- False match.
- False nonmatch.
Failure to enroll
(or acquire) is the failure of the technology to extract distinguishing
features appropriate to that technology. For example, a small percentage
of the population fails to enroll in fingerprint-based biometric
authentication systems. Two reasons account for this failure: the
individual’s fingerprints are not distinctive enough to be picked up by
the system, or the distinguishing characteristics of the individual’s
fingerprints have been altered because of the individual’s age or
occupation, e.g., an elderly bricklayer. In addition, the possibility of
a false match (FM) or a false nonmatch (FNM) exists. These two terms are
frequently misnamed “false acceptance” and “false rejection,”
respectively, but those names are application-dependent in meaning. FM
and FNM are application-neutral terms to describe the matching process
between a live sample and a biometric template. A false match occurs
when a sample is incorrectly matched to a template in the database
(i.e., an imposter is accepted). A false nonmatch occurs when a sample
is incorrectly not matched to a truly matching template in the database
(i.e., a legitimate match is denied). Rates for FM and FNM are
calculated and used to make tradeoffs between security and convenience.
For example, a heavy security emphasis errs on the side of denying
legitimate matches and does not tolerate acceptance of imposters. A
heavy emphasis on user convenience results in little tolerance for
denying legitimate matches but will tolerate some acceptance of
imposters.
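The enrollment, matching and FM/FNM tradeoff described above, as an added example that is not part of the original article: three samples are averaged into a template, a live sample is matched by distance against a threshold, and the FM and FNM rates are computed at several thresholds. The feature vectors, distances, thresholds, the Euclidean distance measure and the update weight are all constructed assumptions; real devices use proprietary algorithms.

```python
"""Added example: enrollment by averaging, threshold matching, FM/FNM rates.

Feature vectors, distances and thresholds are constructed for illustration;
real devices use proprietary feature extraction and scoring.
"""
from math import dist  # Euclidean distance (Python 3.8+)


def enroll(samples):
    """Average the enrollment samples (typically three) into one template."""
    return [sum(column) / len(samples) for column in zip(*samples)]


def match(template, live, threshold):
    """A live sample matches when it lies within `threshold` of the template."""
    return dist(template, live) <= threshold


def update(template, live, threshold, weight=0.1):
    """Continuous averaging, gated on a successful match.

    A rejected sample never changes the stored template, and `weight`
    bounds how far one accepted sample can move it.
    """
    if not match(template, live, threshold):
        return template
    return [(1 - weight) * t + weight * x for t, x in zip(template, live)]


def error_rates(genuine, impostor, threshold):
    """Return (FMR, FNMR) for labelled comparison distances.

    FMR  = share of impostor comparisons that fall inside the threshold.
    FNMR = share of genuine comparisons that fall outside it.
    """
    fmr = sum(d <= threshold for d in impostor) / len(impostor)
    fnmr = sum(d > threshold for d in genuine) / len(genuine)
    return fmr, fnmr


def pick_threshold(genuine, impostor, candidates, max_fmr):
    """Lowest-FNMR candidate whose FMR stays at or below `max_fmr`."""
    allowed = [t for t in candidates
               if error_rates(genuine, impostor, t)[0] <= max_fmr]
    if not allowed:
        return None
    return min(allowed, key=lambda t: error_rates(genuine, impostor, t)[1])


# Constructed data: three enrollment samples of one user (4 features each).
SAMPLES = [[10.0, 20.0, 30.0, 40.0],
           [11.0, 19.0, 31.0, 41.0],
           [12.0, 21.0, 29.0, 39.0]]
# Constructed distances from labelled genuine and impostor attempts.
GENUINE = [0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.9, 1.1, 1.4, 1.8]
IMPOSTOR = [0.8, 1.2, 1.5, 1.9, 2.1, 2.4, 2.6, 3.0, 3.3, 3.7]
CANDIDATES = [0.75, 1.0, 1.5, 2.0]

if __name__ == "__main__":
    template = enroll(SAMPLES)
    print("template:", template)
    for t in CANDIDATES:
        fmr, fnmr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold={t:<4} FMR={fmr:.1f} FNMR={fnmr:.1f}")
    print("security-first threshold:",
          pick_threshold(GENUINE, IMPOSTOR, CANDIDATES, max_fmr=0.0))
    print("convenience-first threshold:",
          pick_threshold(GENUINE, IMPOSTOR, CANDIDATES, max_fmr=0.5))
```

Tightening the threshold drives the FM rate to zero at the cost of rejecting four in ten genuine attempts in this constructed data; loosening it does the reverse.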
BIOMETRIC TECHNOLOGIES:
The function of a
biometric authentication system is to facilitate controlled
access to applications, networks, personal computers (PCs), and physical
facilities. A biometric authentication system is essentially a method of
establishing a person’s identity by comparing the binary code of a
uniquely specific biological or physical characteristic to the binary
code of an electronically stored characteristic called a biometric. The
defining factor for implementing a biometric authentication system is
that it cannot fall prey to hackers; it can’t be shared, lost, or
guessed. Simply put, a biometric authentication system is an efficient
way to replace the traditional password-based authentication system.
While there are many possible biometrics, at least eight mainstream
biometric authentication technologies have been deployed or pilot-tested
in applications in the public and private sectors. They fall into two
groups:
- Contact Biometric Technologies
  - fingerprint,
  - hand/finger geometry,
  - dynamic signature verification, and
  - keystroke dynamics
- Contactless Biometric Technologies
  - facial recognition,
  - voice recognition,
  - iris scan, and
  - retinal scan
CONTACT BIOMETRIC TECHNOLOGIES:
For the purpose
of this study, a biometric technology that requires an individual to
make direct contact with an electronic device (scanner) will be referred
to as a contact biometric. The very nature of a contact
biometric is that a person desiring access is required to make direct
contact with an electronic device in order to attain logical or physical
access. Because of the inherent need of a person to make direct contact,
many people have come to consider a contact biometric to be a technology
that encroaches on personal space and to be intrusive to personal
privacy.
Fingerprint
The fingerprint
biometric is an automated digital version of the old ink-and-paper
method used for more than a century for identification, primarily by law
enforcement agencies. The biometric device involves users placing their
finger on a platen for the print to be read. The minutiae are then
extracted by the vendor’s algorithm, which also makes a fingerprint
pattern analysis. Fingerprint template sizes are typically 50 to 1,000
bytes. Fingerprint biometrics currently have three main application
arenas: large-scale Automated Finger Imaging Systems (AFIS) generally
used for law enforcement purposes, fraud prevention in entitlement
programs, and physical and computer access.
Hand/Finger Geometry
Hand or finger
geometry is an automated measurement of many dimensions of the hand and
fingers. Neither of these methods takes actual prints of the palm or
fingers. Only the spatial geometry is examined as the user puts his hand
on the sensor’s surface and uses guiding poles between the fingers to
properly place the hand and initiate the reading. Hand geometry
templates are typically 9 bytes, and finger
geometry templates are 20 to 25 bytes. Finger geometry usually measures
two or three fingers. Hand geometry is a well-developed technology that
has been thoroughly field-tested and is easily accepted by users.
Dynamic Signature Verification
Dynamic signature
verification is an automated method of examining an individual’s
signature. This technology examines such dynamics as speed, direction,
and pressure of writing; the time that the stylus is in and out of
contact with the “paper”; the total time taken to make the signature;
and where the stylus is raised from and lowered onto the “paper.”
Dynamic signature verification templates are typically 50 to 300 bytes.
Keystroke Dynamics
Keystroke
dynamics is an automated method of examining an individual’s keystrokes
on a keyboard. This technology examines such dynamics as speed and
pressure, the total time of typing a particular password, and the time a
user takes between hitting certain keys. This technology’s algorithms
are still being developed to improve robustness and distinctiveness. One
potentially useful application that may emerge is computer access, where
this biometric could be used to verify the computer user’s identity
continuously.
CONTACTLESS BIOMETRIC TECHNOLOGIES:
A contactless
biometric can either come in the form of a passive (biometric device
continuously monitors for the correct activation frequency) or active
(user initiates activation at will) biometric. In either event,
authentication of the user biometric should not take place until the
user voluntarily agrees to present the biometric for sampling. A
contactless biometric can be used to verify a person’s identity and
offers at least two dimensions that contact biometric technologies cannot
match. A contactless biometric is one that does not require undesirable
contact in order to extract the required data sample of the biological
characteristic and in that respect a contactless biometric is most
adaptable to people of variable ability levels.
Facial Recognition
Facial
recognition records the spatial geometry of distinguishing features of
the face. Different vendors use different methods of facial recognition;
however, all focus on measures of key features. Facial recognition
templates are typically 83 to 1,000 bytes. Facial recognition
technologies can encounter performance problems stemming from such
factors as noncooperative behavior of the user, lighting, and other
environmental variables. Facial recognition has been used in projects to
identify card counters in casinos, shoplifters in stores, criminals in
targeted urban areas, and terrorists overseas.
Voice Recognition
Voice or speaker
recognition uses vocal characteristics to identify individuals using a
pass-phrase. Voice recognition can be affected by such environmental
factors as background noise. Additionally, it is unclear whether the
technologies actually recognize the voice or just the pronunciation of
the pass-phrase (password) used. This technology has been the focus of
considerable efforts on the part of the telecommunications industry and
NSA, which continue to work on improving
reliability. A telephone or microphone can serve as a sensor, which
makes it a relatively cheap and easily deployable technology.
Iris Scan
Iris scanning
measures the iris pattern in the colored part of the eye, although the
iris color has nothing to do with the biometric. Iris patterns are
formed randomly. As a result, the iris patterns in your left and right
eyes are different, and so are the iris patterns of identical twins.
Iris scan templates are typically around 256 bytes. Iris scanning can be
used quickly for both identification and verification applications
because of its large number of degrees of freedom. Current pilot
programs and applications include ATMs (“Eye-TMs”), grocery stores (for
checking out), and a few international airports (physical access).
Retinal Scan
Retinal scans
measure the blood vessel patterns in the back of the eye. Retinal scan
templates are typically 40 to 96 bytes. Because users perceive the
technology to be somewhat intrusive, retinal scanning has not gained
popularity with end-users. The device involves a light source shined
into the eye of a user who must be standing very still within inches of
the device. Because the retina can change with certain medical
conditions, such as pregnancy, high blood pressure, and AIDS, this
biometric might have the potential to reveal more information than just
an individual’s identity.
EMERGING BIOMETRIC TECHNOLOGIES:
Many inventors,
companies, and universities continue to search the frontier for the next
biometric that shows potential of becoming the best. An emerging biometric
is a biometric that is in the infancy stages of proven technological
maturation. Once proven, an emerging biometric will evolve into
an established biometric. Such emerging technologies include the
following:
- Brainwave Biometric
- DNA Identification
- Vascular Pattern Recognition
- Body Odor Recognition
- Fingernail Bed Recognition
- Gait Recognition
- Handgrip Recognition
- Ear Pattern Recognition
- Body Salinity Identification
- Infrared Fingertip Imaging & Pattern Recognition
SECURITY ISSUES:
The most common
standardized encryption method used to secure a company’s infrastructure
is the Public Key Infrastructure (PKI) approach. This approach consists
of two keys, each a binary string ranging in size from 1024 bits to
2048 bits: the first key is a public key (widely known) and the second
key is a private key (only known by the owner). However, the PKI must
also be stored and inherently it too can fall prey to the same
authentication limitation of a password, PIN, or token. It too can be
guessed, lost, stolen, shared, hacked, or circumvented; this is even
further justification for a biometric authentication system. Because of
the structure of the technology industry, making biometric security a
feature of embedded systems, such as cellular phones, may be simpler
than adding similar features to PCs. Unlike the personal computer, the
cell phone is a fixed-purpose device. To successfully incorporate
biometrics, cell-phone developers need not gather support from nearly as
many groups as PC-application developers must.
Security has
always been a major concern for company executives and information
technology professionals of all entities. A biometric authentication
system that is correctly implemented can provide unparalleled security,
enhanced convenience, heightened accountability, superior fraud
detection, and is extremely effective in discouraging fraud. Controlling
access to logical and physical assets of a company is not the only
concern that must be addressed. Companies, executives, and security
managers must also take into account security of the biometric data
(template). There are many urban biometric legends about cutting off
someone’s finger or removing a body part for the purpose of gaining access.
This is not true, for once the blood supply of a body part is taken away,
the unique details of that body part start to deteriorate within
minutes. Hence the unique details of the severed body part(s) are no
longer in any condition to function as an acceptable input for scanners.
The best overall way to secure an enterprise infrastructure, whether it
be small or large, is to use a smart card. A smart card is a portable
device with an embedded central processing unit (CPU). The smart card
can either be fashioned to resemble a credit card, identification card,
radio frequency identification (RFID), or a Personal Computer Memory
Card International Association (PCMCIA) card. The smart card can be used
to store data of all types, but it is commonly used to store encrypted
data, human resources data, medical data, financial data, and biometric
data (template). The smart card can be accessed via a card reader, PCMCIA
slot, or proximity reader. In most biometric-security applications, the
system itself determines the identity of the person who presents himself
to the system. Usually, the identity is supplied to the system, often by
presenting a machine-readable ID card, and then the system is asked to
confirm it. This problem is "one-to-one matching." Today's PCs can conduct
a one-to-one match in, at most, a few seconds. One-to-one matching
differs significantly from one-to-many matching. In a system that stores
a million sets of prints, a one-to-many match requires comparing the
presented fingerprint with 10 million prints (1 million sets times 10
prints/set). A smart card is a must when implementing a biometric
authentication system; only by using a smart card can an
organization satisfy all security and legal requirements. Smart cards
possess the basic elements of a computer (interface, processor, and
storage), and are therefore very capable of performing authentication
functions right on the card. The function of performing authentication
within the confines of the card is known as ‘Matching on the Card (MOC)’.
From a security perspective, MOC is ideal as the biometric template,
biometric sampling and associated algorithms never leave the card and as
such cannot be intercepted or spoofed by others (Smart Card Alliance).
The problem with smart cards is that the public-key infrastructure
certificates built into the card do not solve the problem of someone
stealing the card or creating one. A TTP (Trusted Third Party) can be
used to verify the authenticity of a card via an encrypted MAC (Media
Access Control).
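The difference between one-to-one and one-to-many matching described in this section, as an added example that is not part of the original article. It shows an unenrolled sample being rejected when checked against a claimed identity but accepted as someone else when searched against the whole gallery, and how the chance of a false match grows with the number of comparisons. The gallery, the threshold, the Euclidean distance measure and the per-comparison false match rate of one in a million are constructed assumptions; the 10 million comparisons come from the text, and the formula assumes independent comparisons.

```python
"""Added example: one-to-one verification vs one-to-many identification."""
from math import dist, expm1, log1p

# Constructed gallery: enrolled name -> template (3 features each).
GALLERY = {
    "alice": [10.0, 20.0, 30.0],
    "bob":   [40.0, 10.0, 25.0],
    "carol": [12.0, 22.0, 33.0],
    "dave":  [70.0, 55.0, 15.0],
}
# Constructed live sample from someone who is not enrolled.
PROBE = [12.5, 22.0, 33.0]


def verify(claimed_id, live, threshold, gallery=GALLERY):
    """One-to-one: compare only against the claimed identity's template
    (for example the identity read from an ID card). One comparison."""
    template = gallery.get(claimed_id)
    return template is not None and dist(template, live) <= threshold


def identify(live, threshold, gallery=GALLERY):
    """One-to-many: search every template.

    Returns (closest enrolled name or None, number of comparisons made).
    """
    best = min(gallery, key=lambda name: dist(gallery[name], live))
    hit = best if dist(gallery[best], live) <= threshold else None
    return hit, len(gallery)


def system_false_match(fmr, comparisons):
    """Chance that at least one of `comparisons` independent comparisons
    falsely matches: 1 - (1 - fmr)^N, computed without rounding loss."""
    return -expm1(comparisons * log1p(-fmr))


def per_comparison_budget(target, comparisons):
    """Per-comparison FMR needed to hold the system-level rate at `target`."""
    return -expm1(log1p(-target) / comparisons)


if __name__ == "__main__":
    print("verify as alice:", verify("alice", PROBE, 1.0))
    print("identify:", identify(PROBE, 1.0))
    n = 10_000_000  # 1 million sets times 10 prints/set, from the text
    print("system FM chance at FMR 1e-6:", system_false_match(1e-6, n))
    print("FMR needed for 1% system FM:", per_comparison_budget(0.01, n))
```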
CULTURAL BARRIERS/PERCEPTIONS:
People as diverse
as those of variable abilities are subject to many barriers, theories,
concepts, and practices that stem from the relative culture (i.e.
stigma, dignity or heritage) and perceptions (i.e. religion or
philosophical) of the international community. These factors are so
great that they could encompass a study of their own. To that end, it is
also theorized that, to a certain degree, the application of
diversity factors from current theories, concepts, and practices may be
capable of providing a sturdy framework to the management of employees
with disabilities. Moreover, it has been implied that the term diversity
is a synonymous reflection of the initiatives and objectives of
affirmative action policies. The concept of diversity in the workplace
actually refers to the differences embodied by the workforce members at
large. The differences between all employees in the workforce can be
equated to those employees of different or diverse ethnic origin, racial
descent, gender, sexual orientation, chronological maturity, and
ability; in effect minorities.
ADVANTAGES OF BIOMETRIC TECHNOLOGIES:
Biometric
technologies can be applied to areas requiring logical access solutions,
and they can be used to access applications, personal computers, networks,
financial accounts, human resource records, the telephone system, and
invoke customized profiles to enhance the mobility of the disabled. In a
business-to-business scenario, the biometric authentication system can
be linked to the business processes of a company to increase
accountability of financial systems, vendors, and supplier transactions;
the results can be extremely beneficial. The global reach of the
Internet has made the services and products of a company available 24/7,
provided the consumer has a user name and password to login. In many
cases the consumer may have forgotten his/her user name, password, or
both. The consumer must then take steps to retrieve or reset his/her
lost or forgotten login information. By implementing a biometric
authentication system consumers can opt to register their biometric
trait or smart card with a company’s business-to-consumer e-commerce
environment, which will allow a consumer to access their account and pay
for goods and services (e-commerce). The benefit is that a consumer will
never lose or forget his/her user name or password, and will be able to
conduct business at their convenience. A biometric authentication
system can be applied to areas requiring physical access solutions, such
as entry into a building, a room, a safe or it may be used to start a
motorized vehicle. Additionally, a biometric authentication system can
easily be linked to a computer-based application used to monitor time
and attendance of employees as they enter and leave company facilities.
In short, contactless biometrics can and do lend themselves to people of
all ability levels.
DISADVANTAGES OF BIOMETRIC TECHNOLOGIES:
Some people,
especially those with disabilities, may have problems with contact
biometrics, not because they do not want to use them, but because they
endure a disability that either prevents them from maneuvering into a
position that will allow them to make use of the biometric or because the
biometric authentication system (solution) is not adaptable to the user.
For example, if the user is blind, a voice biometric may be more
appropriate.
BIOMETRIC APPLICATIONS:
Most biometric
applications fall into one of nine general categories:
- Financial services (e.g., ATMs and kiosks).
- Immigration and border control (e.g., points of entry, precleared frequent travelers, passport and visa issuance, asylum cases).
- Social services (e.g., fraud prevention in entitlement programs).
- Health care (e.g., security measure for privacy of medical records).
- Physical access control (e.g., institutional, government, and residential).
- Time and attendance (e.g., replacement of time punch card).
- Computer security (e.g., personal computer access, network access, Internet use, e-commerce, e-mail, encryption).
- Telecommunications (e.g., mobile phones, call center technology, phone cards, televised shopping).
- Law enforcement (e.g., criminal investigation, national ID, driver’s license, correctional institutions/prisons, home confinement, smart gun).
CONCLUSION:
Currently, there
exists a gap between the number of feasible biometric projects and
knowledgeable experts in the field of biometric technologies. The
September 11th, 2002 attack (a.k.a. 9-11) on the World Trade Center has
given rise to the knowledge gap. Post 9-11, many nations have recognized
the need for increased security and identification protocols on both
domestic and international fronts. This is, however, changing as studies
and curriculum associated with biometric technologies are starting to be
offered at more colleges and universities. A method of closing the
biometric knowledge gap is for knowledge seekers of biometric
technologies to participate in biometric discussion groups and biometric
standards committees. The solution needs the user to possess only a
minimum of required knowledge and effort. A biometric solution with
minimum user knowledge and effort would be very welcome to both the
purchaser and the end user. But keep in mind that at the end of the day
all that the end users care about is that their computer is functioning
correctly and that the interface is friendly, for users of all ability
levels. Alternative methods of authenticating a person’s identity are
not only a good practice for making biometric systems accessible to
people of variable ability levels, but they will also serve as a viable
alternative method of dealing with authentication and enrollment errors.
Auditing processes and procedures on a regular basis during and after
installation is an excellent method of ensuring that the solution is
functioning within normal parameters. A well-orchestrated biometric
authentication solution should not only prevent and detect an impostor
instantaneously, but it should also keep a secure log of the
transaction activities for prosecution of impostors. This is especially
important, because a great deal of ID theft and fraud involves employees
and a secure log of the transaction activities will provide the means
for prosecution or quick resolution of altercations.