“Biometrics” are automated
methods of recognizing an individual based on their physical or behavioral
characteristics. Some common commercial examples are fingerprint, face, iris,
hand geometry, voice and dynamic signature. These, as well as many others, are
in various stages of development and/or deployment. The type of biometric that
is “best” will vary significantly from one application to another. These
methods of identification are preferred over traditional methods involving
passwords and PIN numbers for various reasons: (i) the person to be identified
is required to be physically present at the point-of-identification; (ii)
identification based on biometric techniques obviates the need to remember a
password or carry a token. Biometric recognition can be used in identification
mode, where the biometric system identifies a person from the entire enrolled
population by searching a database for a match.
A BIOMETRIC SYSTEM:
All biometric systems
consist of three basic elements:
- Enrollment, or the
process of collecting biometric samples from an individual, known as the
enrollee, and the subsequent generation of his template.
- Templates, or the data
representing the enrollee’s biometric.
- Matching, or the process
of comparing a live biometric sample against one or many templates in the
system’s database.
Enrollment
Enrollment is the crucial
first stage for biometric authentication because enrollment generates a template
that will be used for all subsequent matching. Typically, the device takes three
samples of the same biometric and averages them to produce an enrollment
template. Enrollment is complicated by the dependence of the performance of many
biometric systems on the users’ familiarity with the biometric device because
enrollment is usually the first time the user is exposed to the device.
Environmental conditions also affect enrollment. Enrollment should take place
under conditions similar to those expected during the routine matching process.
For example, if voice verification is used in an environment where there is
background noise, the system’s ability to match voices to enrolled templates
depends on capturing these templates in the same environment. In addition to
user and environmental issues, biometrics themselves change over time. Many
biometric systems account for these changes by continuously averaging. Templates
are averaged and updated each time the user attempts authentication.
Templates
Templates are the data representing
the enrollee’s biometric, and the biometric device creates them. The device
uses a proprietary algorithm to extract “features” appropriate to that biometric
from the enrollee’s samples. Templates are only a record of distinguishing
features, sometimes called minutiae points, of a person’s biometric
characteristic or trait. For example, templates are not an image or record of
the actual fingerprint or voice. In basic terms, templates are numerical
representations of key points taken from a person’s body. The template is
usually small in terms of computer memory use, and this allows for quick
processing, which is a hallmark of biometric authentication. The template must
be stored somewhere so that subsequent templates, created when a user tries to
access the system using a sensor, can be compared. Some biometric experts claim
it is impossible to reverse-engineer, or recreate, a person’s print or image
from the biometric template.
Matching
Matching is the
comparison of two templates, the template produced at the time of enrollment (or
at previous sessions, if there is continuous updating) with the one produced “on
the spot” as a user tries to gain access by providing a biometric via a sensor.
There are three ways a match can fail:
- Failure to enroll.
- False match.
- False nonmatch.
Failure to enroll (or
acquire) is the failure of the technology to extract distinguishing features
appropriate to that technology. For example, a small percentage of the
population fails to enroll in fingerprint-based biometric authentication
systems. Two reasons account for this failure: the individual’s fingerprints are
not distinctive enough to be picked up by the system, or the distinguishing
characteristics of the individual’s fingerprints have been altered because of
the individual’s age or occupation, e.g., an elderly bricklayer. In addition,
the possibility of a false match (FM) or a false nonmatch (FNM) exists. These
two terms are frequently misnamed “false acceptance” and “false rejection,”
respectively, but these terms are application-dependent in meaning. FM and FNM
are application-neutral terms to describe the matching process between a live
sample and a biometric template. A false match occurs when a sample is
incorrectly matched to a template in the database (i.e., an imposter is
accepted). A false nonmatch occurs when a sample is incorrectly not matched to
a truly matching template in the database (i.e., a legitimate match is denied).
Rates for FM and FNM are calculated and used to make tradeoffs between security
and convenience. For example, a heavy security emphasis errs on the side of
denying legitimate matches and does not tolerate acceptance of imposters. A
heavy emphasis on user convenience results in little tolerance for denying
legitimate matches but will tolerate some acceptance of imposters.
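The tradeoff between FM and FNM rates described above, as an added example (not from the original article or from any vendor's product): templates are enrolled by averaging three samples, and a threshold sweep shows the two error rates moving in opposite directions. The Euclidean-distance matcher, the function names and the synthetic feature vectors are assumptions made for illustration; real devices use proprietary feature extraction and matching.

```python
import math
import random


def enroll(samples):
    """Average several captures of one trait into a single enrollment template."""
    return [sum(dim) / len(samples) for dim in zip(*samples)]


def distance(a, b):
    """Euclidean distance between two feature vectors (smaller = more alike)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def is_match(template, probe, threshold):
    """Declare a match when the live sample is closer than the threshold."""
    return distance(template, probe) < threshold


def build_trials(rng, users=20, dims=8, noise=0.6, probes=10):
    """Constructed data: each user has a fixed 'true' feature vector and every
    capture is that vector plus sensor noise. Returns (genuine, impostor)
    lists of (template, probe) pairs."""
    centers = [[rng.uniform(0, 3) for _ in range(dims)] for _ in range(users)]

    def capture(center):
        return [v + rng.gauss(0, noise) for v in center]

    # Enrollment as the article describes it: three samples, averaged.
    templates = [enroll([capture(c) for _ in range(3)]) for c in centers]
    genuine, impostor = [], []
    for i, center in enumerate(centers):
        for _ in range(probes):
            probe = capture(center)
            other = rng.choice([k for k in range(users) if k != i])
            genuine.append((templates[i], probe))       # should match
            impostor.append((templates[other], probe))  # should not match
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """Return (FMR, FNMR): the share of impostor pairs that matched and the
    share of genuine pairs that did not."""
    fm = sum(is_match(t, p, threshold) for t, p in impostor)
    fnm = sum(not is_match(t, p, threshold) for t, p in genuine)
    return fm / len(impostor), fnm / len(genuine)


def sweep(genuine, impostor, thresholds):
    """One (threshold, FMR, FNMR) row per candidate threshold."""
    return [(t,) + error_rates(genuine, impostor, t) for t in thresholds]


def pick_threshold(table, max_fmr):
    """Security-first policy: the loosest threshold whose FMR is within max_fmr.
    Threshold 0.0 matches nothing, so including it guarantees a candidate."""
    return max((row for row in table if row[1] <= max_fmr), key=lambda r: r[0])


THRESHOLDS = [i * 0.5 for i in range(13)]  # 0.0 .. 6.0

if __name__ == "__main__":
    genuine, impostor = build_trials(random.Random(2024))
    table = sweep(genuine, impostor, THRESHOLDS)
    for t, fmr, fnmr in table:
        print(f"threshold={t:3.1f}  FMR={fmr:5.3f}  FNMR={fnmr:5.3f}")
    t, fmr, fnmr = pick_threshold(table, max_fmr=0.01)
    print(f"policy FMR<=1%: threshold={t}, FMR={fmr:.3f}, FNMR={fnmr:.3f}")
```

A security-heavy deployment would pick a row near the top of the printed table (low FMR, higher FNMR); a convenience-heavy one would pick a row further down.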
BIOMETRIC TECHNOLOGIES:
The function of a
biometric authentication system is to facilitate controlled access
to applications, networks, personal computers (PCs), and physical facilities. A
biometric authentication system is essentially a method of establishing a
person’s identity by comparing the binary code of a uniquely specific biological
or physical characteristic to the binary code of an electronically stored
characteristic called a biometric. The defining factor for implementing a
biometric authentication system is that it cannot fall prey to hackers; it can’t
be shared, lost, or guessed. Simply put, a biometric authentication system is an
efficient way to replace the traditional password-based authentication system.
While there are many possible biometrics, at least eight mainstream biometric
authentication technologies have been deployed or pilot-tested in applications
in the public and private sectors. They are grouped into two categories:
- Contact Biometric Technologies
  - fingerprint,
  - hand/finger geometry,
  - dynamic signature verification, and
  - keystroke dynamics
- Contactless Biometric Technologies
  - facial recognition,
  - voice recognition,
  - iris scan, and
  - retinal scan
CONTACT BIOMETRIC TECHNOLOGIES:
For the purpose of this
study, a biometric technology that requires an individual to make direct contact
with an electronic device (scanner) will be referred to as a contact biometric.
By its very nature, a contact biometric requires a person desiring
access to make direct contact with an electronic device in order to
attain logical or physical access. Because of the inherent need of a person to
make direct contact, many people have come to consider a contact biometric to be
a technology that encroaches on personal space and to be intrusive to personal
privacy.
Fingerprint
The fingerprint biometric
is an automated digital version of the old ink-and-paper method used for more
than a century for identification, primarily by law enforcement agencies. The
biometric device involves users placing their finger on a platen for the print
to be read. The minutiae are then extracted by the vendor’s algorithm, which
also makes a fingerprint pattern analysis. Fingerprint template sizes are
typically 50 to 1,000 bytes. Fingerprint biometrics currently have three main
application arenas: large-scale Automated Finger Imaging Systems (AFIS)
generally used for law enforcement purposes, fraud prevention in entitlement
programs, and physical and computer access.
Hand/Finger Geometry
Hand or finger geometry
is an automated measurement of many dimensions of the hand and fingers. Neither
of these methods takes actual prints of the palm or fingers. Only the spatial
geometry is examined as the user puts his hand on the sensor’s surface and uses
guiding poles between the fingers to properly place the hand and initiate the
reading. Hand geometry templates are typically 9 bytes, and finger geometry
templates are 20 to 25 bytes. Finger geometry usually measures two or three
fingers. Hand geometry is a well-developed technology that has been thoroughly
field-tested and is easily accepted by users.
Dynamic Signature Verification
Dynamic signature
verification is an automated method of examining an individual’s signature. This
technology examines such dynamics as speed, direction, and pressure of writing;
the time that the stylus is in and out of contact with the “paper”; the total
time taken to make the signature; and where the stylus is raised from and
lowered onto the “paper.” Dynamic signature verification templates are typically
50 to 300 bytes.
Keystroke Dynamics
Keystroke dynamics is an
automated method of examining an individual’s keystrokes on a keyboard. This
technology examines such dynamics as speed and pressure, the total time of
typing a particular password, and the time a user takes between hitting certain
keys. This technology’s algorithms are still being developed to improve
robustness and distinctiveness. One potentially useful application that may
emerge is computer access, where this biometric could be used to verify the
computer user’s identity continuously.
CONTACTLESS BIOMETRIC TECHNOLOGIES:
A contactless biometric
can either come in the form of a passive (biometric device continuously monitors
for the correct activation frequency) or active (user initiates activation at
will) biometric. In either event, authentication of the user biometric should
not take place until the user voluntarily agrees to present the biometric for
sampling. A contactless biometric can be used to verify a person’s identity and
offers at least two dimensions that contact biometric technologies cannot match.
A contactless biometric is one that does not require undesirable contact in
order to extract the required data sample of the biological characteristic and
in that respect a contactless biometric is most adaptable to people of variable
ability levels.
Facial Recognition
Facial recognition
records the spatial geometry of distinguishing features of the face. Different
vendors use different methods of facial recognition; however, all focus on
measures of key features. Facial recognition templates are typically 83 to 1,000
bytes. Facial recognition technologies can encounter performance problems
stemming from such factors as non-cooperative behavior of the user, lighting, and
other environmental variables. Facial recognition has been used in projects to
identify card counters in casinos, shoplifters in stores, criminals in targeted
urban areas, and terrorists overseas.
Voice Recognition
Voice or speaker
recognition uses vocal characteristics to identify individuals using a
pass-phrase. Voice recognition can be affected by such environmental factors as
background noise. Additionally, it is unclear whether the technologies actually
recognize the voice or just the pronunciation of the pass-phrase (password)
used. This technology has been the focus of considerable efforts on the part of
the telecommunications industry and NSA, which continue to work on
improving reliability. A telephone or microphone can serve as a sensor, which
makes it a relatively cheap and easily deployable technology.
Iris Scan
Iris scanning measures
the iris pattern in the colored part of the eye, although the iris color has
nothing to do with the biometric. Iris patterns are formed randomly. As a
result, the iris patterns in your left and right eyes are different, and so are
the iris patterns of identical twins. Iris scan templates are typically
around 256 bytes. Iris scanning can be used quickly for both identification and
verification applications because of
its large number of degrees of freedom. Current pilot programs and applications
include ATMs (“Eye-TMs”), grocery stores (for checking out), and a few
international airports (physical access).
Retinal Scan
Retinal scans measure the
blood vessel patterns in the back of the eye. Retinal scan templates are
typically 40 to 96 bytes. Because users perceive the technology to be somewhat
intrusive, retinal scanning has not gained popularity with end-users. The device
involves a light source shined into the eye of a user who must be standing very
still within inches of the device. Because the retina can change with certain
medical conditions, such as pregnancy, high blood pressure, and AIDS, this
biometric might have the potential to reveal more information than just an
individual’s identity.
Emerging biometric technologies:
Many inventors,
companies, and universities continue to search the frontier for the next
biometric that shows potential of becoming the best. An emerging biometric is a
biometric that is in the infancy stages of proven technological maturation. Once
proven, an emerging biometric will evolve into an established
biometric. Emerging technologies of this type include the following:
- Brainwave Biometric
- DNA Identification
- Vascular Pattern Recognition
- Body Odor Recognition
- Fingernail Bed Recognition
- Gait Recognition
- Handgrip Recognition
- Ear Pattern Recognition
- Body Salinity Identification
- Infrared Fingertip Imaging & Pattern Recognition
SECURITY ISSUES:
The most common
standardized encryption method used to secure a company’s infrastructure is the
Public Key Infrastructure (PKI) approach. This approach consists of two keys
with a binary string ranging in size from 1024 bits to 2048 bits; the first key
is a public key (widely known) and the second key is a private key (only known
by the owner). However, the PKI must also be stored and inherently it too can
fall prey to the same authentication limitation of a password, PIN, or token. It
too can be guessed, lost, stolen, shared, hacked, or circumvented; this is even
further justification for a biometric authentication system. Because of the
structure of the technology industry, making biometric security a feature of
embedded systems, such as cellular phones, may be simpler than adding similar
features to PCs. Unlike the personal computer, the cell phone is a fixed-purpose
device. To successfully incorporate biometrics, cell-phone developers need not
gather support from nearly as many groups as PC-application developers must.
Security has always been
a major concern for company executives and information technology professionals
of all entities. A biometric authentication system that is correctly implemented
can provide unparalleled security, enhanced convenience, heightened
accountability, superior fraud detection, and is extremely effective in
discouraging fraud. Controlling access to logical and physical assets of a
company is not the only concern that must be addressed. Companies, executives,
and security managers must also take into account security of the biometric data
(template). There are many urban biometric legends about cutting off someone’s
finger or removing a body part for the purpose of gaining access. This is not true,
for once the blood supply of a body part is taken away, the unique details of
that body part start to deteriorate within minutes. Hence the unique details of
the severed body part(s) are no longer in any condition to function as an
acceptable input for scanners. The best overall way to secure an enterprise
infrastructure, whether it be small or large, is to use a smart card. A smart
card is a portable device with an embedded central processing unit (CPU). The
smart card can either be fashioned to resemble a credit card, identification
card, radio frequency identification (RFID), or a Personal Computer Memory Card
International Association (PCMCIA) card. The smart card can be used to store
data of all types, but it is commonly used to store encrypted data, human
resources data, medical data, financial data, and biometric data (template). The
smart card can be accessed via a card reader, PCMCIA slot, or proximity reader. In
most biometric-security applications, the system itself determines the identity
of the person who presents himself to the system. Usually, the identity is
supplied to the system, often by presenting a machine-readable ID card, and then
the system is asked to confirm. This problem is "one-to-one matching." Today's PCs
can conduct a one-to-one match in, at most, a few seconds. One-to-one matching
differs significantly from one-to-many matching. In a system that stores a
million sets of prints, a one-to-many match requires comparing the presented
fingerprint with 10 million prints (1 million sets times 10 prints/set). A smart
card is a must when implementing a biometric authentication system; only by
using a smart card can an organization satisfy all security and legal
requirements. Smart cards possess the basic elements of a computer (interface,
processor, and storage), and are therefore very capable of performing
authentication functions right on the card. The function of performing
authentication within the confines of the card is known as ‘Matching on the Card
(MOC)’. From a security perspective, MOC is ideal, as the biometric template,
biometric sampling and associated algorithms never leave the card and as such
cannot be intercepted or spoofed by others (Smart Card Alliance). The problem
with smart cards is that the public-key infrastructure certificates built into the
card do not solve the problem of someone stealing the card or creating one. A TTP
(Trusted Third Party) can be used to verify the authenticity of a card via an
encrypted MAC (Media Access Control).
CULTURAL BARRIERS/PERCEPTIONS:
People as diverse as
those of variable abilities are subject to many barriers, theories, concepts,
and practices that stem from the relative culture (i.e. stigma, dignity or
heritage) and perceptions (i.e. religious or philosophical) of the international
community. These factors are so great that they could encompass a study of their
own. To that end, it is also theorized that, to a certain degree, the
application of diversity factors from current theories, concepts, and practices
may be capable of providing a sturdy framework to the management of employees
with disabilities. Moreover, it has been implied that the term diversity is a
synonymous reflection of the initiatives and objectives of affirmative action
policies. The concept of diversity in the workplace actually refers to the
differences embodied by the workforce members at large. The differences between
all employees in the workforce can be equated to those employees of different or
diverse ethnic origin, racial descent, gender, sexual orientation, chronological
maturity, and ability; in effect minorities.
ADVANTAGES OF BIOMETRIC TECHNOLOGIES:
Biometric technologies
can be applied to areas requiring logical access solutions, and it can be used
to access applications, personal computers, networks, financial accounts, human
resource records, the telephone system, and invoke customized profiles to
enhance the mobility of the disabled. In a business-to-business scenario, the
biometric authentication system can be linked to the business processes of a
company to increase accountability of financial systems, vendors, and supplier
transactions; the results can be extremely beneficial. The global reach of the
Internet has made the services and products of a company available 24/7,
provided the consumer has a user name and password to login. In many cases the
consumer may have forgotten his/her user name, password, or both. The consumer
must then take steps to retrieve or reset his/her lost or forgotten login
information. By implementing a biometric authentication system consumers can opt
to register their biometric trait or smart card with a company’s
business-to-consumer e-commerce environment, which will allow a consumer to
access their account and pay for goods and services (e-commerce). The benefit is
that a consumer will never lose or forget his/her user name or password, and
will be able to conduct business at their convenience. A biometric
authentication system can be applied to areas requiring physical access
solutions, such as entry into a building, a room, or a safe, or it may be used to
start a motorized vehicle. Additionally, a biometric authentication system can
easily be linked to a computer-based application used to monitor time and
attendance of employees as they enter and leave company facilities. In short,
contactless biometrics can and do lend themselves to people of all ability
levels.
DISADVANTAGES OF BIOMETRIC TECHNOLOGIES:
Some people, especially
those with disabilities, may have problems with contact biometrics, not because
they do not want to use them, but because they endure a disability that either
prevents them from maneuvering into a position that will allow them to make use
of the biometric or because the biometric authentication system (solution) is not
adaptable to the user. For example, if the user is blind, a voice biometric may
be more appropriate.
BIOMETRIC APPLICATIONS:
Most biometric
applications fall into one of nine general categories:
- Financial services
(e.g., ATMs and kiosks).
- Immigration and border
control (e.g., points of entry, precleared frequent travelers, passport and visa
issuance, asylum cases).
- Social services (e.g.,
fraud prevention in entitlement programs).
- Health care (e.g.,
security measure for privacy of medical records).
- Physical access control
(e.g., institutional, government, and residential).
- Time and attendance
(e.g., replacement of time punch card).
- Computer security (e.g.,
personal computer access, network access, Internet use, e-commerce, e-mail,
encryption).
- Telecommunications
(e.g., mobile phones, call center technology, phone cards, televised shopping).
- Law enforcement (e.g.,
criminal investigation, national ID, driver’s license, correctional
institutions/prisons, home confinement, smart gun).
CONCLUSION:
Currently, there exists a
gap between the number of feasible biometric projects and knowledgeable experts
in the field of biometric technologies. The post September 11th, 2002 attack
(a.k.a. 9-11) on the World Trade Center has given rise to the knowledge gap.
Post 9-11, many nations have recognized the need for increased security and
identification protocols on both domestic and international fronts. This is,
however, changing as studies and curricula associated with biometric technologies
are starting to be offered at more colleges and universities. A method of
closing the biometric knowledge gap is for knowledge seekers of biometric
technologies to participate in biometric discussion groups and biometric
standards committees. The solution only needs the user to possess a minimum of
required user knowledge and effort. A biometric solution with minimum user
knowledge and effort would be very welcome to both the purchaser and the end
user. But keep in mind that at the end of the day all that the end users care
about is that their computer is functioning correctly and that the interface is
friendly, for users of all ability levels. Alternative methods of authenticating
a person’s identity are not only a good practice for making biometric systems
accessible to people of variable ability levels, but will also serve as a
viable alternative method of dealing with authentication and enrollment errors.
Auditing processes and procedures on a regular basis during and after
installation is an excellent method of ensuring that the solution is functioning
within normal parameters. A well-orchestrated biometric authentication solution
should not only prevent and detect an impostor instantaneously, but it should
also keep a secure log of the transaction activities for prosecution of
impostors. This is especially important, because a great deal of ID theft and
fraud involves employees and a secure log of the transaction activities will
provide the means for prosecution or quick resolution of altercations.