Biometrics for PC-user authentication: A primer

Feb 1, 2001 12:00 PM, By Uday O. Ali Pabrai


         Subscribe in NewsGator Online   Subscribe in Bloglines

Biometrics is about verification and identification. It is about verifying the identity of an individual based on measurable physiological and/or behavioral characteristics. Masquerade, spoofing or impersonation — in which an individual claims to be someone else — is a significant security threat. A key security service that addresses this threat in the world of computers is authentication. Authentication verifies a user's identity. An individual can be identified and authenticated by what he knows (password), or by what he owns (smart card) or by his human characteristics (biometrics). Unlike a password or a PIN, a biometric trait cannot be lost, stolen or recreated.

Consider the following statistics:

  • more than 40 percent of all helpdesk calls are password-related;

  • the worldwide annual cost of corporate fraud is $32 billion, according to Price Waterhouse.

So how does biometrics relate to e-commerce security? The pillars of e-commerce security are:

  • authentication
  • privacy (data confidentiality)
  • authorization (access control)
  • data integrity
  • non-repudiation

Biometrics is a security mechanism that supports the authentication security service.

Biometrics techniques

Examples of biometrics techniques include fingerprints, facial recognition, retinal, iris scanning, hand geometry and voice patterns.

Hand, face, and fingerprint authentication techniques are all user-friendly and accurate enough for most PC-user authentication purposes. Hand authentication is gaining acceptance for physical access and attendance checking, but it requires bulky reader hardware. Face identification requires camera equipment for user identification; thus, it is not likely to become popular until most PCs include cameras as standard equipment. This leaves fingerprint identification as the most viable and established biometric technique for verifying the identity of a PC or network user. And, in most cases, fingerprint authentication is the easiest and most economical biometric PC user authentication technique to implement.

Voice recognition is however not a good choice for PC or network user authentication since:

  • A person's voice can be easily recorded and used for unauthorized PC or network access.

  • An illness such as a cold can change a person's voice, making absolute identification difficult or impossible.

Accuracy: Retinal scanning and iris identification are both highly accurate ways of identifying individuals; however, they are both expensive to implement and most organizations do not need this level of accuracy. Hand, face, and fingerprint authentication techniques offer good accuracy for a smaller investment in scanning hardware.

Biometrics techniques may be based on physiological- or behavioral-based techniques. Physiological techniques measure the physiological characteristics of a person — examples include fingerprint verification, iris analysis, facial analysis, hand geometry-vein geometry, DNA pattern analysis and ear recognition. Behavioral-based techniques include handwritten signature verification, keystroke analysis, and speech analysis.

The advantage of using biometrics over other technologies in the areas of identification and verification is that a biometrics technique cannot be easily transferred between individuals. Further, it represents as unique an identifier as is possible at this time.

Biometrics performance measures

Key biometrics performance measures are:

  • False acceptance rates (FAR), which specify the likelihood that an imposter may be falsely accepted by the system.

  • False rejection rates (FRR), which specify the likelihood that a genuine user may be rejected by the system.

The enrollment time is the time it takes to enroll (register) a user to the biometric system. The enrollment time depends on a number of variables such as:

  • users' experience with the device;

  • use of custom software; and

  • type of information collected at the time of enrollment

For example, performance parameters associated with the Digital Persona U.are.U vertical fingerprint sensor (reader) are:

  • a false acceptance rate of less than or equal to 0.01 percent;

  • a false rejection rate of less than 1.4 percent; and

  • the image capture area is 26×14 mm.

Performance parameters associated with the SecuGen EyeD Mouse (fingerprint reader) are:

  • a false acceptance rate of less than or equal to 0.001 percent;

  • a false rejection rate of about 0.1 percent; and

  • image capture area is 21×31×59 mm (about the size of the thumb).

Biometric templates and the enrollment process

A biometric template is an individual's sample, a reference data, which is first captured from the selected biometric device. Later, the individual's identity is verified by comparing the subsequent collected data against the individual's biometric template stored in the system. Typically, during the enrollment process, three to four samples may be captured to arrive at a representative template. The resultant biometric templates, as well as the overall enrollment process, are key for the overall success of the biometric application. If the quality of the template is poor, the user will need to go through re-enrollment again.

The template may be stored:

  • within the biometric device;

  • remotely in a central repository; or

  • on a portable card.

Storing the template on the biometric device has the advantage of fast access to the data. There is no dependency on the network or another system to access the template. This method applies well in situations when there are few users of the application. However, a device malfunction would necessitate reinstallation of the template database or possibly re-enrollment of the user base.

Storing the template in a central repository is a good option in a high-performance, secure environment. Keep in mind that the size of the biometric template varies from one vendor product to the next and is typically between 9 bytes and 1.5k. For example, with the SecuGen EyeD Mouse, as a fingerprint is scanned, up to 100 minutia points are captured and run against an algorithm to create a 256-byte binary template. An ideal configuration could be one in which copies of templates related to users are stored locally for fast access, while others are downloaded from the system if the template cannot be found locally.

Storing the template on a card or a token has the advantage that the user carries his or her template with them and can use it at any authorized reader position. Users might prefer this method because they maintain control and ownership of their template. However, if the token is lost or damaged, the user would need to re-enroll. If the user base does not object to storage of the templates on the network, then an ideal solution would be to store the template on the token as well as the network. If the token is lost or damaged, the user can provide acceptable identity information to access the information based on the template that can be accessed on the network.

Challenges

A key challenge is to automate the verification process in a user-friendly manner. The user interface associated with the biometrics reader needs to be very user friendly. Further, the accuracy of biometric devices — the so-called error tolerance — is critical. Both key error measures, the false accept rate and false reject rates, should be low. Some devices provide an accuracy of 1 error for about 30,000 fingerprint impressions, while others may have an error rate of 1 in 1 million impressions. Always check with the manufacturer of the biometric sensor on the error rates.

Lack of standards especially related to the biometric application interface and independent testing of biometric devices has been a challenge in this industry. The emergence of the bioAPI framework will go a long way in addressing concerns related to the application interface associated with biometric devices.

The bioAPI framework

A key objective of bioAPI was to create a standard for biometrics that was independent of the operating system and of the biometric. Version 1.0 of the BioAPI specification is available at www.bioapi.com. More than 50 firms are members of the bioAPI consortium.

The scope of the bioAPI specification is to define the API and the Service Provider Interface for a standard biometric technology interface. The API model includes three principal high-level abstraction functions:

  • Enroll: A sample is captured from a device, processed into a usable form from which a template is constructed, and returned to the application.

  • Verify: One or more samples are captured, processed into a usable form, and then matched against an input template. The results of the comparison are returned.

  • Identify: One or more samples are captured, processed into a usable form, and matched against a set of templates. A list is generated to show how close the samples compare against the top candidates in the set.

Fingerprint-based biometric solutions

Small ridges form on a person's hands and feet before they are born and do not change throughout life. These ridges are formed during the third and fourth month of fetal development. Fingerprints of cloned monkeys, just like identical twin humans, have completely different fingerprints.

The ridges on the hands and feet have three characteristics:

  • ridge endings;

  • bifurcations — a Y-shaped split of one ridge into two; and

  • dots — short ridges that looks like dots.

Under a microscope the fingerprint has unique characteristics known as minutiae points. Common minutiae points are the intersections of bifurcations and ending points of fingerprint ridges.

In an NT system for example, each time you log in, these minutiae points are recreated and compared to the original, which is stored in the Security Account Manager (SAM) database. This process is very quick. Normally you will be logged in faster than it would take you to type the 34 characters of a traditional text password.

With the advent of Automated Fingerprint Identification Systems (AFIS), a fingerprint can be compared against every fingerprint in the entire database. No two fingerprints have been found to have the same individual characteristics in the same unit relationship.

Facts to note about fingerprints:

A fingerprint device is typically a self-contained sensor that supports two key functions:

  • a sensor for capturing a fingerprint

  • the ability to communicate the digital image to the host processor via an interface such as USB or serial.

Some key features of fingerprint sensor devices are:

  • high-speed USB interface;

  • high quality image capture and encrypted image data;

  • plug-and-play;

  • self-calibrating, rugged, small footprint;

  • no external interface or power supply required; and

  • support for Windows NT 4.0, Windows 2000, Windows 98 and 95 OSR 2.1 (USB)

Facial recognition-based biometric solutions

Facial recognition software translates the characteristics of a face into a unique set of numbers — this is referred to as “eigenface”. The eigenface is used by both identification and verification systems for facial comparisons made in real-time. Identification involves a one-to-many comparison of an individual's face against all faces in a database in order to determine identity; and verification is characterized as a one-to-one match of an individual's face to his or her stored image for the purpose of confirming identity.

The brain deals with visual information much as computer algorithms compress files. Because everyone has two eyes, a nose and lips, the brain extracts only those features that typically show deviations from the norm, such as the bridge of the nose or the upper cheekbones. The rest it fills in. Facial recognition software today can instantly calculate an individual's eigenface from either live video or a still digital image, and then search a database of millions in only a few seconds in order to find similar or matching images. The challenge is to support rapid and accurate real-time acquisition as well as its scalability to databases containing millions of faces.

Visionics is one of the leaders in facial recognition technology. Visionics develops and markets pattern recognition software called FaceIt. FaceIt verifies a person's identity based on a set of 14 facial features that are unique to the individual and unaffected by the presence of facial hair or changes in expression.

Viisage is another prominent biometrics vendor that specializes in facial recognition. For example, in 1999 Viisage completed the development and deployed the world's first large-scale drivers license face recognition system with complete database one to all search capabilities. This system provides both duplicate identity fraud reduction and identity investigation functionality. The system has been built to support growth to 20 million entries in the next 5 years.

“Early adopters and applications of facial recognition-based technology include ATM customer ID verification; casino surveillance; airports; and Internet verification for e-commerce and home workers.”

Early adopters and applications of facial recognition-based technology include:

  • ATM customer ID verification;

  • casino surveillance;

  • airports; and

  • Internet verification for e-commerce and home workers.

Conclusion

Biometrics is the technology of the millennium. Incorporating biometrics identity verification can substantially enhance authentication services. Today's biometrics technology is ready for utilization in commercial, production and end-user environments.

For the record

About the author

Uday O. Ali Pabrai, CEO of ecfirst.com and creator of the world-leading Certified Internet Webmaster (CIW) program, is a leader in the e-security, biometrics and e-learning industries. Recently, as chief knowledge officer at Nextera Enterprises, he was responsible for enhancing the firm's knowledge management system, overseeing new service development, training and employee development. Previously, as vice chairman and chief technology officer at ProsoftTraining.com, Mr. Pabrai increased the visibility of the Certified Internet Webmaster (CIW) program, which is today the standard designation for Internet professionals. Mr. Pabrai also founded Net Guru Technologies, where he developed the foundation of the current Certified Internet Webmaster program. Previously, Mr. Pabrai led the system integration group at Fermilab, U.S. Department of Energy (world's leading nuclear research facility), from 1987 to 1991 and served as network manager at Teredyne's Telecom Division from 1991 to 1992.

Want to use this article? Click here for options!
© 2014 Penton Media Inc.

Today's New Product

Product 1 Image

Privaris Biometric Verification Software

In support of the Privaris family of personal identity verification tokens for secure physical and IT access, an updated version of its plusID Manager Version 2.0 software extends the capabilities and convenience to administer and enroll biometric tokens. The software offers multi-client support, import and export functionality, more extensive reporting features and a key server for a more convenient method of securing tokens to the issuing organization.

To read more...


Govt Security

Cover

This month in Access Control

Latest Jobs

Popular Stories

Back to Top