Biometric Security - Seminar Report

Biometric Security
            Now-a-days, Security is no longer a secure word, because of the recent evolutions in the IT field such as e-commerce, Internet etc., gone are the days where passwords, authentication were considered as measures for security. To help the security on the Net, there comes a new era of security namely BIOMETRICS.
             Biometrics is a means of identifying a person by measuring a particular physical or behavioral characteristic and later comparing it to those of many people that are stored in the data base. The main advantage of Biometrics is it needs the person himself for identification and these critical details cannot be lost or forged.    
  Here in this paper we present detailed walkthroughs in few types of biometrics such as:

  • Hand Scan 
  • Finger Scan
  • Facial Scan
  • Iris Scan
  • Retinal Scan
  • Voice Recognition
  • Signature Scan

This paper provides a broad overview of the subject of biometrics, their usage, how performance is measured, the typical construction of systems and practical implementation issues.

What are biometrics and why should we be concerned with them?
Biometrics are best defined as measurable physiological or behavioral characteristics that can be utilized to verify the identity of an individual. They include facial recognition, fingerprints, hand geometry, retinal and iris scanning, voice patterns, and other techniques. They are applied in the regions where it is important to verify the true identity of an individual. Initially, these techniques were employed primarily in specialist high security applications, however we are now seeing their use and proposed use in a much broader range of public facing situations.

1. HAND-SCAN:       
              Geometric Hand Measuring - The extern Hand scans, also known as hand geometry, a biometric authentication technology, which dominates an important segment of the biometric industry. Hand-scan reads the top and sides of the hands and fingers, using such metrics as the height of the fingers, distance between joints, and shape of the knuckles. Although not the most accurate physiological biometric, hand scan has proven to be an ideal solution for low-to mid-security applications where deterrence and convenience are as much a consideration as security and accuracy. 
                             The system uses infrared light to look into an individual's hand, like an x-ray it uses this image to compare to a computer database. When someone grabs the device, infrared light takes a digital picture of the inside of an individual's hand. A computer then analyzes the data and since no two hands are alike, the computer can make a positive identification of that individual.  

2. FINGER SCAN                          
            Finger scan technology is the most prominent biometric authentication technology, one used by millions of people worldwide and for decades in forensic applications. Although more accurate technologies exist, finger-scan is still considered highly accurate; and although less expensive technologies exist, prices have dropped to the point that the average home user can control his or her PC with a peripheral finger-scan device.

            Just as with hand scan biometrics, there are various methods by which facial scan technology recognizes people. All share certain commonalties, such as emphasizing those sections of the face which are less susceptible to alteration, including the upper outlines of the eye sockets, the areas surrounding one's cheekbones, and the sides of the mouth. 
            Most technologies are resistant to moderate changes in hairstyle, as they do not utilize areas of the face located near the hairline. All of the primary technologies are designed to be robust enough to conduct 1-to-many searches in the database. The system designs for facial scan verification vs. identification differ in a number of ways. The primary difference is that identification does not require a claimed identity. A second variable in identification is the dynamic between the target subjects and capture device. In verification, one assumes a cooperative audience, one comprised of subjects who are motivated to use the system correctly. 
            Facial scan systems, depending on the exact type of implementation, may also have to be optimized for non-cooperative and uncooperative subjects. Non-cooperative subjects are unaware that a biometric system is in place, or don't care, and make no effort to either be recognized or to avoid recognition. Uncooperative subjects actively avoid recognition, and may use disguises or take evasive measures. Facial scan technologies are much more capable of identifying cooperative subjects, and are almost entirely incapable of identifying uncooperative subjects. 
            Automatic Face Processing (AFP) is a more rudimentary technology, using distances and distance ratios between easily acquired features such as eyes, end of nose, and corners of mouth. Though overall not as robust as eigenfaces, feature analysis, or neural network, AFP may be more effective in dimly lit, frontal image capture situations.    

           Iris identification technology is a tremendously accurate biometric. Only retinal scan can offer nearly the security that iris scan offers, and the interface for retina scan is thought by many to be more challenging and intrusive. More common biometrics provides reasonably accurate results in verification schematics, whereby the biometric verifies a claimed identity, but they cannot be used in large-scale identification implementations like iris recognition. 
          Iris recognition leverages the unique features of the human iris to provide an unmatched identification technology. So accurate are the algorithms used in iris recognition that the entire planet could be enrolled in an iris database with only a small chance of false acceptance or false rejection.  
          The technology also addresses the FTE (failure to enroll) problems, which lessen the effectiveness of other biometrics.  The tremendous accuracy of iris recognition allows it, in many ways, to stand apart from other biometric technologies.  All iris recognition technology is based on research and patents held by Dr. John Daugman.

             Iris recognition also accounts for those ongoing changes to the eyes, which are defining aspects of living tissue. The pupil's expansion and contraction, a constant process separate from its response to light, skews and stretches the iris.
             The algorithm accounts for such alteration after having located the boundaries of the iris. Dr. Daugman draws the analogy to a "homogenous rubber sheet" which, despite its distortion, retains certain consistent qualities. Regardless of the size of the iris at any given time, the algorithm draws on the same data, and its resultant Iris Code is stored as a 512-byte template. 
               A question asked of all biometrics is their ability to determine fraudulent samples. Iris recognition can account for this in several ways: the detection of papillary (pupil) changes; reflections from the cornea; detection of contact lenses on top of the cornea; and use of infrared illumination to determine the state of the sample eye tissue. 

5. RETINAL-SCAN:             
                Iris identification technology is a tremendously accurate biometric. Only retinal scan can offer nearly the security that iris scan offers, and the interface for retina scan is thought by many to be more challenging and intrusive. 
                Retina scan devices read through the pupil - this requires the user to situate his or her eye within 1/2 inch of the capture device, and to hold still while the reader ascertains the patterns. The user looks at a rotating green light as the patterns of the retina are measured at over 400 points. This leads to a very high level off accuracy in comparison to most other biometrics. 
      Iris identification technology is a tremendously accurate biometric. Only retinal scan can offer nearly the security that iris scan offers, and the interface for retina scan is thought by many to be more challenging and intrusive. 
            No reliable statistics are available regarding the Failure to Enroll rate, or the number of users who are simply unable to perform an acceptable enrollment. Based on experience, it is fair to conclude that a statistically significant number of people, perhaps 5-10%, may be unable to perform a satisfactory enrollment.

              Voice scan, also known as voice or speaker verification, is a biometric authentication technology well suited for a handful of applications and systems in which other biometric technologies would be difficult to use. Making use of distinctive qualities of a person's voice, some of which are behaviorally determined and others of which are physiologically determined, voice scan is deployed in areas such as call centers, home imprisonment, banking, account access, home PC and network access, and many others. 
              Voice-scan is most often deployed in environments where the voice is already captured, such as telephony and call centers. If users become accustomed to speaking to their PC, especially in speech-to-text applications, voice-scan may also become a solution for PC and web access. 

            Signature scan, also known as Dynamic Signature Verification, is a biometric technology which has not seen broad usage, but may soon help address the very large demand for document authentication. 
             Measuring the manner in which one signs his or her signature or password, signature scan looks for stroke order, speed, pressure, and other factors which relate to the actual behavior of signing a tablet. Although not yet a very accurate behavioral biometric, signature scan has drawn significant interest from software companies looking to develop non-repudiated document trails. will cover the following aspects of the signature verification industry.

How Things Work Typical Device / Systems Process Map
                    Whilst individual biometric devices and systems have their own operating methodology, there are some generalizations one can make as to what typically happens within a biometric systems implementation. The following diagram depicts the process pictorially and the accompanying notes provide a more detailed explanation.             

[A] Enrolment-Obviously, before we can verify an individual’s identity via a biometric we must first capture a sample of the chosen biometric. This ‘sample’ is referred to as a biometric template and is the reference data against which subsequent samples provided at verification time are compared. A number of samples are usually captured during enrollment (typically three) in order to arrive at a truly representative template via an averaging process. The template is then referenced against an identifier (typically a PIN or card number if used in conjunction with existing access control tokens) in order to recall it ready for comparison with a live sample at the transaction point. The enrolment procedure and quality of the resultant template are critical factors in the overall success of a Biometric application. A poor quality template will often cause considerable problems for the user, often resulting in a re-enrolment.

            [B] Template storage- It is an area of interest, particularly with large scale applications which may accommodate many thousands of individuals. The possible options are as follows:
1) Store the template within the biometric reader device.
2) Store the template remotely in a central repository.
3) Store the template on a portable token such as a chip card. 
            [C] Network- There are possible variations on a theme with regard to networks. Some devices have integral networking functionality, often via RS485 or RS422 with a proprietary protocol. This may enable you to network a number of devices.  In such a case, you will almost certainly be relying on the vendor’s systems design and message functionality, together with their own software. 
            Alternatively you may design the networking, message passing and monitoring system yourself, taking advantage of the recent generic biometric API’s and accessing the reader functions directly which gives us absolute flexibility and control over systems design, providing the chosen device supports this.
            In some cases, you may have an existing network and control interface into which the biometric devices may be integrated via a common security standard such as Wiegand or ABA. In this case they will appear as just another device, although you will have to separately consider template storage and access. 
            [D] Verification- This process requires the user to claim an identity by entering a PIN and then verify this claim by providing a live biometric to be compared against the claimed reference template. There will be a resulting match or no match accordingly (the parameters involved will be discussed later under performance measures). A record of this transaction will then be generated and stored, either locally within the device or remotely via a network and host (or indeed both). With some systems, the reference template is automatically updated upon each valid transaction. 
            This allows the system to accommodate minor changes to the users live sample as a result of ageing, local abrasions etc. and may be a useful feature when dealing with large user bases.          
            [E] Transaction storage- This is an important area, as you will certainly wish to have some sort of secure audit trail with respect to the use of your system. Some devices will store a limited number of transactions internally, scrolling over as new transactions are received. This is fine as long as you are confident of retrieving all such transactions before the buffer fills up and you start losing them. In practice, this is unlikely to be a problem unless you have severe network errors.
            In some cases, you may wish to have each biometric device connected directly to a local PC which may in turn be polled periodically (over night for example) in order to download transactions to a central point. In either case, you will probably wish to adopt a local procedure to deal with error and exceptional conditions, which will in turn require some sort of local messaging. This may be as simple as a relay closure in the event of a failed transaction activating an annunciator of some description.
           [F] The network (again). How the network handles transactions may be of critical importance in some applications. For example, you may have multiple terminals distributed within a large facility, each of which requires a real time display of information. This will require fast and reliable message transmission. Each terminal user may wish to ‘hold’ a displayed transaction until a response has been initiated. This will require a separate local message buffer and possibly a message prioritization methodology to ensure that critical messages are dealt with promptly.
Performance Measures of the Biometric Devices
            False accepts, false rejects, equal error rates, enrolment and verification times - these are the typical performance measures quoted by device vendors (how they arrived at them is another matter).
            False accept rates (FAR) indicate the likelihood that an impostor may be falsely accepted by the system.
              False reject rates (FRR) indicate the likelihood that the genuine user may be rejected by the system. 
             This measure of template matching can often be manipulated by the setting of a threshold which will bias the device towards one situation or the other. Hence one may bias the device towards a larger number of false accepts but a smaller number of false rejects (user friendly) or a larger number of false rejects but a smaller number of false accepts (user unfriendly), the two parameters being mutually exclusive.
            Somewhere between the extremes is the equal error point where the two curves cross (see below) and which may represent a more realistic measure of performance than either FAR or FRR quoted in isolation. These measures are expressed in percentage (of error transactions) terms, with an equal error rate of somewhere around 0.1% being a typical figure.
            However, the quoted figures for a given device may not be realized in practice for a number of reasons. These will include user discipline and interface, familiarity with the device, user stress, individual device condition, the speed of response and other variables. We must remember that vendor quoted statistics may be based upon limited tests under controlled laboratory conditions, supplemented by mathematical theory. 
            Verification time is often misunderstood as vendors will typically describe the average time taken for the actual verification process, which will not typically include the time taken to present the live sample or undertake other processes such as the presentation of a token or keying of a PIN. Consider also an average time for user error and system response and it will be apparent that the end to end verification transaction time will be nothing like the quoted figure. 
            Given the above, it will come as no surprise that biometric device performance measures have sometimes become a controversial issue when implementing real systems. In order to provide an independent view a National Biometric Test Centre has been established in the US with a similar facility recently announced in Hong Kong. These centers are based at academic institutions and will over time no doubt provide for some interesting views. However, this does not necessarily mean that vendors will rush to conform with regard to their quoted specifications and the method used to arrive at them. 
             As a side issue to the above, there is a question concerning the uniqueness of biometric parameters such as fingerprints, irises, hands etc... The degree of individuality within a user base will naturally affect performance to some degree. It is outside the scope of this paper to examine this aspect in any detail, but suffice it to say that no one has reliable data for the world and cannot therefore say that any biometric is truly unique. 
             What we can say is that the probability of finding identical fingerprints, irises, hands etc. within a typical user base is low enough for the parameter in question to be regarded as a reliable identifier. Splitting hairs maybe, but beware of claims of absolute uniqueness - some individuals are similar enough to cause false accepts, even in finely tuned systems.

            Applications that currently uses keys, ID cards, ATM cards, or passwords for verification purposes has the potential to be converted to a biometrics application.  Also, in an age where highly sensitive personal information can be accessed through several different remote channels, the need for more accurate and fraud-proof verification methods becomes large. Below are some of the potential and commercial applications of biometrics:

  • Some of the biggest potential applications include word or PIN, a biometric trait cannot be lost, stolen, or recreated. This makes biometrics an obvious antidote to identity theft, a problem that is mushrooming alongside databases of personal information. 
  • Banks and others who have tested biometric-based security on their clientele, however, say consumers overwhelmingly have a pragmatic response to the technology. Anything that saves the information-overloaded citizen from having to remember another password or personal identification number comes as a welcome respite.
  • There are also commercial applications for computer access control, access to                                web site servers, access through firewalls, and physical access control to protect sensitive information.
  • Finger scan has the world's largest application of biometrics in the servicing of automated teller machines. There are many law enforcement applications, mostly for fingerprint recognition, at the Federal, State, and local levels. 

             The future applications of biometrics are very promising. Biometrics will play a crucial role in serving the identification needs of our future.  Listed below are some potential future verification applications of biometrics:

  • Voter Registration-verify identity at the polls to prevent fraudulent voting.
  • In-store and Online purchases- eliminate the need for credit cards to make in-store purchases.
  • Academics/Certifications- verify person’s identity prior to taking an exam.
  • Personal transportation- eliminates the need for keys for cars, boats, motorcycles, planes, etc.

          Thus Biometrics plays a very important role in present technology. In a short span of time this concept gained much importance in the world. Also, in an age where highly sensitive personal information can be accessed through several different remote channels, the need for more accurate and fraud-proof verification methods becomes large. Already many organizations are currently using some old Biometric methods, in the coming years almost each and every organization will use this modern biometric security options. 

1 comment:

  1. This article is indeed so informative. There is so much to learn from this post. Biometric security really helps so much in these modrn days. Security, safety and control are enhanced because of this innovation. Absolutely so amazing. Thanks for sharing!


leave your opinion