printer friendly version

The biometric decision

The topic of biometrics is nothing new in the pages of the Access & Identity Management Handbook. As has become the norm, this issue will examine how and where biometrics are being used in the broader access field. In this article, however, we look at the various biometric options available and their acceptance. We will also touch briefly on what is required from a biometric system to make it a reliable and accurate access and authentication mechanism for today’s end-user.

For those readers wanting more than the brief overview below, there are two resources (among many) offering insights and more information on the topic. The first is a paper by Jain, et al, 2016¹; the second is a presentation, also by Jain² which is far more concise and easier to read, covering the same data.

What biometric?

Fingerprints are by far the most widespread biometric trait used globally, primarily due to the long history of research and the ease and convenience with which fingerprints can be captured and compared. Today, however, other forms of biometrics are gaining ground and being used in various situations. Some of these include face, iris, palm or finger vein, signature, voice and even deoxyribonucleic acid (DNA).

One of the keys to biometric use is that the trait chosen must offer a high probability of identifying an individual, even when the biometric is read in different conditions (poor or bright light, dry or wet conditions, and so on). Similarly, it must have a very low probability of identifying the wrong individual. For example, no matter how similar two people’s faces are, the facial recognition system must be able to reliably tell them apart.

While all of the trait mentioned above will be able to identify an individual in the right circumstances, the research into these other traits stands at different levels of technical advancement. This means that the convenience and ease of obtaining and comparing data are very different – just take DNA, which was really only first used in 1986 as an example of a long, drawn-out process as opposed to fingerprints.

When choosing a biometric for use in one’s own environment, you therefore need to find something that fits your requirements in terms of ease of use and reliability (and speed). Jain et al, (2016) notes that the utility of a biometric trait for a specific environment “depends on the degree to which the following properties are satisfied: (i) uniqueness or distinctiveness, (ii) permanence, (iii) universality, (iv) collectability, (v) performance, (vi) user acceptance, (vii) invulnerability, and (viii) integration.”

Meeting these requirements, the most popular biometrics in use today are fingerprint, facial and iris recognition. There are other traits that are being used successfully, such as vein and/or general hand geometry systems, but the three mentioned are the primary ones used by over one billion people around the world.

Historic foundations

As noted, fingerprints have the longest history of research and use. The science of fingerprint recognition can be traced back to Henry Faulds, who published an article on fingerprints in 1880. However, fingerprints have been in use for far longer, as a fingerprint on a clay seal confirms – dated somewhere between 1000 BC and 2000 BC. Fingerprints, however, are a biometric format that requires overt acceptance from the user, who is expected to place their finger/s on a reader for a second or more. This excludes latent fingerprint gathering, for example at crime scenes.

Facial recognition goes back as far as 1964, or perhaps to the beginning of the 20th century when 35 mm still cameras started appearing. Facial biometrics is perhaps the most popular form as it doesn’t require anything from the user, they don’t touch anything and recognition and authentication is not affected by your mood or facial expression (supposedly, real life is sometimes somewhat different). Facial is also popular among governments as these readings can be taken covertly – such as in a crowd – allowing for broader identification programmes, as well as less privacy. Fortunately, the quality of these ‘readings’ is still a work in progress, but the technology will improve dramatically over the next few years.

Iris recognition got a start in 1936 when Frank Burch raised the idea of using these patterns for identification, but the first patent was only granted in 1985 (Jain, 2013.) While iris biometrics could be a covert operation, technology does not yet allow for ‘on-the-fly’ readings, although this technology is used effectively in the UAE, at airports for example.

Quality is key

In all types of biometrics, the quality of the data is critical in the ultimate accuracy of the system, both for capturing the biometric as well as comparison. For this reason, it is wise to choose your biometric trait carefully – there may be problems when using fingerprints for identity and authentication for manual labourers like miners, as their fingerprints can be worn down due to their jobs.

Similarly, it is equally, if not more important to choose your products carefully. In today’s globalised world, there is always someone with a cheaper option that promises to do everything a more expensive product will. But will these cheaper readers capture the data accurately enough and ensure accurate comparisons?

The benefits and speed of biometrics quickly turn into a disaster when, for example, using a cheaper solution results in fingerprints having to be scanned multiple times before they are recognised, or they may not be recognised at all even though they were initially captured. The worst scenario is if one person’s biometrics is mistaken for another individual’s, negating the purpose of using biometrics in the first place.

While even a cheap reader will work in ideal conditions, the day-to-day conditions of a working environment are seldom ideal. This is where better design and build delivers the goods as the companies which have put money into R&D focus on addressing those ‘non-ideal’ conditions – which will include fraudulent activity like fingerprint spoofing, or standing too far away from an iris reader or keeping your eyes half closed.

Other issues which affect quality and the ability to identify individuals include the ageing process. We all know our bodies change as we get older and this includes various biometrics, including fingerprints and our faces. Many algorithms have been developed to cater for ageing and these will improve over time to deal with the changes we all go through.

The environment is also a factor in identification, as noted, requiring significant investments in research to allow for imperfect scanning conditions.

Faking it

A final thought when it comes to selecting biometrics is the abilities of criminals to fool the readers using a fake fingerprint or some kind of mask. Jain notes that there are two primary vulnerabilities when it comes to fooling biometrics: spoofing (where a fake biometric is presented to a reader) and attacks on the template database.

“Spoof detection is a critical requirement, especially in unsupervised applications (e.g., authentication on a smartphone) where the presence of a user is not being monitored” (Jain, 2013). To prevent spoofing, the biometric product chosen must have the ability for ‘liveness detection’, in other words, proving that the biometric presented is attached to a living person and not a plastic mould, for example.

There are many ways of doing this, but they rely on measuring some physiological aspect of the person, behavioural patterns, or a challenge-response mechanism. In most cases the liveness checks are handled automatically so as not to waste time or inconvenience legitimate users, but when dealing with sensitive access, challenge-response may be required to ensure people are who they are supposed to be (such as asking for a random finger to be scanned each time the person authenticates).

When it comes to protecting the biometric templates stored in databases, smaller applications may find it worthwhile to decentralise their storage to smartcards the users carry. In other situations, a central server may be required, in which case the biometric will be stored as a key, or in a numeric format according to an algorithm which is (hopefully) secure.

Jain et al, (2016) recommends three requirements for storing a biometric template:

• Non-invertability, to prevent the conversion of a template back into a biometric feature such as a fingerprint,

• Non-linkability, meaning it should be possible to create multiple unique templates of the same biometric, and

• Discriminability, in that the template should not degrade the reader’s accuracy in recognition.

Advancing market

It’s clear that biometric technology has come a long way over the past years and is being used in a variety of situations all over the world, from time and attendance functions through to national identification databases. The research and development into this technology is also ongoing, and will allow for further rollouts and usage in more environments over time, as well as the introduction of new biometric traits as well as improvements in existing ones.

Arguably, the most effort is being focused on DNA as the unbeatable biometric trait, and we have seen advances in the time it takes to analyse DNA. This branch of biometrics has a long way to go before it is as fast and convenient as fingerprints, for example, and even longer before it is as cost-effective as fingerprint biometrics. Then of course, the other traits are also advancing, such as touchless fingerprint recognition and more. And let’s not forget how biometrics has even found a place on your smartphone, allowing the user to unlock their device or authorise payments with a fingerprint or by pointing the camera at your face.

To sum up, the choice of biometrics is therefore a reasonable one when considering identification and authentication needs in business, but it’s a case of buyer beware. Opting for the cheapest offering on the market may indeed meet your T&A requirements in a normal, small-office environment, but don’t expect exceptional or trouble-free performance. Doing your homework will enable the buyer to make better decisions based on what they require and what is available. Biometric systems aren’t cheap, but it is a competitive market and advancing technology works in the enduser’s favour.

¹ Jain, A. K., Nandakumar, K. & Ross, A., 2016. 50 years of biometric research: Accomplishments, challenges, and opportunities. Available at: http://www.cse.msu.edu/rgroups/biometrics/Publications/GeneralBiometrics/JainNandakumarRoss_50Years_PRL2016.pdf (short URL: http://securitysa.com/*cm823a).

² Jain, A., 2013. 50 Years of Biometric Research: Almost Solved, The Unsolved, and The Unexplored. Talk delivered at The International Conference on Biometrics, Madrid, Spain, 2013. Presentation available at: http://biometrics.cse.msu.edu/Presentations/AnilJain_50YearsBiometricsResearch_SolvedUnsolvedUnexplored_ICB13.pdf, (short URL: http://securitysa.com/*cm823b).

Share this article:

Further reading: