Biometrics is a method of
recognizing a person based on a physiological or behavioral
characteristic using automated / embedded identification tools.
Biometrics includes
fingerprints, iris scanning, hand geometry, voice patterns, facial
recognition, and other advanced techniques to identify an
individual. This technology is the solution for highly secure
identification and personal verification in current times.
Biometrics has its applications beyond the
conventional security methods and addresses the need for customized
security in access control, desktop security, enterprise-wide
network security infrastructures, secure electronic banking,
investing and other financial transactions, retail sales, law
enforcement, and health and social services.
Biometrics has also found
its application in diverse industries like amusement parks, banks,
financial organizations, Enterprise and Government networks,
passport authorities, driving licenses,
colleges, physical access to multiple facilities (e.g., nightclubs),
etc.
Biometric-based
authentication applications include workstation, network, and domain
access, single sign-on, application logon, data protection, remote
access to resources, transaction security and Web security.
The industry is now
offering integrated biometric solutions with other technologies such
as smart cards, encryption keys and digital signatures. These changes
in the global scenario and the increasing need for data and physical
security are set to change the way the world looks at security.
Biometric Authentication
systems are more convenient and offer a considerably more accurate and
secure environment than current methods (such as passwords or PINs).
This is because biometrics links the event to a particular
individual (a password or token may be used by someone other than
the authorized user), is convenient (nothing to carry or remember,
you are your own password), accurate (it provides for positive
authentication), can provide an audit trail and is becoming socially
acceptable and inexpensive.
2. Biometric Background - How it all started?
It is tempting to think of biometrics as being sci-fi
futuristic technology that we shall all be using together with solar
powered cars, food pills and other fiendish devices some time in the
near future. This popular image suggests that they are a product of
the late twentieth century computer age.
In fact, the basic principles of biometric verification
were understood and practiced somewhat earlier. Thousands of years
earlier to be precise, as our friends in the Nile valley routinely
employed biometric verification in a number of everyday business
situations. There are many references to individuals being formally
identified via unique physiological parameters such as scars,
measured physical criteria or a combination of features such as
complexion, eye colour, height and so on. This would often be the
case in relation to transactions in the agricultural sector where
grain and provisions would be supplied to a central repository and
also with regard to legal proceedings of various descriptions. Of
course, they didn’t have automated electronic biometric readers
and computer networks (as far as we know), and they certainly were
not dealing with the numbers of individuals that we have to
accommodate today, but the basic principles were similar.
Later, in the nineteenth century there was a peak of
interest as researchers into criminology attempted to relate
physical features and characteristics with criminal tendencies. This
resulted in a variety of measuring devices being produced and much
data being collected. The results were not conclusive but the idea
of measuring individual physical characteristics seemed to stick and
the parallel development of fingerprinting became the international
methodology among police forces for identity verification.
The absolute uniqueness or otherwise of fingerprints is
often debated, and the criteria that different countries employ to
verify a fingerprint vary across the globe with a greater or
lesser number of minutiae points required to be matched. Added to
this is the question of personal interpretation which may be
pertinent in borderline cases. Nevertheless, this was the best
methodology on offer and still the primary one for police forces,
although the matching process is very often automated these days.
With this background, it is hardly surprising that for many
years a fascination with the possibility of using electronics and
the power of microprocessors to automate identity verification had
occupied the minds of individuals and organizations both in the
military and commercial sectors. Various projects were initiated to
look at the potential of biometrics and one of these eventually led
to a large and rather ungainly hand geometry reader being produced.
It wasn’t pretty, but it worked and motivated its designers to
further refine the concept. Eventually, a small specialist company
was formed and a much smaller and considerably enhanced hand
geometry reader became one of the cornerstones of the early
biometric industry. This device worked well and found favour in
numerous biometric projects around the world.
In parallel, other biometric methodologies such as
fingerprint verification were being steadily improved and refined to
the point where they would become reliable, easily deployed devices.
In recent years, we have also seen much interest in iris scanning
and facial recognition techniques which offer the potential of a
non-contact technology, although there are additional issues involved in
this respect.
The last decade has seen
the biometric industry mature from a handful of specialist
manufacturers struggling for sales, to a global industry shipping
respectable numbers of devices and poised for significant growth as
large scale applications start to unfold.
3. Popular Biometric Methodologies
You will see reference to a number of biometrics, some of
which are rather impractical even if technically interesting. The
‘popular’ biometrics seem to gravitate at present around the
following methodologies.
Fingerprint verification.
There are a variety of approaches to fingerprint
verification. Some of them try to emulate the traditional police
method of matching minutiae, others are straight pattern matching
devices, and some adopt a unique approach all of their own,
including moiré fringe patterns and ultrasonics. Some of them can
detect when a live finger is presented, some cannot. There is a
greater variety of fingerprint devices available than any other
biometric at present.
Potentially capable of good accuracy (low instances of
false acceptance) fingerprint devices can also suffer from usage
errors among insufficiently disciplined users (higher instances of
false rejection) such as might be the case with large user bases.
One must also consider the transducer / user interface and how this
would be affected by large scale usage in a variety of environments.
Fingerprint verification may be a good choice for in house systems
where adequate explanation and training can be provided to users and
where the system is operated within a controlled environment. It is
not surprising that the workstation access application area seems to
be based almost exclusively around fingerprints, due to the
relatively low cost, small size (easily integrated into keyboards)
and ease of integration.
Hand geometry.
As the name suggests, hand geometry is concerned with
measuring the physical characteristics of the user's hand and
fingers, from a three dimensional perspective in the case of the
leading product. One of the most established methodologies, hand
geometry offers a good balance of performance characteristics and is
relatively easy to use. This methodology may be suitable where we
have larger user bases or users who may access the system
infrequently and may therefore be less disciplined in their approach
to the system. Accuracy can be very high if desired, whilst flexible
performance tuning and configuration can accommodate a wide range of
applications. Hand geometry readers are deployed in a wide range of
scenarios, including time and attendance recording where they have
proved extremely popular. Ease of integration into other systems and
processes, coupled to ease of use makes hand geometry an obvious
first step for many biometric projects.
Voice verification.
A potentially interesting technique bearing in mind how
much voice communication takes place with regard to everyday
business transactions. Some designs have concentrated on wall
mounted readers whilst others have sought to integrate voice
verification into conventional telephone handsets. Whilst there have
been a number of voice verification products introduced to the
market, many of them have suffered in practice due to the
variability of both transducers and local acoustics. In addition,
the enrolment procedure has often been more complicated than with
other biometrics leading to the perception of voice verification as
unfriendly in some quarters. However, much work has been and
continues to be undertaken in this context and it will be
interesting to monitor progress accordingly.
Retinal scanning.
An established technology where the unique patterns of the
retina are scanned by a low intensity light source via an optical
coupler. Retinal scanning has proved to be quite accurate in use but
does require the user to look into a receptacle and focus on a given
point. This is not particularly convenient if you are a spectacle
wearer or have concerns about intimate contact with the reading
device. For these reasons retinal scanning has a few user acceptance
problems although the technology itself can work well. The leading
product underwent a redesign in the mid nineties, providing enhanced
connectivity and an improved user interface, however this is still a
relatively marginal biometric technology.
Iris scanning.
Iris scanning is undoubtedly the less intrusive of the eye
related biometrics. It utilises a fairly conventional CCD camera
element and requires no intimate contact between user and reader. In
addition it has the potential for higher than average template
matching performance. As a technology it has attracted the attention
of various third party integrators and one would expect to see
additional products launched in due course as a result. It has been
demonstrated to work with spectacles in place and with a variety of
ethnic groups and is one of the few devices which can work well in
identification mode. Ease of use and system integration have not
traditionally been strong points with the iris scanning devices, but
we can expect to see improvements in these areas as new products are
introduced.
Signature verification.
Signature verification enjoys a synergy with existing
processes that other biometrics do not. People are used to
signatures as a means of transaction related identity verification
and would mostly see nothing unusual in extending this to encompass
biometrics. Signature verification devices have proved to be
reasonably accurate in operation and obviously lend themselves to
applications where the signature is an accepted identifier.
Curiously, there have been relatively few significant applications
to date in comparison with other biometric methodologies. If your
application fits, it is a technology worth considering, although
signature verification vendors have tended to have a somewhat
chequered history.
Facial recognition.
A technique which has attracted considerable interest and
whose capabilities have often been misunderstood. Extravagant claims
have sometimes been made for facial recognition devices which have
been difficult if not impossible to substantiate in practice. It is
one thing to match two static images (all that some systems actually
do - not in fact biometrics at all), it is quite another to
unobtrusively detect and verify the identity of an individual within
a group (as some systems claim). It is easy to understand the
attractiveness of facial recognition from the user perspective, but
one needs to be realistic in one's expectations of the technology. To
date, facial recognition systems have had limited success in
practical applications. However, progress continues to be made in
this area and it will be interesting to see how future
implementations perform. If technical obstacles can be overcome, we
may eventually see facial recognition become a primary biometric
methodology.
There are other biometric
methodologies including the use of scent, ear lobes and various
other parameters. Whilst these may be technically interesting, they
are not considered at this stage to be workable solutions in
everyday applications. Those listed above represent the majority
interest and would be a good starting place for you to consider
within your biometric project. The sections of this paper dealing
with performance issues and user psychology offer a further insight
into the application of these devices.
4. Applications - The Story so Far
The bulk of biometric applications to date are probably in
areas that you will never hear of. This is because there are a very
large number of relatively small security related applications
undertaken by specialist security systems suppliers. These systems
account for the majority of unit sales as far as the device
manufacturers are concerned and are often supplied via a third party
distribution chain.
The applications that you will hear of are those in the
public domain. These include:
Prison visitor systems, where visitors to inmates are
subject to verification procedures in order that identities may not
be swapped during the visit - a familiar occurrence among prisons
worldwide.
Drivers licences, whereby some authorities found that
drivers (particularly truck drivers) had multiple licences or
swapped licences among themselves when crossing state lines or
national borders.
Canteen administration, particularly on campus where
subsidised meals are available to bona fide students, a system which
was being heavily abused in some areas.
Benefit payment systems. In America, several states have
saved significant amounts of money by implementing biometric
verification procedures. Not surprisingly, the number of
individuals claiming benefit has dropped dramatically in the
process, validating the systems as an effective deterrent against
multiple claims.
Border control. A notable example being the INSPASS trial
in America where travellers were issued with a card enabling them to
use the strategically based biometric terminals and bypass long
immigration queues. There are other pilot systems operating in S.E.
Asia and elsewhere in this respect.
Voting systems, where eligible politicians are required to
verify their identity during a voting process. This is intended to
stop ‘proxy’ voting where the vote may not go as expected.
Junior school areas where (mostly in America) problems had
been experienced with children being either molested or kidnapped.
In addition there are numerous applications in gold and
diamond mines, bullion warehouses and bank vaults, as indeed you
might expect, as well as the more commonplace physical access
control applications in industry.
ATM machine use.
Most of the leading banks have been experimenting with
biometrics for ATM machine use and as a general means of combating
card fraud. Surprisingly, these experiments have rarely consisted of
carefully integrated devices into a common process, as could easily
be achieved with certain biometric devices. Previous comments in
this paper concerning user psychology come to mind here and one
wonders why we have not seen a more professional and carefully
considered implementation from this sector. The banks will of course
have a view concerning the level of fraud and the cost of combating
it via a technology solution such as biometrics. They will also
express concern about potentially alienating customers with such an
approach. However, it still surprises many in the biometric industry
that the banks and financial institutions have so far failed to
embrace this technology with any enthusiasm.
Workstation and network access.
For a long time this was an area often discussed but rarely
implemented until recent developments saw the unit price of
biometric devices fall dramatically as well as several designs aimed
squarely at this application. In addition, with household names such
as Sony, Compaq, KeyTronics, Samsung and others entering the market,
these devices appear almost as a standard computer peripheral. Many
are viewing this as the application which will provide critical mass
for the biometric industry and create the transition from sci-fi
device to regular systems component, thus raising public awareness
and lowering resistance to the use of biometrics in general.
Travel and tourism.
There are many in this industry who have the vision of a
multi application card for travelers which, incorporating a
biometric, would enable them to participate in various frequent
flyer and border control systems as well as paying for their air
ticket, hotel room, hire car etc., all with one convenient token.
Technically this is eminently possible, but from a
political and commercial point of view there are still many issues
to resolve, not the least being who would own the card, be
responsible for administration and so on. These may not be
insurmountable problems and perhaps we may see something along these
lines emerge. A notable challenge in this respect would be packaging
such an initiative in a way that would be truly attractive for
users.
Internet transactions.
Many immediately think of on line transactions as being an
obvious area for biometrics, although there are some significant
issues to consider in this context. Assuming device cost could be
brought down to a level whereby a biometric (and perhaps chip card)
reader could be easily incorporated into a standard build PC, we
still have the problem of authenticated enrolment and template
management, although there are several approaches one could take to
that. Of course, if your credit card already incorporated a
biometric this would simplify things considerably. It is interesting
to note that certain device manufacturers have collaborated with key
encryption providers to provide an enhancement to their existing
services. Perhaps we shall see some interesting developments in this
area in the near future.
Telephone transactions.
No doubt many telesales and call centre managers have
pondered the use of biometrics. It is an attractive possibility to
consider, especially for automated processes. However, voice
verification is a difficult area of biometrics, especially if one
does not have direct control over the transducers, as indeed you
wouldn’t when dealing with the general public. The variability of
telephone handsets coupled to the variability of line quality and
the variability of user environments presents a significant
challenge to voice verification technology, and that is before you
even consider the variability in understanding among users.
The technology can work well in controlled closed loop
conditions but is extraordinarily difficult to implement on anything
approaching a large scale. Designing in the necessary error
correction and fallback procedures to automated systems in a user
friendly manner is also not a job for the faint hearted.
Perhaps we shall see further developments which will
largely overcome these problems. Certainly there is a commercial
incentive to do so and I have no doubt that much research is under
way in this respect.
Public identity cards.
A biometric incorporated into a multi purpose public ID
card would be useful in a number of scenarios if one could win
public support for such a scheme. Unfortunately, in this country as
in others there are huge numbers of individuals who definitely do
not want to be identified. This ensures that any such proposal would
quickly become a political hot potato and a nightmare for the
minister concerned. You may consider this a shame or a good thing,
depending on your point of view. From a dispassionate technology
perspective it represents something of a lost opportunity, but this
is of course nothing new. It’s interesting that certain local
authorities in the UK have issued ‘citizen’ cards with which
named cardholders can receive various benefits including discounts
at local stores and on certain services. These do not seem to have
been seriously challenged, even though they are in effect an ID
card.
5. Performance Measures - What do they really mean?
False accepts, false rejects, equal error rates, enrolment
and verification times - these are the typical performance measures
quoted by device vendors (how they arrived at them is another
matter). But what do they really mean? Are these performance
statistics actually realized in real systems implementations? Can we
accept them with any degree of confidence?
Let’s explore further.
False accept rates (FAR) indicate the likelihood that an
impostor may be falsely accepted by the system.
False reject rates (FRR) indicate the likelihood that the
genuine user may be rejected by the system. Both measures of template
matching can often be adjusted by the setting of a threshold
which will bias the device towards one situation or the other. Hence
one may bias the device towards a larger number of false accepts but
a smaller number of false rejects (user friendly) or a larger number
of false rejects but a smaller number of false accepts (user
unfriendly); the two parameters pull in opposite directions, so
lowering one raises the other.
Somewhere between the extremes is the equal error point
where the two curves cross (see below) and which may represent a
more realistic measure of performance than either FAR or FRR quoted
in isolation.
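The threshold trade-off and equal error point described above, worked through as an added example (not part of the original paper). The match scores are constructed sample data, and the convention that a higher score means a closer match is an assumption of this sketch.

```python
# Added example: FAR/FRR versus decision threshold, and the equal error point.
# All scores are constructed sample data, not measurements from any device.
# Convention assumed here: higher score = closer match; accept if score >= threshold.

# Genuine attempts: the right user compared against their own template.
GENUINE_SCORES = [62, 71, 75, 78, 80, 83, 85, 88, 91, 95]
# Impostor attempts: a different person compared against that template.
IMPOSTOR_SCORES = [20, 28, 35, 41, 47, 52, 58, 64, 70, 76]


def far(threshold, impostors=IMPOSTOR_SCORES):
    """False accept rate: share of impostor attempts at or above the threshold."""
    return sum(s >= threshold for s in impostors) / len(impostors)


def frr(threshold, genuine=GENUINE_SCORES):
    """False reject rate: share of genuine attempts below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(thresholds):
    """(threshold, FAR, FRR) for each candidate threshold."""
    return [(t, far(t), frr(t)) for t in thresholds]


def equal_error_point(thresholds):
    """Threshold where FAR and FRR are closest; ties go to the lower threshold."""
    return min(sweep(thresholds), key=lambda row: (abs(row[1] - row[2]), row[0]))


def strictest_threshold_within(max_frr, thresholds):
    """Highest threshold (lowest FAR) whose FRR stays within a usability budget."""
    allowed = [t for t, _, r in sweep(thresholds) if r <= max_frr]
    return max(allowed) if allowed else None


if __name__ == "__main__":
    for t, a, r in sweep(range(50, 96, 5)):
        print(f"threshold {t:3d}  FAR {a:4.0%}  FRR {r:4.0%}")
    print("equal error point:", equal_error_point(range(0, 101)))
    # A policy of never rejecting a genuine user fixes the threshold and its FAR.
    t = strictest_threshold_within(0.0, range(0, 101))
    print(f"zero-FRR threshold {t} costs FAR {far(t):.0%}")
```

On this constructed data, a setting that never rejects a genuine user still accepts three impostor attempts in ten, which is why a single quoted FAR or FRR says little without the threshold it was measured at.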
However, the quoted figures for a given device may not be
realised in practice for a number of reasons. These will include
user discipline, familiarity with the device, user stress,
individual device condition, the user interface, speed of response
and other variables. We must remember that vendor quoted statistics
may be based upon limited tests under controlled laboratory
conditions, supplemented by mathematical theory. They should only
ever be viewed as a rough guide and not relied upon for actual
system performance expectations.
This situation is not because vendors are trying to mislead
you (in most cases anyway) but because it is almost impossible to
give an accurate indication of how a device will perform in a
limitless variety of real world conditions.
Similarly, actual enrolment times will depend upon a number
of variables inherent in your enrolment procedure. Are the users
pre-educated? Have they used the device before? What information are
you gathering? Are you using custom software? How well trained is
the enrolling administrator? How many enrolment points will you be
operating? What other processes are involved? And so on. The vendors
cannot possibly understand these variables for every system and
their quoted figure will again be based upon their own in house
experiences under controlled conditions.
Verification time is often misunderstood as vendors will
typically describe the average time taken for the actual
verification process, which will not typically include the time
taken to present the live sample or undertake other processes such
as the presentation of a token or keying of a PIN. Consider also an
average time for user error and system response and it will be
apparent that the end to end verification transaction time will be
nothing like the quoted figure.
Given the above, it will come as no surprise that biometric
device performance measures have sometimes become a contentious
issue when implementing real systems. In order to provide an
independent view a National Biometric Test Centre has been
established in the US with a similar facility recently announced in
Hong Kong. These centres are based at academic institutions and will
over time no doubt provide for some interesting views. However, this
does not necessarily mean that vendors will rush to conform with
regard to their quoted specifications and the method used to arrive
at them. We should therefore continue to view such specifications as
a rough guide and rely on our own trials and observations to provide
a more meaningful appraisal of overall performance.
As a
side issue to the above, there is a question concerning the
uniqueness of biometric parameters such as fingerprints, irises,
hands and so forth. The degree of individuality or similarity within
a user base will naturally affect performance to some degree. It is
outside the scope of this paper to examine this aspect in any
detail, but suffice it to say that no one has reliable data for the
whole world and cannot therefore say that any biometric is truly
unique. What we can say is that the probability of finding identical
fingerprints, irises, hands etc. within a typical user base is low
enough for the parameter in question to be regarded as a reliable
identifier. Splitting hairs maybe, but beware of claims of absolute
uniqueness - some individuals are similar enough to cause false
accepts, even in finely tuned systems.
6. Verification vs Identification - The Distinction
You will often come across the terms ‘verification’ and
‘identification’ which are sometimes confused when people are
discussing biometrics.
The majority of available devices operate in verification
mode. This means that an identity is claimed by calling a particular
template from storage (by the input of a PIN or presentation of a
token) and then presenting a live sample for comparison, resulting
in a match or no match according to predefined parameters. This is a
simple one-to-one match that may be performed quickly and generates a
binary yes/no result.
A few devices claim to offer biometric identification
whereby the user submits his live sample and the system attempts to
identify him within a database of templates. This is a more complex
one-to-many match which may generate multiple results according to the
number and similarity of stored templates.
Imagine a scenario whereby you have 750’000 templates
stored in a database. The user presents his live sample and the
database engine starts searching. Depending on how tightly you
define the likeness threshold parameter, the search may result in
10000 possible identities for your user - now what do you do? You
may be able to apply filters based upon sex, ethnic origin, age and
so forth in order to reduce this list to a manageable size, if
indeed you can capture this information from the user. You may still
end up with a sizeable list of potential identities. Of course, in a
smaller database this becomes less of a problem, but it is precisely
with large databases that this functionality is typically sought.
All of this assumes that the system can indeed function as
claimed in identification mode. Certain devices have been
demonstrated to work well in this manner with small databases of
tens of users, but the situation becomes very complicated with
databases of even a few hundred. The mathematical probability of
finding an exact match within such a database is extremely slim (to
say the least). A large database, such as might be the case with
travellers across borders for example, would be almost impossible to
manage in this manner with current technology. We haven’t even
considered the time taken to search such a database and the impact
of multiple concurrent users.
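The difference between the two modes, and the way the candidate list grows with database size, shown as an added example (not part of the original paper). Templates are constructed random feature vectors; DIM, NOISE, THRESHOLD and all function names are hypothetical choices for this sketch, and the last two helpers go slightly beyond the text by putting the 750’000 / 10000 scenario into numbers.

```python
# Added example: one-to-one verification versus one-to-many identification.
# Templates are constructed random feature vectors, not real biometric data;
# DIM, NOISE and THRESHOLD are hypothetical values chosen for illustration.
import random

DIM = 8           # features per template
NOISE = 0.05      # max per-feature drift between enrolment and a live sample
THRESHOLD = 0.15  # likeness threshold: max mean per-feature difference


def make_database(n_users, seed=1):
    """Enrol n_users constructed templates; a smaller database is a prefix of a larger one."""
    rng = random.Random(seed)
    return {uid: [rng.random() for _ in range(DIM)] for uid in range(n_users)}


def live_sample(template, seed=2):
    """A fresh presentation of the same trait: the template plus bounded sensor noise."""
    rng = random.Random(seed)
    return [x + rng.uniform(-NOISE, NOISE) for x in template]


def distance(a, b):
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def verify(db, claimed_id, sample, threshold=THRESHOLD):
    """Verification: one comparison against the claimed template, yes/no result."""
    return distance(db[claimed_id], sample) <= threshold


def identify(db, sample, threshold=THRESHOLD):
    """Identification: compare against every template, return all ids within threshold."""
    scored = sorted((distance(t, sample), uid) for uid, t in db.items())
    return [uid for d, uid in scored if d <= threshold]


def candidate_counts(sizes, user_id=0):
    """Length of the identification candidate list for the same user at each database size."""
    counts = {}
    for n in sizes:
        db = make_database(n)
        counts[n] = len(identify(db, live_sample(db[user_id])))
    return counts


def implied_false_match_rate(candidates, db_size):
    """Per-comparison false match rate implied by a candidate list of a given length."""
    return candidates / db_size


def chance_of_any_false_match(rate, db_size):
    """Probability that at least one wrong template matches in a search of db_size."""
    return 1 - (1 - rate) ** db_size


if __name__ == "__main__":
    db = make_database(1000)
    sample = live_sample(db[0])
    print("verify claimed id 0:", verify(db, 0, sample))
    print("candidate list sizes:", candidate_counts([100, 1000, 10000]))
    rate = implied_false_match_rate(10000, 750000)   # the scenario in the text
    print(f"implied per-comparison false match rate: {rate:.2%}")
    print(f"chance of a false candidate among 300 templates: "
          f"{chance_of_any_false_match(rate, 300):.0%}")
```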
For these and other reasons, one should exercise extreme
caution when considering biometric ‘identification’ systems.
Whilst one can readily understand the attraction of this mode of
operation, it has to date rarely been successful in practice, except
in small scale carefully controlled situations.
Verification systems on the other hand are straightforward
in operation and may easily be deployed within a broad cross section
of applications, as indeed has been the case.