
The theory behind biometrics
1 Objectives
Biometrics is used for two different objectives, identification and verification:
Identification. This is used when a person needs to be identified without having access to any identifying information other than the biometric data. The biometric information acquired by the system is compared with every biometric template record in the list until a match is found. The likelihood that the correct person is identified will depend on the quality of the biometric information acquired and stored in the list. This method is also characterised as ‘1-to-n’ or ‘1-to-many’ matching.
Two different types of identification exist:
o Positive identification: To check whether a person’s biometric exists in a database. If a match is found, the person is identified and access can be granted. Positive identification is also used for watch list checks.
o Negative identification: To check whether a person’s biometric does not exist on a database. This is mostly used during enrolment to ensure that the person has not been enrolled before.
Verification. In this case, the person is identified using an identifier (e.g. PIN code or record number). The biometric mechanism is used to verify the identity of the person. The system only needs to match the biometric information with the previously stored template. This is much faster than identification, particularly when large databases are used. It is also possible for the user to supply the template, by using a smart card for instance. In that case, no central database is used and biometric verification can be carried out locally. This method is also called 1-to-1 matching.
The 1-to-many matching is much more demanding for a biometric system than 1-to-1 matching. The 1-to-1 matching only requires one biometric match to be carried out for each verification attempt. The 1-to-many matching requires on average ½*N matches for positive searches or N matches for negative searches.
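The three matching modes described above, worked through in code. This is an added example, not part of the original text: templates are modelled as 256-bit vectors compared by the fraction of differing bits, the database of 100 users and the 25% threshold are constructed, and the functions verify, identify_positive and identify_negative, together with average_positive_cost, are names chosen for this example. The comparison counts it returns (1 for verification, the position of the record for a positive search, N for a negative search, and an average of (N+1)/2, i.e. about ½*N, for positive searches) are exactly the costs the paragraph above states.

```python
import hashlib
import random

# Constructed model: each template is a 256-bit vector, compared by the fraction
# of differing bits (Hamming distance). Real templates come from a sensor and a
# feature-extraction algorithm; here they are derived from the user id so the
# example runs offline.
TEMPLATE_BITS = 256


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of bit positions in which two templates differ."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def enrol_template(user_id: str) -> int:
    """Stand-in for the enrolment capture: a pseudo-random 256-bit template per user."""
    return int.from_bytes(hashlib.sha256(user_id.encode()).digest(), "big")


def capture_sample(template: int, noisy_bits: int, seed: int) -> int:
    """Simulate a later live capture of the same person: flip `noisy_bits` distinct
    bits of the enrolled template to model lighting, temperature and sensor noise."""
    rng = random.Random(seed)
    for pos in rng.sample(range(TEMPLATE_BITS), noisy_bits):
        template ^= 1 << pos
    return template


def verify(db: dict, claimed_id: str, sample: int, threshold: float):
    """1-to-1 matching: the user supplies an identifier, so exactly one comparison
    is made, against the template stored under that identifier."""
    matched = hamming_fraction(db[claimed_id], sample) <= threshold
    return matched, 1


def identify_positive(db: dict, sample: int, threshold: float):
    """1-to-many positive identification: scan the database and stop at the first
    match. Returns the identifier found (or None) and the number of comparisons."""
    comparisons = 0
    for user_id, template in db.items():
        comparisons += 1
        if hamming_fraction(template, sample) <= threshold:
            return user_id, comparisons
    return None, comparisons


def identify_negative(db: dict, sample: int, threshold: float):
    """1-to-many negative identification (the enrolment duplicate check): every
    record must be compared before the biometric can be declared new."""
    duplicates = [uid for uid, t in db.items() if hamming_fraction(t, sample) <= threshold]
    return len(duplicates) == 0, len(db)


def average_positive_cost(db: dict, threshold: float) -> float:
    """Mean number of comparisons for a positive search over every enrolled user,
    which for a linear scan comes to (N + 1) / 2, i.e. roughly N / 2."""
    total = 0
    for i, (user_id, template) in enumerate(db.items()):
        _, comparisons = identify_positive(db, capture_sample(template, 26, seed=i), threshold)
        total += comparisons
    return total / len(db)


# Constructed database of 100 enrolled users and a decision threshold of 25%
# differing bits. Genuine samples here differ in 26 of 256 bits (about 10%);
# unrelated templates differ in about half of their bits, so they stay far
# from the threshold.
DB = {f"user-{i:03d}": enrol_template(f"user-{i:03d}") for i in range(100)}
THRESHOLD = 0.25

if __name__ == "__main__":
    live = capture_sample(DB["user-042"], 26, seed=1)
    print("verify user-042:", verify(DB, "user-042", live, THRESHOLD))
    print("positive identification:", identify_positive(DB, live, THRESHOLD))
    print("duplicate check on an enrolled person:", identify_negative(DB, live, THRESHOLD))
    print("duplicate check on a newcomer:", identify_negative(DB, enrol_template("newcomer"), THRESHOLD))
    print("average comparisons for a positive search:", average_positive_cost(DB, THRESHOLD))
```

The positive search stops as soon as a record matches, so its cost depends on where the person sits in the database; the negative search can only answer "not enrolled" after it has compared every record, which is why enrolment checks are the expensive case.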
2 The matching process
Most biometrics work by digitally storing a biometric template captured during enrolment and comparing this template with the biometric data obtained during operational identification and verification processes.
The templates obtained during enrolment can be stored locally by the holder, on a smart card for instance, which allows 1-to-1 matching. Alternatively, the templates can be stored in a database, which offers the choice of both 1-to-1 and 1-to-many matching.
From the raw biometric image, e.g. a JPEG picture of a face, the optical image of an eye or the scan of a finger, the biometric algorithm calculates various statistically independent points, which together form the biometric template. The accuracy of the biometric mechanism heavily depends on the number of independent points that can be derived. A low number of independent points, also called degrees-of-freedom, indicates a low accuracy and vice versa.
A match between the two templates will never be 100%, due to differences in the environment (lighting, temperature, etc.) and in the equipment used (cameras, scanning devices, etc.). Therefore, a percentage of the points in the templates will differ even though they are calculated from the same finger, eye or face. The system needs to determine the highest percentage of variation that still constitutes a match. This is called the threshold. See section 3.3.3.
3 Error rates
The accuracy of biometric systems is determined by their error rates. The most important error rates are:
§ False Rejection Rate (FRR) or false non-match rate
§ False Acceptance Rate (FAR) or false match rate
§ Equal Error Rate (EER) or Cross-over Error Rate (CER).
3.1 False Non-match rate
The likelihood that a biometric system cannot match the correct biometric information with the correct previously stored template, i.e. belonging to the same person, is called the False Non-match Rate. This causes a person who should have been accepted to be rejected by the system.
The False Non-match Rate is also called the False Reject Rate; whether that name is appropriate depends on the particular objective of the match:
· For a verification attempt, this means that the claimed identity cannot be matched with the biometric template associated with the provided identifier and therefore a false non-match will cause a rejection by the system.
· For a negative identification database search to ensure the biometric does not already exist in the database during enrolment (see section 3.3), a False Non-match will allow an impostor to be enrolled illegally, which is the opposite of a rejection.
False non-matches are also called a Type 1 Error.
3.2 False Match Rate
The likelihood that the biometric system matches the acquired biometric information of an impostor with the biometric template of a different, legally enrolled person is called the False Match Rate. Depending on the objective of the match, the False Match Rate can also be called the False Accept Rate, with the naming caveat the other way around from the previous section:
· For verification, this implies that an impostor claims a false identity and is successfully authenticated by the system, which is the same as a false acceptance.
· For a negative identification database search to ensure the biometric does not already exist in the database during enrolment (see section 3.3), a False Match will detect the existence of a duplicate template, which causes the impostor to be rejected.
This is also called a Type 2 Error.
3.3 Tuning biometric systems
The error rates of a biometric system are tuneable, which allows biometric systems to be configured according to the business objectives: a low percentage of false alarms, or a low percentage of unauthorised access due to false accepts. Neither error rate can be tuned down to zero, however; reducing one error rate will increase the other. A balance must be found which matches the business objectives best.
In most cases, this balance is between risk (i.e. false accept) and operability (i.e. false reject). High assurance authentication for access control (to the control room of a nuclear plant for instance) requires a very low false accept rate. In this example, a relatively high number of false rejects would have to be accepted. More customer-service-oriented applications, such as the authentication of persons using ATM machines, require a very low false rejection rate whilst still providing sufficient security for that person’s finances.
The tunability of biometric systems is explained further with the diagram above. For most biometric mechanisms, a template comparison results in a score represented by the “Hamming Distance”, which is the percentage of bits of two compared biometric templates that are different. If this percentage is lower than a set threshold, a match decision is made, and vice versa.

In the example above the threshold is set to 0.41, which means that the system recognises a presented biometric as authentic when no more than 41% of the bits captured during the enrolment phase differ from the bits captured at verification time. An authentic user with more than 41% differing bits is called a false non-match; an impostor with less than 41% differing bits is called a false match.
The diagram shows how the configurable threshold determines the balance between false match and false non-match rates. The probability for a false match or a false non-match equals the area under the curve on either side of the threshold. By changing the threshold, one area reduces while the other increases, hence determining the balance. This balance can also be depicted with the diagram below (numbers used are fictitious):

If the threshold is set very high, i.e. very strict, only a very small likelihood exists that an impostor is successfully authenticated (blue line in the bottom right of the diagram). In this case, the likelihood that a person is falsely rejected is high (green line in the top right), because the system might not find sufficient similarities between the acquired biometric information and the stored template.
If the threshold is set very low, i.e. very lenient, the likelihood that the system will find a match is high. This means a high FAR (blue line in the top left) and a low FRR (green line in the bottom left).
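The trade-off in sections 3.1 to 3.3, computed rather than drawn. This is an added example, not code from the original text. The genuine and impostor Hamming-distance scores are a constructed, fictitious test set (ten of each; a real evaluation uses thousands), and error_rates, threshold_sweep and equal_error_rate are names chosen for this example. It uses the decision rule of the text (a match when no more than the threshold fraction of bits differ) and sweeps the threshold to show FAR rising while FRR falls, then locates the point where the two are equal, which section 3.4 below calls the Cross-over or Equal Error Rate.

```python
# Constructed Hamming-distance scores (fraction of differing bits) from a
# fictitious test: ten genuine attempts (same person as the template) and ten
# impostor attempts (a different person). Real evaluations use thousands of each.
GENUINE = [0.10, 0.12, 0.15, 0.18, 0.20, 0.22, 0.25, 0.30, 0.35, 0.45]
IMPOSTOR = [0.36, 0.40, 0.43, 0.45, 0.47, 0.50, 0.52, 0.54, 0.57, 0.60]


def is_match(distance: float, threshold: float) -> bool:
    """Decision rule from the text: a match when no more than `threshold` of the bits differ."""
    return distance <= threshold


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) at a given threshold.
    FAR, the false match rate: impostor attempts that were accepted.
    FRR, the false non-match rate: genuine attempts that were rejected."""
    far = sum(is_match(d, threshold) for d in impostor) / len(impostor)
    frr = sum(not is_match(d, threshold) for d in genuine) / len(genuine)
    return far, frr


def threshold_sweep(genuine, impostor, step=0.01):
    """(threshold, FAR, FRR) for every threshold from 0 to 1 in `step` increments."""
    steps = int(round(1 / step))
    return [(i / steps, *error_rates(genuine, impostor, i / steps)) for i in range(steps + 1)]


def equal_error_rate(genuine, impostor, step=0.01):
    """Threshold at which FAR and FRR come closest, and the error rate there (the EER/CER).
    On ties, the lowest (strictest) such threshold is reported."""
    threshold, far, frr = min(threshold_sweep(genuine, impostor, step),
                              key=lambda row: abs(row[1] - row[2]))
    return threshold, (far + frr) / 2


if __name__ == "__main__":
    print("threshold   FAR   FRR")
    for threshold, far, frr in threshold_sweep(GENUINE, IMPOSTOR, step=0.05):
        print(f"{threshold:9.2f}  {far:4.2f}  {frr:4.2f}")
    t, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER {eer:.2f} at threshold {t:.2f}")
```

Moving the threshold up (more lenient) can only ever add impostor scores below it and remove genuine scores above it, so FAR never decreases and FRR never increases along the sweep; that monotonic trade-off is the "area under the curve on either side of the threshold" in the text, and the EER is simply the crossing point of the two rates.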
3.4 Cross-over Error Rate
The point where the FAR and FRR cross (see the diagram) is commonly used to measure the accuracy of a biometric mechanism. This point is called the Cross-over Error Rate (CER) or Equal Error Rate (EER). A low CER implies an accurate system.
To give an example: the EER of a fingerprint recognition system will be around 1 or 2 %.
An Iris recognition system can have an EER as low as 0.0001%, a huge difference compared with fingerprint.
This is why the Iris biometric can be used for 1:n identification purposes in large databases. The inaccuracy of the fingerprint biometric is the reason why this biometric can only be used in 1:1 verification systems.
4 Enrolment
Most biometric systems require the users to enrol. Enrolment implies the capture and registration of the users’ biometrics and other relevant, mostly biographical, data. The accuracy and security of the enrolment process is essential: the security of a biometric system is only as strong as the identity verification performed during the enrolment process.
The following issues need to be addressed during the enrolment process:
· Does the user provide convincing proof of his or her identity?
· Is this proof of identity genuine?
· Can the user provide a biometric with sufficient quality? If not, is this person allowed to enrol?
· Has this user been enrolled before using the same biometric, possibly with a different identity (i.e. does the biometric already exist in the system)?
· How is a lack of usable biometrics handled?
· What activities are required for re-enrolments?
These questions indicate that enrolment is very much a process and procedural issue, supported by technology. From a biometrics technology perspective, the most important activity during enrolment is to check that the user has not enrolled before. A 1-to-many negative identification search on the entire database must be carried out. Particularly for large databases, this implies that the biometric mechanism used must be very accurate; otherwise, too many false matches will occur, which makes the system inoperable. The mechanism used for the 1-to-many identification search in a database of size N must be about N times more accurate than a mechanism for a 1-to-1 match.
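The "about N times more accurate" requirement, worked out for the negative identification search that the paragraph above describes. This is an added example, not part of the original text. It assumes the N comparisons of one search are independent, each with the same per-comparison false match rate; the function names search_false_match_probability, required_comparison_fmr and accuracy_factor are chosen for this example, and the 1% and 0.0001% rates in the table are the fingerprint and iris EER figures quoted in section 3.4 (a deployed system would normally operate at a stricter threshold than the EER point).

```python
# Added example: how the per-comparison false match rate (FMR) compounds over a
# 1-to-N negative identification search. Assumes the N comparisons in one search
# are independent and share the same FMR.


def search_false_match_probability(fmr: float, n: int) -> float:
    """Probability that a 1-to-N search (N comparisons, each with false match
    rate `fmr`) produces at least one false match, i.e. wrongly flags a
    newcomer as a duplicate."""
    return 1.0 - (1.0 - fmr) ** n


def required_comparison_fmr(search_target: float, n: int) -> float:
    """Per-comparison false match rate needed so that the whole 1-to-N search
    stays at `search_target`; for small rates this is close to search_target / n."""
    return 1.0 - (1.0 - search_target) ** (1.0 / n)


def accuracy_factor(search_target: float, n: int) -> float:
    """How many times more accurate the 1-to-N mechanism must be than a 1-to-1
    match with the same acceptable error: the 'about N times' of the text."""
    return search_target / required_comparison_fmr(search_target, n)


if __name__ == "__main__":
    # EER figures quoted in section 3.4: fingerprint about 1%, iris about 0.0001%.
    mechanisms = {"fingerprint (1% EER)": 0.01, "iris (0.0001% EER)": 1e-6}
    for name, fmr in mechanisms.items():
        for n in (1, 1_000, 100_000):
            p = search_false_match_probability(fmr, n)
            print(f"{name:22s} N={n:>7,d}: P(at least one false match) = {p:.4f}")
    for n in (10, 1_000, 100_000):
        print(f"N={n:>7,d}: 1-to-N mechanism must be {accuracy_factor(0.01, n):,.0f}x more accurate "
              f"to keep a 1% search error (per-comparison FMR {required_comparison_fmr(0.01, n):.2e})")
```

At 1% per comparison a 1000-record duplicate check is almost certain to raise a false match on every enrolment, which is the "inoperable" outcome the text warns about; the required per-comparison rate shrinks almost exactly in proportion to N, since 1 - (1 - p)^N is close to N*p while N*p is small.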
5 Possible technical issues with biometrics
5.1 Performance and the human factor
The performance rates claimed by most suppliers of biometric technology are grossly optimistic. Currently, hardly any benchmarks and evaluation criteria exist. Therefore, suppliers are free to use their own criteria and base their performance rates mostly on theoretical figures, obtained through mathematical calculation and extrapolation from a test user group that does not resemble the user populations of operational systems.
Test results depend very heavily on the test environment. Factors that influence the tests are:
· The number of users or database records. Did the test use 100, 1000 or 1 Million entries?
· The test environment. Was it in a lab or outside in the rain?
· The demographics of the user population. Did the user group include disabled persons, persons from ethnic minorities, elderly people and children, and people who do not want to co-operate with the system, such as criminals?
The impact on the performance of biometric systems of differences in user populations is often underestimated. In principle, the target user populations of different biometric systems are all different. Therefore, the performance rates claimed by the suppliers are inaccurate by definition. It is very important to know the users and their characteristics, such as the user demographics, user attitudes, user habituation, user co-operation and user motivation to defraud the system. It is important to know whether the users will present their biometrics willingly and consistently or not. Particularly during the first stages of the system’s operational life, the consistency will be very low. There will be a learning curve and the users will gradually become more consistent; however, there will always be new and inconsistent users to deal with.
For instance, users that have developed an antipathy against systems that invade their privacy are not very likely to co-operate. They could purposefully sabotage the process. People can also get nervous when using an ATM when a long queue has built up. The nervousness causes them to present the biometric inaccurately causing a false rejection, while the queue increases steadily.
The conclusion is that performance figures depend heavily on the actual user population and their characteristics. Each biometric implementation must test the performance using a test group that represents the actual user population very accurately. Many implementations have failed because it was assumed the user population was known.
5.2 Heredity of biometric characteristics
If hereditary biometric characteristics were used, the system could not distinguish between identical twins. Iris, retina and fingerprint are not hereditary and provide uniqueness in all cases. Voice and facial recognition, however, will encounter problems. Identical twins could play tricks in the enrolment phase and get mixed up forever.
5.3 Biometric equipment security
The security of the equipment that captures the biometric for enrolment, verification or identification is crucial. If the equipment is not secure, biometric data could be injected between the capture device and the system that carries out the matching processes, which would defeat the purpose of the system.
Replay attacks or attacks that replace the original biometric data with false data can be countered with anti-tamper capture devices and encrypted communications between capture device and matching systems. If the capture devices are not suitably secure, human supervision is required. That’s why biometric authentication in remote access is so difficult to secure. Tampering can be done in the privacy of your own home and nobody knows what’s happening exactly during authentication.
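The countermeasure named above (a secured channel between capture device and matching system) as an added example that is not part of the original text. It shows the integrity and freshness half of that channel: the matcher issues a single-use nonce, the capture device binds the nonce and the captured sample together with an HMAC under a key provisioned at installation, and the matcher rejects anything replayed, substituted or sent by an unprovisioned device. Confidentiality of the sample (the "encrypted communications" of the text) would be layered on top and is not shown. The classes Matcher and CaptureDevice, the key, the device id and the sample bytes are all constructed for this example.

```python
import hashlib
import hmac
import os


def _tag(key: bytes, device_id: str, nonce: bytes, sample: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so no two (device, nonce, sample)
    triples share an encoding."""
    body = b"".join(len(part).to_bytes(4, "big") + part
                    for part in (device_id.encode(), nonce, sample))
    return hmac.new(key, body, hashlib.sha256).digest()


class Matcher:
    """The matching system's side of the channel. It issues a fresh, single-use
    nonce per authentication attempt and accepts a sample only if a provisioned
    capture device has tagged that exact nonce and sample."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # device_id -> shared secret (constructed; provisioned at installation)
        self.outstanding = {}            # device_id -> nonce currently awaiting a reply

    def challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)
        self.outstanding[device_id] = nonce
        return nonce

    def accept(self, device_id: str, nonce: bytes, sample: bytes, tag: bytes):
        key = self.device_keys.get(device_id)
        if key is None:
            return False, "unknown device"
        expected = self.outstanding.pop(device_id, None)   # consumed on first use: a replayed nonce fails
        if expected is None or not hmac.compare_digest(expected, nonce):
            return False, "stale or unknown nonce"
        if not hmac.compare_digest(_tag(key, device_id, nonce, sample), tag):
            return False, "bad tag"                          # sample or nonce altered in transit, or wrong key
        return True, "ok"


class CaptureDevice:
    """The tamper-resistant capture device: it binds the captured sample to the
    matcher's nonce with an HMAC under its provisioned key."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key

    def respond(self, nonce: bytes, sample: bytes):
        return self.device_id, nonce, sample, _tag(self.key, self.device_id, nonce, sample)


if __name__ == "__main__":
    key = os.urandom(32)                                     # constructed: shared at device installation
    matcher = Matcher({"reader-1": key})
    reader = CaptureDevice("reader-1", key)

    sample = b"constructed template bytes"
    message = reader.respond(matcher.challenge("reader-1"), sample)
    print("live capture:", matcher.accept(*message))         # (True, 'ok')
    print("same message again:", matcher.accept(*message))   # rejected: nonce already consumed
    message = reader.respond(matcher.challenge("reader-1"), sample)
    swapped = (message[0], message[1], b"substituted data", message[3])
    print("substituted sample:", matcher.accept(*swapped))   # rejected: tag no longer verifies
```

The nonce is what makes the check a freshness check rather than just an integrity check: without it a recorded, correctly tagged message from an earlier session would verify again, which is exactly the replay the text describes. The key lives inside the anti-tamper device, so the channel is only as trustworthy as that enclosure, which is the text's point about unsupervised remote use.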
5.4 Template theft
Biometric templates or raw biometric data can be stolen, whether on a server or on a smart card. The loss of a biometric is different from any other authentication credentials. When one loses a key or password, a new one can replace them. However, an iris code cannot easily be replaced; we only have two. If it is stolen, it is lost for life.
Currently there are no real solutions, only some studies, especially from Philips. The accuracy of systems needs to increase significantly before a stolen biometric can be re-used. Alternatively, flexible security mechanisms need to be developed to be able to replace the stolen biometric. The biometric could for instance be encrypted with a personal key that is revoked after the theft of the biometric. The stolen encrypted template cannot be used after revocation.
5.5 Biometrics are not always secret
Most biometric information is freely obtainable by others. People leave fingerprints everywhere, and voices, faces and irises can be recorded in everyday life, possibly undetected. The retina and the shape of the finger or hand, however, are more difficult to copy. This means that biometric systems must implement mechanisms to counter fraud using obtained biometric data. Temperature, heartbeat and other liveness measurements are needed.
5.6 Template re-use
From a security perspective, it is unwise to re-use biometric templates for many different applications. This is very similar to using the same password to access many different systems. The compromise of this single password or biometric template facilitates unauthorised access to all of these systems. A balance must be maintained between user convenience (single sign-on), system interoperability and security. If, for instance, the same biometric template were used for starting your car, accessing your bank account and accessing your PC, its compromise would ruin your life. The conflict between security and interoperability will become more and more evident, because of the increasing requirement for interconnection of many biometric-enabled identity systems.
5.7 Biometrics do not replace encryption keys
Biometrics must not be used to replace encryption keys, because biometric data can be obtained, cannot be replaced or revoked and cannot be destroyed. Biometrics should replace personal credentials like physical signatures, passwords and PIN codes. Early study on ‘Biometric Key Encryption’ has been carried out however.
5.8 Biometric authentication is never anonymous
People cannot choose their biometric credentials, and if these credentials are used to authenticate users, there will always be a link to the associated individual. Already many databases are filled with, for instance, consumption and purchase behaviour, preferences and histories. If biometrics are used to authenticate these individuals, an unambiguous link exists between these databases. Additionally, private behaviour will be coupled to business behaviour and the separation between private and business life will become more and more difficult. The conclusion is that biometrics should only be used if explicitly required.