Biometrics Presentation

A biometric system is the most advanced system in the world, which really helps in many security areas of the organisation.

  • Biometrics. Agenda: Video; Biometric Overview; Biometric Technologies; Accuracy Metrics; BioPrivacy Concerns.

    by Alvaro E. Escobar

  • Biometrics. Definition: Automated measurement of physiological and/or behavioral characteristics to determine or authenticate identity.

  • Biometrics. Automated measurement: No human involvement. Comparison takes place in real time. DNA is not a biometric.

  • Biometrics. Physiological and/or behavioral characteristics. Behavioral: user speaks; types on a keyboard; signs name. Physiological: fingerprint; hand; eyes; face.

  • Biometrics. Determine or authenticate identity. Identification systems: Who am I? Determine identity. Verification systems: Am I who I claim to be? Authenticate identity.

  • Biometrics. Determine or authenticate identity. Verification systems (cont.): More accurate. Less expensive. Faster. More limited in function. Requires more effort by user.

  • Biometrics. Benefits: Security (PC, network, web; physical access to buildings/rooms); Accountability (audit trails; recordkeeping); Convenience; Savings.

  • Biometrics. Primary drivers: Size and cost decreased. Improved FAR, FRR & FTE. Mature standards (BioAPI, BAPI). Public awareness.

  • Biometrics. Identification and verification: finger scan; iris scan; retina scan; facial scan (optical and infrared). Verification only: hand geometry; voice print; keystroke behavior; signature. Other biometric technologies in the making.

  • Biometrics. Finger scan: Measures unique characteristics in a fingerprint (minutiae): crossover; core; bifurcations; ridge ending; island; delta; pore.

  • Biometrics. Iris scan: Measures unique characteristics of the iris: ridges (rings); furrows; striations (freckles).

  • Biometrics. Retina scan: Measures unique characteristics of the retina: blood vessel patterns; vein patterns.

  • Biometrics. Facial scan: Uses an off-the-shelf camera to measure the following facial features: distance between the eyes; distance between the eyes and nose ridge; angle of a cheek; slope of the nose; facial temperatures.

  • Biometrics. Hand scan: Measures the top and side of the hand, not the palm. Hand geometry. Most widely used technique for physical access. INSpass system.

  • Biometrics. Voice scan: Measures the sound waves of human speech. User speaks a passphrase into a microphone. Voice print is compared to a previous one.

  • Biometrics. Keystroke scan: Measures the time between strokes and duration of key pressed. Most commonly used in systems where a keyboard is already being used.

  • Biometrics. Signature scan: Measures speed, pressure, stroke order and image of signature. Non-repudiation.

  • Biometrics. Biometric techniques still on the drawing board. Vein scan: vein pattern in back of the hand. Lip movement: camera captures images of how the user's lips move while the user speaks a passphrase.

  • Biometrics. False Acceptance Rate (FAR); False Rejection Rate (FRR); Failure To Enroll Rate (FTE); Ability To Verify (AVT): AVT = (1 - FTE)(1 - FRR).

  • Biometrics. Informational privacy concerns: misuse. Addressed by: system design; careful audit. Personal privacy concerns: cultural or religious beliefs.

  • Biometrics. Bioprivacy Framework (25 best practices): Scope & Capabilities; Data Protection; User Control of Personal Data; Disclosure, Auditing and Accountability.

  • Biometrics. Scope & Capabilities: Limit system scope. Limit storage of identifiable biometric data. Data Protection: Security tools (encryption; private networks; secure facilities). Limited system access.

  • Biometrics. User Control of Personal Data: Allow user un-enrollment (voluntarily). Allow user to view, correct and update data. Disclosure, Auditing and Accountability: Explain system purpose. Third-party auditing.

    by Alvaro E. Escobar

  • Biometrics. Q & A

    This is the agenda for this morning. I will be showing you a quick two-minute video that talks about biometrics in the news. Then I'll cover an overview of biometrics, its definition, classifications, etc. Then I will present all the biometric technologies available, both those being used today and those under research. Then I will be covering the accuracy metrics by which biometric systems are graded and which determine how secure a biometric system is. And finally, I will cover bioprivacy, which covers the privacy concerns with the use of biometrics and how to address them. So, first let's see the video.

    Now, let's get into a biometrics overview. The definition of biometrics is: an automated measurement of physiological and/or behavioral characteristics, to determine or authenticate identity. Let's split the definition into its three major components, shown in different colors on the screen. These components will determine what is and what is not a biometric, and also its different types and functionalities.

    Let's start with the first component of the definition: automated measurement, which means no human intervention or involvement is required. Biometrics are automated inasmuch as the processes involved in sample acquisition, feature extraction, record retrieval, and algorithm-based matching are computerized or machine-based. Also, the record retrieval and comparison against another measurement must take place in real time. So, for instance, DNA sampling is NOT a biometric measurement because today it still requires human intervention and it's NOT done in real time.

    The second component of the definition, physiological and/or behavioral characteristics, determines the two main biometric categories: behavioral and physiological. The behavioral characteristics measure the movement of a user, when users walk, speak, type on a keyboard or sign their name. The physiological characteristics would be the physical human traits like fingerprints, hand shape, eyes and face, veins, etc.

    And the last component of the definition is "determine or authenticate identity", which categorizes the two types of biometric functionalities. The first type is identification systems, or the systems that answer the question "Who am I?" and determine the identity of a person. The second type is verification systems, or systems that answer the question "Am I who I claim to be?" and authenticate a person.

    An example of an identification system using biometrics would be: you approach an ATM with NO card, NO claimed identity, NO PIN. The ATM scans your iris, determines who you are and gives you access to your money.

    An example of a verification system using biometrics would be: you approach an ATM and swipe a card or enter an account number. The ATM scans your iris and uses it as a password to authenticate that you are the rightful owner of the card, and therefore gives you access to your money.

    Verification systems are more accurate, less expensive and faster than identification systems. However, their drawbacks are that they are more limited in function and they require a lot more effort from the user to use the system.
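
The two ATM cases above, as an added sketch that is not part of the original presentation: 1:1 verification against a claimed identity versus 1:N identification over every enrolled template. The feature vectors, the distance threshold and all names are constructed for illustration, and the last function assumes every comparison is independent with the same false acceptance rate.

```python
import math

# Constructed enrollment database: user id -> feature vector (illustrative values).
TEMPLATES = {
    "alice": (0.12, 0.80, 0.33),
    "bob": (0.90, 0.15, 0.52),
    "carol": (0.45, 0.47, 0.91),
}
THRESHOLD = 0.10  # assumed maximum distance that still counts as a match


def verify(claimed_id, sample, templates=TEMPLATES, threshold=THRESHOLD):
    """Verification (1:1): 'Am I who I claim to be?' A single comparison."""
    template = templates.get(claimed_id)
    return template is not None and math.dist(template, sample) <= threshold


def identify(sample, templates=TEMPLATES, threshold=THRESHOLD):
    """Identification (1:N): 'Who am I?' Compare against every template."""
    best_id, best_distance = None, float("inf")
    for user_id, template in templates.items():
        d = math.dist(template, sample)
        if d < best_distance:
            best_id, best_distance = user_id, d
    return best_id if best_distance <= threshold else None


def false_match_probability(far, enrolled):
    """Chance that at least one of `enrolled` comparisons falsely matches
    (assumes independent comparisons, each with the same FAR)."""
    return 1.0 - (1.0 - far) ** enrolled


if __name__ == "__main__":
    sample = (0.13, 0.79, 0.35)  # constructed scan, close to alice's template
    print("verify as alice:", verify("alice", sample))
    print("verify as bob:  ", verify("bob", sample))
    print("identify:       ", identify(sample))
    for n in (1, 1_000, 100_000):
        p = false_match_probability(0.001, n)
        print(f"FAR 0.1% against {n} templates -> {p:.1%}")
```

The same per-comparison FAR that is acceptable for one claimed identity becomes a large false-match chance when the sample is searched against a whole database, which is one reason verification can be run more accurately than identification.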

    The benefits of biometrics are:

    Enable security, because it helps protect data at the PC and/or network level. It may also restrict access to buildings or specific rooms.

    Enforce accountability, because it can improve the audit trail and recordkeeping process. For instance, recent HIPAA regulations require careful audit logs of who accesses special data and for what reason.

    User convenience, because users no longer have to memorize passwords or carry keys or badges that can get lost, stolen or forgotten.

    Improve savings, because biometric implementers no longer need to reset passwords, reissue badges, change locks, etc.

    Recent primary drivers for the use of biometrics are:

    Size and cost of biometric devices have decreased dramatically, with hardware getting smaller, faster and cheaper.

    All types of biometric systems have improved their accuracy and reliability by improving on their metrics, like false acceptance rate, false rejection rate and failure to enroll rate, which I will cover later on and explain what they are.

    We can find today much more mature standards and APIs (like BioAPI and BAPI) that have made it easier and less expensive to develop biometric applications.

    And finally, recently there has been more public awareness of biometric uses and their convenience.

    Now let's take a look at the different biometric technologies out there. There are two major classifications of biometric technologies: those that do identification and verification (like finger scan, iris scan, retina scan and facial scan) and those that do verification only (like hand geometry, voice print, keystroke behavior and signature). This classification is driven by the number of distinctive characteristics each technology is able to consistently measure. Therefore biometric technologies that do identification and verification will have more distinctive characteristics to work with than the ones that only do verification. There are also other biometric technologies in the making, at universities and colleges, which I will cover later on.

    In the case of finger scan, it measures unique characteristics in a fingerprint. These characteristics, or minutiae (as they are called), are crossover, core, bifurcations, ridge ending, island, delta and pores. Fingerprint samples like the one you're looking at typically don't have all the minutiae types available. It is desirable but not always possible. Today we may find many automated fingerprint identification systems, or AFIS, because of the high-quality scanners available. This technique is used mostly for forensic and background checks and is being used in both logical and physical security. Logical security costs are approx. $50 - $200 and physical security costs approx. $500 - $1,000 per device.

    In the case of iris scan, it measures unique characteristics of the colored part of the eye, also known as the iris. These characteristics are: ridges or rings, furrows, and striations or freckles. This technique, just like finger scan, is being used in both logical and physical security.

    In the case of retina scan, it measures unique characteristics of the back of the eye, which is called the retina. These characteristics are: blood vessel patterns and vein patterns. Retina scan requires significantly more effort to use than iris scan, and it is more challenging because the slightest movement causes rejection by the system. It also needs more sophisticated cameras than iris scan.

    In the case of facial scan, it measures facial features like the distance between the eyes, the distance between the eyes and nose ridge, the angle of a cheek, the slope of the nose, the thickness of the lips, or facial temperatures. It is the most common biometric technique used to obtain a personal identification. Facial scan has many challenges, like changes in lighting, changes in camera angles, etc. This technique is used at all US embassies worldwide, and at government agencies. It is also used to guarantee uniqueness against an image database, usually to prevent identity theft. Many ATMs and casinos around the country use this technique to identify users. Very recent uses of this technique have been at Super Bowl 35, to compare facial scans against known criminals, or at Ybor City, Florida in the west coast (for citizen surveillance in public streets).

    In the case of hand scan, it measures the top and side of the hand, not the palm as is commonly thought. It is typically known as hand geometry (finger lengths, widths, curves, etc.). It is the most widely used technique for physical access, and its price ranges from $1,200 - $1,500 per door. Recent uses include the INSpass system, which scans a hand of frequent travelers, so instead of presenting a passport for authentication these frequent travelers swipe a card and do a hand scan. It is both convenient to consumers and frees up human resources to attend to higher-risk passengers.

    In the case of voice scan, it measures the sound waves of human speech. Voice scan could be based on either text-dependent or text-independent speech input. If it is text-dependent, the user speaks a passphrase into a microphone and will repeat the same passphrase when needing to be authenticated. The most common use of voice scan biometric systems is where a telephone is already being used. For instance, home arrest verification is a very common use. Any time of the day or night a computer calls the home of a person under home arrest, and that person has to answer the phone and speak a passphrase to be authenticated. Voice scan biometrics is currently restricted to low-security applications because of high variability in an individual's voice (it depends on the user's mood) and poor accuracy performance of a typical speech-based authentication system (affected by background noise).

    In the case of keystroke scan, it measures the time between strokes and the duration of key pressed. It is most commonly used in systems where a keyboard is already being used.
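
What a keystroke scan measures, as an added sketch that is not part of the original presentation: how long each key is held (dwell time) and the gap between releasing one key and pressing the next (flight time), averaged into a template and compared on a later attempt. The event timings, the 25 ms tolerance and the mean-absolute-deviation comparison are assumptions chosen for illustration.

```python
from statistics import mean

# Constructed key events for the passphrase "pass": (key, press_ms, release_ms).
ENROLL_1 = [("p", 0, 90), ("a", 150, 230), ("s", 300, 385), ("s", 450, 540)]
ENROLL_2 = [("p", 0, 100), ("a", 170, 250), ("s", 310, 395), ("s", 470, 550)]
GENUINE_TRY = [("p", 0, 95), ("a", 160, 245), ("s", 315, 395), ("s", 465, 550)]
IMPOSTOR_TRY = [("p", 0, 150), ("a", 350, 480), ("s", 700, 860), ("s", 1000, 1140)]


def timing_features(events):
    """Dwell times (duration each key is held) followed by flight times
    (release of one key to press of the next), all in milliseconds."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Build a template by averaging the features of several typings."""
    vectors = [timing_features(sample) for sample in samples]
    return [mean(column) for column in zip(*vectors)]


def verify(template, events, tolerance_ms=25):
    """Accept when the mean absolute timing deviation is within tolerance."""
    features = timing_features(events)
    if len(features) != len(template):
        return False  # different number of keystrokes than the enrolled phrase
    deviation = mean(abs(f - t) for f, t in zip(features, template))
    return deviation <= tolerance_ms


if __name__ == "__main__":
    template = enroll([ENROLL_1, ENROLL_2])
    print("template (ms):", template)
    print("genuine attempt accepted: ", verify(template, GENUINE_TRY))
    print("impostor attempt accepted:", verify(template, IMPOSTOR_TRY))
```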

    In the case of signature scan, it measures the speed, pressure, stroke order and image of a signature. So it's not only the signature image, as is commonly believed. If a signature from a user is already captured, this biometric technology adds an extra level of security with non-repudiation. Typically signature scan devices go for $50.00 or less.

    To compare the different biometric techniques I will use the Zephyr chart analysis. In this chart, the further away the characteristic is from the center, the better the biometric technique is. So for instance keystroke scan and signature scan are low cost, require very little effort, and are not intrusive at all; however, they are not distinctive. On the other end of the spectrum, retina scan and iris scan provide very high distinctiveness; however, they are both expensive and intrusive.

    Now let's talk about some of the accuracy metrics in biometric systems.

    False Acceptance Rate (FAR): measures how often imposters would be let into the system (Type II error).

    False Rejection Rate (FRR): measures how often legitimate users will be rejected by the system (Type I error).

    Now, all biometric systems have threshold levels to minimize the FAR and FRR as necessary, depending on the application.

    Failure To Enroll Rate (FTE): measures the percentage of the population that is unable to enroll in the system; this is not only handicapped people but anyone who, for one reason or another, cannot enroll.

    Ability To Verify (AVT) is a metric based on FTE and FRR. This metric usually characterizes user experience, cost of the system and level of security. The higher this AVT metric, the more users can be processed and the fewer the exceptions, making criminals easier to identify. Both AVT and FAR are excellent measures of a biometric system's level of security.
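
The threshold trade-off and the AVT formula above, as an added example that is not part of the original presentation. The match scores, the thresholds and the 2% FTE figure are constructed; the code assumes a matcher that outputs a similarity score and accepts any score at or above the threshold.

```python
# Constructed similarity scores in [0, 1]; higher means a closer match.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.85, 0.64, 0.97, 0.79, 0.58, 0.90]   # rightful users
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.66, 0.19, 0.52, 0.07, 0.31, 0.60]  # imposters
THRESHOLDS = [0.3, 0.5, 0.6, 0.7, 0.9]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when scores at or above `threshold` are accepted."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def ability_to_verify(fte, frr):
    """AVT = (1 - FTE)(1 - FRR), the formula given on the slide."""
    return (1.0 - fte) * (1.0 - frr)


def sweep(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) rows: raising the threshold lowers FAR, raises FRR."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def closest_to_equal_error(rows):
    """Row whose FAR and FRR are closest to each other."""
    return min(rows, key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    rows = sweep(GENUINE, IMPOSTOR, THRESHOLDS)
    for t, far, frr in rows:
        print(f"threshold={t:.1f}  FAR={far:.0%}  FRR={frr:.0%}")
    t, far, frr = closest_to_equal_error(rows)
    avt = ability_to_verify(0.02, frr)  # 2% FTE is an assumed figure
    print(f"balanced threshold={t}  FAR={far:.0%}  FRR={frr:.0%}  AVT={avt:.3f}")
```

A high-security door would pick a threshold to the right of the balanced point (lower FAR, more rejected legitimate users); a convenience application would pick one to the left.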
    Finally, let's cover some of the bioprivacy concerns. There are two main categories of biometric privacy concerns: informational privacy concerns and personal privacy concerns. Just like your name and address, biometric information can be sold, so there are valid concerns about the use of this information. These concerns can be addressed through careful system design and careful audit. Personal privacy concerns create inherent discomfort because of cultural or religious beliefs. These concerns can be addressed by educating the users.

    To help mitigate both informational privacy concerns and personal privacy concerns, the bioprivacy framework was created; it lays out the 25 best practices. These bioprivacy best practices have been broken down into four main categories: Scope & Capabilities; Data Protection; User Control of Personal Data; and Disclosure, Auditing and Accountability.

    The first category of bioprivacy best practices is scope and capabilities. It includes limiting the system scope (a slight expansion may have significant privacy implications) and limiting storage of the identifiable biometric data (actual images and recordings should be discarded whenever possible).

    The second category is data protection: use security tools to protect biometric information. These tools include encryption, private networks and secure facilities. System access should be limited to the smallest number of operators to prevent internal compromise.

    The third category of bioprivacy best practices is user control of personal data: systems should allow for the un-enrollment of a user in a voluntary way. Systems should allow the user to view, correct and update information stored in the system.

    The last category of bioprivacy best practices is disclosure, auditing and accountability: explain the purpose of the system to operators and enrollees. Provisions should be made for third-party auditing.

    And now I will answer any questions you might have.