Embed Size (px)
Citation preview
J O U R N A L O N L I N E
Copyright © 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Following the terrorist attacks of 11 September 2001 and theongoing war against terrorism, there has been a worldwideeffort by governments to develop a biometric standard that
“could be used to identify airline passengers, control access tohigh-security buildings and record the details of convictedcriminals...(implemented in) biometric technology, which uses achip to store biological information, such as face scans, irispatterns and fingerprints.”1 Terrorism, ID fraud and cybercrime arejust a few of the reasons for investigating biometrics.
The purpose of this article is to investigate the applicationof biometrics to the task of security, particularly theauthentication/verification processes. In addition to the reasonsprovided above, there is a greater emphasis on e-businesssystems, with these applications being developed fordistributed deployment and a diverse range of stakeholders.Clearly, a major issue is the authentication of remote users,that is, being reasonably certain that the individual is whomhe/she purports to be. Traditionally, a number of electronicmeans have been attempted, such as user ID/passwords,public/private keys and various forms of encryption.
As technology advances and provides more specialisedequipment, other means are becoming practical. This articlelooks at the potential of fingerprint recognition as a means ofverifying a remote user. Fingerprinting has been selected as itis the least invasive biometric system. This article looks at theadvantages and disadvantages, audit implications, and theusability of fingerprint authentication.
Like most technical fields, biometrics and its associatedsystems have a multitude of definitions. Most definitions aredependent on the context in which the subject is beingdiscussed. For the purpose of this article, biometric systemswill be defined as:
“Automated methods of verifying or recognising a living person on the basis of some physiologicalcharacteristics, such as fingerprint or iris patterns, orsome aspects of behaviour, such as handwriting orkeystroke patterns.”2
This definition has a physiological and a behaviouralaspect. The differences between using physiological andbehavioural identifiers are quite significant, especially whenconsidering accuracy, cost and acceptance by the user. Thesedifferences will be considered later.
Why Biometrics?Biometric systems use points of measurable uniqueness to
determine identities.3 This technology can act as the front endto a system that requires precise identification of thoserequesting access before the system may be used. This conceptis essentially what password systems attempt to achieve;knowing a password provides access to a system or location.There is, however, one fundamental difference between accesssystems using passwords and those using biometric methods.
Password systems are identity-nonspecific. They can bestolen, given to other users and, in some cases, guessed,meaning that there is no guarantee that the person logging on isthe owner of that password. Put simply, there is no foolproofway to prevent unauthorised intrusion or to determine useridentity beyond doubt.4 By contrast, biometric systems useidentifiers that are inexorably linked to the user in question.These range from fingerprint and voice scans to iris and retinalpattern recognition. The premise behind using such identifiers isthat they are unique, generally not subject to change, and cannotbe stolen, lost or forgotten.5 This is not to say that biometricidentifiers are infallible. They do, however, represent a usefulmethod of linking identity to specific system users.
How Biometrics WorkBiometric systems generally comprise three basic
components:6
• An automated mechanism scans and captures a digital oranalogue image of a living individual’s characteristics.
• Another mechanism handles compression, processing,storage and comparison of the collected data with the stored data.
• A third component interfaces with the application system towhich the user is attempting to gain access.
Obviously, the configuration of such a system may bealtered to suit a particular situation. However, the majority ofbiometric control systems follow this simple model.
It should be noted that there is one crucial step required insetting up a biometric system: enrolment. The only way to gainaccess to a biometrically controlled system is to enrol.Enrolment is required to generate a reference template. Themethods of enrolment vary according to the device used butusually involve scanning the required biometric data a numberof times to gain an accurate measurement. A template is thencreated and linked to the user’s identity.7 This template providesthe reference for comparison when access attempts are made. Itis the storage and risk of misuse of such templates that createthe most concern for users. This issue will be discussed later.
Types of Biometrics SystemsBiometric systems fall within two broad categories:
physiological and behavioural. Physiological characteristicsare stable physical features, such as a fingerprint, handstructure, retinal or iris pattern, or facial feature. They aregenerally unchangeable, except by surgery or accident, and areconstant over time.
In contrast, behavioural characteristics reflect anindividual’s psychological state and thus are affected by suchfactors as stress, fatigue and illness (colds included). Mostbehavioural characteristics alter over time. For example, thevoice print from a user with laryngitis can seriously confuse avoice-based access control system. Hence, systems designed to
Fingerprint Identification: An Aid to the Authentication Process
By Rodger Jamieson, Ph.D., CA, Greg Stephens and Santhosh Kumar
J O U R N A L O N L I N E
measure such characteristics often need to redefine theirreference templates to reflect these changes. This need toupdate the reference template reduces the usability andreliability of behavioural-based systems.8
There is a large number of technologies and systems thatcome under the heading of biometrics. To consider each one inturn would not do them justice within the confines of thisarticle. Consequently, one such technology, fingerprintidentification, will be considered in some detail. This articlewill outline how it works, its relative advantages anddisadvantages, and its current and future uses. Then, the ethicsof collection and maintenance of repositories of such personalidentification information will be considered.
An Example: Fingerprint IdentificationWith reference to the types of biometric systems discussed
above, fingerprint scanning is classified as a physiologicalsystem. The human fingerprint is a unique identifier that isintrinsically linked to each individual and thus cannot be lost,stolen or transferred between individuals. Moreover, no twofingerprints are identical, which greatly assists in linking theuser’s access key to the user. Finally, barring serious accidentor surgery, fingerprints are constant over time.
Although there are variations amongst the fingerprintscanners available on the market, the principle behind how theuser is identified is generally the same. A light-sensitivedevice, either a scanner or camera, takes an analogue image ofthe fingertip. The image is then digitised and compared withtemplate records that were created during the enrolmentprocess. At the most basic level, these systems work bymatching relationships amongst minutiae—the points onfingertips where print ridges end or divide. More complexscanning systems also examine other major features, such asthe arch, loop and whorl that appear on the finger.9
Despite popular misconceptions, these systems do notrequire a perfect, 100 percent match of all identifiers. Throughthe use of a number of complex mathematical techniques, ascanner requires only a match that is statistically significant.This matching process has a number of advantages, the mostobvious of which relates to storage. The actual fingerprint isnot recorded; rather, the scanning device performs a reductionof the image into data points that describe the fingerprintlayout in a statistical, rather than physical, form. This methodgreatly assists in reducing the chances of reproducing afingerprint for fraudulent use.10
Automated Fingerprint Identification System (AFIS)11
technology has been used in law enforcement over the last 25years, and the use of AFIS technology is rapidly expanding ina number of new applications areas including welfare.However, the rush to capitalize on the benefits of thistechnology, in advance of appropriate standards andtechnology validation methods, is likely to result in awidespread failure to achieve the very valuable programmaticexpectations over the long term.
For serious large-scale, positive-identification applications,no other available biometric technology comes close tofingerprints. Fingerprint identification technologies are:• Well established—Fingerprint identification has been used
in law enforcement applications over the past 100 years andhas become the de facto international standard for positiveidentification of individuals.
• Proven—AFIS technology has been developed, refined andproven in demanding law enforcement applications over thelast two decades.
• Legally accepted—Legal precedents, which have beenestablished in the US court system, make fingerprints theonly biometric proof of identification that is readily acceptedin legal proceedings.
• Mature—Fingerprint identification technologies are wellbeyond the research and development stage, as evidenced bythe fact that a number of viable manufacturers producecompeting products for a widespread and well-establishedmarketplace. In most other biometrics, the technology isavailable from only a single vendor, making any large-scale,long-term application very risky.
Recent advances in computing and digital imagingtechnology have led to the introduction of new AFISmethodologies using electronic “live-scan” plain-impressionfingerprint images as the basis for identification. Theproliferation of plain-impression AFIS systems is rapid andaccelerating at the state and national levels (US) in large-scaleapplications, including welfare, driver’s licenses, bordercontrol, immigration and military personnel identification. Formore detailed coverage of this area, refer tohttp://onin.com/fp/afis/afis/html.
Advantages and DisadvantagesAs with all biometric systems, there are a number of
advantages and disadvantages associated with using fingerprintscanning to confirm an individual’s identity. Often, weighingthe various benefits and costs associated with particularbiometric methods greatly affects which systems areimplemented by an organisation and, in some cases, whetherbiometric systems are adopted at all. In the case of fingerprintscanning, the relative advantages and disadvantages arereasonably straightforward.
The advantages include:• Acceptance—As most people are familiar with the use of
fingerprinting for identification purposes, it is generallyaccepted as a technology. Most people understand itsapplicability to access control.
• Accuracy—By and large, fingerprint technology is accurate.There is a small chance of rejection of a legitimate print,i.e., there is a chance of accepting a false print or a chance ofrejecting a legitimate print. The chances of accepting a falseprint are very low.
• Ease of use—Very little time is required for enrolment witha fingerprint scanning system. Unlike other biometricdevices, such as retina scanners, fingerprint scanners do notrequire concentrated effort on the part of the user.Accordingly, one could consider fingerprint scanning to berelatively nonintrusive.
• Installation—Changes in technology have made fingerprintscanners relatively easy to install and inexpensive. Mostfingerprint scanners are now very small and portable. Plug-and-play technologies have made installation very easy.In many cases, the scanning device has been incorporatedinto keyboards, mouse buttons and even notebook computers.
• Training—Due to the intuitive nature of scanningfingerprints, such devices require no training to use and littletraining to support.
J O U R N A L O N L I N E
• Uniqueness—As noted previously, fingerprints are a uniqueidentifier specific to the individual.
• Security—Fingerprints cannot be lost or stolen, and aredifficult to reproduce. Furthermore, storing fingerprinttemplates as statistical algorithms rather than completecopies ensures that the ability to reproduce these uniqueidentifiers is significantly reduced.12
The disadvantages include:• Acceptance—Although also an advantage, user acceptance is
not guaranteed. Fingerprint scanning crosses the fine linebetween the impersonal and nonintrusive nature of passwordsand personal identification numbers (PINs), and utilising partof an individual’s body to identify him/her. As will bediscussed, some people view this as an invasion of privacy13
or worse. • Injury—Injury, whether temporary or permanent, can
interfere with the scanning process. In some casesreenrolment is required. For example, bandaging a finger fora short period of time can impact an individual if fingerprintscanning is used in a wide variety of situations. Something assimple as a burn to the identifying finger could prevent use ofan automatic teller machine (ATM).
• Security—As some authors have argued, there is nothing tosuggest that the same technology that is used to storefingerprints as statistical algorithms cannot also be used ormodified to recreate accurate depiction of the print itself. Thisraises serious concerns related to how such data should bestored, maintained and protected to prevent fraudulent use.14
Issues With the Use of Fingerprint IdentificationTransmission and Storage
The truism that the majority of physiological characteristicsare almost impossible to alter, fingerprints being one of them,introduces a major drawback of biometric systems.15 When auser wishes to gain remote access to a device that is controlledby a biometric system, e.g., an ATM, the terminal musttransmit the biometric measurements to a host database forcomparison. This creates two potential weaknesses in thesystem. One relates to the security of the transmission methodused, and the other relates to the security of and accesspermissions controlling the database in which the referencetemplate is stored. If the security of these systems is weak, it isconceivable that the biometric measurements could in someway be copied and fraudulently used.
Considering the number of possible applications of thistechnology, the implications for such fraudulent use could bedisastrous. Unlike passwords or PINs, which can be changed ifcompromise is suspected, fingerprints are unique identifiersthat cannot be altered. Furthermore, due to their unique natureand the perceptions this creates, the existence of a fingerprintauthorisation for a fraudulent transaction represents a virtualadmission of guilt. Consequently, for such authenticationtechniques to be effective and confidently used, thetransmission of biometric data and the storage of biometrictemplates must attract tight security.16
The large number of potential applications and theconsequent variety of individuals, companies and agencies thatwould require access to stored templates make the physicalstorage requirements of biometric templates a major issue
itself. If the fingerprint scanning example was extended toinclude the population of Australia, the overhead costs ofcollecting and storing approximately 20 million uniquefingerprints would be enormous. Added to this is the questionof who and what agencies would require access to suchinformation. In the case of fingerprint templates, there are twopossible storage solutions.
First, biometric templates could be stored in a series ofcentralised databases. As noted, the overhead becomes quitelarge when considered in reference to a country’s population.Also, users may be required to interact with a number ofdatabases depending on their access needs. For example, suchtemplates could be kept by the Australia Taxation Office(ATO) for taxation purposes, the Road and Traffic Authority(RTA) for licensing information, on a server controlling accessto the user’s home, or on specific devices such as personaldigital assistants (PDAs) or even cars. The more places suchinformation is kept, the greater the possibility of unsavouryelements of the community stumbling upon a database with weak security and capturing biometric templates for fraudulent use.
An alternative to database storage is the use of smartcards.Smartcards store the biometric template and are carried by theuser. To gain access to a fingerprint-protected system, a userwould insert the smartcard containing the fingerprint templateand then have a fingerprint scan taken. The results of the scanare then compared with the information on the card todetermine authenticity. This process is conducted at the pointof access and needs no interaction with additional systems.Consequently, there is no risk of transmission interception andno requirement to hold such information centrally.17
Ethical ConsiderationsOne of the greatest concerns raised in response to the
increasing use of biometric authentication systems has beenthe issue of privacy. Organisations such as Fight theFingerprint and the Electronic Privacy Information Centreargue that there is great scope for abuse of biometric systemsby government agencies and the private sector. Coupled withthis, there are very few directives or standards established bylegislature or adopted by industry regarding the disseminationof biometric information.
By way of example, an individual is required to provide afingerprint template to an employer to gain access to a place ofemployment and the devices required to carry out his/her tasksas an employee. This template is then linked to the employee’spersonal records, which outline employment history, salaryand financial information, dependant details and residentialinformation. An unscrupulous organisation could then sell thislinked biometric data to direct marketing firms, mail-orderhouses and even government agencies, which would then haveaccess to a ready-made personal profile of each individual. Ithas been argued that when such cross-matching occurs, thefine line between relevant information tracking and an invasionof privacy is blurred.18
To take a more extreme view, fingerprinting has beendescribed as a “Big Brother” population control method (e.g.,by Fight the Fingerprint). Most people readily accept the useof PINs, signatures and photographs as legitimate methods ofidentification and access control. They are impersonal and not
J O U R N A L O N L I N E
physically connected to the individual. Biometric data, incontrast, are an intrinsic part of the human body. Therefore, anumber of organisations and individuals find such methods ofidentification repulsive and invasive.19
Conclusion Obviously, the use of biometric systems for identification
and access control purposes is a contentious issue. It is onethat requires clear and ethical consideration before adoption byany organisation or agency. Furthermore, governments need todevelop strict guidelines that restrict the dissemination ofbiometric data and the information linked to such data toprevent misuse and erosion of individuals’ rights. Informationsystem auditors and security personnel require knowledge ofthese biometric techniques, as they may be asked to eitheraudit or evaluate them for their clients or organisations.
Useful Web Resourceswww.onin.com/fp/afis/htmlwww.duke.edu/web/mms190/team3/defining.htmlwww.biometritech.com/features/smallback2.htmwww.onclickcorp.com/onclicksite/onclick.htmlwww.networkusa.org/fingerprint.shtml
Endnotes1 Lebihan, R.; “New Passport to Store Facial Biological
Information,” The Australian Financial Review, 12 February2003, p. 52
2 Kim, H.J.; “Biometrics, Is It a Viable Proposition forIdentity Authentication and Access Control?” Computers &Security, vol. 14, 1995, p. 205-214
3 Java Card Special Interest Group (JC Sig),www.javacard.org/others/biometrics_intro.htm
4 Ibid.5 “Biometrics Explained,” I/O Software,
www.iosoftware.com/pages/Products/Technologies/Biometrics/index.asp#Fingerprint
6 Op. cit., Kim7 Ibid.8 Op. cit., Java Card Special Interest Group9 Op. cit., I/O Software
10 Op. cit., Java Card Special Interest Group11 Automated Fingerprint Identification Systems (AFIS), 2002,
www.onin.com/fp/afis/html
12 Op. cit., I/O Software; Op. cit., Java Card Special InterestGroup; White, R.; “Face vs. Fingerprint Identification,”1999, www.zdnet.co.za/pccomp/stories/reviews/0,5672,396764,00.html
13 Fight the Fingerprint, www.networkusa.org/fingerprint.shtml14 Op. cit., I/O Software; Op. cit., Java Card Special Interest
Group; Op. cit., White15 Op. cit., Kim16 Ibid.17 Op. cit., I/O Software18 Op. cit., Kim19 Schneier, B.; “The Uses and Abuses of Biometrics,”
Communications of the ACM, Association for ComputingMachinery, August 1999, vol. 42, no. 8, p. 136
Rodger Jamieson, Ph.D., CAis an associate professor at the School of Information Systems,Technology and Management at the University of New SouthWales (Australia), the director of SEAR (Security, E-businessand Assurance Research) group, and director of the SAFE(Security, Assurance and Fraud-prevention for E-business)research program for the Securities Industry Research Centreof Asia-Pacific (SIRCA). He serves on international journaleditorial boards and is engaged in teaching, research andconsulting in the areas of IS assurance and security, riskmanagement, e-crime and identity fraud, computer forensicsand electronic commerce. His prior experience includesworking as an IS audit manager with Touche Ross & Co. andas a chartered accountant for Coopers & Lybrand. He also hascommercial experience with the AMP Society and Honeywell.
Greg Stephensis a lecturer in the School of Information Systems, Technologyand Management at the University of New South Wales. Hisresearch interests include audit and security concerns,computer-mediated communication and its impact on socialnetworks within organisations, and knowledge-based/expertsystems. He has previously worked as an information systemsprofessional and as an IS auditor.
Santhosh Kumaris a researcher with the SEAR group at the University of NewSouth Wales and a member of the Institute of Electrical andElectronics Engineers (IEEE). He has previously worked innetworking with Unitafe Networking Co. and TAC-Pacific inAustralia, and as an engineer for three organisations in India.
JournalOnline articles, the online-only counterpart of the Informations Systems Journal, are published by the Information Systems Audit and Control Association, Inc. Membership in the association, avoluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive online access to the JournalOnline as well as an annual subscription to theInformation Systems Control Journal.
Opinions expressed in the JournalOnline and Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of theInformation Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal.Information Systems Control Journal does not attest to the originality of authors’ content.
© Copyright 2005 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from theassociation. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articlesowned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of theassociation or the copyright owner is expressly prohibited.
www.isaca.org
