Section 10.5. Incorporating User Factors into Testing

Considerations of age , long- term stability , gender , and ethnicity also need to be taken into account when a biometrics system is evaluated. All claims should be qualified with the user categories on which the biometrics has actually been tested .

Fully understanding the user's role in the performance and acceptance of biometrics requires the utilization of a number of research methods through different stages of development of new biometrics technologies. (The most extensive research has been carried out on iris and fingerprint verification. ^{[32] , [33]} ) These methods include focus groups to identify consumers' understanding, misconceptions, and barriers to acceptance of biometrics techniquesalthough conclusions drawn from focus groups may or may not correlate with actual user behavior. Specific studies help to understand how well a technology works with the general, untrained public, and to assess whether it can be adapted to a self-service environment.

^[32] DARPA, "Human ID at a Distance."

^[33] Thalheim, Krissler, and Ziegler.

Developers must work with an iterative design and evaluation process to create a successful biometrics application. Field trials are imperative to fully test the performance and acceptance of any self-service application, as experience with the actual technology can change people's attitudes in either a positive or a negative direction.

10.5.1. Size of User Base

Within some application areas, including the financial self-service environment, the potential size of the user base can be extraordinarily large. Even small financial institutions can have millions of customers, and with cross-institution relationships, we must consider the possibility that any biometrics system might ultimately have to be applicable to the entire banking population of the planet and all the variations within it! This drives a number of factors associated with biometrics, such as the use of verification (as opposed to recognition), template storage, accessibility, the handling of "outliers," enrollment, and user acceptance.

10.5.2. Designing a Biometrics Solution to Maximize the User Experience

Developers must take into account a number of design considerations for a biometrics solution, if it is to fully accommodate a wide range of potential users in a socially acceptable manner. Consideration must be given to the design of the enrollment process, the biometrics capture device itself, the device's user interface, and the user acceptance issues for the particular application.

10.5.3. Enrollment

Any person wishing to use a system with biometrics security first must be enrolled. The person's biometrics template must be sampled and stored along with his identification. The difficulty of this task scales with the size of the population to be identified.

Enrollment is similar to verification in that the user provides a series of biometrics measurements for the same biometrics artifact. These biometrics measurements are then processed , producing a template that is representative of the biometrics artifact. But while enrollment sounds simple, it is extremely problematic . Enrollment is often the first time a user might have seen a particular biometrics device, which can be confusing and disconcerting.

The effectiveness of biometrics depends on the quality of the enrollment image; thus, a good enrollment template is key to efficient and accurate verification. It is unfortunately difficult to obtain a high-quality image in an unattended self-service environment. ATM owners cannot afford customer dissatisfaction through false rejection , nor can they allow the ATM to become a target for fraud through false acceptance.

An attended enrollment is thus a critical part of a successful solution, as it maintains the integrity of the information stored, provides an opportunity for education and training, and dispels misconceptions. Such enrollment should include:

Education about the biometrics itself

For example, with fingerprint biometrics, users must understand the importance of the fingerprint core and where it is located on their finger.

Training to enable the consistent use of the technology

For example, users must be told how to use the technology and its limits. This might focus around, for example, accurate placement of the biometrics within the required range.

Explanation of interface support

Users need some understanding of how the software interface will support them if they have not placed their biometrics accurately.

Use of a trainer

A "trainer" should lead the user through the interaction, and the user should be provided with feedback about how to correct his placement.

Supervised "playtime"

Time is needed for the user to explore how to use the system (e.g., the pressure required, positioning the biometrics). This should continue until the user can provide consistent images.

Readers who first learned graphical user interfaces two decades ago might remember a similar situation: extensive training was required at the start, but it soon became superfluous. If biometrics becomes ubiquitous, the population will become habituated to the technology and will no longer need this level of early support. Until then, it is unlikely that unassisted enrollment will be effective.

10.5.4. Biometrics Capture

A biometrics device requires that the user actively participate in, or at least collaborate with, the biometrics system in order for the system to obtain a biometrics measurement. A user might have to provide a fingerprint imagefor example, by placing his finger on a specified device, swiping his finger across a fingerprint reader, or collaborating with a camera-based system in order for it to obtain a good picture of his face or of his iris.

Biometrics vendors assume that their systems are intuitive and easy to useperhaps because of their familiarity with their own technologybut usability evaluations are proving this not to be the case. Users find that they must interact with this new technology correctly and consistently. This may be a physical challenge for anyone until they become habituated to the technology, but may be especially problematic for elderly or disabled users. Therefore, the nature and timing of the feedback to the user are essential to capture consistent and high-quality images.

Many factors affect the quality of the data and the appropriateness. For example, a user must apply correct pressure when providing a fingerprint to a capacitive sensor. However, exact pressure varies between individuals depending on their skin. Meanwhile, users must also accurately place their fingerprint core on the device. Overall, the user's interaction with the biometrics device and the feedback provided by the system are crucial for success.

In general, approaches based on external cues (e.g., an indentation where the finger should be placed or a red line against which to position the base of the fingernail) are too general and can create problems resulting from the discrepancies between varied human finger sizes and shape. This is particularly problematic if the user does not understand what goal he is trying to achieve.

It is essential for user comprehension to provide an image of the biometrics on the screen. This image should also have a marker showing where the user's core is located relative to the ideal location of the fingerprint's core. The image also can be used to give users feedback about the amount of pressure they need to apply; for example, a very black image indicates too much pressure. Greater user feedback reduces the number of poor enrollments, and thus the subsequent percentage of false rejects. Further, the resulting images will be more consistent and of higher image quality.

10.5.5. Outliers and Fallback Strategies

There is currently no biometrics that can be used by everyone in the world, and so the system must consider how it will handle cases where it is not possible to use the biometrics system. As a result, "outliers" and those temporarily excluded from a specific biometrics system must be accommodated without causing either discrimination or weakened system security.

Exception handling offers an easy bypass to this issue if biometrics authentication is part of a security process.

10.5.5.1 Exception handling of outliers

Extreme examples of "unenrollable" users are those people who do not have the required characteristicfor example, no eyes or no fingers. Conversely, someone with a very manual job may have such poor fingerprint definition that some fingerprint systems will be unable to capture enough of the fingerprint for verification. Still others may find it physically impossible to present the required characteristics (e.g., as a result of arthritis or loose eyelids). It may be possible to deal with such cases through individually based quality acceptance levelswith the attendant security implications. Alternatively, an entirely different authentication system could be used.

10.5.5.2 Exception handling of temporary exclusions

Injury, illness , or current environmental conditions (e.g., tremors, glaucoma, traumas, or injuries such as a cut finger or a broken hand) may prevent an enrolled user, on one or more occasions, from presenting his biometrics at the required quality level for obtaining access. While ATMs might fall back on PINs, it is quite possible that a user who has become habituated to biometrics would have forgotten his PIN altogether. Fear of lack of access might even encourage the user to write down his PIN number and carry it with him so that he has it available for the few occasions on which he goes to a machine without the appropriate biometrics system. This, of course, is a terrific security risk all its ownand paradoxically defeats the security provided by the biometrics in the first place.

10.5.5.3 Exception handling of aging

Because the body changes over time, the statistical algorithms that match the live image with the template must be sufficiently flexible to continually match the two as the body ages. Some systems perform minor updating of the template over time with each successful authentication, and other systems require periodic re-enrollment.

10.5.6. User Acceptance

Users' fundamental attitude toward a technology will affect their behavior with that technology. For consumers to adopt biometrics ( assuming that they are given any choice), they must find the technology:

• Socially acceptable

• Appropriate for a given environment

• Filling a perceived need

• Fundamentally understandable

• Usable

• Not destructive to personal privacy

Further, user acceptance of biometrics varies with the biometrics being used and the application to which it is being applied. Therefore, it is essential to understand user acceptance of specific rather than general situations. Negative factors affecting user acceptance include the newness of the technology, fear of being unable to use the technology, and privacy concerns.

10.5.6.1 Promoting user acceptance

There is a general lack of public understanding of how biometrics works. This understanding gap is often expressed in terms of suspicion, distrust , or blind acceptance. However, the base level of consumer acceptance has increased over the last few years : a December 2002 study ^[34] showed that 78% of the American public would find biometrics verification at ATMs acceptable.

^[34] A. Westin, "Biometrics in the Main Stream: What Does the U.S. Public Think," Privacy and American Business Newsletter 9:8 (Dec. 2002).

A few years ago, there was little perceived need for the addition of biometrics. However, the press coverage around "shoulder surfing" and card skimming has raised worries about PIN security. Meanwhile, terrorist threats have raised even bigger security concerns in general, and biometrics is often thought to be a more secure solution to both issues. It seems that fear of these threats is driving up public acceptance without a corresponding understanding of or experience with the technology: in a recent survey of 1,067 silicon.com readers, 75% believed that biometrics is more secure than traditional security methods. ^[35]

^[35] T. Hallett, "Give Me Some Skin: Biometrics Get Thumbs Up," Silicon.com (Jan. 6 ^, 2004).

On the other hand, many consumers have difficulty believing that some "futuristic" technologies can work well. They think they stand a real chance of being rejected and not getting access, or that the technology may seem intimidating. People do not like rejection; it is embarrassing, particularly if it happens in public. Subsequent attempts to use the biometrics may be affected by the higher level of emotions created by the previous rejection. If a consumer already has a negative attitude toward the technology, any negative interaction will only serve to confirm his negativity.

Usability studies have shown that experience with an actual biometrics device can improve acceptance, ^{[36] , [37]} but a system that exhibits poor usability can equally drive acceptance down. Thus, effective user enrollment, training, and lead-through when using the system are key to maintaining usability and thus, user acceptance.

^[36] Davies.

^[37] DARPA, "Human ID at a Distance."

Some users have expressed concerns about the hygiene of touch-based fingerprint devices, and the health risks of more advanced technologies such as iris or retina recognition. Some even fear that criminals will kill them in order to steal their eyes or fingers. This view is perpetuated by films such as Mission Impossible and Minority Report .

10.5.6.2 Privacy

Privacy is a thorny issue that can generate poor user acceptance of biometrics. Any kind of biometrics technology implemented on a national scale raises all sorts of privacy and data protection issues. While there have been cases where user caution has been justified, ^[38] it is unclear if such fears are unwarranted. There are a number of ethical concerns ^[39] that biometrics advocates claim are unwarranted in general. Currently the technology is not as good as some people believe, and those technology limitations mean that privacy is maintained , at least for now. It is currently not possible to identify an individual from a large population; information is kept local because there are no interoperability standards; data capture requires cooperation and so cannot be covert; and template algorithms are built securely as the vendors want to maintain their confidentiality. But these weaknesses are slowly being eroded, as the technology is refined. In some cases, facial biometrics can be used without the person's knowledge, although this has privacy law implications as seen at Super Bowl XXXV in the U.S. in 2000. ^[40]

^[38] C. Piller, J. Meyer, and T. Gorman, "Criminal Faces in the Crowd Still Elude Hidden ID Cameras," Los Angeles Times Section 1 (Feb. 2, 2001), 1.

^[39] A. Allerman, "Ethical Issues in Biometric Identification," Ethics and Information Technology 5 (2003), 139150.

^[40] J. D. Woodward Jr., "Superbowl Surveillance: Facing Up to Biometrics," Rand Arroyo Centre (2001), 7.

Another aspect of biometrics privacy issues involves cultural or religious concerns. Some people believe that the control and use of any part of the human body is a violation of a basic moral tenet of their civilization, or of their own religious beliefs. Other people worry that giving a biometrics may reveal extremely personal informationfor example, whether an individual has a genetic disorder or HIV.

Also important is a general concern about the potential misuse of personal data, which would potentially violate both privacy and civil liberties. These views vary between countries and cultures and are reviewed extensively in Woodward (1997). ^[41] Simon Davies, executive director of Privacy International, believes that "We are on the verge of creating a biometrics system in which privacy and anonymity will vanish forever." ^[42] Some of us believe that protecting privacy in a "database nation" is the most pressing threat to liberty, particularly if there is a compulsory database encompassing everyone (e.g., national IDs with biometrics identifiers will mean constant surveillance).

^[41] J. D. Woodward, "Biometrics: Privacy's Foe or Privacy's Friend?" Proceedings of the IEEE , 85:9 (1997), 14801492.

^[42] W. Grossman, "Ever Feel You're Being Watched?" The Independent (May 14, 2003).

It is not the biometrics concept itself that is seen as a threat to individual rights and privacy, but rather, the potential danger that an unspecified third party would be able to access the data and use it for applications for which the owner had not given permission. This can be controlled by applying preventative measures including encryption and by not storing an actual image.