What Makes a Good Biometric?

A good biometric is defined in terms of:

• User acceptance

• Ease of use

• Technology costs

• Deployability

• Invasiveness of the technology

• Maturity of the technology

• Time it takes for the user to become habituated

Let's examine each of these criteria in more detail.

User Acceptance

The user acceptance of a biometric technology will decide the success of the biometric system. A user's acceptance of a biometric can be measured using quantifiable means. Quantifiable measures of acceptance are:

• Number of calls to help desk

• Number of attempted authentications

• Number of times fallback authentication mechanisms are used

Number of calls to help desk

From an initial evaluation, numerous calls to the help desk may be interpreted as a negative measurement. In actuality, a user who is making calls to the help desk may be trying to make the technology work. These users have accepted the technology and are trying to make it work, or are trying to evaluate the technology to see if it is acceptable. If the technology does not work, it is very difficult to assess its user acceptance. What we do know is that a user who calls the help desk frequently is either accepting of the technology or undecided. If the user does not support the technology, or feels that the technology is unacceptable, he/she would not call the help desk. These are the users who unplug their devices, disable the software, and never make their feelings known. These users are the hardest ones from which to get feedback. They have no vested interest in seeing the technology succeed, and thus experience no personal gain from its implementation. This type of user is difficult to quantify unless audit logs are used to look at the average number of user authentications. If a user has fewer than the average number, there is a great chance he/she is this type of user.

Number of attempted authentications

If the biometric technology being looked at has a central server or central reporting capability, the number of authentication attempts can be reported for each user. For analysis purposes, we will group users into three categories based on a population's average number of authentications for a given time period:

1. Below average

2. Average

3. Above average

Each of the above groups can be further divided into two result categories: success and failure. Let's examine each.

Below average

Before drawing conclusions from a below-average user, we need to eliminate external activities that may have reduced the user's average. The following questions need to be answered :

• Was the user away from the office during our time period?

• Is the biometric on his/her primary computing system?

• How long was the biometric installed and active on the user's computer?

• Is the user not logging out and locking his/her screens frequently?

Positive answers to the above questions could cause the collected data to be invalid and not a reliable measure of the user's acceptance of the technology. If the above questions do not explain the below-average number of authentications, then the number of failed versus successful authentications needs to be examined.

If there is a high number of successes to failures, then:

• The user may find the technology acceptable to use, but does not use his/her computer that frequently.

• The user may find the technology easy to use, but does not like using it.

• The user may not authenticate that often, but likes using the technology.

If there is a high number of failures to successes, then:

• The user may find the technology difficult to use, but is accepting of it.

• The user may not like using the technology, and this is leading to poor biometric interactions.

• The user does not accept the technology and is not trying to use the biometric properly.

In any of the above cases, the raw numbers alone are meaningless unless they are put into context. By looking at the above analysis, it could not be determined whether a user with a below-average number of authentications is accepting of the technology or not.

Average

A user with an average or near average number of authentications in a given time period is the easiest to analyze. To begin, first group the user's authentications into success and failures.

If the user is getting a higher number of successes than failures, it is very probable that the user is accepting of the technology. If the user is getting a higher number of failures than successes, it could be said that this user is accepting of the technology as well. If the user was not accepting of the technology, the user would have stopped trying to authenticate long ago. On the other hand, the user may have been undecided about the technology and trying to work with it. This user needs additional support and assistance. He/she needs to have every opportunity to decide if this is a technology he/she can accept.

Above average

A user with an above-average number of authentications for a given time period needs to have extra analysis applied. First, you should try to discover if any patterns exist in the user's audit trail. Things to look for include:

High number of sequential successes ”This is the easiest pattern to recognize. It is clear that the user is having great success with the biometric and, as such, is probably very accepting of the technology. It is wise to verify that the FAR is set to a meaningful level. While a lower FAR does not mean the user is more accepting, it could hide possible disenchantment in the future. For example, at the initial stages of a project, the FAR is usually set high so that the user experiences success, and thus high acceptance. However, when the biometric system is brought into production and the FAR is decreased, user failure may increase. This sudden change in ease of use could cause the user to have a change in acceptance toward the biometric. If the biometric system being used also provides the level of FAR that the user is authenticating at and it is equal to or lower than what is used in production, it is safe to assume this user is accepting of the technology.

High number of sequential failures followed by a success ”This user pattern would initially point to someone who would be less accepting of the technology due to a high number of failures per success. While this seems like a logical conclusion, other factors need to be examined. They include:

Did the user have a hard time in creating a reference template? ”The most important part of biometric authentication is the enrollment process. If the user has a good enrollment and template created, future authentications are much easier. If the user in question had difficulty in enrolling , then it is possible his/her reference template is difficult to match. This could have been caused by poor placement, different enrollment position versus verification position, or poor biometric traits. If the cause is poor placement or difference in position, then a re-enrollment may solve the problem and lead to better results. If the selected biometric trait is poor (e.g., worn-out ridges on fingers), a different biometric feature (e.g., a different finger) should be used.

In this situation, if the user is still keen to use the biometric and has continued with these issues, then he/she is probably accepting of the technology.

What FAR levels does the user reach when he/she is successful? ”If a user has long sequences of failures followed by a success, that can be an indication of suspicious behavior. If the successful authentication is at a very low FAR level, then the failures could be attributed to poor placement, lack of user's habituation, or the user having others try to authenticate for him/her. Any of these reasons would show that the user is accepting of the technology. Having a low FAR match means that the enrollment is good; the user has good biometric traits and can use the biometric device. It may mean that the user requires some additional remedial training.

If the successful authentication after all the failures is at a high FAR, then the user could have problems with his/her enrollment or placement, or have poor biometric traits. The resolutions for these problems were outlined earlier. It does show that the user is probably accepting of the technology. If he/she was not, the user would have complained or stopped using the technology.

Is this grouping of failures periodic or a one-time occurrence? ”If there is a pattern of failures, can it be accounted for? Do the failures occur at times when the user would be returning to his/her desk, in the mornings, after lunch , or just before leaving the office? If so, then the user may just be impatient and rushing to get authenticated. If a grouping seems to occur at times that would correlate to a user's coming from a different environment, then this could be the cause of the failures. For example, if a person is coming from a very cold and dry environment into a very warm and humid environment, this could cause problems with some biometric measurements. The user needs to be instructed on how to deal with these environmental changes. Once again, if the user still uses the technology and is not complaining, then he/she is probably accepting of the technology.

If the failures seem to be a one-time occurrence, then it is more than likely they happened during the user's habituation period. During this time, the user is getting used to using the device and tends to have a higher than normal FRR. If the frequency of this grouping of failures falls off during the sampled time period, no further action is required. If it does not, then additional remedial training may be in order. In this instance, it is clear that the user is accepting of the technology.

Number of times fallback authentication methods are used

As you will read later in the book, when conducting proofs of concept, pilots, and in the deployment phase, fallback authentication methods are often provided. These fallback authentication methods allow the user to continue functioning if his/her primary means of authentication fails. In our case, the primary means of authentication is a biometric. If the user in question is often using alternative methods for authentication, then the reasons need to be analyzed before it can be stated whether the user is accepting of the technology or not. Possible reasons for using alternate authentication methods may include:

User is not suitable for using the chosen biometric ”In any population, there is a fraction of the population (some say between 3% and 5% for a fingerprint biometric) that cannot use the chosen biometric. Some users do not have a physical trait that can be measured. For example, a small percentage of the population does not have fingerprints . Other times, the reason is psychological. This could include feelings of criminality, lack of trust in the technology, or religious beliefs. For others, the use of a biometric can be a challenge of dexterity. It does take a certain amount of coordination to place a finger or hand for scanning, or to position the head in front of a camera. For any of these reasons, a user may prefer using fallback methods of authentication. This is a user who would be classified as not accepting of the technology.

Lack of time and patience to become habituated ”In today's world of instant gratification, having to learn a new behavior or adapting to change is often resisted. This is also the case with biometrics. No matter how simple or straightforward the use of the technology is, there will always be those who will not use it. These users will not take the time to become habituated. They believe their current methods are adequate, and do not have the time to become accustomed to a new way of doing things. These users are not accepting of the technology. They may use the technology in the future if it is mandated , but they will never accept it.

Poor instruction in use ”No matter how simple and straightforward the technology appears, users will always require instructions. Some users will grasp the concepts of biometric use faster than others. Other users will require hand-holding and remedial-level instructions. A three-step approach is used to help the user fully understand the technology:

1. Formal instruction ” We all learn in different ways. The first way we learn something new is from use and experimentation. We will look at something, try to figure it out, and then use it. We may become quite proficient, but there will always be gaps in our learning. Formal instruction fills in the gaps. In formal instruction, users will be shown the basic use of the technology, which most have already mastered. There will be finer points that can be gleaned from this. At some point during the training, the user will feel re-enforced by what he/she is learning, or realize that there is more to learn. Normally, this training is rushed and does not afford the user much time to absorb the information and formulate questions. This training lays the groundwork for the user to begin using the technology. If this step is missed, the user may not enjoy as great a success as would otherwise be possible. There will always be doubt that he/she is doing things correctly. This personal lack of confidence can translate into a lack of acceptance of the technology.

2. Desk visits ” Nothing will garner more information from a user than showing up at his/her desk. First, the user will appreciate the time you are taking for the one-on-one visit. The user will also be more likely to ask questions that either he/she had from before, but did not feel comfortable bringing up in class, or has since formulated. Either way, being there to answer these questions directly with the user will raise the likelihood of his/her acceptance of the technology. In addition, a desk visit can also reveal how the user is interacting with the technology and uncover any potential problems that can be corrected or avoided. If the user had no follow-up after class and he/she does have issues, the user may feel that he/she is not smart enough to use the technology, and thus may not want to use it.

3. Leave-behind material ” After visiting the user at his/her desk and giving one-on-one attention, leaving behind a simple, easy-to-follow pamphlet is very important. The user will feel that there is still a place to go to for answers, and the supplied number on the pamphlet will connect the user with someone who understands what a biometric is and the issues the user may be facing . It is interesting that this section is not referred to as take-away material. Take-away material from courses is very rarely ever referenced again. A good, easy-to-read pamphlet will get used numerous times. This pamphlet can, in some ways, be the user's security blanket . This pamphlet will describe the basic use and goal of the technology. It will answer basic questions and, most importantly, it will provide the telephone number of a biometric expert. This type of reassurance for the user will greatly increase his/her acceptance of the technology.

Frequent failure of the biometric hardware ”It is unfortunate when hardware fails, but it is a fact of life just like anything else. There will be bad devices in any shipment received. The percentage of these should be low if the biometric company is reputable and its product is mature. If there are continuous failures of the technology, the user will lose confidence in the system, and will be less likely to accept the technology. All biometric equipment should have gone through some sort of burn-in. During this burn-in process, electronic components have a chance to adjust to their operating environment. They will also do this through normal expansion and contraction from use. It is at this point that most failures will be found. Some hardware failures are caused by users; for example, it is known that capacitive fingerprint technology does not like electrostatic discharge . So, a user who wears lots of wool and works in a low-humidity, carpeted environment should probably ground him/herself before using such a device. Also, some biometrics that rely on camera technology do not perform well with sudden changes in contrast or very bright lights. Every effort should be made to use the devices in accordance with the vendor's operating instructions. At the same time, daily use should not cause premature failure of the device. If a user does experience frequent hardware failures, he/she will be less accepting of the technology.

Ease of Use

The success of any technology depends on its ease of use. If a technology is difficult to use, consumers will not buy it. Companies wanting to have successful products have spent considerable time and resources in this area. For biometrics, the three areas that need to be addressed in terms of ease of use are:

• Ergonomics

• FRR

• Biometric software

Ergonomics

Companies define their products' ease of use in terms of ergonomics. Ergonomics describe the relationship of human interaction to the use of a product. Ergonomics in biometrics place a large emphasis on ease of use. A biometric device that does not work smoothly with the human form will find itself quickly collecting dust on a shelf. The ergonomic properties that a device needs to exhibit vary from device to device and what biometric measure is being used. In general, a device must use natural human interaction to get its measure. For example, a fingerprint reader must not require the user to rotate his/her hand in such a way that is not natural. A face recognition camera must not require the user to extend his/her neck so that the face is greatly separated from the body.

FRR

Another aspect of ease of use is the FRR of the biometric system. If the biometric algorithm being used causes a high FRR, then the user will not find that system easy to use. It will require the user to make a higher number of biometric attempts to get authenticated. This will lead to user frustration and lack of acceptance.

Biometric software

Another aspect of any biometric system is the software that controls the biometric device. If the software the user needs to interface with is not easy to use, then ease of use for the user will suffer. For example, if the software that captures the biometric image does not provide some sort of feedback to the user, the user will find it more difficult to present his/her biometric. In this case, the user will be "flying blind" in presenting the biometric. Conversely, if the software provides too much feedback, or is too exacting in its requirements for acquisition, this too can decrease ease of use.

Technology Cost

No matter how easy a biometric is to use, it will never get deployed if it is too costly. The technology cost of a biometric system is made up of the following:

• Device cost

• Deployment costs

• Support

Device cost

The cost of a biometric device varies depending on the type of biometric being measured. The cost of a biometric device can also vary within the same type of biometric. Depending on the features and functionality offered , that variation in price can be upwards of 100%. A good biometric device will provide the most functionality for the cost. Any company purchasing a biometric device should examine what features are really required. For example, does your biometric application need alive -and-well detection? Does the biometric application require a trusted device? The choice of device is a tradeoff between security features and the cost of the device. If you are securing a corporate phonebook application, you will probably require a level of device different from securing the company's trade secrets.

A good device in terms of cost will meet the requirements of the application, and not break the budget for the project.

Deployment costs

Once a biometric device has been selected and the software prepared, the device and software still need to be deployed. Depending on the biometric device and software selected, desktop hardware may need to be distributed, software pushed to the desktop, and possibly, servers may need to be installed. These soft costs are often overlooked in the selection of a biometric solution. Even if the hardware itself was affordable, the cost of deploying it could be a limiting factor.

A good biometric solution will allow for a cost-effective deployment of the hardware and software.

Support

Once the hardware and software have been deployed, there is the cost of supporting the installation. If the device is prone to failure, or generates a high level of FRR, then the costs associated with supporting it will be high. The users will be calling the help desk for support. Also, if the biometric is not reliable, then the users will need to use fallback methods of authentication. These failures and costs of support will greatly decrease the expected return on investment (ROI) of the biometric solution. Cost-cutting on the hardware and software choices during the selection stage can cause greater support costs in the end.

A good biometric solution will be easy to support and allow flexibility in choice of hardware and software.

Deployability

Before a final decision is made on the hardware and software, another factor needs to be taken into account. The deployability of the solution is where the rubber meets the road. If the proposed solution is affordable, and is accepted by the users, it still may not be feasible if it is not deployable . The deployability of a solution is determined by:

• Device size

• Environmental conditions

• Infrastructure requirements

• Minimum client/server system requirements

• Deployment methodology supported by the hardware and software selection

Device size

As anyone who has walked around corporate offices will tell you, the real estate allotted per employee is dropping. This also impacts the size of the desk or office an employee has. Having to deploy a device that requires a great deal of desk or office space is not feasible. Also, the close proximity of the employees to each other can cause some biometric devices not to function optimally. For example, a hand geometry device requiring a large amount of space may not be practical to deploy on a small, crowded desktop. A voice recognition system that requires lower levels of ambient noise may not work well in a crowded trading-floor environment.

Therefore, a good biometric device is subject to the size that can be accommodated in the user's environment.

Environmental conditions

The environment in which a user works may not be conducive to certain types of biometric devices. As seen earlier, voice recognition devices do not operate well in areas with high ambient noise. Some user environments are also influenced by temperature or humidity. In too cold/hot or too humid/dry conditions, the choice of device is affected. At the same time, certain floor treatments and humidity levels may cause a great deal of static electricity to develop. In these environments, biometric devices with exposed sensors or devices not having electrostatic discharge protection may find themselves on the receiving end of over 35,000 volts from crossing a carpet with low air humidity.

The type of work being performed by the user can also generate environmental effects on a biometric device. For example, factory workers who have high grease and solvent content on their hands are not good candidates for hand-based biometrics. A clean room also poses problems for a number of biometric devices. How does one get a biometric measure from someone wearing a " bunny suit"?

A good biometric device will take into account the working environment and jobs of the end-users.

Infrastructure requirements

A biometric system can be made up of more than device and software. It can also rely on existing corporate infrastructure or require a company to implement new infrastructure. For instance, if the chosen biometric system requires backend server authentication, server hardware needs to be provided or procured. The backend data store that the biometric system will need to utilize must therefore be ascertained. Will it be an LDAP directory or a relational database? Does the company already have one or both of these in place? If not, which one will the company put into place? The need to put in new infrastructure will not only increase costs through capital expenditures, but also through ongoing support and maintenance.

A good biometric system would utilize the existing corporate infrastructure.

Minimum client/server system requirements

Most companies go through a technological refresh every three to four years . At this time, the company will acquire state-of-the-art technology to carry it through to the next technology refresh. The chosen biometric system not only needs to clearly state what its minimum system configuration is, but also what is actually usable. For example, many operating system manufacturers list minimum operating requirements. However, these minimum operating system conditions are at times barely sufficient to load the operating system. At the same time, a biometric system may list very modest requirements. Once testing is done, it may be shown with use that the biometric system works on its minimum requirements, but that it actually takes longer to authenticate. This may not be acceptable to the end-users.

A good biometric system will provide adequate performance on the previous year's state-of-the-art technology. This way, most corporations are either one year behind this minimum or are approaching a technology refresh.

Deployment methodology supported by the hardware and software selection

Once it is time to deploy a biometric system, it is unlikely that an entire corporation can be rolled out all at once. In later chapters in the book, a proper planning process is presented. For the purposes of this discussion, it is safe to say that total rollout is not achievable in a timely fashion, nor would it be prudent to attempt one. A phased or staged rollout carries the lowest risk and is the most successful. During a staged rollout, your company will be operating in three different environments. The first will be the status quo, or no biometric system in place. The second will be a hybrid of old and new. Lastly, your company will be at total rollout. The three phases can be viewed from the perspective of a company, a line of business, or a location. The choice of rolling out company-wide, by a line of business or by geographic region, should not be dictated by the technology.

A good biometric system will allow for a flexible deployment of the solution based on the methodology that is best for the company and its users.

Invasiveness of the Technology

From a user's perspective, a good biometric device will not be invasive to use. The invasiveness of a device can be viewed from the technology used to measure the biometric or the level of involvement required by the user.

The technology used to measure the biometric trait can cause invasiveness for the user. For example, a camera used to get a fingerprint is less invasive than using a camera and light to get a retina scan. Users tend to view scans of internal biometrics as more intrusive in nature than external measurements. This is normally because the technology required to scan these biometrics is more invasive.

The level of involvement of the user in the biometric system can also influence the perception of invasiveness. A biometric that a user needs to submit to can be viewed as less invasive than one that can be taken from the user. For example, finger, hand, iris, retina, and vein require the user to actively submit to the measurement. Biometrics like voice, face, and gait are seen as more invasive. This type of invasiveness is not so much concerned with the mechanics of gathering the biometric measurement, as with the loss of control over the user's biometric measures.

Thus, a good biometric would be one that is not invasive when used or when a user's biometrics are measured.

Maturity of the Technology

When selecting a biometric system, one needs to look at the time a biometric has had in the market. It is reasonable to assume that the more mature and market- tested a biometric technology is, the better it will be to use. In general, this is the case. Each successive generation of biometric technology has improved. For some, improvement has come in the methods used to measure a biometric trait, the size of a device, the cost of a device, or ergonomics. These advances are always going to happen from year to year. At what point does the buying decision occur? Does the company wait for next year's technology before purchasing? The answer depends on the application. If the biometric trait that is to be used for measurement already has a proven and reliable device, then this is the one to buy. The cost of the device may decrease if manufacturing improvements are made, but it may also increase in price if functionality is added.

When looking at the maturity of the technology for a good biometric, the buyer must remember that the technology needs to be proven, mass-produced, and not in an initial release stage.

Time It Takes for a User to Become Habituated

The ongoing success of a biometric system will depend on the user populations becoming habituated. By becoming habituated to the technology, the user's comfort level increases , as does the user's productivity. The selection of a biometric device can influence if and how quickly this habituation occurs.

Biometric systems that are ergonomic, easy to use, and mature tend to encourage the users to become habituated more quickly than ones that are uncomfortable, not easy to use and immature. Certain features of different biometric devices can aid in this. For example, a fingerprint scanner with a large surface area will allow a user to get accustomed to using it sooner than one with a smaller imaging area. A face biometric system that does not require the user to sit as still as another will allow the user to get used to it quicker.

A good biometric, then, will have features and ergonomics that will aid the user in becoming habituated.