Biometrics for Network Security
Authors: Reid P.
Published year: 2003
Pages: 65-68/123

The Choice of a Biometric for Network Access

As seen in this chapter, each biometric was evaluated for its suitability for network security and scores were given for each characteristic. Figure 9-5 contains a graph showing all the individual graphs together. Here, it is very easy to see how a particular biometric performed relative to the other biometrics.

Figure 9-5. Scores for all biometrics.


It is clear from Figure 9-5 that the fingerprint biometric comes closest overall to the ideal. This is also what is being seen in the marketplace: fingerprint biometrics are clearly deployed more than any other type of biometric solution. The reasons for this are their overall general suitability for use and their robustness.


Conclusion

What we started in an earlier chapter as a general discussion on biometrics for network security has concluded with a choice of the best biometric for network security. This choice was based on the score that each biometric received based on the characteristics of an ideal biometric. While the iris biometric proved to be the most secure, and voice and face biometrics had the highest levels of user acceptance, it was the fingerprint biometric that offered the best overall solution.


Chapter 10. An Introduction to Statistical Measures of Biometrics

To know how well something performs, we must be able to quantify the performance. For automobiles, we measure gas consumption; for heating and cooling units, we measure effectiveness in British thermal units (BTUs). Biometrics have their own similar performance measures.

To know if a car is getting good fuel economy or if a heater or air conditioner is doing its job, we look at what the statistics mean. We then compare them to our expectations or some other accepted norm. At no time does knowing how the performance measure was calculated impact our ability to evaluate performance. Similarly, for biometrics, how a performance measure is calculated is of little value. There are exceptions to this statement, which will be discussed. In general, just knowing what a performance measurement means is sufficient. For our purposes, the statistical measures to be used for biometrics are:

  • FAR (False Acceptance Rate)

  • FRR (False Rejection Rate)

  • FTE (Failure to Enroll)

  • EER (Equal Error Rate)

A discussion of each statistical measure follows.


FAR

Definition

The FAR is defined as the probability that a user making a false claim about his/her identity will be verified as that false identity. For example, if Matt types Chris' user ID into the biometric login for Chris' PC, Matt has just made a false claim that he is Chris. Matt presents his biometric measurement for verification. If the biometric system matches Matt to Chris, then there is a false acceptance. This could happen because the matching threshold is set too high, or it could be that Matt's biometric feature is very similar to Chris'. Either way, a false acceptance has occurred.

The Simple Math

When the FAR is calculated by a biometrics vendor, it is generally very straightforward. Using our example, it is equal to the number of times that Matt has successfully authenticated as Chris divided by his total number of attempts. In this case, Chris is referred to as the "MatchUser" and Matt as the "NonMatchUser." The simple math formula for this looks like the following, where n represents a number to uniquely identify each user:

n = enrolleduser

n    value
1    Chris
2    Matt

NonMatchUser'(n) = NumberofNonMatchUserSuccessfulAuthentications

NonMatchUser(n) = NumberofNonMatchUserAttemptsToFalselyAuthenticate

FAR (n) = NonMatchUser'(n) / NonMatchUser(n)

For n = 1:

FAR (Chris) = Matt'(Chris) / Matt(Chris)

This gives us the basis for Matt and Chris. What if we have another user, David? We could say that Matt and Chris are representative of our user population and just assume that the FAR will be the same for David. Statistically, the more times something is done, the greater the confidence in the result. Thus, to ensure a high probability that the FAR we calculate is statistically significant, we would need to do this for every combination of users we have. We would need to take all the calculated FARs for each user's attempt to falsely authenticate as another, sum them up, and divide by the total number of users. For example, we could take the above formulas and do them over again for each user. We would eventually get something that looks like the following:

FAR (Chris) = (Matt'(Chris) / Matt(Chris) + David'(Chris) / David(Chris)) / 2

If we generalize the formula, we get:

n = enrolleduser

N = totalenrolleduserpopulation

NonMatchUser'(n) = NumberofNonMatchUserSuccessfulAuthentications

NonMatchUser(n) = NumberofNonMatchUserAttemptsToFalselyAuthenticate

n    value
1    Chris
2    Matt
3    David
4    Craig
5    Peter
.    .
.    .
N    Victoria

FAR (n) = NonMatchUser'(n) / NonMatchUser(n)

graphics/10inf01.gif
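The calculation described above, worked through on a constructed attempt log. This is an added example, not code from the book. The record layout, the function names and the sample counts are assumptions, as is the population-level average, which follows the text's description of averaging the per-user FARs.

```python
from collections import defaultdict

# Constructed sample data: (claimed identity, actual user, accepted?).
ATTEMPTS = (
    [("Chris", "Matt", False)] * 499 + [("Chris", "Matt", True)] * 1
    + [("Chris", "David", False)] * 247 + [("Chris", "David", True)] * 3
    + [("Matt", "Chris", False)] * 200
    + [("Matt", "David", False)] * 99 + [("Matt", "David", True)] * 1
    + [("David", "David", True)] * 50  # genuine attempts, not part of FAR
)

def pair_counts(attempts):
    """Map claimed -> impostor -> [successful, total] for false claims only."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for claimed, actual, accepted in attempts:
        if claimed == actual:
            continue  # a genuine attempt belongs to the FRR, not the FAR
        pair = counts[claimed][actual]
        pair[0] += int(accepted)
        pair[1] += 1
    return counts

def far_for_user(counts, claimed):
    """FAR(n): mean of NonMatchUser'(n) / NonMatchUser(n) over impostors."""
    ratios = [ok / total for ok, total in counts.get(claimed, {}).values()]
    return sum(ratios) / len(ratios) if ratios else None  # None: no data

def pooled_far(counts, claimed):
    """Alternative: all false accepts over all false claims against n."""
    pairs = list(counts.get(claimed, {}).values())
    total = sum(t for _, t in pairs)
    return sum(ok for ok, _ in pairs) / total if total else None

def population_far(counts, enrolled):
    """Assumed generalization: mean of FAR(n) over users that have data."""
    fars = [far_for_user(counts, u) for u in enrolled]
    fars = [f for f in fars if f is not None]
    return sum(fars) / len(fars) if fars else None

if __name__ == "__main__":
    counts = pair_counts(ATTEMPTS)
    for user in ("Chris", "Matt", "David"):
        print(user, far_for_user(counts, user), pooled_far(counts, user))
    print("population", population_far(counts, ["Chris", "Matt", "David"]))
```

The per-impostor mean weights Matt and David equally however many attempts each made, so it differs from the pooled ratio whenever attempt counts are uneven. A user with no recorded false claims yields no FAR at all rather than a FAR of zero.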


Why Is This Important?

The FAR matters because it reflects the strength of the matching algorithm. The stronger the algorithm, the less likely that a false authentication will happen. Matt has a greater chance of falsely authenticating as Chris at 1:500 than he does at 1:10,000. An example of this would be playing a ring-toss game. In this game, the object is to throw a ring onto a particular peg. The ring represents Matt's false authentication attempt. The number of pegs represents the strength of the biometric algorithm. The gameboard itself represents Chris' biometric enrollment. In the first case, there are 500 pegs on which to throw the ring. The peg that needs to be ringed for a winner is not marked. Thus, Matt has a 1 in 500 chance of hitting the right peg. Now, if Matt is playing the same game, but this time there are 10,000 pegs in the same area, Matt has a 1 in 10,000 chance of hitting the right peg.

Carrying this example further, Chris now needs to authenticate. He knows the layout of the board and which peg to toss his ring onto. He knows this because he is really who he says he is. In the first game, he is faced with 500 pegs. Chris knows which peg to toss his ring onto in order to get authenticated. There is a chance he could miss, but it is very low. If at any time Chris does not hit his peg, then he is falsely rejected. That is to say, he has not been authenticated as himself, even though he is Chris.
