6.2 Biometrics



Biometrics, once the domain of the James Bond style spy novel, is quickly gaining acceptance as an attractive addition to access control systems. Just recently, a report of a United Kingdom school employing iris scanning to account for student lunch purchases has come to light. If a public school in any country can afford and employ biometric authentication, we know that this technology has come of age.

As the earlier discussion of access control and passwords illustrates, it is difficult to attain reasonable authentication through the use of passwords alone. Good passwords are difficult for users to remember. Passwords that are difficult for users to remember are written down and compromised. Ideally, we would like an authentication system that is impossible to forge, steal, or give away to another user, but at the same time recognize user needs for quick and efficient access. Coincidentally, everyone carries with them a vehicle for such identification — their own bodies. Biometrics is an attempt to use an individual's own measurable and uniquely individual characteristics to authenticate their identity to a network. The most common example is the fingerprint used by police investigators to identify criminals and other individuals.

Virtually any element of a person's body or behavior can be used to facilitate biometric authentication as long as it is measurable, unique to the individual, and difficult to forge. Weight and height, for example, are not good biometric indicators because there could be tens of thousands of individuals around that are 6 ft 5 in. and 280 pounds. Worse still, someone willing to wear some platform shoes and lead weights in their pockets could fake such measurable characteristics.

Instead, we would like something like signature dynamics, which identifies individuals by the way that they sign their own names. While it might be easy to replicate a signature, replicating the way that a person signs his own name is much more difficult. The speed and pressure of the pen during the process of signing can be measured, so the measurable criterion is fulfilled; finding someone who signs the same signature in the same way when subjected to the exacting measurements of a computer is also difficult, satisfying the other two criteria of unique and difficult to forge.

No matter what a sales brochure states, biometric systems are not perfect. Biometrics can fail in one of two ways. They may, for example, reject someone who is authorized to use the system based upon a biometric identifier. When a biometric system rejects an authorized individual, that is known as a Type I error. When a biometric system accepts an unauthorized individual, that is known as a Type II error. Adjusting the sensitivity of the biometric reading device can modify Type I and Type II errors.

The tuning of biometric identification systems strives for a low CER (crossover error rate). This is the point where the number of Type I errors (false rejections) equals the number of Type II errors (false acceptances), and it is generally considered the most important element in determining the accuracy of a biometric system. A biometric system with a CER of 4 is better than another biometric system with a CER of 5, for example.

Tuning a biometric system by either reducing or increasing the sensitivity of the device is the perfect example of the conflicting needs of security and usability. If the Type I errors are too high, users become frustrated and administrative overhead increases. The security, however, errs on the conservative side and the number of false acceptances is lessened. Tuning the biometric system to not be so precise decreases the number of problems that legitimate users face by decreasing Type I errors, but increases Type II errors and the chance that someone who is unauthorized will gain access to the system. As a compromise, most biometric systems will also enlist two-factor authentication, which would require a PIN along with the biometric reading. Requiring a PIN and a not so exacting thumbprint decreases the chances that an unauthorized user will gain access to network resources.
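The sensitivity trade-off and the crossover point described above can be worked through on sample data. The following is an added example, not part of the original text: the match scores are constructed, and the 0-100 score scale, the accept-at-or-above-threshold rule, and the function names are assumptions made for illustration.

```python
# Constructed match scores (0-100) from a hypothetical fingerprint matcher.
# GENUINE: authorized users compared against their own enrolled template.
# IMPOSTOR: other people's samples compared against that same template.
GENUINE = [55, 62, 68, 71, 74, 76, 78, 80, 82, 83,
           85, 86, 88, 89, 90, 91, 93, 94, 96, 98]
IMPOSTOR = [12, 18, 22, 25, 29, 31, 34, 36, 39, 41,
            44, 46, 49, 52, 55, 58, 61, 64, 69, 73]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (type_i, type_ii) in percent; scores >= threshold are accepted."""
    type_i = 100.0 * sum(s < threshold for s in genuine) / len(genuine)
    type_ii = 100.0 * sum(s >= threshold for s in impostor) / len(impostor)
    return type_i, type_ii


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep the threshold; return (threshold, type_i, type_ii) at the first
    setting where the two error rates are closest (equal, if the data allows)."""
    best = None
    for t in range(0, 101):
        t1, t2 = error_rates(t, genuine, impostor)
        if best is None or abs(t1 - t2) < abs(best[1] - best[2]):
            best = (t, t1, t2)
    return best


if __name__ == "__main__":
    for label, t in (("lenient", 50), ("strict", 80)):
        t1, t2 = error_rates(t)
        print(f"{label:8} threshold={t}: Type I {t1:.0f}%  Type II {t2:.0f}%")
    t, t1, t2 = crossover()
    print(f"crossover threshold={t}: Type I {t1:.0f}% = Type II {t2:.0f}% (CER)")
```

On this data the strict setting rejects 35% of legitimate users while admitting no impostors, the lenient setting does the reverse, and the two error rates meet at 10%, which is this hypothetical matcher's CER.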

Biometric techniques vary and not all have equivalent crossover error rates. The list below identifies and describes some of the most common biometric methods in descending order of average accuracy.

  • Palm scans. It may not be intuitive that this is the most effective method of authentication, but the palm contains many unique identifiers for an individual. This includes the ridges, creases, and grooves on the palm. This also includes fingerprints for each finger. Based on this fact alone, it should be clear that a fingerprint for each finger, along with all of the other information that the palm contains makes it more accurate (lower CER) than the fingerprint alone.

  • Hand geometry. Unlike the palm scan, hand geometry refers only to the length and width of a person's hand and fingers.

  • Iris scan. Also one of the most socially acceptable methods of biometric identification, the iris scan is concerned only with the colored portion of a person's eye. The colors, rings, furrows, and corneas all create a unique identifier for each person. This is also popular because it requires only that people look at a camera, which can be located some distance away.

  • Retina scan. The retina is the back of a person's eye, and a retina scan matches information based on the blood vessels in the person's eyeball. To be able to access the back of a person's eye, the individual must place their eye against a specialized camera. This involves putting the eye right up to the same place where many others place their eyes. Thus, while it has a fairly low CER (which is good), it is also the least socially acceptable method of biometric authentication.

  • Fingerprint. Just like in the movies or in criminal forensics, the fingerprint is a unique identifier that identifies individuals based on the patterns, ridges, and crests of a person's fingerprint.

  • Voice verification. The pattern of a person's speech and other measurable differences in their voice allows individual identification based on speech.

  • Facial recognition. Ironically, one of the least accurate methods of individual identification is emerging as the way that we identify criminals and terrorists at airports and sporting events. This biometric control takes into account bone structure, nose shape, eyes, forehead sizes, and chin shapes.

  • Signature dynamics. This is more than just comparing a person's signature in a database. A static signature is fairly easy to copy. What is much more difficult is how a person signs his name. Signature dynamics records electrical signals on a sensor pad as a person signs his name, which is subsequently compared to a stored signature dynamic.

  • Keystroke dynamics. The encryption program SSH, when generating a person's private key, looks for some type of truly random input. To create this random input, a person is asked to type on their keyboard. As with signature dynamics, the way a person types is fairly difficult to mimic — even if the typed text is known in advance, it is difficult to replicate the timing of another person.

In addition to the accuracy of a biometric solution, user resistance must also be taken into consideration. Users generally avoid any solution they find particularly uncomfortable or intrusive. A common example is the retina scan. The actual execution of a retina scan requires users to place their forehead against a device to enable the reading of the retina information. Some systems require a small puff of air to be blown into the eye. Looking around the office now, you no doubt can think of a few people that you do not want your forehead sharing the same space with day after day.

Users will naturally prefer biometric authentication systems that are as unintrusive as possible. For example, an iris scan, while still involving the eye, can be performed from several meters away and requires only that the user look in the direction of the camera. Most of the time, this can occur without significant effort on the part of the user. Palm geometry testing, while requiring contact with a surface shared with others, is generally considered more acceptable than sharing a surface with other parts of the general public's anatomy.

Naturally, if biometric access controls are deemed necessary, you will be interested in a solution that combines a low error rate with high user acceptance. As mentioned, iris scanning, due to its very low intrusiveness, is considered the most acceptable by most users. Following this, keystroke dynamics and signature dynamics are the next most popular solutions for the simple reason that they both involve user characteristics that users are comfortable with sharing. Voice and facial recognition follow on the list of user acceptance, again due to the fact that a user's "space" is not invaded in order to take a measurement. Both of these solutions require a remote reading device that may be either a camera or a microphone. Not surprisingly, the lowest on the list of user accepted biometric readers are those that require actual physical contact. Unfortunately, these are also some of the most accurate methods of biometric identification other than the iris scan. Of the "shared physical space" solutions, the fingerprint and palm scan are the most accepted by users, followed by a hand geometry scan. The least accepted biometric identifier is the retina scan.

Ultimately, the choice of biometric identification is going to be a combination of not only accuracy and acceptance, but also price and availability. The above discussion serves only to guide you as you compare the products available for your situation.




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Cliff Riggs
