Biometric Identification and Authentication


Biometric identification and authentication solutions are based on pattern-recognition mechanisms for determining the authenticity and credibility of a living person's physiological or behavioral characteristics. This means using proof of the physical properties of a human being: a person is identified by answering "Who am I?" and authenticated by verifying "Am I whom I claim to be?" Biometric solutions are classified based on a variety of physical and behavioral characteristics. The physical characteristics include fingerprint scan, hand-geometry measurement, facial recognition, retinal scan, iris scan, and DNA verification. The behavioral characteristics include voice recognition, signature verification, and keystroke recognition. Biometrics based on physiological characteristics are considered the most reliable because those characteristics remain unaltered unless there is illness or severe physical injury. Biometrics based on behavioral characteristics are less reliable because those characteristics change with a person's stress or health condition.

Fingerprint-based identification and authentication are the oldest methods and are becoming more widely accepted in the IT industry to provide logical access control for security-sensitive systems and applications. Throughout this chapter, we discuss the fundamentals of fingerprint matching and how to make use of fingerprint-based biometric verification solutions.

Understanding the Biometric Verification Process

In a typical biometrics solution, a user submits multiple biometric samples (physiological or behavioral characteristics) during the enrollment process that can be identified or recorded using a biometric acquisition device. The multiple samples are acquired and processed to extract the unique features used to create a reference template. The reference template is the equivalent of a user's password. Given only a reference template, it is practically impossible to reverse engineer and reconstruct the original biometric sample, nor do any two reference templates relate to or match each other.

During an identification or authentication process, the user submits a biometric sample that is processed into a template and matched against the stored reference templates. The template match is not required to be 100%. The biometric verification process does not directly produce a success or failure result; instead, the outcome is usually decided by a matching score that must exceed a predefined threshold limit. If the matching threshold is set too low, the system is considered highly prone to impersonation; if it is set high, the system is considered robust against impersonation and fake claims.

Figure 15-3 illustrates the biometrics enrollment and identification process.

Figure 15-3. Biometrics enrollment and identification process


Identification and Authentication

The biometric verification process is usually carried out in one of two modes: identification and authentication. In the identification mode (one-to-many), the acquired biometric sample is matched against all the reference templates stored in a biometric template repository. In the authentication mode (one-to-one), the acquired biometric sample is matched against a particular individual's reference templates obtained during enrollment.

Fingerprint Matching

A fingerprint consists of a series of furrows (shallow trenches) and ridges (crests) on the surface of a finger. The uniqueness of a fingerprint is determined based on the patterns of ridge-ending, bifurcations, divergences, and enclosures. These patterns are referred to as minutiae points, or typica (see Figure 15-4). A typical fingerprint can show from 30 to 40 minutiae points. A typical fingerprint template size ranges from 250 bytes to 1.2 Kbytes.

Figure 15-4. Sample fingerprint with minutiae


Fingerprint matching is usually done based on two common approaches: minutiae-based and correlation-based. In the minutiae-based approach, a fingerprint is identified with minutiae points and their relative placement on the finger is mapped (see Figure 15-4). In the correlation-based approach, the matching is done on the entire representation of the fingerprint based on location point. The minutiae approach is commonly adopted by most fingerprint scanner vendors.
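The following is an added example, not code from the book or from any scanner vendor, showing the essence of the minutiae-based approach described above: two minutiae sets (position, ridge angle, and type of each point) are compared by their relative placement, and the fraction of points that pair up within a distance and angle tolerance becomes the matching score. It assumes the two sets are already aligned to the same coordinate frame (real matchers first estimate a rotation and translation), and the minutiae coordinates below are constructed for illustration rather than taken from a real fingerprint.

```python
import math

# A minutia is recorded as (x, y, ridge_angle_degrees, kind), with kind being
# "ending" or "bifurcation". All coordinates below are constructed sample values.

def minutiae_match_score(reference, probe, dist_tol=8.0, angle_tol=15.0):
    """Similarity in [0, 1] between two pre-aligned minutiae sets.

    Each reference minutia pairs with at most one probe minutia of the same kind
    lying within dist_tol pixels and angle_tol degrees, nearest pairs first.
    The score is the number of paired minutiae over the size of the larger set,
    so a probe that is missing or adding points is penalised, not just a probe
    whose points are displaced.
    """
    if not reference or not probe:
        return 0.0
    candidates = []
    for i, (rx, ry, ra, rk) in enumerate(reference):
        for j, (px, py, pa, pk) in enumerate(probe):
            if rk != pk:
                continue
            d = math.hypot(rx - px, ry - py)
            # Wrap-around difference so 359 vs 1 degree counts as 2 degrees.
            da = abs((ra - pa + 180) % 360 - 180)
            if d <= dist_tol and da <= angle_tol:
                candidates.append((d, i, j))
    candidates.sort()                       # greedy one-to-one pairing, closest first
    used_ref, used_probe = set(), set()
    for _, i, j in candidates:
        if i not in used_ref and j not in used_probe:
            used_ref.add(i)
            used_probe.add(j)
    return len(used_ref) / max(len(reference), len(probe))


def is_match(reference, probe, threshold=0.6):
    """Decision step: the score must reach the configured threshold."""
    return minutiae_match_score(reference, probe) >= threshold


# Constructed reference template with five minutiae.
REFERENCE = [(10, 10, 30, "ending"), (40, 12, 90, "bifurcation"),
             (25, 40, 180, "ending"), (60, 55, 270, "ending"),
             (80, 20, 45, "bifurcation")]
# Same finger re-scanned: small positional and angular jitter, one minutia not captured.
GENUINE_PROBE = [(12, 9, 33, "ending"), (38, 14, 85, "bifurcation"),
                 (27, 41, 176, "ending"), (81, 22, 48, "bifurcation")]
# A different finger: same number of minutiae but different placement and angles.
IMPOSTOR_PROBE = [(15, 60, 10, "ending"), (50, 50, 120, "bifurcation"),
                  (5, 5, 200, "ending"), (70, 80, 300, "ending"),
                  (90, 90, 0, "bifurcation")]

if __name__ == "__main__":
    print("genuine :", minutiae_match_score(REFERENCE, GENUINE_PROBE), is_match(REFERENCE, GENUINE_PROBE))
    print("impostor:", minutiae_match_score(REFERENCE, IMPOSTOR_PROBE), is_match(REFERENCE, IMPOSTOR_PROBE))
```

Note that the impostor probe contains a point only 7 pixels from a reference minutia; it is rejected because its ridge angle disagrees, which is why matchers compare angle and type as well as position.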

Accuracy of a Biometric Verification Process

There are several factors and trade-offs that affect the biometric enrollment and verification process in terms of physical condition, positioning, location, weather, injury, biometric device condition, and so forth. These factors influence the accuracy of the biometric verification process because the submitted samples may match incorrectly or fail to match with the reference templates. The accuracy of a biometric verification system is usually measured in terms of the concepts outlined in the following sections.

False Non-Match Rate (FNMR) or False Reject Rate (FRR)

The FRR reflects the probability that a biometric system will falsely reject a legitimate person and deny access to the restricted resource. This problem occurs when the submitted biometric information falls below the accepted threshold score. This can also occur due to the physical condition of the person's unique features at the time of submission. FRR is considered a Type-1 error.

False Acceptance Rate (FAR) or False Match Rate (FMR)

The FAR reflects the probability that a biometric system will falsely recognize an impostor as a verified person and grant them entry. This problem is usually controlled by setting a high matching-score threshold, which lowers the FAR and results in better security. FAR is considered a Type-2 error.

Failure to Enroll (FTE)

The FTE is a lack of unique features or sufficient biometric data to identify and enroll a person into a biometric verification system. If the fingerprint technology requires 200 minutiae points to enroll a person and a person requiring enrollment is only able to produce 190 minutiae points, this would cause an FTE issue. For example, construction workers use their hands for heavy work, which often leaves fingerprints worn down or obscured. In such cases, a manual system must be in use for those who cannot enroll in the system.

Crossover Error Rate (CER) or Equal Error Rate (EER)

The CER is the rate at which the FAR and FRR are equal to each other. It is important to strike a balance between the FAR and FRR so that we do not set a high threshold to lower the FAR but end up affecting legitimate persons through a higher FRR.

Ability to Verify (ATV)

This defines the probability of the overall accuracy and performance of a biometric verification system. It is a combination of FTE and FRR, which provides the total percentage of persons successfully authenticated for access to a restricted resource. The lower the ATV, the greater the accuracy and reliability of the authentication. A higher ATV results in high FMR, which decreases the reliability of the verification. ATV can be computed as follows:

ATV = (1 - FTE) * (1 - FRR)
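The trade-off between FAR and FRR, the CER/EER where they meet, and the ATV formula can all be computed from a set of matching scores collected during an evaluation. The block below is an added example (not the book's code) that sweeps the threshold over two constructed score lists, one from genuine attempts and one from impostor attempts, and reports the rates at each threshold; the score values are illustrative and not measurements from any real system. It goes slightly beyond the text by also picking the lowest threshold that satisfies a FAR ceiling, which is how an operating point is chosen in practice.

```python
# Constructed matching scores in [0, 1]. In a real evaluation these come from
# many genuine and impostor trials against enrolled reference templates.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.58, 0.52, 0.47, 0.43, 0.40, 0.36, 0.31, 0.27, 0.22, 0.15]


def far(impostor_scores, threshold):
    """False Acceptance Rate: fraction of impostor attempts at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Reject Rate: fraction of genuine attempts that fall below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, steps=100):
    """(threshold, FAR, FRR) for evenly spaced thresholds from 0.0 to 1.0."""
    rows = []
    for k in range(steps + 1):
        t = k / steps
        rows.append((t, far(impostor_scores, t), frr(genuine_scores, t)))
    return rows


def equal_error_rate(genuine_scores, impostor_scores, steps=100):
    """Approximate CER/EER: the first threshold where FAR and FRR are closest,
    and the mean of the two rates there."""
    t, a, r = min(sweep(genuine_scores, impostor_scores, steps),
                  key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_max_far(genuine_scores, impostor_scores, max_far, steps=100):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR paid for it.
    Raising the threshold lowers FAR (fewer impostors accepted) at the cost of FRR."""
    for t, a, r in sweep(genuine_scores, impostor_scores, steps):
        if a <= max_far:
            return t, a, r
    return 1.0, 0.0, 1.0   # nothing is ever accepted


def ability_to_verify(fte, frr_value):
    """ATV = (1 - FTE) * (1 - FRR), the formula given in the text."""
    return (1 - fte) * (1 - frr_value)


if __name__ == "__main__":
    for t, a, r in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, steps=20):
        print(f"threshold={t:.2f}  FAR={a:.2f}  FRR={r:.2f}")
    print("EER (threshold, rate):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("operating point for FAR <= 0:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
    print("ATV with FTE=2%, FRR=10%:", ability_to_verify(0.02, 0.10))
```

With these constructed scores the two distributions overlap between 0.55 and 0.58, so the EER sits at about 10%; forcing FAR to zero pushes the threshold to 0.59 and costs one genuine user in ten, which is the balance the CER discussion above warns about.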

Architecture and Implementation

The architectural principles of biometric authentication are quite similar to smart card-based access control solutions. To enable biometric-based identification and authentication for physical and logical access control, the implementation model differs based on the technology options and the different approaches meant for representing the biometric samples, such as fingerprints, face (facial profile), hand geometry (shape of the hand), iris scan (colored ring of the eye), retina scan (blood vessel pattern), and others. Each option and approach has its own complexities and limitations.

The architecture is greatly influenced by the biometric environment-specific characteristics and dependencies in terms of biometric sensors to use, verification accuracy, client application type (Web-based, rich client, or desktop login), platform implementation (Java or Microsoft), and host environment (UNIX or Windows). More importantly, the architecture and implementation for enabling biometrics for physical and logical access control do not differ much from each other. This means the infrastructure components can be used for both physical and logical access in restricted locations and buildings, computers, sensitive business applications, and so forth.

In this section, we will discuss the architectural strategies for enabling biometrics-based authentication for controlling access to J2EE-based applications and desktop login for host systems such as UNIX and Windows workstations. We will use fingerprint matching as the technology of choice in our architecture discussion.

JAAS plays a vital role in incorporating biometric technology-based authentication in a J2EE environment. PAM and GINA modules enable implementation of biometrics-based desktop login in UNIX and Windows environments, respectively.

Let's take a closer look at the logical architecture and the infrastructure components necessary for building the biometrics-enabled J2EE architecture.

Logical Architecture

Figure 15-5 represents a logical architecture showing a fingerprint-based biometric authentication infrastructure involving J2EE applications, Solaris, Linux, and Windows environments.

Figure 15-5. Fingerprint-based biometric authentication: logical architecture


Let's explore the logical architecture in terms of its infrastructure components and its role in enabling fingerprint technology-based authentication.

Fingerprint Scanner

A fingerprint scanner device scans the surface of a finger and identifies the patterns of the fingerprint in terms of valleys, ridges, ridge-ending, bifurcations, divergences, and enclosures. Using a device driver, the fingerprint scanner integrates with a computer by way of USB, Ethernet, or serial interfaces. The scanned fingerprint image is converted to a biometric template as part of enrolling a person's biometric profile, verifying against an existing template, or searching for a match against other templates. Because fingers can be soft, dry, hard, dirty, oily, or worn, it is important that the scanner is able to scan any fingerprint with a high degree of accuracy. There are a variety of devices that can acquire a fingerprint image; the most popular devices are optical scanners and capacitance scanners.

  • Optical Scanner: Optical scanners are based on mechanisms quite typical of digital camera technology, which makes use of a charge-coupled device (CCD). The CCD is an array of light-sensitive photosites that generate an electrical signal in response to light. The photosites record the pixels once light is flashed on the surface of a finger. The pixels represent the digital image of the scanned surface of the finger. The scanner also checks the captured image for adequate image definition; if the image is not dark enough, it rejects the image and attempts to scan it again.

  • Capacitance Scanner: Capacitance-based scanners are sensors built from capacitors that use electrical current. The capacitors make use of two conductor plates insulated from each other. They are connected to an electrical circuit built around an inverting operational amplifier. As with any other amplifier, the inverting amplifier alters the supplied current based on fluctuations in another current. When a finger is placed on the scanner, the surface of the finger acts as a third capacitor plate, insulated from the others by a pocket of air. Capacitance-based scanners capture a fingerprint image as peaks and valleys that affect the electrical current. When a finger is placed on the scanner, only the peaks make contact with the scanner surface. Capacitors under the peaks thus have a higher capacitance, and the capacitance is lower under the valleys because of the air pockets. Based on this difference, an image is electrically acquired.

Some fingerprint scanners provide an Ethernet interface that allows an IP address to be assigned to them. Using Ethernet-interface based scanners helps to identify the IP address and verify the initiating host machine and its domain. This also helps determine whether the user at that host machine is privileged to access the resource. In addition, the scanner communication can be secured using the SSL/TLS protocol with the certificate and keys stored in the scanner itself.

Biometrics Enrollment and Authentication System

The biometrics enrollment and authentication system is provided by a biometric vendor and facilitates enrollment, authentication, management, and integration with directory servers.

  • The enrollment system is responsible for registering the personal identification information, including multiple biometric samples of a person. All enrollment information entries are stored in an underlying directory infrastructure. The enrollment process is carried out by an enrollment officer who is authorized to register users, assign biometric scanners, set up roles and policies, and manage enrollment and termination of users.

  • The authentication system is the biometric verification engine responsible for verifying an identity by matching the newly acquired image with the reference template stored in the directory. The authentication is termed successful if the matching score exceeds the predefined threshold limit. If the score is below the threshold, the authentication is considered unsuccessful. The authentication server is also responsible for monitoring and logging login attempts, access granted or denied, and user and machine information. All communication between the authentication system and the biometric scanner makes use of SSL/TLS protocols, which ensures the data transmitted is secure and tamperproof. The authentication server typically works as a security provider infrastructure for its target resource, which can be a network environment or business applications based on J2EE or Microsoft environments.

Browser Plug-in (for Web Clients)

To support Web browser-based client authentication, it is necessary to use a browser plug-in that allows interacting with a biometric scanner to acquire biometric samples (such as fingerprints). Most biometric vendors make use of plug-ins based on Java, Mozilla, or Microsoft Active-X technologies to support popular Web browsers. The plug-in may also implement native interfaces to integrate biometric scanners. The browser plug-in helps represent authentication callbacks and prompts the user for biometric samples during the authentication.

PAM Module (for UNIX Applications and Desktop Login)

To support UNIX applications and desktop login, most biometric vendors provide PAM modules for enabling biometric authentication. PAM-based biometric authentication modules can be configured to enable biometric authentication service for PAM-aware applications and the desktop environment (such as CDE, KDE, GNOME, and JDS). Refer to your UNIX provider administration guide for more information on configuring PAM modules.

GINA Module (for Windows Environment)

To support the Windows environment, most biometric vendors provide GINA modules that allow Windows Login using biometric authentication. Replacing the Microsoft-default GINA with biometric authentication-based GINA library enables biometric authentication in a Windows environment.

J2EE-Compliant Application Server

To enable biometric authentication, the J2EE platform requires an appropriate JAAS LoginModule that encapsulates the authentication mechanism provided by a biometric authentication server.

JAAS LoginModule (for J2EE and Java Applications)

To support biometric authentication for J2EE and Java applications, most vendors provide JAAS LoginModules. As we discussed earlier in this chapter, JAAS facilitates a pluggable authentication framework that allows incorporating authentication mechanisms in a Java or J2EE environment. JAAS LoginModules can also be built by encapsulating the BioAPI or custom Java APIs provided by most biometric authentication vendors.

Operational Model

The operational model of biometrics-enabled security architecture has a lot in common with smart card authentication solutions. Let's take a look at the different life-cycle operations such as biometric enrollment, authentication, and termination.

Biometric Enrollment and Termination

To enroll a user, the person to be registered must first provide the biometric samples and then personal and demographic information. The entire enrollment process is usually carried out by a designated enrollment officer who is authorized to acquire biometric samples. Before enrollment, all required personal information, such as a digitized photo, address for communication, driver's license information, business responsibilities, and so forth, must be collected and stored in a user directory (such as LDAP or RDBMS); this is part of the biometric enrollment process.

Figure 15-6 shows the fingerprint-based biometric enrollment process using BiObex.

Figure 15-6. Biometric enrollment process using BiObex (Courtesy: AC Technology, Inc.)


During enrollment, the system associates the biometric samples of a person (such as fingerprint images or face geometry) with the other personal information stored in the directory. Multiple samples may be acquired based on the biometric technology in use (for example, for fingerprint-based authentication, usually all fingers from both hands will be acquired). The acquired biometric samples are processed using relevant algorithms and then converted to a template format (referred to as a reference template). The enrollment system securely stores the templates in a directory. Once complete, the enrollment officer assigns the user to the privileged machines, scanners, and applications, specifying biometric authentication for that user. The enrollment officer also activates the user's access control privileges, roles, and the authorized actions specific to the user's business responsibilities. This completes the user enrollment process with a biometric-enabled authentication system.

To terminate the user, the enrollment officer deactivates the user access by disabling the user account, scanner entry, and associated privileges so that no further authentication can be done using the assigned scanner (for example, the fingerprint scanner submission of images will no longer be accepted). The user's privileges can also be temporarily revoked if the user's biometric samples do not match after multiple attempts to obtain a match are made. A revoked user account cannot be accessed without the intervention of an enrollment officer.

Biometric Authentication Process

Let's consider a working scenario, assuming that a JAAS LoginModule for biometric authentication is installed and configured as the default authentication service for all the applications deployed using a J2EE application server. To support biometric authentication, the biometric authentication server and directory server are also installed as coexisting applications. All users entitled to access the J2EE applications are enrolled by providing their biometric samples, which are stored as reference templates. When a user attempts access to a protected application using a Web browser, the JAAS LoginModule initiates authentication. During authentication, the client prompts the user to submit the required biometric samples using the assigned biometric scanner. The biometric authentication server authenticates the user by processing the acquired image(s) (such as a fingerprint) and matching them with the reference templates. Based on the matching score, the authentication server may allow or deny access to the requested application or resource.

Let's take a look at the core details of the authentication process using the sequence diagram shown in Figure 15-7.

Figure 15-7. Biometric authentication for J2EE applications: sequence diagram


Figure 15-7 represents the sequence diagram for the biometric authentication process in a J2EE environment and identifies the key participants and their activities. The key steps involved in the process are as follows:

1. The Client requests access to a protected J2EE application using a Web browser.

2. The J2EE application verifies the request using the JAAS LoginModule and then initiates authentication by forwarding the request to the biometric authentication server.

3. The authentication server initiates a biometric callback.

4. The client provides the biometric sample in the assigned biometric scanner and submits it for authentication.

5. The authentication server verifies the biometric sample by matching it with the reference template acquired during the enrollment process.

6. If the matching score exceeds the required threshold limit, the authentication is considered successful.

7. Based on the authentication result, the JAAS LoginModule allows or denies access to the requested application.

In UNIX and Windows environments, PAM and GINA modules, respectively, play the role of the JAAS LoginModule in the authentication process.
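The decision logic of the authentication server in steps 5 through 7, together with the monitoring and logging of login attempts and the revocation of a user after repeated failed matches described under enrollment and termination, can be modelled as in the following added example. This is illustrative code, not the book's or any vendor's authentication server: the template repository is an in-memory dictionary standing in for the directory, the matcher is injected as a callable (here a constructed set-overlap scorer rather than a real minutiae algorithm), and the host addresses and minutiae coordinates are constructed values.

```python
from dataclasses import dataclass
import time


@dataclass
class Enrollment:
    user_id: str
    template: frozenset        # reference template; here a set of minutiae coordinates
    active: bool = True        # cleared on termination or after too many failed matches
    failed_attempts: int = 0


class BiometricAuthServer:
    """Threshold decision, failed-attempt revocation and audit logging."""

    def __init__(self, match_fn, threshold=0.7, max_failures=3):
        self.match_fn = match_fn            # callable(template, sample) -> score in [0, 1]
        self.threshold = threshold
        self.max_failures = max_failures
        self.repository = {}                # user_id -> Enrollment (directory stand-in)
        self.audit_log = []                 # (timestamp, user_id, host, event, score)

    def enroll(self, user_id, template):
        self.repository[user_id] = Enrollment(user_id, frozenset(template))

    def terminate(self, user_id):
        """Enrollment officer deactivates the user; no further authentication possible."""
        if user_id in self.repository:
            self.repository[user_id].active = False

    def reinstate(self, user_id):
        """Enrollment officer clears a revocation; the only way back after lockout."""
        rec = self.repository[user_id]
        rec.active, rec.failed_attempts = True, 0

    def _log(self, user_id, host, event, score=None):
        self.audit_log.append((time.time(), user_id, host, event, score))

    def authenticate(self, user_id, sample, host):
        rec = self.repository.get(user_id)
        if rec is None or not rec.active:
            # Unknown and inactive users get the same answer, so the response
            # does not reveal which accounts exist.
            self._log(user_id, host, "denied:inactive_or_unknown")
            return False
        score = self.match_fn(rec.template, frozenset(sample))
        if score >= self.threshold:
            rec.failed_attempts = 0
            self._log(user_id, host, "granted", score)
            return True
        rec.failed_attempts += 1
        if rec.failed_attempts >= self.max_failures:
            rec.active = False              # revoked until an enrollment officer intervenes
            self._log(user_id, host, "revoked", score)
        else:
            self._log(user_id, host, "denied:below_threshold", score)
        return False


def overlap_score(template, sample):
    """Constructed stand-in matcher: Jaccard overlap of two coordinate sets."""
    if not template or not sample:
        return 0.0
    return len(template & sample) / len(template | sample)


def demo():
    """Run one granted login, three failures leading to revocation, then a denied login."""
    server = BiometricAuthServer(overlap_score, threshold=0.7, max_failures=3)
    alice = {(10, 10), (40, 12), (25, 40), (60, 55), (80, 20)}   # constructed template
    server.enroll("alice", alice)
    results = [server.authenticate("alice", alice - {(60, 55)}, "10.0.0.5")]   # 4/5 overlap
    bogus = {(1, 1), (2, 2), (3, 3), (4, 4), (5, 5)}              # no overlap at all
    results += [server.authenticate("alice", bogus, "10.0.0.9") for _ in range(3)]
    results.append(server.authenticate("alice", alice, "10.0.0.5"))             # now revoked
    return results, [entry[3] for entry in server.audit_log]


if __name__ == "__main__":
    for outcome, event in zip(*demo()):
        print(outcome, event)
```

The audit entries carry the host and the score, which is what an operator needs to distinguish a user with a worn fingerprint (scores just under the threshold) from repeated attempts with unrelated samples (scores near zero).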

Biometric SSO Strategy

Biometric SSO allows users to access multiple applications (for example, a Web portal aggregating access to multiple partner applications) after doing a single biometric authentication. In this case, the authentication is managed by the identity provider infrastructure that provides single sign-on services to support heterogeneous applications and system environments. The identity provider infrastructure is usually a vendor solution that encapsulates access to multiple resources by making use of pluggable authentication modules from security infrastructure providers. Upon authentication, the identity provider issues an SSO token that is trusted by all participating applications. This means the identity provider grants access to the secured application or resource by issuing an SSO token that represents the user's sign-on and session information. All partner applications trust the SSO token issued by the identity provider and grant the caller request to proceed for further processing based on the policies and privileges. Figure 15-8 represents the sequence diagram for the biometric SSO in a business portal that aggregates access to multiple partner applications.

Figure 15-8. Biometric SSO for business portal: sequence diagram


Let's assume that a biometric authentication server is configured as the default authentication service in an identity provider infrastructure for providing access to a business portal. When a user attempts to access the business portal managed by an identity provider, the business portal redirects the user to a biometric login that requests submission by the user of biometric samples to the identity server, which acts as a client to the biometric authentication server. The biometric authentication server authenticates the user by acquiring one or more biometric samples from the user and matching them against the user's biometric reference template. If the biometric authentication is successful, the identity provider grants access to the business portal by issuing an SSO token that represents the user's sign-on and session information. If the authentication fails, the identity provider returns an error page to the user. The identity provider makes use of the policy agents for securing the business portal by intercepting requests from unauthorized intrusions, verifying and validating the user's SSO token if it exists, and controlling access to resources based on policies assigned to the user.

To learn more about building a biometric SSO for J2EE, Web, and enterprise applications using a vendor solution, refer to http://developers.sun.com/prodtech/identserver/reference/techart/bioauthentication.html.




Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management
ISBN: 0131463071
Year: 2005
Pages: 204