Technology-savvy organizations looking to develop a competitive advantage should carefully watch developments in biometrics.

A Practical Guide to Biometric Technology

Simon Liu and Mark Silverman

As organizations search for more secure authentication methods for user access, e-commerce, and other security applications, biometrics is gaining increasing attention. But should your company use biometrics? And, if so, which ones should you use and how do you choose them? There is no one best biometric technology. Different applications require different biometrics.

To select the right biometric for your situation, you will need to navigate through some complex vendor products and keep an eye on future developments in technology and standards. Your options have never been more diverse. After years of research and development, vendors now have several products to offer. Some are relatively immature, having only recently become commercially available, but even these can substantially improve your company’s posture. We briefly describe some emerging biometric technologies to help guide your decision making.

WHAT IS A BIOMETRIC?

The security field uses three different types of authentication:

• something you know—a password, PIN, or piece of personal information (such as your mother’s maiden name);
• something you have—a card key, smart card, or token (like a SecurID card); and/or
• something you are—a biometric.

Of these, a biometric is the most secure and convenient authentication tool. It can’t be borrowed, stolen, or forgotten, and forging one is practically impossible. (Replacement part surgery, by the way, is outside the scope of this article.)

Biometrics measure individuals’ unique physical or behavioral characteristics to recognize or authenticate their identity. Common physical biometrics include fingerprints; hand or palm geometry; and retina, iris, or facial characteristics. Behavioral characters include signature, voice (which also has a physical component), keystroke pattern, and gait. Of this class of biometrics, technologies for signature and voice are the most developed.

Figure 1 describes the process involved in using a biometric system for security.

Fingerprints

A fingerprint looks at the patterns found on a fingertip. There are a variety of approaches to fingerprint verification. Some emulate the traditional police method of matching minutiae; others use straight pattern-matching devices; and still others are a bit more unique, including things like moiré fringe patterns and ultrasonics. Some verification approaches can detect when a live finger is presented; some cannot.

A greater variety of fingerprint devices is available than for any other biometric. As the prices of these devices and processing costs fall, using fingerprints for user verification is gaining acceptance—despite the common-criminal stigma.

1520-9202/01/$10.00 © 2001 IEEE January ❘ February 2001 IT Pro 27 SECURITY

Figure 1. How a biometric system works. (1) Capture the chosen biometric; (2) process the biometric and extract and enroll the biometric template; (3) store the template in a local repository, a central repository, or a portable token such as a smart card; (4) live-scan the chosen biometric; (5) process the biometric and extract the biometric template; (6) match the scanned biometric template against stored templates; (7) provide a matching score to business applications; (8) record a secure audit trail with respect to system use.

Fingerprint verification may be a good choice for in-house systems, where you can give users adequate explanation and training, and where the system operates in a controlled environment. It is not surprising that the workstation access application area seems to be based almost exclusively on fingerprints, due to the relatively low cost, small size, and ease of integration of fingerprint authentication devices.

Hand geometry

Hand geometry involves analyzing and measuring the shape of the hand. This biometric offers a good balance of performance characteristics and is relatively easy to use. It might be suitable where there are more users or where users access the system infrequently and are perhaps less disciplined in their approach to the system.

Accuracy can be very high if desired, and flexible performance tuning and configuration can accommodate a wide range of applications. Organizations are using hand geometry readers in various scenarios, including time and attendance recording, where they have proved extremely popular. Ease of integration into other systems and processes, coupled with ease of use, makes hand geometry an obvious first step for many biometric projects.

Retina

A retina-based biometric involves analyzing the layer of blood vessels situated at the back of the eye. An established technology, this technique involves using a low-intensity light source through an optical coupler to scan the unique patterns of the retina. Retinal scanning can be quite accurate but does require the user to look into a receptacle and focus on a given point. This is not particularly convenient if you wear glasses or are concerned about having close contact with the reading device. For these reasons, retinal scanning is not warmly accepted by all users, even though the technology itself can work well.

Iris

An iris-based biometric, on the other hand, involves analyzing features found in the colored ring of tissue that surrounds the pupil. Iris scanning, undoubtedly the less intrusive of the eye-related biometrics, uses a fairly conventional camera element and requires no close contact between the user and the reader. In addition, it has the potential for higher than average template-matching performance. Iris biometrics work with glasses in place and is one of the few devices that can work well in identification mode. Ease of use and system integration have not traditionally been strong points with iris scanning devices, but you can expect improvements in these areas as new products emerge.

Face

Face recognition analyzes facial characteristics. It requires a digital camera to develop a facial image of the user for authentication. This technique has attracted considerable interest, although many people don’t completely understand its capabilities. Some vendors have made extravagant claims—which are very difficult, if not impossible, to substantiate in practice—for facial recognition devices. Because facial scanning needs an extra peripheral not customarily included with basic PCs, it is more of a niche market for network authentication. However, the casino industry has capitalized on this technology to create a facial database of scam artists for quick detection by security personnel.

Signature

Signature verification analyzes the way a user signs her name. Signing features such as speed, velocity, and pressure are as important as the finished signature’s static shape. Signature verification enjoys a synergy with existing processes that other biometrics do not. People are used to signatures as a means of transaction-related identity verification, and most would see nothing unusual in extending this to encompass biometrics. Signature verification devices are reasonably accurate in operation and obviously lend themselves to applications where a signature is an accepted identifier. Surprisingly, relatively few significant signature applications have emerged compared with other biometric methodologies. But if your application fits, it is a technology worth considering.

Voice

Voice authentication is not based on voice recognition but on voice-to-print authentication, where complex technology transforms voice into text. Voice biometrics has the most potential for growth, because it requires no new hardware—most PCs already contain a microphone. However, poor quality and ambient noise can affect verification. In addition, the enrollment procedure has often been more complicated than with other biometrics, leading to the perception that voice verification is not user friendly. Therefore, voice authentication software needs improvement. One day, voice may become an additive technology to finger-scan technology. Because many people see finger scanning as a higher authentication form, voice biometrics will most likely be relegated to replacing or enhancing PINs, passwords, or account names.

Glossary

Crossover error rate (CER)—a comparison metric for different biometric devices and technologies; the error rate at which FAR equals FRR. The lower the CER, the more accurate and reliable the biometric device.

Enrollment—the initial process of collecting biometric data from a user and then storing it in a template for later comparison.

False-acceptance rate (FAR)—the percentage of imposters incorrectly matched to a valid user’s biometric.

False-rejection rate (FRR)—the percentage of incorrectly rejected valid users.

Identification—the process by which the biometric system identifies a person by performing a one-to-many (1:n) search against the entire enrolled population.

Template—a mathematical representation of biometric data. A template can vary in size from 9 bytes for hand geometry to several thousand bytes for facial recognition.

Verification—the authentication process by which the biometric system matches a captured biometric against the person’s stored template (1:1).

USES FOR BIOMETRICS

Security systems use biometrics for two basic purposes: to verify or to identify users. Identification tends to be the more difficult of the two uses because a system must search a database of enrolled users to find a match (a one-to-many search). The biometric that a security system employs depends in part on what the system is protecting and what it is trying to protect against.

Physical access

For decades, many highly secure environments have used biometric technology for entry access. Today, the primary application of biometrics is in physical security: to control access to secure locations (rooms or buildings). Unlike photo identification cards, which a must verify, biometrics permit unmanned . Biometric devices, typically hand geometry readers, are in office buildings, hospitals, casinos, health clubs, and even a Moose lodge. Biometrics are useful for high-volume access control. For example, biometrics controlled access of 65,000 people during the 1996 Olympic Games, and Disney World uses a fingerprint scanner to verify season-pass holders entering the theme park.

Engineers are developing several promising prototype biometric applications to support the International Air Transport Association’s Simplifying Passenger Travel (SPT) initiatives. One such program is EyeTicket, which Charlotte/Douglas International Airport in North Carolina and Flughafen Frankfurt/Main Airport in Germany are evaluating. EyeTicket links a passenger’s frequent-flyer number to an iris scan. After the passenger enrolls in the system, an unmanned kiosk performs ticketing and check-in (without luggage).

The US Immigration and Naturalization Service’s Passenger Accelerated Service System uses hand geometry to identify and process preenrolled, low-risk frequent travelers through an automated immigration system. Currently deployed in nine international airports, including Washington Dulles International, this system uses an unmanned kiosk to perform citizenship-verification functions.

Virtual access

For a long time, biometric-based network and computer access were areas often discussed but rarely implemented. Recently, however, the unit price of biometric devices has fallen dramatically, and several designs aimed squarely at this application are on the market. Analysts see virtual access as the application that will provide the critical mass to move biometrics for network and computer access from the realm of science-fiction devices to regular system components. At the same time, user demands for virtual access will raise public awareness of the security risks and lower resistance to the use of biometrics.

Physical lock-downs can protect hardware, and passwords are currently the most popular way to protect data on a network. Biometrics, however, can increase a company’s ability to protect its data by implementing a more secure key than a password. Using biometrics also allows a hierarchical structure of data protection, making the data even more secure: Passwords supply a minimal level of access to network data; biometrics, the next level. You can even layer biometric technologies to enhance security levels.


E-commerce applications

E-commerce developers are exploring the use of biometrics and smart cards to more accurately verify a trading party’s identity. For example, many banks are interested in this combination to better authenticate customers and ensure nonrepudiation of online banking, trading, and purchasing transactions. Point-of-sales (POS) system vendors are working on the cardholder verification method, which would enlist smart cards and biometrics to replace signature verification. MasterCard estimates that adding smart-card-based biometric authentication to a POS credit card payment will decrease fraud by 80 percent.

Some are using biometrics to obtain secure services over the telephone through voice authentication. Developed by Nuance Communications, voice authentication systems are currently deployed nationwide by both the Home Shopping Network and Charles Schwab. The latter’s marketing catch phrase is “No PIN to remember, no PIN to forget.”

Covert

One of the more challenging research areas involves using biometrics for covert surveillance. Using facial and body recognition technologies, researchers hope to use biometrics to automatically identify known suspects entering buildings or traversing crowded security areas such as airports. The use of biometrics for covert identification as opposed to authentication must overcome technical challenges such as simultaneously identifying multiple subjects in a crowd and working with uncooperative subjects. In these situations, devices cannot count on consistency in pose, viewing angle, or distance from the detector.

THE FUTURE OF BIOMETRICS

Although companies are using biometrics for authentication in a variety of situations, the industry is still evolving and emerging. To both guide and support the growth of biometrics, the Biometric Consortium formed in December 1995. The recent Biometric Consortium annual conference highlighted two important areas.

Standardization

The biometrics industry includes more than 150 separate hardware and software vendors, each with their own proprietary interfaces, algorithms, and data structures. Standards are emerging to provide a common software interface, to allow sharing of biometric templates, and to permit effective comparison and evaluation of different biometric technologies.

The BioAPI standard released at the conference, defines a common method for interfacing with a given biometric application. BioAPI is an open-systems standard developed by a consortium of more than 60 vendors and government agencies. Written in C, it consists of a set of function calls to perform basic actions common to all biometric technologies, such as

• enroll user,
• verify asserted identity (authentication), and
• discover identity.

Not surprising, Microsoft, the original founder of the BioAPI Consortium, dropped out and developed its own BAPI biometric interface standard.

Another draft standard is the Common Biometric Exchange File Format, which defines a common means of exchanging and storing templates collected from a variety of biometric devices. The Biometric Consortium has also presented a proposal for the Common Fingerprint Minutia Exchange format, which attempts to provide a level of interoperability for fingerprint technology vendors.

Biometric assurance—confidence that a biometric device can achieve the intended level of security—is another active research area. Current metrics for comparing biometric technologies, such as the crossover error rate and the average enrollment time, are limited because they lack a standard test bed on which to base their values. Several groups, including the US Department of Defense’s Biometrics Management Office, are developing standard testing methodologies. Much of this work is occurring within the contextual framework of the Common Criteria, a model that the international security community developed to standardize evaluation and comparison of all security products (Kimberly Caplan, “Building an International Security Standard,” IT Professional, Mar.-Apr. 1999).

Hybrid technology uses

One of the more interesting uses of biometrics involves combining biometrics with smart cards and public-key infrastructure (PKI). A major problem with biometrics is how and where to store the user’s template. Because the template represents the user’s personal characters, its storage introduces privacy concerns. Furthermore, storing the template in a centralized database leaves that template subject to attack and compromise. On the other hand, storing the template on a smart card enhances individual privacy and increases protection from attack, because individual users control their own templates.

Vendors enhance security by placing more biometric functions directly on the smart card. Some vendors have built a fingerprint sensor directly into the smart card reader, which in turn passes the biometric to the smart card for verification. At least one vendor, Biometric Associates, has designed a smart card that contains a fingerprint sensor directly on the card. This is a stronger secure architecture because cardholders must authenticate themselves directly to the card.

PKI uses public- and private-key cryptography for user identification and authentication. It has some advantages over biometrics: It is mathematically more secure, and it can be used across the Internet. The main drawback of PKI is the management of the user’s private key. To be secure, the private key must be protected from compromise; to be useful, the private key must be portable. The solution to these problems is to store the private key on a smart card and protect it with a biometric.

In the Smart Access common government ID card program, the US General Services Administration is exploring this marriage of biometrics, smart cards, and PKI technology. The government of Finland is also considering using these technologies in deploying the Finnish National Electronic ID card.

SELECTING A BIOMETRIC TECHNOLOGY

Biometric technology is one area that no segment of the IT industry can afford to ignore. Biometrics provide security benefits across the spectrum, from IT vendors to end users, and from security system developers to security system users. All these industry sectors must evaluate the costs and benefits of implementing such security measures.

Different technologies may be appropriate for different applications, depending on perceived user profiles, the need to interface with other systems or databases, environmental conditions, and a host of other application-specific parameters (see Table 1).

Table 1. Comparison of biometrics

| Characteristic | Fingerprints | Hand geometry | Retina | Iris | Face | Signature | Voice |
|---|---|---|---|---|---|---|---|
| Ease of use | High | High | Low | Medium | Medium | High | High |
| Error incidence | Dryness, dirt, age | Hand injury, age | Glasses | Poor lighting | Lighting, age, glasses, hair | Changing signatures | Noise, colds, weather |
| Accuracy | High | High | Very high | Very high | High | High | High |
| Cost | * | * | * | * | * | * | * |
| User acceptance | Medium | Medium | Medium | Medium | Medium | Very high | High |
| Required security level | High | Medium | High | Very high | Medium | Medium | Medium |
| Long-term stability | High | Medium | High | High | Medium | Medium | Medium |

* The large number of factors involved makes a simple cost comparison impractical.

Ease of use

Some biometric devices are not user friendly. For example, users without proper training may experience difficulty aligning their head with a device for enrolling and matching facial templates.

Error incidence

Two primary causes of errors affect biometric data: time and environmental conditions. Biometrics may change as an individual ages. Environmental conditions may either alter the biometric directly (for example, if a finger is cut and scarred) or interfere with the data collection (for instance, background noise when using a voice biometric).

Accuracy

Vendors often use two different methods to rate biometric accuracy: false-acceptance rate or false-rejection rate. Both methods focus on the system’s ability to allow limited entry to authorized users. However, these measures can vary significantly, depending on how you adjust the sensitivity of the mechanism that matches the biometric. For example, you can require a tighter match between the measurements of hand geometry and the user’s template (increase the sensitivity). This will probably decrease the false-acceptance rate, but at the same time can increase the false-rejection rate. So be careful to understand how vendors arrive at quoted values of FAR and FRR.

Because FAR and FRR are interdependent, it is more meaningful to plot them against each other, as shown in Figure 2. Each point on the plot represents a hypothetical system’s performance at various sensitivity settings. With such a plot, you can compare these rates to determine the crossover error rate. The lower the CER, the more accurate the system.

Figure 2. Crossover error rate attempts to combine two measures of biometric accuracy. [Plot of false-rejection rate against false-acceptance rate, with the crossover error rate marked.]

Generally, physical biometrics are more accurate than behavioral biometrics.

Cost

Cost components include

• biometric capture hardware;
• back-end processing power to maintain the database;
• research and testing of the biometric system;
• installation, including implementation team salaries;
• mounting, installation, connection, and user system integration costs;
• user education, often conducted through marketing campaigns;
• exception processing, or handling users who cannot submit readable images because of missing appendages or unreadable prints;
• productivity losses due to the implementation learning curve; and
• system maintenance.

User acceptance

Generally speaking, the less intrusive the biometric, the more readily it is accepted. However, certain user groups—some religious and civil-liberties groups—have rejected biometric technologies because of privacy concerns.

Required security level

Organizations should determine the level of security needed for the specific application: low, moderate, or high. This decision will greatly impact which biometric is most appropriate. Generally, behavioral biometrics are sufficient for low-to-moderate security applications; physical biometrics, for high-security applications.

Long-term stability

Organizations should consider a biometric’s stability, including maturity of the technology, degree of standardization, level of vendor and government support, market share, and other support factors. Mature and standardized technologies usually have stronger stability.

Biometric technology has been around for decades but has mainly been for highly secretive environments with extreme security measures. The technologies behind biometrics are still emerging. This article gives a snapshot of the dynamics under way in this emerging biometric market, and we hope it will help you consider all the possible alternatives when acquiring new biometric technologies.

Simon Liu is director of computer and communications systems at the National Library of Medicine. He is also an adjunct professor at Johns Hopkins University. Contact him at [email protected].

Mark Silverman is a technical advisor at the Center of Information Technology, National Institutes of Health. Contact him at [email protected].

Resources

➤ The Biometric Consortium (http://www.biometrics.org): Serves as the US government’s focal point for research, development, test, evaluation, and application of biometric-based personal identification and verification technologies.
➤ Association for Biometrics (http://www.afb.org.uk): Aims to promote the awareness and development of biometric-related technologies. It provides an international forum for research and development, system design and integration, application development, market development, and other issues.
➤ Avanti (http://homepage.ntlworld.com/avanti/): A reference site for biometrics, Avanti contains a considerable amount of background information about biometrics, their use in everyday business situations, and how to deploy them.
➤ Biometrics: Journal of the International Biometric Society (http://stat.tamu.edu/Biometrics/): Published quarterly, Biometrics aims to promote and extend the use of mathematical and statistical methods in various disciplines. It describes and exemplifies developments in these methods and their application for experimenters and those primarily concerned with data analysis.
➤ International Biometric Industry Association (http://www.ibia.org): A trade association founded in September 1998 in Washington, D.C., to advance, advocate, defend, and support the biometric industry’s collective international interests. Governed by and for biometric developers, manufacturers, and integrators, IBIA aims to serve all biometric technologies in all applications.
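The FAR/FRR trade-off and crossover error rate described under Accuracy, worked through as an added example that is not part of the original article. The match scores are constructed and the function names are hypothetical; `identification_false_match` goes one step beyond the text, assuming independent comparisons, to show why a one-to-many search is harder than one-to-one verification.

```python
import random


def make_scores(seed=7, n=2000):
    """Constructed sample data (an assumption, not measurements): similarity
    scores in [0, 1] for genuine attempts and for impostor attempts."""
    rng = random.Random(seed)

    def clip(x):
        return min(1.0, max(0.0, x))

    genuine = [clip(rng.gauss(0.75, 0.10)) for _ in range(n)]
    impostor = [clip(rng.gauss(0.40, 0.12)) for _ in range(n)]
    return genuine, impostor


def far_frr(genuine, impostor, threshold):
    """Accept a sample when its score >= threshold. Raising the threshold is
    the 'tighter match' (higher sensitivity) the article describes.
    FAR: fraction of impostor attempts accepted.
    FRR: fraction of genuine attempts rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, steps=200):
    """One (threshold, FAR, FRR) point per sensitivity setting, i.e. the
    data behind a plot like Figure 2."""
    return [(i / steps, *far_frr(genuine, impostor, i / steps))
            for i in range(steps + 1)]


def crossover(curve):
    """Threshold where FAR and FRR are closest, and the CER estimated there
    as the mean of the two rates at that point."""
    t, far, frr = min(curve, key=lambda p: abs(p[1] - p[2]))
    return t, (far + frr) / 2


def identification_false_match(far, n_enrolled):
    """Chance that a 1:n search falsely matches at least one enrolled
    template, assuming n independent 1:1 comparisons at the given FAR."""
    return 1 - (1 - far) ** n_enrolled


if __name__ == "__main__":
    genuine, impostor = make_scores()
    for t in (0.45, 0.55, 0.65, 0.75):
        far, frr = far_frr(genuine, impostor, t)
        print(f"threshold={t:.2f}  FAR={far:6.2%}  FRR={frr:6.2%}")
    t, cer = crossover(sweep(genuine, impostor))
    print(f"crossover near threshold {t:.3f}, CER ~ {cer:.2%}")
    for n in (1, 100, 10_000):
        print(f"1:{n} search at FAR=0.1%: "
              f"{identification_false_match(0.001, n):.2%} false-match chance")
```

A vendor's quoted FAR or FRR corresponds to a single row of the threshold sweep, which is why the article asks how the figure was obtained; the CER summarizes the whole curve in one number.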
