A biometric is defined as “a measurable, physical
characteristic or personal behavioural trait used to recognise the
identity, or verify the claimed identity, of an enrolee”.
With an ever increasing awareness of security and identity theft,
there is a need to have a method to identify specific individuals
uniquely and accurately. Biometrics are seen as a technology to
provide such accurate identification. There are many biometrics in
use today, with the most popular being:
- Fingerprints
- Iris scans
- Retina scans
- Voice prints
- Facial features
- Hand Geometry
- Signatures
Biometrics can be used either to confirm that a specific individual is
who they say they are (one to one matching) or to identify an
individual from their biometric data (one to many matching). Using a
biometric to link an individual to an ID card is an example of one
to one matching, whilst the best example of one to many matching is
using a fingerprint to track down a criminal.
In all walks of
life the identification of the valid user is now a key issue and is
being driven by increased security threats and the rising problem of
identity theft. The debate about ID cards has raised the profile of
biometrics as a method of user identification. This white paper
looks at the use of different biometrics for user identification,
how well they perform and how they may be applied.
Available Biometrics
Fingerprints
A fingerprint is defined by the patterns found on a fingertip. These
patterns are unique to an individual and the main use of
fingerprints is by the police. There are a variety of methods for
using fingerprints to identify an individual. Some emulate the
traditional police method of visually matching minutiae, whilst
others use pattern-matching techniques. There are also some unusual
techniques, including moiré fringe patterns or ultrasonics.
Iris
The iris is the coloured ring of tissue surrounding
the pupil of the eye. Again, the iris is unique to an individual. To
use the iris as a biometric it needs to be scanned by a device
similar to a camera. An iris scan can then be matched against a
library of templates to identify or authenticate an individual.
Retina
The retina biometric is based on the analysis of
the blood vessels at the back of the eye which are again unique to
the individual. To take a retina scan, a low intensity light is used
to capture the unique patterns of the retina.
Voice
The voice biometric is based on the frequency and/or time analysis
of the voice. A template of the user's voice is taken by effectively
recording the voice. As with most other biometrics the recording can
be compared with a series of templates to perform the biometric
check.
Face
The face can be analysed by the
geometry of facial characteristics. The geometry is captured by
taking a digital image of the face and then using software to
analyse the characteristics.
Hand Geometry
In the same way as the face, the geometry of a user's hand can be analysed.
Signature
A signature biometric can be based on the
image of the signature or the way it is written. A static signature
biometric is solely based on image comparison, whilst dynamic
analysis uses both the image and the dynamics of the signature.
Approaches to User Identification
There are three different approaches to user identification:
- Something you know - a password, PIN or piece of personal information
- Something you have - a token, a swipe card, a smart card or a passport
- Something you are (a biometric) - a fingerprint, a signature or an iris scan
Often the methods are combined for
increased security, for example a swipe card will also have a PIN.
Such combinations are sometimes referred to as 'two factor
authentication'. 'Three factor' authentication could be a smart card
containing the user's biometric data that also required the user to
disclose their PIN. As various methods are combined to increase
security, there is a trade off between a high level of security and
usability.
PINs and passwords are vulnerable to being
forgotten, given away, observed by others, or otherwise obtained
(social engineering). Cards can be stolen and/or forged. A
combination of these can help against fraud; however, combine either
with a biometric and usability as well as security is improved,
provided that the performance and capability of the biometric
technology are sufficiently high.
Use of Biometrics in Electronic Systems
The use of biometric identification
has a number of driving factors:
- Level of security required
- Physical environment
- Performance
- User acceptance
- Capability
- Cost
Performance of
biometrics is a measurement of 'False Negatives' against 'False
Positives'. A false negative is when the biometric of the correct
individual is deemed to be erroneous by the system, which therefore
refuses legitimate entry to the system.
A false positive is
when the biometric of the wrong individual is identified by the
system as being correct, which therefore allows illegitimate entry to
the system. Statistically 'False Positives' can never be zero, but
need to be sufficiently low to meet the level of security required.
The acceptable level of 'False Negatives' is generally driven by
user acceptance, but is also a function of the level of security
required and the physical environment the biometric identifier is
performing in. As a 'rule of thumb' a level of 0-20% for false
negatives is considered acceptable by most people for most
electronic processes, provided this falls to close to 0% within a
few authorisation attempts.
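The trade-off described above can be worked through on sample data. The following is an added example, not part of the original white paper: the similarity scores are constructed, the 1% target standing in for 'close to 0%' is an assumption, and retries are assumed to be statistically independent. It shows that allowing retries drives false negatives down but raises the chance of a false positive for an impostor who is given the same number of attempts.

```python
# Constructed similarity scores (0..1); higher means a closer match.
GENUINE = [0.91, 0.84, 0.78, 0.66, 0.95, 0.58, 0.88, 0.73, 0.81, 0.49]
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.62, 0.30, 0.18, 0.55, 0.27, 0.09]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_negative_rate, false_positive_rate) at a threshold."""
    fn = sum(1 for s in genuine if s < threshold)    # correct user refused
    fp = sum(1 for s in impostor if s >= threshold)  # wrong user accepted
    return fn / len(genuine), fp / len(impostor)


def after_attempts(fnr, fpr, attempts):
    """Rates when retries are allowed (assumes independent attempts)."""
    # A legitimate user is refused only if every attempt is refused.
    fnr_k = fnr ** attempts
    # An impostor is accepted if any single attempt is accepted.
    fpr_k = 1 - (1 - fpr) ** attempts
    return fnr_k, fpr_k


def attempts_needed(fnr, target):
    """Smallest attempt count that brings false negatives to <= target."""
    if fnr <= 0:
        return 1
    if fnr >= 1:
        raise ValueError("a matcher that always refuses never reaches target")
    k = 1
    while fnr ** k > target:
        k += 1
    return k


if __name__ == "__main__":
    for t in (0.50, 0.60, 0.70):
        fnr, fpr = rates(t)
        k = attempts_needed(fnr, 0.01)  # 1% target is an assumption
        fnr_k, fpr_k = after_attempts(fnr, fpr, k)
        print(f"threshold={t:.2f} single: FN={fnr:.0%} FP={fpr:.0%} | "
              f"{k} attempts: FN={fnr_k:.2%} FP={fpr_k:.2%}")
```

At the 0.60 threshold the matcher sits at the top of the rule-of-thumb range (20% false negatives); three attempts bring that under 1%, while the false positive rate over the same three attempts rises from 10% to about 27%.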
In the past it has proved
difficult to produce biometric identification solutions with
adequate performance within a cost to enable ubiquity of use. As a
result, biometric identification has been used for specialised
purposes, and most commonplace electronic user identification is
implemented by giving users an ID and a password or PIN.
PINs and passwords offer minimal levels of security and are often changed
on a regular basis to increase security. However this further
increases the occurrence of passwords and PINs being forgotten, with
it being well reported that IT help desk time is dominated by
re-setting passwords. More importantly PINs and passwords get given
away. A recent survey revealed that 7 out of 10 users asked at a
London railway station gave out their passwords in return for a bar
of chocolate.
PINs and passwords are also open to being
stolen; especially if they are written down to avoid forgetting
them. PINs are particularly subject to 'over the shoulder' gazing
and capture by criminals. All these factors have pushed the
developers of electronic biometric identification to drive performance
up and cost down, to establish common use of biometric
identification for all electronic processes.
The general
increasing awareness of security and the rising problem of identity
theft has meant that biometrics are now seen as the preferred method
of user identification in electronic systems, and are being
seriously considered in many environments. This, linked with
improvements in biometric technology, means that biometrics as part
of an electronic system is now a reality.
For any biometric a
major issue is that of user acceptance. In a recent Mori poll 4 out
of 5 users expressed a preference to use biometrics instead of
passwords. This is driven by the myriad of passwords and PINs we
each have to remember. However, there are still cultural and
environmental issues affecting the selection of particular types of
biometrics.
Generally people will associate fingerprints with
law enforcement rather than everyday identification. Some cultures
object to physical contact with devices (like fingerprint readers)
that are used by the general public. Some physical
environments also restrict the selection of biometric
identification. For example, in healthcare where many processes are
performed with individuals wearing gloves, fingerprints are not
practical. In noisy environments voice recognition proves very
difficult. Poorly lit environments make facial recognition
difficult.