Biometrics Go Mainstream
With the blink of an eye, the touch of a finger, or the uttering of a pass-phrase, colleges and schools can now get deadly serious about physical security.
WHAT’S NEW IN AUTHENTICATION?
After years of hype, biometrics may be going mainstream! Witness these two recent news release statements, both from Washington Technology, January 2006:
“By Oct. 27, all federal agencies must be ready to issue new identity cards that will be rich in biometrics and other security features.”
“Homeland Security is expected to set specifications and standards for biometric features that will be required as part of a federal mandate to improve driver’s license security.”
As you may recall from “Security: It’s Not All About Hackers,” Campus Technology, September 2005, authentication is based on something you know (e.g., a password), something you have (e.g., a driver’s license), or something you are (e.g., a fingerprint). The last of these refers to the use of biometrics for authentication. Common examples are based on eye (iris and retinal) scans, fingerprints, keystroke dynamics, voice analysis, facial scans, hand geometry, and DNA analysis.
Retinal and Iris Scans
Eye scans are the gold standard of commonly available biometric identification techniques. Retinal scans are performed by shining a low-intensity beam of infrared light into the eyeball and recording the pattern of blood vessels in the back of the eye. The process is somewhat invasive (the eyeball needs to be held very close to the device, held still, and focused for 10 to 15 seconds) and is typically only used in high-security facilities.
Iris scans are executed by observing the pattern of ridges on the colored part of the eye; they can be carried out at distances of up to several feet, and through eyeglasses, as well. As the cost of iris scanners falls, the devices are starting to be used in medium-security facilities such as airport security checkpoints, as well as education and corporate environments. Panasonic, for one, markets several iris scanners with prices ranging from several hundred dollars all the way up to the $10,000 mark.
Still, there have been reports of “reading” problems in a small percentage of cases because of eye malformations, watery eyes, and even long eyelashes. High-resolution photographs of an iris have also fooled some of the scanners. These limitations notwithstanding, iris recognition systems from Eyemetric Identity Systems have been adopted by one New Jersey school district to control adult access into elementary school buildings.
Fingerprints
Fingerprint recognition has gone from Hollywood (remember Will Smith and Gene Hackman in the 1998 thriller Enemy of the State?) to college-campus and school-district dining halls and cafeterias. Most schemes work by capturing an image of the ridges and furrows of a fingertip with an optical scanner and then comparing the details—for example where ridges end or fork—against a database of fingerprint information.
Food Service Solutions sells fingerprint-scanning systems to K-12 schools to speed kids through lunch lines. The system was recently adopted as well by Campbell University (NC) for 1,200 voluntary users in the university’s dining halls. Administrators at the institution claim that identification by fingerprint scan takes 1.6 seconds, compared to 3.5 seconds to swipe a student’s ID card. A digital picture of the individual is also taken, which is displayed on an attendant’s screen as verification of the food service program enrollee.
The good news: The cost of fingerprint scanning systems has dropped to the point where they’re now practical for controlling access to individual computers. For example, Digital Persona sells a compact standalone scanner and associated software that connects to a PC via its USB port. On the plus side, according to the FBI, electronic fingerprint scans make the right match 95 to 98 percent of the time. (Detractors point to the inverse.) On the down side, the accuracy varies depending on gender, race, and the condition of the finger being scanned (dry, cracked skin can degrade accuracy).
HOW TO FAKE A FINGERPRINT
Tsutomu Matsumoto, a Japanese mathematician, has figured out a cheap way to fool a fingerprint scanner. First, he uses free-molding plastic from a hobby shop to make a plastic mold of a thumb or finger. Then he pours gelatin obtained from a grocery store into the mold and lets it harden. The gelatin “fake” fools fingerprint detectors about 80 percent of the time. To read more about this, go HERE.
Voice Recognition
Voice recognition is accomplished by comparing the vocal characteristics of a user speaking a pass-phrase with the characteristics of an authorized user speaking the same pass-phrase. This technology is getting better, but its accuracy still lags behind other biometric techniques and can be affected by external factors such as background noise, as well as physiological factors such as a head cold, and psychological factors such as emotional state. Used alone, voice recognition systems that ask the individual to repeat a fixed phrase can be defeated by a simple audio recording.
One advantage of voice recognition technology is user friendliness (“please say your pass-phrase”) and the ease with which voice recognition can be combined with other authentication techniques to provide two-factor identification. Another advantage is that virtually all computers have the appropriate hardware—a microphone—already built in. Then too, because voice recognition is a software-only solution, the cost is relatively low. Some popular voice authentication products are Nuance Verifier, Voice.Trust and VoiceVault. Vocent takes a somewhat different approach and offers a product that allows a user to remotely reset passwords, based on voice recognition.
Keystroke Dynamics
To identify users, keystroke dynamics technology typically uses measurements of the speed and pressure of typing, the total time taken to type particular words, and the time elapsed between hitting certain keys. (Experienced Morse code operators have long prided themselves in being able to identify a sender by his “fist,” or pattern of typing out dots and dashes on a telegraph key.) Surprisingly, this behavioral technology is relatively accurate, and since it can be entirely software-based and needn’t include additional hardware, its cost is quite low. Integrating keystroke dynamics with another authentication technology such as passwords provides very cost-effective two-factor or even three-factor authentication.
One vendor, BioPassword, estimates that the cost of implementing that company’s keystroke dynamics solution is one-third the cost of physical biometric devices, and substantially less than tokens or smart cards. While a single-user version is available, the enterprise version is probably of more interest in higher education with its highly mobile user environment.
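To make the keystroke-dynamics idea concrete, here is an added example that is not from the article or from BioPassword or any other vendor. It extracts the two timing features the text mentions (how long each key is held, and the gap between releasing one key and pressing the next), builds a template from several enrollment entries of a pass-phrase, and verifies a new entry by its scaled distance from that template. The pass-phrase “open,” the millisecond timings, the 5 ms spread floor and the 1.5 acceptance threshold are all constructed assumptions.

```python
"""Added example (not from the article or any vendor): a minimal
keystroke-dynamics verifier. Features are per-key dwell time and
between-key flight time; a template is the per-feature mean and
spread over enrollment samples; verification is a scaled distance
to that template. All timings below are constructed."""
from statistics import mean, pstdev
from typing import List, Sequence, Tuple

# One pass-phrase entry: (key, press_ms, release_ms) per keystroke, in order.
Sample = List[Tuple[str, float, float]]
KEYS = ["o", "p", "e", "n"]  # constructed pass-phrase "open"


def make_sample(dwells: Sequence[float], flights: Sequence[float]) -> Sample:
    """Build key events from chosen dwell (hold) and flight (gap) times."""
    sample, t = [], 0.0
    for i, key in enumerate(KEYS):
        press, release = t, t + dwells[i]
        sample.append((key, press, release))
        if i < len(flights):
            t = release + flights[i]
    return sample


def features(sample: Sample) -> List[float]:
    """Dwell time of each key, then flight time between consecutive keys."""
    dwell = [rel - press for _, press, rel in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples: Sequence[Sample]) -> Tuple[List[float], List[float]]:
    """Template: per-feature mean and population std over enrollment.
    Std is floored at 5 ms (assumption) so a very regular key cannot
    make the divisor zero."""
    vecs = [features(s) for s in samples]
    n = len(vecs[0])
    means = [mean(v[i] for v in vecs) for i in range(n)]
    stds = [max(pstdev([v[i] for v in vecs]), 5.0) for i in range(n)]
    return means, stds


def distance(template, sample: Sample) -> float:
    """Mean absolute deviation from the template, in units of its spread."""
    means, stds = template
    vec = features(sample)
    return sum(abs(x - m) / s for x, m, s in zip(vec, means, stds)) / len(vec)


def verify(template, sample: Sample, threshold: float = 1.5) -> bool:
    """Lowering the threshold cuts impostor acceptance but raises
    rejections of the real user: the usual FAR/FRR tradeoff."""
    return distance(template, sample) <= threshold


# Constructed data: four enrollment entries by the legitimate user, then
# one more entry by that user and one by someone who types much slower.
ENROLL = [
    make_sample([100, 95, 105, 90], [120, 130, 115]),
    make_sample([105, 100, 100, 95], [125, 125, 120]),
    make_sample([95, 90, 110, 100], [115, 135, 110]),
    make_sample([100, 105, 95, 90], [130, 120, 125]),
]
GENUINE_ATTEMPT = make_sample([102, 97, 103, 92], [122, 128, 118])
IMPOSTOR_ATTEMPT = make_sample([180, 170, 190, 160], [300, 280, 320])

if __name__ == "__main__":
    tpl = enroll(ENROLL)
    for name, s in [("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)]:
        print(f"{name}: distance={distance(tpl, s):.2f} accept={verify(tpl, s)}")
```

Because the template only holds timing statistics rather than a fingerprint or iris image, this is the sense in which the article calls the technique software-only; a real deployment would also re-enroll as a user’s typing habits drift and would pair the check with a password, as the text recommends.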
Facial Recognition
One of the most common facial recognition schemes is based on analyzing a facial image for certain “nodal points,” such as the width of the nose or distance between the eyes. A template is built based upon these measurements, and then compared against target templates. An independently administered technology evaluation of mature face recognition systems done in 2002 by the Defense Advanced Research Projects Agency (DARPA), the National Institute of Standards and Technology (NIST), and NAVSEA Crane Division found that the best of these systems achieve 80 to 90 percent accuracy in controlled conditions. (See “Face Recognition Vendor Test 2002: Overview and Summary”)
The accuracy of the results was very dependent upon lighting, picture angle, and the age and gender of the target. Is 80 to 90 percent good enough to be used in practice? If the objective is to scan casino patrons for professional gamblers, the answer may be yes. In fact, one company, Biometrica, has built a business around providing facial recognition systems to the casino industry. On the other hand, the use of facial recognition systems has not been particularly successful in identifying people in a crowd or for authentication. More than two dozen companies provide facial recognition systems.
Hand Geometry
Authentication based on hand geometry analyzes two optical images of the hand—one of the palm and one of the side—to measure parameters such as finger width and height, the length and distances between joints, and knuckle shapes. These parameters are then compared to a previously established template. Because the geometry of our hands isn’t highly distinctive, the system isn’t well suited for identifying one individual out of many. The system’s ease of use, however, makes it attractive for matching a token or smart card to a user. In the late 1990s, the Immigration and Naturalization Service (now part of Homeland Security) began experimenting with automated hand geometry authentication for frequent business travelers (INS Passenger Accelerated Service System or INSPASS), but a March 2000 audit concluded that the system wasn’t particularly cost-effective, and additionally, created security risks. In January 2006, the program was transitioned into the Registered Traveler program, which is based on iris scans and fingerprint recognition.
DNA
DNA is the ultimate biometric identifier. The odds of two people who aren’t identical twins having the same DNA are 6 billion to one. The downside of DNA analysis is that it currently requires both a physical sample and extensive laboratory analysis. But changes are on the horizon. Scientists are starting to use “DNA chips” or “DNA microarrays” to map out the small variations in DNA that characterize our uniqueness. (Read more on this HERE.) As this technology matures, it may be possible to use it for authentication. But even DNA authentication might not be foolproof: As has been pointed out in science fiction movies, all it takes is a strand of hair to mimic someone.
Comparing Biometric Technologies
Two criteria commonly used to compare biometric technologies are False Acceptance Rate (FAR) and False Rejection Rate (FRR). FAR determines how often an imposter can bypass the biometric authentication. Thus, an FAR of 1 percent indicates a one in a hundred chance of fooling the system. In general, FAR increases (becomes less accurate) as we move from iris scans through fingerprint scans, keystroke dynamics, facial recognition and, finally, voice recognition. FRR determines how often a valid user will not be successfully authenticated. Thus, an FRR of 3 percent means that three times out of a hundred, a user will incorrectly be denied access and forced to try again. As with FAR, FRR increases (real users rejected) as we move from iris scans through fingerprint scans, keystroke dynamics, facial recognition and, finally, voice recognition.
With the exception of iris scans, which have a very small FAR, biometric identification techniques generally involve a tradeoff between FAR and FRR. If we reduce the chance of someone fooling the system, we increase the chance of denying access to a valid user. Most biometric systems let the system administrator adjust the acceptance threshold of the FAR and FRR settings. For example, the FRR might be decreased to make the system more user friendly at the expense of making it easier to fool the system.
Biometric identification isn’t absolute—it’s probabilistic. In 2005, a crime lab considered by many to be the finest in the world misidentified a fingerprint linked to the Madrid bombing case. Bottom line: A healthy dose of skepticism is advisable when evaluating vendor claims.
6 Items to Keep in Mind When Using Biometrics
From Who Goes There? Authentication Through the Lens of Privacy, National Research Council:
- Never design or use a biometric system that allows either remote enrollment or re-enrollment. Such systems have no good way of connecting a user with the enrolled biometric record other than additional authentication, so the advantage of using biometrics is lost.
- Biometric measures can reveal your identity if they are linked at enrollment or at subsequent usage to your name, Social Security number, or other identifying information.
- Remember that biometric measures cannot be reissued if stolen or sold. Consequently, your biometric measures will be only as secure as the most insecure site that uses them. Do not enroll in a system that does not seek to preserve anonymity, unless you have complete trust in the system administration.
- All biometric access-control systems must have exception-handling mechanisms for those individuals who either cannot enroll or cannot reliably use the system for whatever reason. If you are uncomfortable with enrolling in a biometric system for positive identification, insist on routinely using the exception-handling mechanism instead.
- The most secure and most privacy-sensitive biometric systems are those in which each user controls his own template. However, simply controlling one’s own biometric template, say by holding it on a token, does not guarantee either privacy or security.
- People tracking? Because biometric measures are not perfectly repeatable, are not completely distinctive, and require specialized data collection hardware, biometric systems are not useful for tracking people. Anyone who wants to physically track you will use your credit card purchases, phone records, or cell phone emanations instead. Anyone wanting to track your Internet transactions will do so with cookies, Web logs, or other technologies.
Privacy Issues
In its comprehensive report, Who Goes There? Authentication Through the Lens of Privacy, the National Research Council points out that biometrics can pose serious privacy and security concerns, particularly if samples are compared against templates stored on a remote authentication server that, potentially, can be hacked. (A stolen password can be reset, but a fingerprint is forever.) The report recommends that biometric technologies not be used to authenticate users via remote authentication servers and suggests that biometrics is more appropriate for local authentication, such as access to a private key or smart card. This advice is often ignored, in which case the system should encrypt all templates transmitted over the network to ensure that the central server is as secure as possible. (See the box above for common sense guidelines.)
Caveats
Biometrics can be particularly powerful as part of a two-factor authentication scheme. If the false acceptance rate or FAR of one system is 0.03 (3 percent) and the FAR of a second system is 0.02 (2 percent), the FAR of the combined system is 0.0006 (0.06 percent)—if the systems are truly independent. Sadly, however, that is usually not the case. If a hardware token is used in conjunction with a fingerprint reader, a copy of the fingerprint just might appear on a stolen token. Okay, biometrics may not yet be a silver bullet, but the technology does force the bad guy to get a bigger hammer.
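Both the FAR/FRR tradeoff described under “Comparing Biometric Technologies” and the two-factor arithmetic in the paragraph above can be worked through in a few lines. The Python below is an added example, not code from the article or any vendor: it computes FAR and FRR from a constructed set of match scores at a sweep of acceptance thresholds, so the tradeoff is visible as numbers, and then combines two factors under an AND rule. It goes one step beyond the text by also showing the FRR cost of ANDing factors, which the article’s 0.03 × 0.02 example leaves out. The scores, the 0 to 100 similarity scale, and the independence assumption inside `combine_and` are all mine.

```python
"""Added example (not from the article): FAR/FRR at a sweep of
acceptance thresholds, plus the effect of requiring two independent
factors. The match scores below are constructed, not vendor data."""
from typing import Sequence, Tuple

# Constructed similarity scores on a 0..100 scale (higher = closer to
# the enrolled template). Genuine: the enrolled user; impostor: others.
GENUINE_SCORES = [92, 88, 95, 71, 84, 90, 66, 87, 93, 79]
IMPOSTOR_SCORES = [31, 45, 28, 62, 39, 55, 74, 41, 36, 50]


def far_frr(genuine: Sequence[float], impostor: Sequence[float],
            threshold: float) -> Tuple[float, float]:
    """(FAR, FRR) for the rule 'accept if score >= threshold'.

    FAR = fraction of impostor attempts accepted (the article's
    "chance of fooling the system"); FRR = fraction of genuine
    attempts rejected ("valid user denied access").
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def threshold_sweep(genuine, impostor, thresholds):
    """Raising the threshold lowers FAR and raises FRR; the administrator's
    'acceptance threshold' knob from the article is exactly this sweep."""
    return [(t,) + far_frr(genuine, impostor, t) for t in thresholds]


def combine_and(far1: float, frr1: float,
                far2: float, frr2: float) -> Tuple[float, float]:
    """Accept only when BOTH systems accept, assuming their errors are
    independent (the article's caveat: a stolen token carrying a copy
    of the print breaks that assumption). FAR multiplies, which is the
    0.03 * 0.02 = 0.0006 figure; FRR compounds, because a genuine user
    must now pass both checks."""
    return far1 * far2, 1 - (1 - frr1) * (1 - frr2)


if __name__ == "__main__":
    print("threshold  FAR    FRR")
    for t, far, frr in threshold_sweep(GENUINE_SCORES, IMPOSTOR_SCORES,
                                       range(50, 95, 5)):
        print(f"{t:9d}  {far:.2f}   {frr:.2f}")
    far, frr = combine_and(0.03, 0.05, 0.02, 0.05)
    print(f"two factors ANDed: FAR={far:.4f} FRR={frr:.4f}")
```

On the constructed scores the sweep crosses at a threshold of 70, where FAR and FRR are both 0.1; moving to 60 drops FRR to zero but lets 20 percent of impostors through, and moving to 75 does the reverse. The combined-factor call shows that ANDing two systems with 5 percent FRR each pushes the user-facing rejection rate close to 10 percent even as the FAR falls to 0.0006, which is the part of the tradeoff a vendor quote rarely mentions.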
DON’T MISS THIS WORKSHOP! Doug Gale will present July 31 on “Cybersecurity: What Every CIO Needs to Know” at the Campus Technology 2006 conference in Boston.