Biometrics Revisited
Since our last look at biometrics, some things have changed, but alas,
some have not; hand cream can still thwart the best of readers.
DARN. LOCKED OUT AGAIN. All too often
that was my experience when experimenting
with a fingerprint-based security system back
in 1999. About one time in five I would have to
disable the fingerprint scanner to be able to
log on to my desktop computer. But biometric
identification devices have been getting better
and cheaper. The question is: Are they
ready for prime time?
About Biometric Identification
Biometric identification schemes fall into two
general categories: physiological and behavioral.
Physiological schemes are related to the
physical characteristics of our body and include
fingerprints, iris and retinal scans, as well as
hand and facial characteristics. Behavioral
schemes include keystroke dynamics, signature,
and voice. ("Biometrics Go Mainstream,"
in the April 2006 issue of Campus Technology,
provides an introductory description of the various
biometric identification systems in use.)
How, then, does a biometric system work in practice?
First, a sensor acquires digital information about a biometric
parameter; for example, the shape of your hand.
Then, information from the sensor is processed and features
extracted; for instance, the size of your fingers and
hand. Finally, data about the features are used to construct
a template, which is the synthesis of all the characteristics
that could be extracted from the source. Authentication
is done by comparing a newly generated template
with the one on file.
How Well Do Biometrics Work?
The performance of a biometric system is measured using
two parameters: the false acceptance rate (FAR), which is
the probability that the system will incorrectly accept an
invalid user; and the false rejection rate (FRR), which is
the probability that a valid user will be rejected. Since the
FAR and FRR are inversely related, the point at which the
two values are equal, the EER, or equal error rate, is frequently
cited as a measure of the overall performance of
the system.
The National Institute of Standards and Technology conducts regular tests of commercially
available biometric identification systems. Because of
homeland security considerations, the testing focuses on
fingerprints, face recognition, and iris scans. As would be
expected, iris scans have the best overall performance.
However, because of their relatively high cost and inconvenience to users, they have seen little adoption in higher
education. Some of the NIST results for fingerprint and
face recognition systems are shown below.
The NIST studies illustrate some of the difficulties in
making apples-to-apples comparisons: The accuracy of
results varied widely among vendors, with some vendors
consistently scoring better than others. Note, for example,
the wide range of FRR results for fingerprint systems: 2 to
20 percent. Results also varied depending on test conditions
such as the number of fingers scanned, the subject's
age, or the lighting conditions when taking facial images.
And while the FRR of face recognition under controlled
lighting appears to be similar to that of fingerprints, the fingerprint
data is reported at a far more stringent FAR.
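The FAR/FRR/EER definitions above and the comparison caveat in the NIST discussion can both be checked with a small computation. The following Go program is an added example, not part of the original article and not NIST's test code; its genuine and impostor match scores are constructed, and the matcher that produced them is hypothetical. It sweeps the acceptance threshold, reports the EER, and then reports the FRR at two different FAR budgets to show why an FRR figure says nothing without the FAR it was measured at.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Match scores from a hypothetical matcher: higher means "more similar".
// Genuine scores come from users matched against their own templates,
// impostor scores from users matched against someone else's. Both lists
// are constructed for this example; they are not NIST results.
var genuineScores = []float64{0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.66, 0.90, 0.86, 0.79}
var impostorScores = []float64{0.12, 0.35, 0.08, 0.41, 0.27, 0.19, 0.74, 0.33, 0.05, 0.22}

// ErrorRates returns (FAR, FRR) at acceptance threshold t, where a probe is
// accepted when its score is at least t. FAR counts impostors let in; FRR
// counts genuine users turned away.
func ErrorRates(genuine, impostor []float64, t float64) (far, frr float64) {
	falseAccepts, falseRejects := 0, 0
	for _, s := range impostor {
		if s >= t {
			falseAccepts++
		}
	}
	for _, s := range genuine {
		if s < t {
			falseRejects++
		}
	}
	return float64(falseAccepts) / float64(len(impostor)),
		float64(falseRejects) / float64(len(genuine))
}

// thresholds returns every observed score in ascending order; sweeping
// these is enough because FAR and FRR only change at observed scores.
func thresholds(genuine, impostor []float64) []float64 {
	all := append(append([]float64{}, genuine...), impostor...)
	sort.Float64s(all)
	return all
}

// EqualErrorRate finds the threshold where FAR and FRR are closest and
// reports their average there (the usual convention when the two never
// coincide exactly on a finite sample).
func EqualErrorRate(genuine, impostor []float64) (threshold, eer float64) {
	bestGap := math.Inf(1)
	for _, t := range thresholds(genuine, impostor) {
		far, frr := ErrorRates(genuine, impostor, t)
		if gap := math.Abs(far - frr); gap < bestGap {
			bestGap, threshold, eer = gap, t, (far+frr)/2
		}
	}
	return threshold, eer
}

// FRRAtFAR returns the FRR at the loosest threshold whose FAR stays within
// targetFAR. This is how the NIST figures in the text are stated, and why an
// FRR quoted at one FAR cannot be compared with an FRR quoted at another.
func FRRAtFAR(genuine, impostor []float64, targetFAR float64) (threshold, frr float64) {
	for _, t := range thresholds(genuine, impostor) { // ascending, so the first hit is the loosest
		far, f := ErrorRates(genuine, impostor, t)
		if far <= targetFAR {
			return t, f
		}
	}
	return math.Inf(1), 1 // no threshold meets the budget: reject everyone
}

func main() {
	t, eer := EqualErrorRate(genuineScores, impostorScores)
	fmt.Printf("EER %.0f%% at threshold %.2f\n", eer*100, t)
	for _, far := range []float64{0.10, 0.0} {
		t, frr := FRRAtFAR(genuineScores, impostorScores, far)
		fmt.Printf("FAR <= %.0f%%: FRR %.0f%% at threshold %.2f\n", far*100, frr*100, t)
	}
}
```

With these scores the EER is 10 percent at a threshold of 0.72, while the FRR is 0 percent if a 10 percent FAR is tolerated and 20 percent at a FAR of zero: the same system, two very different-looking numbers. That is the thing to keep in mind whenever an FRR is quoted without the FAR it was measured at.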
Biometric Ticket to Ride
FOR MANY YEARS, DISNEY'S four Orlando theme parks have used
biometrics to prevent sharing or resale of multi-day tickets, as an
alternative to time-consuming photo identification checks. This was
done by recording the geometry and shape of a person's fingers on a
ticket. In the fall of 2006, Disney upgraded the technology to fingerprint
scans. From an image of a person's fingerprint, the system generates
a unique number based on the fingerprint's characteristics.
While Disney has been pleased with the results, privacy advocates
have complained that Disney has used an invasive high-tech security
technology to control admissions to the theme park.
Trends in Biometric Identification
Anil Jain, distinguished professor at Michigan State University and considered one of the nation's leading researchers
in pattern recognition, sees four biometric identification
trends: 1) continuing improvement in sensor technology;
2) continuing improvements in the algorithms used to parameterize
the sensor data; 3) continuing decreases in the
costs associated with biometric identification; and 4) growing
user acceptance. Jain
also believes that widespread adoption will depend on
return on investment (ROI) and user convenience. Companies
such as AuthenTec represent
a good example of the first trend. AuthenTec's fingerprint
sensors use radio frequencies to scan a fingertip
below the surface of the skin, to avoid some of the problems
associated with surface contamination and wear.
As evidence of the second trend, Jain cites improvement
in face recognition algorithms, particularly in controlled
lighting situations. (See "The Algorithm Is Mightier
Than the Chip.") Unfortunately, he notes
that face recognition technologies lack permanence as
people's features change with age, so the template on
file may need to be updated on a regular basis.
As to cost trends, we've come to expect the cost of
solid-state devices to fall, and sensors are no exception:
The cost of a fingerprint sensor on a laptop has fallen from
around $20 four years ago to under $5 in 2007. Are
improvements and lower cost helping user acceptance?
Clearly: AuthenTec shipped its 10 millionth fingerprint sensor
last year, and in the US, laptops are driving the market
as well, with 10 percent of new laptops shipping with fingerprint
readers. (In other parts of the world, mobile
phones represent the greatest use.)
Higher Ed Experiences
Although not widespread, the use of biometrics for identification
is growing in higher education, with applications
broadly grouped into two categories: 1) low-security "time
and attendance," and 2) access to relatively high-security
resources. Examples of the former include the use of fingerprint
readers to log hours worked by students in the IT department
at the University of Kansas and a similar use at Gannon
University (PA) where, according to John Crandall,
associate director of information technology services, the
school has been using a fingerprint identification product
from AIG Technology to replace
paper timecards for 60 hourly employees in two locations.
The Algorithm Is Mightier Than the Chip
THE ALGORITHMS USED to parameterize biometric information
are steadily improving. Periodically, the National Institute of Standards
and Technology conducts large-scale performance
tests on biometric technologies. The Face Recognition
Vendor Test (FRVT) 2006 results show that performance has been
steadily improving, by more than an order of magnitude in the last
four years alone, as shown on the chart below. The graph reveals
the decrease in false rejection rates between 1993 and 2006, at a
constant false acceptance rate of 0.1 percent.
There is more to the story, however. These results were obtained
under controlled illumination, and performance varied between
vendors. While there were similar improvements in performance
under varied lighting conditions, under those parameters the FRR
results of the 2006 evaluations ranged from 0.1 to 0.4. Stated differently,
between 10 and 40 percent of the subjects were rejected
falsely in uncontrolled lighting. Bottom line? It's still hard to pick
out a face in the crowd.
The Gannon system took about two person-weeks of effort
to install, spread over a six-week period, with much of that
work centered around writing the middleware to interface
the product to the institution's payroll system. Initially,
senior management had privacy concerns. But then it was
explained that the system did not store an image of an individual's
fingerprint but, rather, a template based on the fingerprint's
characteristics. That was important, as the templates
were stored on a centralized server located in the
university's data center.
In practice, Gannon has had some problems with false
rejections, which usually have been the result of lotion on an
employee's hands, or residue on the sensor. (The system
includes a provision for manual correction by the employee's
supervisor.) Technologists also found that one person out of
60 did not scan well and required the use of an optional PIN.
But employees' reactions to the system were generally
favorable, so administrators went ahead and made use of
the system as a condition of employment. Crandall said that
the technology met their expectations and that, based on
their experience, they would recommend it to others.
Examples of the use of biometrics for high-security applications
include using fingerprint readers for access to the
data center at Virginia Tech, and utilizing keystroke dynamics
at Berry College (GA), where Director of Network Operations
and Information Security Officer William Souder reports
that biometrics were adopted to improve the security of the
institution's online ERP system. While administrators had not
experienced any problems, they were concerned that over
200 users accessed the system on a regular basis, and wanted
to move to a two-factor authentication process.
The college considered a number of alternatives including
one-time tokens (which generate a temporary password that is only valid for a few moments) and fingerprint scanners,
but after instituting a testing process that included mock
intruders, administrators selected a keystroke dynamics
solution from BioPassword, largely
because of low cost and simplicity (keystroke dynamics
develops a template based upon the way a person types).
The installation, which included training classes, fine-tuning
of end users' templates, and testing with mock intruders,
was relatively easy and took one FTE (full-time equivalent)
of effort for a couple of months. They found the FAR and
FRR to be almost zero, and the user reaction was good
(i.e., ho hum). While Berry has no plans to deploy the system
beyond the ERP application, administrators feel keystroke
dynamics should be considered by other institutions
looking for an inexpensive way to add two-factor authentication
to sensitive administrative applications.
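The sensor, feature-extraction, template and comparison pipeline described under "About Biometric Identification", instantiated for the keystroke dynamics that Berry College chose, as an added example: this is not code from BioPassword or from the original article. The key timings are constructed, the passphrase "pass", the 5 ms spread floor and the 1.5 decision threshold are assumptions, and the mean absolute z-score is one simple matcher among many.

```go
package main

import (
	"fmt"
	"math"
)

// KeyEvent is what the keystroke "sensor" delivers: the key, and when it
// went down and came up, in milliseconds from the first keystroke.
type KeyEvent struct {
	Key    rune
	DownMs float64
	UpMs   float64
}

// Features is the feature-extraction step: the dwell time of every key,
// then the flight time (key-up to next key-down) of every gap.
func Features(events []KeyEvent) []float64 {
	f := make([]float64, 0, 2*len(events))
	for _, e := range events {
		f = append(f, e.UpMs-e.DownMs)
	}
	for i := 1; i < len(events); i++ {
		f = append(f, events[i].DownMs-events[i-1].UpMs)
	}
	return f
}

// Template is what gets stored: per-feature mean and spread, not raw timings.
type Template struct {
	Mean, Std []float64
}

// Enroll builds the template from several typings of the same passphrase.
func Enroll(samples [][]KeyEvent) Template {
	n := float64(len(samples))
	dim := len(Features(samples[0]))
	tpl := Template{Mean: make([]float64, dim), Std: make([]float64, dim)}
	for _, s := range samples {
		for i, v := range Features(s) {
			tpl.Mean[i] += v / n
			tpl.Std[i] += v * v / n // holds E[x^2] until the loop below
		}
	}
	for i := range tpl.Std {
		variance := tpl.Std[i] - tpl.Mean[i]*tpl.Mean[i]
		// Floor the spread at 5 ms (assumed) so an unusually consistent
		// enrollment does not reject the user's everyday jitter.
		tpl.Std[i] = math.Max(math.Sqrt(math.Max(variance, 0)), 5)
	}
	return tpl
}

// Score compares a new typing with the template: mean absolute z-score
// over all features. Lower is closer; 0 would be an exact reproduction.
func Score(tpl Template, probe []KeyEvent) float64 {
	f := Features(probe)
	total := 0.0
	for i, v := range f {
		total += math.Abs(v-tpl.Mean[i]) / tpl.Std[i]
	}
	return total / float64(len(f))
}

// Verify is the authentication decision; the threshold is the FAR/FRR knob.
func Verify(tpl Template, probe []KeyEvent, threshold float64) bool {
	return Score(tpl, probe) <= threshold
}

// typing constructs the events for the passphrase "pass" from four dwell
// times and three flight times (all sample data here is made up).
func typing(dwell [4]float64, flight [3]float64) []KeyEvent {
	ev := make([]KeyEvent, 0, 4)
	t := 0.0
	for i, k := range "pass" {
		ev = append(ev, KeyEvent{Key: k, DownMs: t, UpMs: t + dwell[i]})
		t += dwell[i]
		if i < len(flight) {
			t += flight[i]
		}
	}
	return ev
}

// Four enrollment typings by the owner, a later typing by the owner, and a
// typing by someone who knows the passphrase but not the owner's rhythm.
var enrollment = [][]KeyEvent{
	typing([4]float64{90, 80, 110, 100}, [3]float64{120, 150, 60}),
	typing([4]float64{95, 85, 105, 98}, [3]float64{130, 140, 70}),
	typing([4]float64{88, 78, 115, 104}, [3]float64{115, 155, 55}),
	typing([4]float64{92, 82, 108, 101}, [3]float64{125, 145, 65}),
}
var ownerProbe = typing([4]float64{91, 84, 112, 99}, [3]float64{122, 148, 62})
var impostorProbe = typing([4]float64{60, 60, 60, 60}, [3]float64{300, 300, 300})

func main() {
	tpl := Enroll(enrollment)
	fmt.Printf("owner:    score %.2f accepted=%v\n", Score(tpl, ownerProbe), Verify(tpl, ownerProbe, 1.5))
	fmt.Printf("impostor: score %.2f accepted=%v\n", Score(tpl, impostorProbe), Verify(tpl, impostorProbe, 1.5))
}
```

Note what the stored template is: seven means and seven spreads, from which the original keystrokes cannot be recovered. That is the same property Gannon's management was reassured by for fingerprints, and it is what makes a stolen template less damaging than a stolen raw sample, though, as the article goes on to say, a template can still be replayed to the system that issued it.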
Reservations
Not everyone agrees that the widespread use of biometrics
solves our security challenges. As one observer points out,
"If you think identity theft is bad now, just wait until your fingerprints
wind up in a rogue biometric reader." One of the
advantages of biometric information, its permanence, is
also one of its problems. If someone steals your password
or Social Security number, you can get a new one. If someone
steals your fingerprint (or the template of your fingerprint),
there isn't a way to get a new one.
Two vulnerabilities are of particular concern. The first
occurs if someone steals your biometric template, whether
from a local device, in transit over a network, or from
a central database. The second vulnerability is from rogue
biometric readers outside the control of the authenticator.
For instance, how does an online store know that your digital
fingerprint came from you and not from a hacker who
had access to a restaurant's credit card and fingerprint
reader? (For a description of how a local sensor can be
hacked to intercept biometric data, see eWeek.com's "The
Security of Biometrics: Two Screws and a Plastic Cover.")
A Real Hack
IS THIS WHAT we have to look forward to, if the biometrics trend
takes off? Report from the BBC, Kuala Lumpur, Thursday, March
31, 2005: "Police in Malaysia are hunting for members of a violent
gang who chopped off a car owner's finger to get round the vehicle's
hi-tech security system. The car, a Mercedes S-class, was protected
by a fingerprint recognition system."
Biometric advocates would respond that a skilled
hacker could spoof some sensors but that the risk is
much lower than that associated with password-based
authentication. They would also point to a number of
strategies that can be used to reduce the risk. One is
to never transmit biometric templates over a network;
another is to never store the templates in a central
database where they could be compromised. This
could be accomplished by authenticating against a
template stored on the local hardware. For example,
the biometric template could be stored on a TPM (trusted
platform module) chip (becoming standard on new laptops),
and compared to the output of a fingerprint sensor
(also becoming standard on new laptops). Another strategy
is to encrypt stored templates.
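The strategies just listed (never transmit the template, never store it centrally, keep it on local hardware, encrypt it at rest) can be sketched in code. The following Go program is an added example, not the article's and not any vendor's: it simulates the TPM with in-memory keys, stands in a bit-difference count for a real fingerprint matcher, and uses a shared HMAC key where a real design would use a per-device signing key pair. The template is encrypted with AES-GCM, decrypted only inside the device for the comparison, and the only thing that leaves the device is a verdict bound to the relying party's fresh challenge. It goes one step beyond the text in that binding the verdict to a registered device key also answers the rogue-reader question raised under "Reservations": a reader the relying party never registered cannot produce a verdict it will accept.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device stands in for the laptop's TPM plus fingerprint sensor from the text:
// it holds keys that never leave it and does the comparison locally.
// (Keys live in memory here; a real TPM would keep them inside the chip.)
type Device struct {
	sealKey        []byte      // protects the template at rest
	attestKey      []byte      // authenticates the verdict sent to the relying party
	aead           cipher.AEAD // AES-GCM under sealKey
	SealedTemplate []byte      // nonce || ciphertext: all that is ever written to disk
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: nothing sensible to do but stop
	}
	return b
}

func NewDevice() (*Device, error) {
	d := &Device{sealKey: randomBytes(32), attestKey: randomBytes(32)}
	block, err := aes.NewCipher(d.sealKey)
	if err != nil {
		return nil, err
	}
	d.aead, err = cipher.NewGCM(block)
	return d, err
}

// AttestationKey is handed to the relying party once, at registration (shared secret for brevity).
func (d *Device) AttestationKey() []byte { return d.attestKey }

// Enroll encrypts the template, so a copied disk image reveals nothing about it.
func (d *Device) Enroll(template []byte) {
	nonce := randomBytes(d.aead.NonceSize())
	d.SealedTemplate = append(nonce, d.aead.Seal(nil, nonce, template, []byte("fingerprint-template"))...)
}

// Match is a stand-in comparison, not a real fingerprint matcher (an assumption
// of this example): a probe matches if at most maxDiffBits bits differ.
func Match(template, probe []byte, maxDiffBits int) bool {
	if len(template) != len(probe) {
		return false
	}
	diff := 0
	for i := range template {
		for x := template[i] ^ probe[i]; x != 0; x &= x - 1 {
			diff++
		}
	}
	return diff <= maxDiffBits
}

// verdict is an HMAC over the relying party's challenge under the attestation key.
func verdict(key, challenge []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// Verify decrypts the template inside the device, compares it with the sensor
// output and, on a match, returns a verdict bound to a fresh challenge.
// The template is never returned and never transmitted.
func (d *Device) Verify(probe, challenge []byte) ([]byte, error) {
	ns := d.aead.NonceSize()
	if len(d.SealedTemplate) < ns {
		return nil, errors.New("no template enrolled")
	}
	template, err := d.aead.Open(nil, d.SealedTemplate[:ns], d.SealedTemplate[ns:], []byte("fingerprint-template"))
	if err != nil {
		return nil, err // blob was altered or came from another device
	}
	if !Match(template, probe, 8) {
		return nil, errors.New("biometric mismatch")
	}
	return verdict(d.attestKey, challenge), nil
}

// CheckAssertion is the relying party's side: only a registered device can
// produce a valid verdict, and one replayed against a new challenge fails.
func CheckAssertion(attestKey, challenge, assertion []byte) bool {
	return hmac.Equal(verdict(attestKey, challenge), assertion)
}

func main() {
	d, err := NewDevice()
	if err != nil {
		panic(err)
	}
	template := []byte("constructed-template-bytes-0123456789") // made up for the example
	d.Enroll(template)
	probe := append([]byte{}, template...)
	probe[3] ^= 0x02 // a little sensor noise
	challenge := randomBytes(16) // the relying party's fresh nonce
	assertion, err := d.Verify(probe, challenge)
	fmt.Println("local match:", err == nil, "verdict accepted:", err == nil && CheckAssertion(d.AttestationKey(), challenge, assertion))
}
```

Two properties fall out of the design. The sealed blob cannot be opened by a second device, because the sealing key never leaves the first one, which is the "store it on the TPM" strategy; and a verdict captured on the wire is useless against the next challenge, so the network carries neither the template nor anything that can be replayed as one.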
What's a Technologist to Do?
Indisputably, biometric identification has improved and
now may be the time to get your feet wet with some pilot
projects. I'd suggest some caveats, however. First, start
out with a relatively small user population. If you have 50
employees, a 2 percent FRR means dealing with one
exception (that is, one false rejection). On the other hand,
if you are talking about the 200,000 airline passengers
who travel through the New York City airports daily, a 2
percent FRR means dealing with 4,000 irate passengers
every day. It is essential that your identification strategy
include alternatives to biometric identification, to deal with
the exceptions resulting from false rejections. Even more
important, be very careful about how you transmit and
store biometric templates (a conversation with your institution's
legal counsel might be in order). Finally, you might
consider biometrics in conjunction with another form of
authentication, to provide two-factor authentication. Even in
the age of biometrics, fail-safe is what we continue to strive
for.
-Doug Gale is president of Information Technology Associates, an IT consultancy specializing
in higher education.