Biometrics Revisited

Since our last look at biometrics, some things have changed, but alas, some have not; hand cream can still thwart the best of readers.

DARN. LOCKED OUT AGAIN. All too often that was my experience when experimenting with a fingerprint-based security system back in 1999. About one time in five I would have to disable the fingerprint scanner to be able to log on to my desktop computer. But biometric identification devices have been getting better and cheaper. The question is: Are they ready for prime time?

About Biometric Identification

Biometric identification schemes fall into two general categories: physiological and behavioral. Physiological schemes are related to the physical characteristics of our body and include fingerprints, iris and retinal scans, as well as hand and facial characteristics. Behavioral schemes include keystroke dynamics, signature, and voice. ("Biometrics Go Mainstream," in the April 2006 issue of Campus Technology, provides an introductory description of the various biometric identification systems in use.) Yet, how does a biometric system work in practice?

First, a sensor acquires digital information about a biometric parameter, for example, the shape of your hand. Then, information from the sensor is processed and features extracted, for instance, the size of your fingers and hand. Finally, data about the features are used to construct a template, which is the synthesis of all the characteristics that could be extracted from the source. Authentication is done by comparing a newly generated template with the one on file.

How Well Do Biometrics Work?

The performance of a biometric system is measured using two parameters: the false acceptance rate (FAR), which is the probability that the system will incorrectly accept an invalid user; and the false rejection rate (FRR), which is the probability that a valid user will be rejected. Since the FAR and FRR are inversely related, the point at which the two values are equal, the EER, or equal error rate, is frequently cited as a measure of the overall performance of the system.

The National Institute of Standards and Technology conducts regular tests of commercially available biometric identification systems. Because of homeland security considerations, the testing focuses on fingerprints, face recognition, and iris scans. As would be expected, iris scans have the best overall performance. However, because of their relatively high cost and inconvenience to users, they have seen little adoption in higher education. Some of the NIST results for fingerprint and face recognition systems are shown below.

The NIST studies illustrate some of the difficulties in making apples-to-apples comparisons: The accuracy of results varied widely among vendors, with some vendors consistently scoring better than others. Note, for example, the wide range of FRR results for fingerprint systems: 2 to 20 percent. Results also varied depending on test conditions such as the number of fingers scanned, the subject's age, or the lighting conditions when taking facial images. And while the FRR of face recognition under controlled lighting appears to be similar to that of fingerprints, the fingerprint data is reported at a far more stringent FAR.
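The FAR/FRR trade-off described above, and the reason two FRR figures are only comparable at the same FAR, can be worked through on a small set of matcher scores. This is an added example with constructed scores, not data from the NIST tests or any vendor; the score values and the accept-if-score-at-or-above-threshold rule are assumptions.

```python
from typing import List, Tuple

# Constructed matcher scores (higher = closer match; accept when score >= threshold).
# Illustrative numbers only, not results from any vendor evaluation.
GENUINE = [0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.50, 0.40]
IMPOSTOR = [0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.45, 0.52, 0.58, 0.72]


def far_frr(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """FAR: share of impostor attempts wrongly accepted. FRR: share of genuine attempts wrongly rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def candidate_thresholds(genuine: List[float], impostor: List[float]) -> List[float]:
    """Every observed score is a candidate, plus one value that rejects everything (FAR = 0)."""
    scores = sorted(set(genuine) | set(impostor))
    return scores + [scores[-1] + 1e-9]


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Threshold at which FAR and FRR are closest, and the EER (their mean) at that point."""
    best = None
    for t in candidate_thresholds(genuine, impostor):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def frr_at_far(genuine: List[float], impostor: List[float], target_far: float) -> Tuple[float, float]:
    """Lowest threshold whose FAR does not exceed target_far, and the FRR paid for that choice.

    Raising the threshold lowers FAR and raises FRR, so the first qualifying
    threshold in ascending order is the one with the smallest FRR.
    """
    for t in candidate_thresholds(genuine, impostor):
        far, frr = far_frr(genuine, impostor, t)
        if far <= target_far:
            return t, frr
    raise AssertionError("the final candidate threshold always yields FAR = 0")


if __name__ == "__main__":
    print("EER (threshold, rate):", equal_error_rate(GENUINE, IMPOSTOR))
    for target in (0.1, 0.0):
        print(f"FRR at FAR <= {target}:", frr_at_far(GENUINE, IMPOSTOR, target))
```

Tightening the FAR target from 10 percent to 0 doubles the FRR on these scores, which is why a fingerprint FRR reported at a stringent FAR cannot be set beside a face-recognition FRR reported at a looser one.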

Biometric Ticket to Ride

FOR MANY YEARS, DISNEY'S four Orlando theme parks have used biometrics to prevent sharing or resale of multi-day tickets, as an alternative to time-consuming photo identification checks. This was done by recording the geometry and shape of a person's fingers on a ticket. In the fall of 2006, Disney upgraded the technology to fingerprint scans. From an image of a person's fingerprint, the system generates a unique number based on the fingerprint's characteristics. While Disney has been pleased with the results, privacy advocates have complained that Disney has used an invasive high-tech security technology to control admissions to the theme park.

Trends in Biometric Identification

Anil Jain, distinguished professor at Michigan State University and considered one of the nation's leading researchers in pattern recognition, sees four biometric identification trends: 1) continuing improvement in sensor technology; 2) continuing improvements in the algorithms used to parameterize the sensor data; 3) continuing decreases in the costs associated with biometric identification; and 4) growing user acceptance. Jain also believes that widespread adoption will depend on return on investment (ROI) and user convenience. Companies such as AuthenTec represent a good example of the first trend. AuthenTec's fingerprint sensors use radio frequencies to scan a fingertip below the surface of the skin, to avoid some of the problems associated with surface contamination and wear.

As evidence of the second trend, Jain cites improvement in face recognition algorithms, particularly in controlled lighting situations. (See "The Algorithm Is Mightier Than the Chip.") Unfortunately, he notes that face recognition technologies lack permanence as people's features change with age, so the template on file may need to be updated on a regular basis.

As to cost trends, we've come to expect the cost of solid-state devices to fall, and sensors are no exception: The cost of a fingerprint sensor on a laptop has fallen from around $20 four years ago, to under $5 in 2007. Are improvements and lower cost helping user acceptance? Clearly: AuthenTec shipped its 10 millionth fingerprint sensor last year, and in the US, laptops are driving the market as well, with 10 percent of new laptops shipping with fingerprint readers. (In other parts of the world, mobile phones represent the greatest use.)

Higher Ed Experiences

Although not widespread, the use of biometrics for identification is growing in higher education, with applications broadly grouped into two categories: 1) low-security "time and attendance," and 2) access to relatively high-security resources. Examples of the former include the use of fingerprint readers to log hours worked by students in the IT department at the University of Kansas and a similar use at Gannon University (PA) where, according to John Crandall, associate director of information technology services, the school has been using a fingerprint identification product from AIG Technology to replace paper timecards for 60 hourly employees in two locations.

The Algorithm Is Mightier Than the Chip

THE ALGORITHMS USED to parameterize biometric information are steadily improving. Periodically, the National Institute of Standards and Technology conducts large-scale performance tests on biometric technologies. The Face Recognition Vendor Test (FRVT) 2006 results show that performance has been steadily improving: more than an order of magnitude in the last four years alone, as shown on the chart below. The graph reveals the decrease in false rejection rates between 1993 and 2006, at a constant false acceptance rate of 0.1 percent.

There is more to the story, however. These results were obtained under controlled illumination, and performance varied between vendors. While there were similar improvements in performance under varied lighting conditions, under those parameters the FRR results of the 2006 evaluations ranged from 0.1 to 0.4. Stated differently, between 10 and 40 percent of the subjects were rejected falsely in uncontrolled lighting. Bottom line? It's still hard to pick out a face in the crowd.

The Gannon system took about two person-weeks of effort to install, spread over a six-week period, with much of that work centered around writing the middleware to interface the product to the institution's payroll system. Initially, senior management had privacy concerns. But then it was explained that the system did not store an image of an individual's fingerprint but, rather, a template based on the fingerprint's characteristics. That was important, as the templates were stored on a centralized server located in the university's data center.

In practice, Gannon has had some problems with false rejections, which usually have been the result of lotion on an employee's hands, or residue on the sensor. (The system includes a provision for manual correction by the employee's supervisor.) Technologists also found that one person out of 60 did not scan well and required the use of an optional PIN. But employees' reactions to the system were generally favorable, so administrators went ahead and made use of the system a condition of employment. Crandall said that the technology met their expectations and that, based on their experience, they would recommend it to others.

Examples of the use of biometrics for high-security applications include using fingerprint readers for access to the data center at Virginia Tech, and utilizing keystroke dynamics at Berry College (GA), where Director of Network Operations and Information Security Officer William Souder reports that biometrics were adopted to improve the security of the institution's online ERP system. While administrators had not experienced any problems, they were concerned that over 200 users accessed the system on a regular basis, and wanted to move to a two-factor authentication process.

The college considered a number of alternatives including one-time tokens (which generate a temporary password that is only valid for a few moments) and fingerprint scanners, but after instituting a testing process that included mock intruders, administrators selected a keystroke dynamics solution from BioPassword, largely because of low cost and simplicity (keystroke dynamics develops a template based upon the way a person types). The installation, which included training classes, fine-tuning of end users' templates, and testing with mock intruders, was relatively easy and took one FTE (full-time equivalent) of effort for a couple of months. They found the FAR and FRR to be almost zero, and the user reaction was good (i.e., ho hum). While Berry has no plans to deploy the system beyond the ERP application, administrators feel keystroke dynamics should be considered by other institutions looking for an inexpensive way to add two-factor authentication to sensitive administrative applications.

Reservations

Not everyone agrees that the widespread use of biometrics solves our security challenges. As one observer points out, "If you think identity theft is bad now, just wait until your fingerprints wind up in a rogue biometric reader." One of the advantages of biometric information, its permanence, is also one of its problems. If someone steals your password or Social Security number, you can get a new one. If someone steals your fingerprint (or the template of your fingerprint), there isn't a way to get a new one.

Two vulnerabilities are of particular concern. The first occurs if someone steals your biometric template, whether from a local device, while it is in transit over a network, or from a central database. The second vulnerability is from rogue biometric readers outside the control of the authenticator. For instance, how does an online store know that your digital fingerprint came from you and not from a hacker who had access to a restaurant's credit card and fingerprint reader? (For a description of how a local sensor can be hacked to intercept biometric data, see eWeek.com's "The Security of Biometrics: Two Screws and a Plastic Cover.")

A Real Hack

IS THIS WHAT we have to look forward to, if the biometrics trend takes off? Report from the BBC, Kuala Lumpur, Thursday, March 31, 2005: "Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system. The car, a Mercedes S-class, was protected by a fingerprint recognition system."

Biometric advocates would respond that a skilled hacker could spoof some sensors but that the risk is much lower than that associated with password-based authentication. They would also point to a number of strategies that can be used to reduce the risk. One is to never transmit biometric templates over a network; another is to never store the templates in a central database where they could be compromised. This could be accomplished by authenticating against a template stored on the local hardware. For example, the biometric template could be stored on a TPM (trusted platform module) chip (becoming standard on new laptops), and compared to the output of a fingerprint sensor (also becoming standard on new laptops). Another strategy is to encrypt stored templates.

What's a Technologist to Do?

Indisputably, biometric identification has improved and now may be the time to get your feet wet with some pilot projects. I'd suggest some caveats, however. First, start out with a relatively small user population. If you have 50 employees, a 2 percent FRR means dealing with one exception (that is, one false rejection). On the other hand, if you are talking about the 200,000 airline passengers who travel through the New York City airports daily, a 2 percent FRR means dealing with 4,000 irate passengers every day. It is essential that your identification strategy include alternatives to biometric identification, to deal with the exceptions resulting from false rejections. Even more important, be very careful about how you transmit and store biometric templates (a conversation with your institution's legal counsel might be in order). Finally, you might consider biometrics in conjunction with another form of authentication, to provide two-factor authentication. Even in the age of biometrics, fail-safe is what we continue to strive for.

-Doug Gale is president of Information Technology Associates, an IT consultancy specializing in higher education.