BLOG: Biometric Authentication
October 15, 2008

Biometrics seems to be the utopia in access control, with the promise of no more calls to the IT help desk complaining of forgotten passwords or lost hardware tokens, but unfortunately it’s just not that simple in the real world. Biometric authentication devices are used to measure something a person is. They compare a physical (fingerprint / voice) or behavioural (keystrokes / signature) trait with a stored value. Combine this with something a person knows, such as a PIN or a password, and it forms a strong two-factor authentication scheme.
Traditionally only used in high security military establishments, the last few years have witnessed an explosive growth in this technology for the workplace. From single-user fingerprint scanners to high-tech facial recognition, biometric systems are being touted as the answer to a lot of security problems.
Over the last ten years researchers, hardware engineers and product houses have been looking at ways to bring this technology into our everyday lives in a form whose speed, accuracy, reliability and user acceptability are all adequate for modern day use. Traditionally there have been two main concerns with these systems: biometric system effectiveness and social acceptance.
Below I’ve displayed a table of some example biometric systems and where they fit into these two areas. Of course these are just some of the systems available.
| Devices in order of Effectiveness | Devices in order of acceptance |
|
|
| SOURCE: (ISC)2 CISSP Seminar Reviews | |
Biometric Effectiveness
When we talk about biometric effectiveness we think of its usability, its ability to authenticate authorised individuals and reject those that are not authorised (accuracy and uniqueness), and finally its ability to work well for the given task without any degradation in performance over time.
Accuracy is obviously the most important characteristic for a biometric system, because it is this accuracy and the ability to uniquely authorize or reject individuals that form the barrier of protection we’re looking for.
Biometric systems can be tweaked to be more or less restrictive in who or what they find acceptable when authenticating a user. To help understand this, there are three terms used by biometric systems that we can use to measure their effectiveness.
A False reject rate is the rate at which authentic enrolled users are rejected. This is typically not seen as an important problem in most environments; however, if you’re using a biometric in a customer environment, such as a replacement for tickets in a theme park, then false reject rates become much more important. A theme park wouldn’t want to upset its customers so is much happier to have a higher rate of false reject rates.
A False accept rate is the rate at which an unauthorised, un-enrolled person is accepted as an authentic user. This is the most important error in the majority of environments.
The Cross-over error rate is the point at which the false reject rate and the false accept rate are equal to each other, or cross over if charted (in a graph). It is a form of measurement for a biometric system’s usefulness and is often the default point to which a biometric system is installed and tweaked. As time goes on the business may decide they want to be more or less strict with their authentication scheme, changing the cross-over error rate position.
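How the three rates relate can be seen by sweeping a match threshold over sample scores. This is an added example, not part of the original post; the scores are constructed and the matcher that produced them is hypothetical.

```python
# Constructed similarity scores (0.0 to 1.0) from a hypothetical matcher.
# GENUINE: enrolled users matched against their own template.
# IMPOSTOR: un-enrolled people matched against someone else's template.
GENUINE = [0.91, 0.85, 0.78, 0.74, 0.69, 0.66, 0.62, 0.58, 0.47, 0.35]
IMPOSTOR = [0.12, 0.18, 0.22, 0.27, 0.31, 0.36, 0.41, 0.49, 0.52, 0.63]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # false accepts
    frr = sum(s < threshold for s in genuine) / len(genuine)     # false rejects
    return far, frr


def crossover(steps=20, genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep thresholds 0, 1/steps, ..., 1 and return (threshold, FAR, FRR)
    at the point where FAR and FRR are closest, i.e. the cross-over point."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


if __name__ == "__main__":
    print("threshold   FAR    FRR")
    for i in range(0, 21, 2):
        t = i / 20
        far, frr = error_rates(t)
        print(f"   {t:.2f}    {far:.2f}   {frr:.2f}")
    t, far, frr = crossover()
    print(f"cross-over at threshold {t:.2f}: FAR={far:.2f}, FRR={frr:.2f}")
```

Raising the threshold above the cross-over point trades false accepts for false rejects, and lowering it does the reverse, which is the tuning decision described above.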
Biometric Acceptance
Primarily, acceptance is based on users and how they accept the system, but acceptance from a business point of view must also be taken into account prior to any choice and implementation.
A user may want assurance that a system is not hazardous to the health of its users. It must not impede personnel movement or cause any form of production delays, and must not enable management to collect personal or health related information about individuals. Some users are also concerned about making physical contact with surfaces or devices that untold numbers of other people have touched before them, primarily because of a higher fear of modern day contagious diseases.
A business needs to ensure that the enrolment time (the time it takes a user to be added/enrolled on the system) is acceptable, otherwise people get frustrated and queues form quickly. The industry accepted time is 2 minutes per person. Most systems on the market today can meet this standard. The speed and throughput of day-to-day use is another area of concern. Again, acceptable industry standards say a system speed of 5 seconds from start-up to decision making is acceptable. It is only recently that biometric systems have met this measure.
Today’s Biometric uses
Biometrics, despite some high priced systems, are making progress and are being rolled out in conventional businesses. Some examples of this include roll out of systems in healthcare, entertainment and finance environments.
Unfortunately the units are very specialist, don’t tend to link up to each other and often require specialist equipment to be installed (physical characteristics as opposed to behavioural characteristics).
Some thoughts for choosing a biometric system
- System performance of any biometric system should be tested independently – ideally in a live environment.
- Potential users/businesses should always ask for reference customers and if possible request a site visit.
- Systems may suit different sized businesses. What might work well for a mid-sized business may be a poor performer in a larger organisation.
- System maintenance should be thought about. Some systems may need cleaning daily for example.
- How susceptible is a system to sabotage or deliberate damage?
- What happens if your system breaks and stops working? How do people get into a building, etc.?
- Is a system acceptable from a user point of view? Would your users mind touching physical devices (given contagious diseases etc.)? Is the system non-intrusive?
The future of biometrics
The future of biometrics is limited only by one’s imagination. Imagine arriving home from work, walking up to your front door and, ping, it pops open because the house has recognised your face as you arrived home. Or perhaps there will be a day when you go to open your car, you pull the handle and your fingerprints are read to unlock the car. Your neighbour tries the same thing, pulls the handle and the alarm goes off because they are not authorised in your car.
There are many practical uses for biometrics in the real world. We need to get the systems to a point where users are happy to accept their introduction, where they are cheap and practical enough to use, and where they are resistant to damage, dirt, grease and so forth, so that they can be used under all sorts of circumstances without performance degradation.
Final thoughts
Many biometric systems are available today. Some work and some work not so well. They are often very specific systems for very specific uses at the moment (such as user authentication), and we have yet to see the proliferation of a large and integrated system that does not require the user to plug the device into their USB or parallel ports. There is no doubt biometrics is the way forward, but are we there yet? Probably not.
So far it has taken over 10 years just to get the systems to a useable form and fairly inexpensive (under £100 per unit), but they still have some way to go. We will see different systems being used for different requirements and may even see the combination of different biometric systems to form a strong two factor authentication.
If biometrics are to succeed they need to match their environment, be integrated much more into other hardware, and fall much further in cost per unit. At the backend their systems must require low maintenance and offer ongoing protection with no system degradation.
Most importantly biometrics will succeed providing they offer continuing, transparent and positive identification in a non-intrusive manner. One such system perhaps is a camera on your PC that is programmed to check the operator identity every 30 seconds. It opens a 5 second window to acquire a good picture and if it can’t acquire the data or doesn’t authorize the individual the screen can be locked. This is ideal if someone else sits down at a PC or an individual gets up for a coffee because as soon as the individual comes back the system authenticates a valid user once more and provides access.
For the paranoid, we could easily combine this system with a fingerprint reader on the first button of the mouse, which has to authenticate a user’s fingerprint every 10 minutes or each time a user wants to access an encrypted file.
There is no doubt that biometrics, implemented correctly, will bring major increases in information security protection and while some systems exist today we still have some way to go before low maintenance, low cost, user acceptable, continuous, transparent and positive identification systems are brought into the real world – but we’ll get there.
















