What is biometrics?
(1) General: Biometrics is the science of measuring physical properties of living beings.
(2) ISO/IEC: Biometrics is the automated recognition of individuals based on their behavioral and biological characteristics.
What is biometric recognition?
By measuring an individual's suitable behavioral and biological characteristics in a recognition inquiry and comparing these data with the biometric reference data that were stored during a learning procedure, the identity of a specific user is determined.
What is a biometric characteristic?
A biometric characteristic is a biological or behavioral property of an individual that can be measured and from which distinguishing, repeatable biometric features can be extracted for the purpose of automated recognition of individuals. Example: face.
What is a biometric sample?
A biometric sample is the analog or digital representation of biometric characteristics prior to the biometric feature extraction process, obtained from a biometric capture device or a biometric capture subsystem. Example: electronic face photograph.
A biometric sample is usually delivered by a sensor, the main component of a biometric capture device. Generally, the biometric sample, often called raw data, comprises more information than is necessary for recognition. In many cases, the biometric sample is a direct image of the biometric characteristic, such as a photograph.
What are biometric features?
Biometric features are information extracted from biometric samples which can be used for comparison with a biometric reference. Example: characteristic measures extracted from a face photograph, such as eye distance or nose size.
The aim of extracting biometric features from a biometric sample is to remove any superfluous information which does not contribute to biometric recognition. This enables a fast comparison and improved biometric performance, and may have privacy advantages.
What is a biometric reference?
A biometric reference comprises one or more stored biometric samples, biometric templates, or biometric models attributed to a biometric data subject which can be used for comparison.
Stored biometric features are called a biometric template. A biometric model is a stored function (dependent on the biometric data subject) generated from biometric features, which is applied to the biometric features of a recognition biometric sample during a comparison to give a comparison result.
What is a biometric template?
A biometric template is a special case of a biometric reference, where biometric features have been stored for the purpose of a comparison. (The comparison is done during the recognition process between the stored biometric template and the actual biometric features which have been extracted from the biometric data coming from the biometric capture device or sensor.)
What is enrolment?
To be able to recognize a person by their biometric characteristics and the derived biometric features, a learning phase must first take place. This procedure is called enrolment and comprises the creation of an enrolment data record of the biometric data subject (the person to be enrolled) and its storage in a biometric enrolment database. The enrolment data record comprises one or multiple biometric references and arbitrary non-biometric data such as a name or a personnel number.
How does biometric recognition work?
For the purpose of recognition, the biometric data subject (the person to be recognized) presents his or her biometric characteristic to the biometric capture device, which generates a recognition biometric sample from it. From the recognition biometric sample, the biometric feature extraction creates biometric features which are compared with one or multiple biometric templates from the biometric enrolment database. Due to the statistical nature of biometric samples, an exact match is generally not possible. For that reason, the decision process will only assign the biometric data subject to a biometric template and confirm recognition if the comparison score exceeds an adjustable threshold.
What are the requirements for a biometric characteristic?
In the development of biometric identification systems, physical and behavioral characteristics for recognition are required
What are the most well-known biometric characteristics?
| Biometric characteristic | Description of the features |
| --- | --- |
| Fingerprint | Finger lines, pore structure |
| Signature (dynamic) | Writing with pressure and speed differentials |
| Facial geometry | Distance of specific facial features (eyes, nose, mouth) |
| Iris | Iris pattern |
| Retina | Eye background (pattern of the vein structure) |
| Hand geometry | Measurement of fingers and palm |
| Finger geometry | Finger measurement |
| Vein structure of hand | Vein structure of the back or palm of the hand or a finger |
| Ear form | Dimensions of the visible ear |
| Voice | Tone or timbre |
| DNA | DNA code as the carrier of human heredity |
| Odor | Chemical composition of one's body odor |
| Keyboard strokes | Rhythm of keyboard strokes (PC or other keyboard) |
| Password | Sequence of letters and digits memorized in the brain |
What factors contribute to a biometric characteristic's development?
Biometric characteristics develop:
(Table of developmental factors per biometric characteristic; only the row labels survived extraction, the factor columns did not.) Rows: Fingerprint (only minutia); Signature (dynamic); Facial geometry; Iris pattern; Retina (vein structure); Hand geometry; Finger geometry; Vein structure of the hand; Ear form; Voice (tone); DNA; Odor; Keyboard strokes; Comparison: Password.
*Randotypic patterns often show genotypic traits in their overall structure. These genotypic traits may disappear with increasing refinement (e.g., the development of branches on a tree).
**Most implementations react to learning effects to various degrees, and therefore have behavioral contributions that cannot be neglected.
How does the manner of formation influence the usefulness of biometric characteristics?
Even though the type of developmental factor does not solely determine a biometric characteristic's usefulness, there are a few things to take into account:
How does one recognize randotypic characteristics?
The following must be considered:
Which biometric characteristics are most constant over time?
Reasons for variation over time:
| Biometric characteristic | Permanence over time |
| --- | --- |
| Fingerprint (Minutia) | oooooo |
| Signature (dynamic) | oooo |
| Facial structure | ooooo |
| Iris pattern | ooooooooo |
| Retina | oooooooo |
| Hand geometry | ooooooo |
| Finger geometry | ooooooo |
| Vein structure of the hand | oooooo |
| Ear form | oooooo |
| Voice (Tone) | ooo |
| DNA | ooooooooo |
| Odor | oooooo? |
| Keyboard strokes | oooo |
| Comparison: Password | ooooo |
Which biometric characteristics are most suitable for recognition purposes?
Prior to comparing the relative worth of different biometric characteristics, we must define the appropriate criteria to be used. For these purposes, we will use four categories:
| Biometric characteristic | | | | |
| --- | --- | --- | --- | --- |
| Fingerprint | ooooooo | ooooooo | oooo | ooo |
| Signature (dynamic) | ooo | oooo | ooooo | oooo |
| Facial geometry | ooooooooo | oooo | ooooooo | ooooo |
| Iris | oooooooo | ooooooooo | oooooooo | oooooooo |
| Retina | oooooo | oooooooo | ooooo | ooooooo |
| Hand geometry | oooooo | ooooo | oooooo | ooooo |
| Finger geometry | ooooooo | ooo | ooooooo | oooo |
| Vein structure of the hand | oooooo | oooooo | oooooo | ooooo |
| Ear form | ooooo | oooo | ooooooo | ooooo |
| Voice | oooo | oo | ooo | oo |
| DNA | o | ooooooo | ooooooooo | ooooooooo |
| Odor | ? | oo | ooooooo | ? |
| Keyboard strokes | oooo | o | oo | o |
| Comparison: Password | ooooo | oo | oooooooo | o |
As one can see, determining an 'optimal' biometric characteristic is hardly possible. Among the biometric characteristics ranking high in accuracy, fingerprints currently have the lowest costs. The iris rates high in all categories, unfortunately including cost. If costs were to fall significantly, the iris would be ideal. DNA loses points in accuracy because it cannot differentiate between monozygotic twins today (analyzing mutational information may help in the future).
What is authentication, identification, and verification?
Here we define authentication as the process of determining the identity of a person and confirming his or her authenticity.
In multi-user systems, authentication usually comprises an identification and a verification. The identification part confirms that the identity, usually given by a unique identifier such as a user name, is known to the system. If identification was successful, in the next step the identity is verified using a verifier, such as a secret shared between the person to be authenticated and the authenticating system. Usually, identifiers are considered public whereas verifiers are secrets, like a key pattern or a password. Authentication is often combined with authorization. Authorization is the process of assigning certain rights or permissions to a person.
What is biometric authentication?
Authentication may take advantage of biometrics by using a biometric characteristic as identifier or as verifier. When using biometrics as an identifier, uniqueness (a very low FAR) is an essential requirement, especially for large numbers of users. When using biometrics as a verifier, the biometric characteristic may be viewed either as a secret or as public. In the latter case, it is essential that fake detection is provided against mechanical copies of the biometric characteristic.
What are the fundamental methods of authentication?
Biometrics: "Who I am"
What are the advantages of biometric systems for authentication?
Advancing automation and the development of new technological systems, such as the internet and cellular phones, have led users to rely more often on technical means rather than on human beings for authentication. Personal identification has taken the form of secret passwords and PINs. Everyday examples requiring a password include the ATM, the cellular phone, or internet access on a personal computer. So that a password cannot be guessed, it should be as long as possible, not appear in a dictionary, and include special symbols such as +, -, %, or #. Moreover, for security purposes, a password should never be written down, never be given to another person, and should be changed at least every three months. When one considers that many people today need up to 30 passwords, most of which are rarely used, and that the expense and annoyance of a forgotten password is enormous, it is clear that users are forced to sacrifice security due to memory limitations. While the password is very machine-friendly, it is far from user-friendly.
There is a solution that returns to the ways of nature. In order to identify an individual, humans distinguish physical characteristics such as facial structure or the sound of the voice. Biometrics, as the science of measuring and compiling distinguishing physical characteristics, now recognizes many further features as ideal for the definite identification even of an identical twin. Examples include the fingerprint, the iris, and vein structure. In order to perform recognition tasks at the level of the human brain (assuming that the brain would use only one single biometric characteristic), 100 million computations per second are required. Only recently have standard PCs reached this speed, and at the same time the sensors required to measure characteristics are becoming cheaper and cheaper. Therefore, the time has come to complement the password with a more user-friendly solution: biometric authentication. Based on user-friendliness, biometrics, when used as an alternative authentication component, offers the chance to reduce cost significantly without loss of security. As an addendum to traditional methods, biometrics may even be used in highly vulnerable areas. Since the definition of biometrics includes behavioral characteristics, one may consider the password as a limiting case of a biometric characteristic. In this light, the answers above are put into perspective, inasmuch as they show the large bandwidth of properties of biometric characteristics, not only concerning the difference between biological characteristics and passwords.
What are the characteristics of the various authentication methods?
(Table comparing the authentication methods by the criteria Examples, Copied, Lost, Stolen, Circulated, Changed; the method columns did not survive extraction.)
What is the difference between biometric identification and biometric verification?
In a biometric identification, the recognition biometric features are compared to many or all biometric references stored in the system.
In a biometric verification, the recognition biometric features are compared to only one biometric reference stored in the system. If a system has only one saved biometric reference, identification is similar to verification. Otherwise, biometric verification is a limiting case of biometric identification.
What are the advantages of biometric verification over biometric identification?
What is the difference between positive and negative identification?
In a positive identification the user wants to be identified; in the negative case the user tries to avoid successful identification. For example, a thief is not interested in being identified by comparing the latent prints from the scene of a crime with his fingerprints. This is a negative identification. If I am authorized to get access to my office, I am strongly interested in being identified, e.g., by iris recognition. This is a positive identification.
The main impact of positive versus negative identification concerns user cooperation. In the negative case the user is not willing to cooperate (even if he is "innocent") at the stage of feature acquisition. Therefore, a negative identification often needs observation. Even the sensor may be affected by the type of identification: for example, negative fingerprint identification needs full-size sensors and ten-print treatment, at least for the enrolment process.
What are the main uses of biometric identification and biometric verification?
Fighting Crime
Security Comfort
Which organizations attend to standardizing biometric systems?
Which biometric standards are available now?
The current status of biometric standards is found on the iso.org page (see Information Sources).
Is there any standard for biometric terms?
Yes. Within working group 1 of ISO/IEC JTC 1 SC37 a document called "Harmonized Biometric Vocabulary" (ISO/IEC 2382-37) has been prepared. An HTML version of this vocabulary is found under Information Sources. The national bodies are responsible for translations.
What captures biometric characteristics?
For recording and converting biometric characteristics into usable computer data, one needs a biometric capture device with an appropriate sensor (see table). Of course, costs can vary greatly for different sensors. However, we must not forget that many technical devices already have sensors built in, and therefore offer possibilities to measure biometric characteristics nearly free of cost.
| Biometric characteristic | Sensor |
| --- | --- |
| Fingerprint (Minutia) | capacitive, optic, thermal, acoustic, pressure sensitive |
| Signature (dynamic) | Tablet |
| Facial structure | Camera |
| Iris pattern | Camera |
| Retina | Camera |
| Hand geometry | Camera |
| Finger geometry | Camera |
| Vein structure of the hand | Camera (infrared) |
| Ear form | Camera |
| Voice (Timbre) | Microphone |
| DNA | Chemical lab |
| Odor | Chemical sensors |
| Keyboard strokes | Keyboard |
| Comparison: Password | Keyboard |
What makes up a biometric authentication system?
A basic biometric system is made up of:
What computation speeds are required by a biometric authentication system?
Generally, computation speeds adequate for pattern recognition are required. This is about 100 million operations per second, which affordable hardware (PC, DSP) has attained since about 1998.
How do enrolment and biometric authentication work?
A prerequisite for authentication is enrolment, in which the biometric features are saved as a personal reference, either decentrally on a chip card or PC, or centrally in a database. Since the quality of the enrolment essentially determines the performance of the authentication, it must be implemented carefully. It is obvious that enrolment must take place in a trustworthy environment.
During an authentication, a new scan of the biometric characteristic is required. This time it is not saved; instead, it is compared to the biometric reference(s). If the comparison shows sufficient similarity, access to the appropriate applications, for example, can be granted. Most biometric systems follow this procedure in detail:
What are the advantages of using a combination of chip card and biometrics?
In authentication, possession of a chip card combined with biometric methods may further increase reliability. Not only are biometric references saved on the chip card, but also the identity data of the user. For authentication, the chip card plus capture of the biometric characteristic is required. The following advantages result:
What is "Template on Card"?
With "Template on Card", a chip card electronically stores the extracted biometric template as the biometric reference. There are different ways of realization:
What might PC access control with "Template on Card" look like?
We consider the following implementation possibilities:
(1) The chip card is a pure memory card, storage is unencrypted. During enrolment, a PC connected to a biometric sensor extracts the biometric features and subsequently stores them as the biometric reference on the chip card. At verification, the access seeker inserts her chip card into the chip card reader, and her biometric characteristic is scanned again. The scanned biometric characteristic is then compared at the PC to the reference stored on the chip card. If the comparison exceeds a certain level of similarity, full clearance to the network is granted by sending the decrypted password (which is stored encrypted on the PC) from the PC to the server.
(2) The chip card is a pure memory card, storage is encrypted. As above. Additionally, however, decryption of the reference from the card is done on the PC or, better yet, on the server with a securely stored key. Alternatively, the comparison should likewise take place on the server; in that case the currently extracted biometric features are transmitted securely from the PC to the server.
(3) The chip card is a processor card (smart card) with crypto functions. The communication partners of the crypto card are a PC, a biometric sensor and a protected server. During a log-on attempt, the crypto card and the server establish a secured connection. The server retrieves the reference data from the crypto card. Simultaneously, the PC extracts the biometric features from the sensor's raw data (biometric sample) and sends them (potentially secured by a one-time key) to the server, where they are compared to the card's biometric reference. If the comparison is positive, the PC grants access to the network drives.
What is "Matcher on Card"?
Chip cards with an integrated biometric comparator do not only store the reference; they also compare the biometric template with the incoming biometric features. For that reason the card needs an internal processor ("smart card").
What are the features of Matcher on Card?
Advantage against other solutions:
Drawback: There is only limited processing power and memory space available on the smart card. This requires some compromises with regard to biometric recognition performance.
Which measures reflect the effectiveness of a biometric authentication system?
False Acceptance Rate (FAR)
How is the Failure-to-Enrol Rate (FER/FTE) defined in detail?
Due to the statistical nature of the failure-to-enrol rate, a large number of enrolment attempts have to be undertaken to get statistically reliable results. An enrolment can be successful or unsuccessful. The probability of lack of success (FER(n)) for a certain person is measured:
Finally, the result of an enrolment attempt has to be defined exactly: an enrolment attempt is successful if the user interface of the application provides a "successful" or "finished" message.
What needs to be considered in the definition of FRR?
Even though the false rejection rate, FRR, is intuitively easy to understand, there can be many problems when trying to fix an unequivocal or universal definition. The following must be taken into account:
How is FRR defined in detail?
Due to the statistical nature of the false rejection rate, a large number of verification attempts have to be undertaken to get statistically reliable results. A verification can be successful or unsuccessful. In determining the FRR, only fingerprints from successfully enrolled users are considered. The probability of lack of success (FRR(n)) for a certain person is measured:
Important: the FRR determined this way counts both poor picture quality and other rejection reasons, such as finger position, rotation, etc., among the reasons for rejection. In many systems, however, rejections due to bad quality are generally independent of the threshold. The FRR after quality filtering is defined analogously:
Finally, the result of a verification attempt has to be defined exactly: a verification attempt is successful if the user interface of the application provides a "successful" message or if the desired access is granted.
What needs to be considered in the definition of FAR?
Similar to the FRR, the false acceptance rate can be defined in different ways.
How is FAR defined in detail?
Due to the statistical nature of the false acceptance rate, a large number of fraud attempts have to be undertaken to get statistically reliable results. A fraud attempt can be successful or unsuccessful. The probability of success (FAR(n)) against a certain enrolled person n is measured:
Whether a correct rejection is due to poor picture quality or really to a person's unauthorized status remains (just as in practice) extraneous. The crucial number for the determination of statistical significance is the number of independent attempts. Obviously, two attempts in which alternately one person is the reference and the other places the request are not independent of each other. Likewise, multiple attempts by one unauthorized user are considered dependent and therefore carry less weight for statistical significance. Finally, the following items have to be settled or defined, respectively:
A fraud attempt is successful if the user interface of the application provides a "successful" message or if the desired access is granted.
How is the probability distribution function measured for a biometric system's authorized and unauthorized users?
In order to investigate the performance of a biometric verification system, one looks at how the system reacts to a large number of inquiries for biometric features from authorized as well as unauthorized users. Due to natural fluctuations and measurement imperfections, the results of such an investigation are never absolutely certain; they are only predictable to a certain extent. In order to determine the error rates "false acceptance" and "false rejection", the yes/no decisions "authorized/unauthorized" are not used; instead, the underlying degree of similarity between an inquiry and the saved reference features is. In a series of measurements, similarity ratings ("score values") are collected for authorized and unauthorized users. Then the frequency of occurrence is counted for every similarity rating. After normalization with the total number of inquiries, both resulting histograms form an approximation to the probability distribution function. They show the measured estimate of the probability that a certain similarity rating (n) occurs for authorized users (pB(n)) and unauthorized users (pN(n)):
In an ideal case (unfortunately unachievable), the two distribution curves do not overlap. That means inquiries from unauthorized users have the low similarity ratings, whereas all the high similarity ratings belong to authorized users. In such a case it is easy to define a decision threshold that clearly differentiates between authorized and unauthorized users. In practice, however, there is always an overlap when the number of users is high enough. A typical diagram:
How do the FAR/FRR paired graphs affect a biometric system?
The error graphs of FAR and FRR are defined, respectively, as the probability that an unauthorized user is accepted as authorized, and that an authorized user is rejected as unauthorized. The curves depend on an adjustable decision threshold for the similarity of a scanned biometric characteristic to a saved reference. The following derivations apply under the assumption that a similarity rating can be any whole number between 0 and K, and that, for simplicity's sake, the probability of the value K occurring is 0. It also makes sense in practical applications to first consider the FMR and the FNMR and later extract the threshold-independent rejections due to insufficient image quality from the FAR and FRR. Furthermore, we assume that acceptance requires the coincidence of two features and rejection requires their non-coincidence.
If a general probability distribution function p is given for discrete similarity values n, the probability PM(th) that the scanned biometric characteristic with similarity rating n falls below the threshold th ("misses") is:
How does one determine the Receiver Operating Characteristic (ROC) of a biometric system?
The FAR/FRR curve pair is excellently suited to setting an optimal threshold for the biometric system. As a further predictor of a system's performance, however, it is limited. This is partially due to the interpretation of the threshold and similarity measures. The definition of the similarity measure is a question of implementation. Almost arbitrary scalings and transformations are possible, which affect the appearance of the FAR/FRR curves but not the FAR/FRR values at a given threshold. A popular example is the use of a "distance measure" between the biometric reference and the scanned biometric features: the greater the similarity, the smaller the distance. The result is a mirror image of the FAR/FRR curves. A favorite trick is to stretch the scale of the FAR/FRR curves near the EER (Equal Error Rate: FAR(th) = FRR(th)), i.e., by using more threshold values there, thus making the system appear less sensitive to threshold changes.
In order to compare different systems effectively, a description independent of threshold scaling is required. One such example from radar technology is the Receiver Operating Characteristic (ROC), which plots FRR values directly against FAR values, thereby eliminating the threshold parameter. The ROC, like the FRR, can only take on values between 0 and 1 and is limited to values between 0 and 1 on the x axis (FAR). It has the following characteristics:
Remark 1: Instead of "ROC", sometimes the term "DET" (Detection Error Tradeoff) is used. In those cases, the term "ROC" is reserved for the complementary plot of 1 - FRR against FAR.
Remark 2: For ROC and DET, the comparison error rates FNMR and FMR are often taken instead of the system error rates FRR and FAR. This has a few mathematical advantages, but it represents practice completely only if FTA (Failure to Acquire) and, in the generalized case, FTE (Failure to Enrol) are actually 0, so that FRR = FNMR and FAR = FMR. As a consequence, ROCs and DETs on the basis of FNMR/FMR are suitable as a comparison measure for complete systems only under this (exceptional) condition! Furthermore, it should be noted that EER values also depend on whether they are defined via FNMR/FMR or FRR/FAR. A comparison of the EERs of different systems is only reasonable if the definitions coincide.
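To make the measurement procedure of the last three answers concrete (pB(n) and pN(n) from score histograms, FRR and FAR as functions of the threshold th, the EER, and DET/ROC points), here is an added Python example that is not part of the original FAQ. It uses constructed scores and K = 10, and folds FTA into the system rates with the ISO/IEC 19795-1 relation, which is my addition rather than a formula from this page.

```python
from collections import Counter
from fractions import Fraction
from typing import Dict, List, Sequence, Tuple

K = 10  # similarity ratings are whole numbers 0..K; p(K) = 0 as in the text

# Constructed sample scores (NOT measured data): one comparison score per
# inquiry. Authorized ("B") scores cluster high, unauthorized ("N") scores
# low, with the overlap in the middle that the text says is unavoidable.
GENUINE_SCORES = [9, 8, 9, 7, 8, 6, 9, 8, 5, 7, 8, 9, 4, 7, 8, 6, 9, 8, 7, 9]
IMPOSTOR_SCORES = [1, 2, 0, 3, 1, 2, 4, 1, 0, 2, 3, 1, 5, 2, 1, 0, 2, 6, 1, 3]

Pdf = Dict[int, Fraction]


def histogram(scores: Sequence[int]) -> Pdf:
    """Normalized frequency of every rating n (0..K): the text's pB(n) or pN(n).
    Fractions keep the arithmetic exact, so equal FAR/FRR values compare equal."""
    counts = Counter(scores)
    return {n: Fraction(counts.get(n, 0), len(scores)) for n in range(K + 1)}


def miss_probability(p: Pdf, th: int) -> Fraction:
    """PM(th): probability that a rating drawn from p falls below threshold th."""
    return sum((p[n] for n in range(min(th, K + 1))), Fraction(0))


def fnmr(p_b: Pdf, th: int) -> Fraction:
    """False non-match rate: an authorized user's rating misses the threshold."""
    return miss_probability(p_b, th)


def fmr(p_n: Pdf, th: int) -> Fraction:
    """False match rate: an unauthorized user's rating reaches the threshold."""
    return 1 - miss_probability(p_n, th)


def system_rates(fnmr_v, fmr_v, fta):
    """Turn comparison rates into system rates by folding in the threshold-
    independent failure-to-acquire rate FTA (relation taken from ISO/IEC
    19795-1, my addition). With FTA = 0 it collapses to FRR = FNMR and
    FAR = FMR, exactly the condition named in Remark 2 above."""
    return fta + (1 - fta) * fnmr_v, (1 - fta) * fmr_v


def error_curves(genuine, impostor, fta=0) -> List[Tuple[int, Fraction, Fraction]]:
    """(th, FAR(th), FRR(th)) for every threshold 0..K+1: the FAR/FRR curve pair."""
    p_b, p_n = histogram(genuine), histogram(impostor)
    rows = []
    for th in range(K + 2):
        frr, far = system_rates(fnmr(p_b, th), fmr(p_n, th), fta)
        rows.append((th, far, frr))
    return rows


def equal_error_rate(curves):
    """Threshold where FAR and FRR are closest, and the EER as their mean there."""
    th, far, frr = min(curves, key=lambda row: abs(row[1] - row[2]))
    return th, (far + frr) / 2


def det_points(curves):
    """DET plot data: FRR against FAR, the threshold parameter eliminated."""
    return [(far, frr) for _, far, frr in curves]


def roc_points(curves):
    """ROC in the complementary convention of Remark 1: 1 - FRR against FAR."""
    return [(far, 1 - frr) for _, far, frr in curves]


if __name__ == "__main__":
    curves = error_curves(GENUINE_SCORES, IMPOSTOR_SCORES)
    for th, far, frr in curves:
        print(f"th={th:2d}  FAR={float(far):.2f}  FRR={float(frr):.2f}")
    th, eer = equal_error_rate(curves)
    print(f"EER ~ {float(eer):.3f} at threshold {th}")
```

Rescaling the threshold axis (the "favorite trick" above) changes the printed table but not the DET/ROC point set, which is the reason the text prefers the ROC for comparing systems.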
How does a transition from verification to identification affect the FAR?
In a verification, a biometric feature is compared with only one reference, whereas in an identification it is compared with N (N>1) different references. This transition to an identification results in a higher FAR, which in an ideal case is as follows:
If in an application the correct assignment of ID data is essential (e.g., for bank transactions), other methods have to be used, as explained under Determination of FIR.
How does a transition from verification to identification affect the FRR?
During identification the recognition biometric features are compared to all references. Obviously, in contrast to a verification, more than one similarity value (score) is generated. This complicates the decision whether a biometric characteristic is to be accepted or not. In particular, there are multiple ways to decide if, e.g., several scores exceed a threshold. As a result, each decision procedure needs its own definition of a false rejection. Two examples are given:
One must differentiate between applications that allow access to personal data after a successful identification (e.g., access to a personal bank account), and applications that grant general access not dependent on one's identity (e.g., entrance to a room without a record of an identified person's presence). In the first case an assignment of a biometric characteristic to a false identity may happen. This is called a false identification, characterized by the False Identification Rate FIR. Furthermore, it is conceivable that more than one reference template will generate a score above the threshold. This case is treated in Determination of FIR, showing that different decision strategies may yield different results. In the second case, with an increasing number of different references, the false rejection rate FRR decreases! How can that be? Very simply: the probability increases that a justified user is "identified" not only by his or her own personal features but also by those of others, which normally would be considered a false acceptance. The user, however, does not notice the system's mistake. Mathematically, under ideal conditions this appears as:
How is the False Identification Rate (FIR) calculated?
During an identification, the recognition biometric features are compared to many references, and possibly the similarity value will exceed the threshold for more than one reference. This is non-critical if access is merely being granted, but it can be very problematic if the correct assignment of personal data to the biometric characteristic is required (example: access to a bank account via ATM).
The probability of identifying further (by definition false) candidates (independent of the correct reference) can be calculated from the FAR, since these candidates would represent false acceptances in the case of verification. Its value is given by:
whereby FAR1 is the False Acceptance Rate for a system with one reference and N represents the number of references. The approximation (right side) applies in the case that the resulting value lies considerably
The False Identification Rate can only be calculated after selecting one of the candidates. One standard rule, often found in practical applications, is that the candidate with the highest similarity value is chosen (presuming there is only one). Unfortunately, the FIR is then only ascertainable when the probability density functions are available for false acceptance as well as false rejection. Easier to calculate is the rule that multiple candidates are completely rejected, which raises the FRR and lowers the FAR. The following definitions apply here:
When are FAR and FRR values statistically significant? |
A value is considered statistically significant when it is likely to fall within a given error interval and the probability of falling outside this interval by chance is low. Statistical significance depends on the number of trials (the sample size). Because biometric values are difficult to model, statistical significance is hard to estimate. As a rule of thumb ("Doddington's rule"), one must run enough tests for at least 30 erroneous cases to occur [Porter 1977]. Example: an FAR of 10^-6 can be considered reliable when 30 errors occur in 30 million trials. One error in a million trials also gives an FAR of 10^-6, but is statistically far less significant. One can see that biometric tests become very expensive when the required performance is very high. The situation would be easier if further information could be used in addition to the yes/no (accept/reject) decisions, for example how close each decision was to the acceptance threshold. |
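The following is an added example, not code from the FAQ, to make the rule of 30 concrete: it computes the trials needed for a target error rate and a Wilson score interval for a measured rate, so the two runs from the text (1 error in 10^6 trials versus 30 errors in 3·10^7) can be compared. It assumes independent Bernoulli trials, which is optimistic for biometric data (the FAQ itself notes the dependence on individual users), so the intervals are a lower bound on the real uncertainty.

```python
"""Doddington's rule of 30 and a confidence interval for a measured FAR/FRR.

Added example. Assumes independent trials with a fixed error probability;
real biometric trials are user-dependent, so treat the intervals as
optimistic.
"""
import math


def trials_for_rule_of_30(target_rate: float, min_errors: int = 30) -> int:
    """Smallest number of trials at which `min_errors` errors are expected
    for an error rate of `target_rate` (Doddington's rule of 30)."""
    if not 0.0 < target_rate <= 1.0:
        raise ValueError("target_rate must be in (0, 1]")
    # round() removes floating-point noise (e.g. 30/1e-6) before the ceiling
    return math.ceil(round(min_errors / target_rate, 6))


def wilson_interval(errors: int, trials: int, z: float = 1.96):
    """Wilson score interval (default 95 %) for an error rate observed as
    `errors` in `trials`. Preferred over the plain normal approximation
    because it stays sensible for rates such as 1e-6."""
    if trials <= 0 or not 0 <= errors <= trials:
        raise ValueError("need 0 <= errors <= trials, trials > 0")
    p = errors / trials
    z2 = z * z
    denom = 1.0 + z2 / trials
    centre = (p + z2 / (2.0 * trials)) / denom
    half = z * math.sqrt(p * (1.0 - p) / trials + z2 / (4.0 * trials * trials)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def relative_halfwidth(errors: int, trials: int, z: float = 1.96) -> float:
    """Half the interval width divided by the point estimate: roughly the
    relative precision of the measured rate. Needs at least one error;
    with zero errors the rate is only bounded from above."""
    if errors == 0:
        raise ValueError("no errors observed: rate is only bounded from above")
    lo, hi = wilson_interval(errors, trials, z)
    return (hi - lo) / (2.0 * (errors / trials))


def compare_runs(runs):
    """For a list of (errors, trials) pairs return rows with the point
    estimate, the interval and the relative precision."""
    rows = []
    for errors, trials in runs:
        lo, hi = wilson_interval(errors, trials)
        rows.append({
            "errors": errors, "trials": trials, "rate": errors / trials,
            "low": lo, "high": hi, "rel_halfwidth": relative_halfwidth(errors, trials),
        })
    return rows


if __name__ == "__main__":
    print("trials needed for FAR 1e-6 under the rule of 30:",
          trials_for_rule_of_30(1e-6))
    # The two runs discussed in the text: same FAR estimate, very
    # different significance.
    for row in compare_runs([(1, 1_000_000), (30, 30_000_000)]):
        print(f"{row['errors']:3d} errors in {row['trials']:9d} trials: "
              f"FAR={row['rate']:.1e}  95% interval [{row['low']:.2e}, {row['high']:.2e}]"
              f"  relative half-width {row['rel_halfwidth']:.2f}")
```

With one error in a million trials the 95 % interval spans more than an order of magnitude; with 30 errors in 30 million it is within roughly ±35 % of the estimate, which is the precision the rule of 30 is aiming at.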
What is essential when comparing the ROC performance of biometric systems? |
The accuracy of a verification system is determined by exactly three statistical quantities: FAR, FER, and FRR. Since these three quantities influence each other when parameters (e.g., quality acceptance thresholds for enrolment and authentication) are changed, comparing one quantity between two systems only makes sense when the other two quantities are equal. For example, if the FARs of different systems are compared, then the corresponding FRRs must be equal, and the FERs must be equal too. In a ROC diagram this condition is easily fulfilled for all FRRs for which the curve has been measured, provided the FERs of all curves are constant and identical. However, this is often violated because the FERs are actually different!
A solution to this problem comes from the procedure used, e.g., in the Fingerprint Verification Competition FVC2002, where different fingerprint recognition algorithms were tested. The idea is to treat a failure-to-enrol case as a virtual "FTE user" with the following properties:
Similarly, we get for the border values:
A ROC diagram using GFAR and GFRR will be called Generalized ROC (GROC) diagram for consistency. |
What does separability of a biometric system mean? |
The Receiver Operating Characteristic (ROC) offers an objective comparison of different biometric systems in the form of a graph. More practical would be a single measured value that forms a kind of average over all system settings. Only a global description of the system would then be possible, and one must keep in mind that a system can be better overall despite being worse locally, for example at a particular operating point.
Separability is intuitively the ability of a biometric system to differentiate authorized from unauthorized users on the basis of a biometric feature. The higher the separability, the fewer the errors in differentiating authorized and unauthorized users. Like the ROC itself, a separability measure must not depend on implementation-specific scales, and it should be easy to calculate. A well known measure of the (inverse) separability is the Equal Error Rate (EER). Unfortunately, the EER describes only a single point of the ROC. While its definition is simple, its calculation is not: the EER point does not exist as a measurement, it has to be derived by decision and approximation. An (inverse) separability measure that avoids the disadvantages of the EER is the area below the ROC graph. It can be calculated easily by summing over all ROC values. The only difficulty is that the ROC values are not equidistant. Therefore, every y value (FRR) must be weighted by the distance between its corresponding x value (FAR) and the next one. This distance is, for every ROC point, just the difference (that is, the gradient) between two consecutive values of the FAR graph, and is therefore given by the probability distribution of unauthorized users. (For continuous functions, where the sum is replaced by an integral, this is a consequence of the substitution rule for integrals!) The ROC area, here called ROCA, is (K+1 is the number of similarity ratings considered, with pN the probability distribution function of unauthorized users):
Both EER and ROCA can take values between 0 and 1. Ideal separability of a biometric system, and therefore of the distributions pB and pN, obviously results in EER and ROCA values of 0. But what value belongs to ideal non-separability? Intuitively, ideal non-separability can only mean that both distributions pB and pN are exactly the same. But in that case:
Reasonable values for EER and ROCA lie between the extremes: 0 for perfect separability and ½ for perfect non-separability. What do values between ½ and 1 mean then? This range is left for cases in which the distributions pB and pN trade roles and change places in the diagram. For separability this range has practically no meaning in biometrics. |
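The following is an added example, not code from the FAQ, that computes FAR(t), FRR(t), the interpolated EER, the ROC area and the FAR at a chosen FRR operating point from two constructed score histograms pB (authorized users) and pN (unauthorized users) over K+1 similarity scores. It weights each FRR value by pN(t), the step in FAR between consecutive thresholds, as the text describes; the trapezoid average of FRR(t) and FRR(t+1) is my choice so that identical distributions give exactly ½, and swapping the two distributions gives 1 minus the original area, as in the discussion of values between ½ and 1.

```python
"""ROC, EER and ROC area (ROCA) from discrete score distributions.

Added example; not code from the original FAQ. P_B (genuine users) and
P_N (unauthorized users) are constructed histograms over K+1 similarity
scores 0..K. A comparison is accepted when its score >= threshold t.
"""
from typing import List, Sequence, Tuple

# Constructed sample distributions (K+1 = 11 score bins), each summing to 1.
P_N = [0.30, 0.25, 0.18, 0.12, 0.08, 0.04, 0.02, 0.01, 0.00, 0.00, 0.00]
P_B = [0.00, 0.00, 0.00, 0.01, 0.02, 0.04, 0.08, 0.15, 0.25, 0.25, 0.20]


def far_frr_curves(p_b: Sequence[float], p_n: Sequence[float]) -> Tuple[List[float], List[float]]:
    """FAR(t) and FRR(t) for thresholds t = 0 .. K+1.

    FAR(t) = sum of pN over scores >= t (impostors that pass),
    FRR(t) = sum of pB over scores <  t (genuine users that fail).
    Raising t lowers FAR and raises FRR; both belong to the same t.
    """
    if len(p_b) != len(p_n):
        raise ValueError("both distributions need the same K+1 score bins")
    for dist in (p_b, p_n):
        if min(dist) < 0 or abs(sum(dist) - 1.0) > 1e-9:
            raise ValueError("distributions must be non-negative and sum to 1")
    k1 = len(p_n)
    far = [sum(p_n[t:]) for t in range(k1 + 1)]   # far[K+1] == 0
    frr = [sum(p_b[:t]) for t in range(k1 + 1)]   # frr[0] == 0
    return far, frr


def roca(p_b: Sequence[float], p_n: Sequence[float]) -> float:
    """Area under the ROC: each FRR weighted by pN(t), the FAR step between
    thresholds t and t+1. Trapezoid averaging makes pB == pN give exactly 1/2."""
    far, frr = far_frr_curves(p_b, p_n)
    return sum(p_n[t] * (frr[t] + frr[t + 1]) / 2.0 for t in range(len(p_n)))


def eer(p_b: Sequence[float], p_n: Sequence[float]) -> float:
    """Equal error rate, linearly interpolated between the two thresholds
    where FRR overtakes FAR (the EER is rarely a measured point)."""
    far, frr = far_frr_curves(p_b, p_n)
    for t in range(len(far)):
        if frr[t] >= far[t]:
            if t == 0:
                return far[0]
            d0, d1 = frr[t - 1] - far[t - 1], frr[t] - far[t]   # d0 < 0 <= d1
            frac = -d0 / (d1 - d0)
            return far[t - 1] + frac * (far[t] - far[t - 1])
    return far[-1]


def far_at_frr(p_b: Sequence[float], p_n: Sequence[float], frr_target: float) -> float:
    """FAR at a given FRR operating point, interpolated along the measured
    ROC. Comparing systems this way is safer than comparing EERs."""
    far, frr = far_frr_curves(p_b, p_n)
    for t in range(len(far) - 1):
        if frr[t] <= frr_target <= frr[t + 1] and frr[t + 1] > frr[t]:
            frac = (frr_target - frr[t]) / (frr[t + 1] - frr[t])
            return far[t] + frac * (far[t + 1] - far[t])
    return far[-1]


if __name__ == "__main__":
    far, frr = far_frr_curves(P_B, P_N)
    for t, (a, r) in enumerate(zip(far, frr)):
        print(f"t={t:2d}  FAR={a:.3f}  FRR={r:.3f}")
    print(f"EER  = {eer(P_B, P_N):.4f}")
    print(f"ROCA = {roca(P_B, P_N):.5f}")
    print(f"FAR at FRR=10% = {far_at_frr(P_B, P_N, 0.10):.4f}")
    print(f"ROCA, identical distributions = {roca(P_N, P_N):.3f}")
    print(f"ROCA, roles swapped           = {roca(P_N, P_B):.5f}")
```

For the constructed histograms the EER is 0.05 while the ROCA is about 0.0087, illustrating that the two measures answer different questions: the EER reports one threshold, the ROCA integrates over all of them.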
What does one need to be aware of regarding the FAR/FRR? |
The measurement of biometric features, as well as the features themselves, are subject to statistical fluctuations. Therefore, every biometric recognition system has a built-in acceptance threshold; raising it decreases the FAR and increases the FRR. It should be clear that quoted FAR and FRR values must belong to the same threshold value. Stating only the FAR or only the FRR is thus misleading.
Additionally, the Failure-to-Enrol Rate (FER) must be considered when comparing the FAR/FRR values of different systems. The enrolment procedure can be parametrized so that only the best-quality biometric features are accepted for biometric templates while lower-quality samples are dropped, which raises the FER. Normally, the higher the FER forced by the biometric system, the better the FAR and FRR values, and vice versa! In biometrics FAR/FRR cannot be derived theoretically; they must be determined statistically in costly tests. Determining statistical significance is equally difficult. There were no standardized techniques, so results could vary with test conditions and sample size; clarity was only provided by disclosure of the test conditions. |
Is a biometric system's performance dependent upon the user? |
Generally, yes. This applies to the false acceptance rate (FAR) as well as the false rejection rate (FRR). We experience this in everyday life: some faces are easy to recognize and remember, others are difficult. Therefore the statistical means of FAR and FRR, the typical indicators, are not very helpful for individual users. This dependence on the individual user is also the reason why the statistical properties of FAR and FRR measurements are so difficult to quantify. |
Is Failure to Enrol a typical problem for biometric systems? |
Every biometric characteristic can fail occasionally or permanently. Temporary failures can be caused, for example, by worn or sticky fingertips in fingerprint recognition, by medication (atropine) in iris recognition, by hoarseness in voice recognition, or by a broken arm affecting one's signature. Well known permanent failures are, for example, cataract, which makes retina recognition impossible, or rare skin diseases that permanently destroy a fingerprint. Therefore, every biometric system needs a fall-back process. A fall-back is also needed when a key is lost or a PIN is forgotten, so user failure affects not only biometric systems but all authentication systems. In fact one can argue that here, too, biometric systems are preferable to conventional methods. |
How are the FAR and FRR minimized in a biometric system? |
The false acceptance rate (FAR) can be adjusted in the recognition algorithm via the acceptance threshold: the higher the acceptance threshold, the lower the FAR. Raising the acceptance threshold, however, also raises the FRR. Therefore, the goal must be as small an FAR as possible for any given FRR, and vice versa. Certain factors primarily influence the FAR, while others mainly affect the FRR. For a fixed FRR, the FAR depends on the following factors:
|
Is the Equal Error Rate a robust measure for system performance? |
No. Via the threshold parameter, most practical biometric systems are not adjusted to FAR = FRR, which defines the EER, but to FAR << FRR. Since the ROCs of different systems may behave completely differently, two systems with the same EER may differ by orders of magnitude at other ROC points. To avoid such large errors, only the FAR/FRR pairs at the operating point should be considered, e.g., by comparing the FARs at a common FRR. Considering the EER is only reasonable in the rare cases where the system actually uses the EER as its operating point. |
What does security mean for an authentication system? |
Often "security" is said when the ability to prevent false authentication is meant. False authentication could happen through:
The security realm also includes protecting biometric and other personal data against misuse. |
What is compromisation of a biometric characteristic? |
In this case, compromisation is the exposure of one or more biometric characteristics of a person allowing use for forgery purposes. |
Is the compromisation of biometric characteristics a problem? |
Biometric characteristics should be as unique and permanent as possible. It is argued that a compromised biometric characteristic could be misused and then, like a password, rendered unusable, except that a password can always be exchanged whereas a biometric characteristic cannot. The actual danger depends upon the application and the associated precautions.
Yes, if the compromise, in a statistical sense, is able to cause a mean total damage larger than the anticipated mean total benefit of a specific biometric application. Generally this is to be expected when the measures against compromise are in no reasonable proportion to the possible amount of damage. This especially affects biometric systems that treat the biometric characteristic solely as a secret, although it is easy to compromise and a fake copy can be assembled from it in a simple way.
Yes, if properties of the affected person can be extracted from the biometric characteristic that could prove unfavorable for him or her. Example: genetic disease information from DNA.
No, if the biometric system is able to "doubtlessly" distinguish the original biometric characteristic from a fake copy assembled from the compromised data. In biometric systems this is achievable to a certain degree by a multitude of organizational and technical measures, and it strongly depends on the selected biometric characteristic. Sometimes it is said to be important that the original image (e.g., the ridge pattern of a finger) cannot be reconstructed from the characteristic's data record. But this does not help much, because any reconstruction of a person's biometric characteristic that produces the same data record as the original is sufficient for misuse [Bromba 2003]. |
What can be done against compromisation of one's biometric characteristics? |
Provide your biometric characteristics only to trustworthy applications of trustworthy system operators. The operator must commit not to pass the biometric data to third parties and to store them with sufficient protection, at best encrypted.
Favor biometric applications that can only use your biometric data if you present a chip card under your control. (On this chip card the biometric references may be stored, or a secret personal key that allows temporary decryption of your biometric data, which the biometric system stores in encrypted form.) Do not publish your biometric characteristics if they are inherently difficult to compromise and could therefore be regarded as secrets by a certain biometric application. Examples are fingerprint, iris, or vein patterns. This is critical especially where a forger is able to assign the biometric data to a specific person. |
What must be observed with respect to security when dealing with "Template on Card"? |
We consider the following possibilities for storing biometric references on a chip card:
The chip card is a pure memory card, and storage is unencrypted.
The chip card is a pure memory card, and storage is encrypted.
The chip card is a processor card (smart card) with cryptographic functions.
|
Is biometrics a privacy-enhancing or a privacy-threatening technology? |
Recent concerns about the possible uses and misuses of biometrics have led to a discussion of whether biometrics is privacy-enhancing or privacy-threatening. A central question, according to Woodward (1999), is whether a user has full control over his data, knowing when, where, and why submitted biometric data are used. Unintended reuse is possible in non-biometric systems too, but the fear is greater because of the highly personal nature of biometric data, as opposed to a simple ID number. Some biometric data, such as DNA, reveal medical information that could be passed along to commercial systems, insurance companies, or the government.
Privacy concerns with biometrics, as summarized by Wirtz (2000), are:
|
Is biometrics more "secure" than passwords? |
This question poses at least two problems: biometrics is not equal to biometrics (according to the definition of biometrics, even passwords may be considered a limiting case of biometrics), and the term "secure" is in common use but not exactly defined. However, we can try to collect pros and cons in order to find at least an intuitive answer that indicates possible differences between different biometric characteristics.
It is a matter of fact that the security of password-protected assets depends in particular on the user. If the user has to memorize too many passwords, he will reuse the same passwords for as many applications as possible. If this is not possible, he will construct very simple passwords. If this also fails (e.g., because the construction rules are too complex), the next fall-back is to write the password down on paper, which turns "secret knowledge" into "personal possession". Of course, not every user reacts this way; personal motivation plays an important role: is he aware of the potential loss caused by careless handling of the password? This is easy if the user is the owner. But often someone else's property (e.g., the employer's) has to be guarded, whose value one can hardly estimate. If motivation is missing, any password tends to be felt as a nuisance. In this case, which seems to be the normal case, biometrics is assumed to have considerable advantages. Conversely, passwords offer unbeatable theoretical protection: an eight-character password in which every character may be any symbol of an 8-bit alphabet offers 256^8 = 2^64, about 1.8·10^19, possible combinations! This is a real challenge for any biometric feature. The requirements are obvious: such a password is maximally difficult to learn, it must not be written down, it must not be passed to anyone, its input must take place in absolute secrecy, it must not be extorted, and the technical implementation must be perfect. This leads to the practical aspects: the implementation must be protected against replay attacks, fake input devices (e.g., false ATMs), wiretapping, etc. Biometric features have to cope with such problems as well. However, it can be assumed that hijacking biometric features is not easier than sniffing a password, provided the implementation effort is comparable! Conclusion: surely there are cases where passwords offer more security than biometric features.
However, these cases are not common! |
Author: In 1968, Manfred U. A. Bromba began training as an electronics technician at Nixdorf Computer AG. He then studied electrical engineering and physics at Paderborn University. After obtaining a "Dr. rer. nat." degree, he spent another two years researching digital signal processing. In 1983 he moved to the semiconductor division of Siemens AG, where he was responsible for a series of multimedia innovations:
In 1997, Bromba took over the biometrics activities of the Siemens division "Private Networks". In 1999 the world's first prototypes of a cell phone with fingerprint authentication and of an ID card with complete sensing and processing on the card were finished and shown at the CeBIT fair. Manfred Bromba is the author of numerous publications and inventions. As a member of TeleTrusT e.V., CAST Forum, and the biometrics working group NI-AHGB/NI-37 of DIN e.V., he actively participated in the promotion and standardization of biometric systems. |