Automated identification of persons based on personal characteristics
1.1 The principle
The need to identify persons correctly and irrevocably has existed for a very long time. The authorisation to enter a building, to open a cupboard, to cross a border, to get money from a bank etc. is always connected to the identity of a person. It is therefore necessary to prove this identity in one way or the other. We call this procedure Verification. A person claims to be authorised or to have a certain identity, and this must then be verified.
The problem is known to the police, e.g. when persons present a doubtful ID card. However, the police are frequently confronted with another problem: who is the person who has left a certain trace, e.g. a fingerprint, or whose dead body is this? In this case we ask for the identity of an unknown person; we do an Identification.
Biometrics specialists use the expression one-to-one in the case of a verification, and one-to-many in the case of an identification. The following text deals mostly with verification, which is the more important case in non-law enforcement environments.
Probably the oldest proof of identity and authorisation based on technical means, and not on personal recognition, is the mechanical key. Here the proof of identity is based on possession. All readable plastic cards (with magnetic, electrical or optical storage systems) are examples of the same category. These methods of proof of authorisation have reached a high technical level and some of them are very difficult to copy or falsify. However there is an inherent disadvantage: The technical system is able to verify the identity and hence the authorisation of the card or key, but not the identity of the bearer. In other words: Possession may be stolen, lost or given to unauthorised persons.
Systems based on knowledge instead of possession try to avoid this problem. Passwords are the oldest form of this type of identification. Recently these methods have been automated in the form of access passwords for computers or ID codes. Misuse through theft is impossible, but abuse by non-authorised persons who somehow acquire this information is not. Despite all the warnings, quite a number of users write down their ID code on e.g. credit cards, and this reduces the security value of this code to zero.
Combinations of possession and knowledge systems reduce the probability of misuse further, but do not eliminate the principal problem that the bearer is not irrevocably identified.
The sole means of identifying a person irrevocably is to automatically recognise their personal characteristics. These are called biometric characteristics and the technology of this identification is called Biometrics.
There are many biometric characteristics that may be captured. Some of these you can find in written form in any passport. However automated capturing and automated comparison with previously stored data requires the following properties of biometric characteristics:
Given these properties, the number of usable biometric characteristics is reduced to a few, which have been tested in the past. The following table gives an overview.
For a detailed discussion of the pros and cons of these technologies and the state of the art see the following chapter. Other characteristics, as for example weight, size, colour of eyes and of hair and special properties, which you may find in passports, cannot be used since they do not fulfil criteria like singularity, measurability or invariance.
2.1 Enrolment and verification
Assumptions to verify a person are:
The person must be enrolled into the system as XY, and a file has to be stored which includes the biometric characteristics.
Each verification starts with an enrolment, for example in fingerprint verifications:
Now the comparison can take place, which shows if the person claiming to be XY has the same biometric characteristics. This requires:
Important factors are:
Modern electronics cope easily with these requirements. The design of these units is based on microprocessor technology, miniaturised cameras, up-to-date light technology and more. The continuous price reduction of electronic components has enabled miniaturisation and has made the units cheaper and more efficient. Some units on the market are the result of more than 15 years of development.
We can definitely say that Biometric technology today is mature.
2.2 Evaluation of biometrics systems
Four values are important in the evaluation of biometrics systems:
Although these values have been improved considerably during the development of all known systems, there are still significant differences from system to system, part of which is based upon the chosen identification method. So far no test standards exist. There are various efforts to standardise but these meet many difficulties because of the difference in nature of the systems.
The most difficult value to judge is false rejection. False rejects are to a high degree dependent upon user behaviour; therefore a standardisation would be particularly helpful.
2.3 Capturing of biometrics characteristics (Sensors)
The most common capturing process in biometrics today is optical. In most cases miniaturised CCD cameras are used, which capture either visible or infrared light. The optical set-up is dependent on the biometric property captured.
More recent methods, particularly in fingerprint capturing, try to get away from the optical capture which requires an optical path and therefore restricts miniaturisation. These methods use temperature, pressure and/or capacitance. Capacitance particularly seems to be promising since it can be measured with a miniaturised silicon chip. As soon as these methods attain precision, stability, and low pricing, they will probably complement, if not replace, the existing optical methods.
Signature capture uses either a pressure sensitive tablet, or captures the position of the pencil with ultrasonic or electrical methods.
Voice recognition requires simply a microphone of sufficient quality.
2.4 Calculation of templates
An important step in the enrolment process is the calculation of the template. The template is used subsequently in the comparison process during verification, it is a data reduction of the original biometric characteristics, and should:
The better the algorithm fulfils these partly contradictory requirements, the higher the quality of the selected procedure. Enrolment and verification algorithms are therefore the most important elements in biometrics.
The microprocessors available 15 years ago, at the beginning of biometrics, made it relatively difficult to find algorithms which were sufficiently rapid and precise. Even today, many units are connected to a high-speed PC running the actual comparison operation. Stand-alone units, i.e. units independent from a PC as required in physical access control, were in the past equipped with ASICs (application specific integrated circuits) in which the algorithm was implemented.
Recent microprocessors however, small with low power consumption, are powerful enough to run these algorithms. Therefore it is now possible to design stand-alone units without the expense of integration into an ASIC.
2.5 Verification security
Some applications are not very critical with respect to verification security (false acceptance), either because they combine several verification processes, or because by their nature they do not have a high security requirement.
Other applications, particularly in Government use, require very high security.
Testing the security of an algorithm is a difficult task. Usually a single user is unable to test the value of False Acceptance of a certain unit, since he is not in the possession of thousands of samples (persons) to obtain results of any statistical value.
Renowned biometric suppliers use huge databases of templates and sometimes publish their results. Unfortunately not many independent institutes exist which are able to perform valid security tests.
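The sample-size problem described in this section can be made concrete. The following is an added example, not part of the original text: it computes FAR and FRR from constructed comparison scores at several thresholds, then the exact one-sided 95% upper bound on the true FAR that a test of that size can support. The scores, the "accept if score >= threshold" convention and all function names are assumptions for illustration.

```python
import math

# Constructed comparison scores (0..1, higher = more similar); not from any real device.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.60, 0.93, 0.82, 0.90, 0.87]
IMPOSTOR = [0.12, 0.30, 0.25, 0.41, 0.08, 0.65, 0.33, 0.19, 0.52, 0.27]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a comparison is accepted if score >= threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p); intended for small k."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def far_upper_bound(false_accepts, trials, confidence=0.95):
    """One-sided exact (Clopper-Pearson) upper bound on the true FAR."""
    if false_accepts >= trials:
        return 1.0
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(100):  # bisection: the CDF falls as p rises
        mid = (lo + hi) / 2
        if binomial_cdf(false_accepts, trials, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def trials_for_target(target_far, confidence=0.95):
    """Impostor attempts needed, with zero false accepts, to claim FAR <= target."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - target_far))


if __name__ == "__main__":
    for t in (0.55, 0.70, 0.80):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        fa = round(far * len(IMPOSTOR))
        print(f"threshold {t:.2f}: FAR={far:.0%} FRR={frr:.0%} "
              f"true FAR <= {far_upper_bound(fa, len(IMPOSTOR)):.1%} (95%)")
    print("attempts needed to show FAR <= 0.01%:", trials_for_target(1e-4))
```

A measured FAR of 0% over ten impostor attempts only shows that the true FAR is below roughly 26%, which is why a claim such as 0.01% needs tens of thousands of independent impostor comparisons.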
3.1 Hand and finger geometry
Hand geometry was one of the first methods that came to market. The unit called ID3D from Recognition Systems in the USA requires the presentation of the right hand, and the fingers are positioned by guides. The dimension of the hand is registered with camera and mirrors, and a template of 9 bytes is calculated. This template is stored together with a PIN code or name of the person.
The unit can be run in stand-alone mode and stores up to 20,000 templates. Verification consists of announcing the identity of the person (e.g. entry of a PIN) and presentation of the hand, whereby the dimensions are compared to the stored template.
The main advantages of this unit are speed of operation, a short template, good acceptance by the users and not affecting privacy in the slightest. However some hygienic concerns have been raised (positioning of the full hand on a plate).
These are the characteristics of the unit:
Being the first with a very short verification time, the unit has been sold into many applications. However the high False Acceptance Rate (although refuted by the manufacturer) makes the unit unsuitable for certain applications. The unit accepts only the right hand.
Engineers participating in the development of the hand geometry unit have developed a unit comparing the geometry of two fingers. Its name is Digi-2, and it is manufactured in Switzerland. Of course this unit is not checking the fingerprint, but the dimensions of the fingers. The use of this unit is not yet widespread, and characteristics beyond those given by the manufacturer are yet unknown.
3.2 Vein checking
It is known that a group is working on checking the vein pattern of the back of the hand. Veins are recognised with an infrared camera and a template is calculated. No further characteristics are known.
3.3 Retina checking
A unit called Eyedentify has been around for more than 10 years. It scans the retina of the user by means of a light beam, and calculates a template of 256 bytes, which is used for verification. The unit has the following characteristics:
Verification requires a distance between unit and eye of approx. 10 cm; therefore positioning of the eye plays an important role. Glasses and contact lenses are said not to influence the function of the unit. Security against fakes is very high.
Nevertheless the unit is not very popular, since the process is not very acceptable to users.
3.4 Iris checking
The Iris of the human eye is captured with a camera. The iris includes about 6 times the amount of differentiating properties compared to the retina or the fingerprint. The procedure therefore can be made highly secure. The positioning of the eye is mostly achieved by a mirror, i.e. the user has to position the eye in a correct way. The use of this technology so far has been limited, as it is comparatively expensive to secure a door with such a unit. The technology has the advantage of working without physical contact between the user and the unit.
3.5 Face recognition
Two possibilities are known:
Today some applications are available on the marketplace. Since their FAR is rather high, they are less suitable for access control purposes. The most frequent use is the search for unwanted persons (blacklist comparison).
Various universities are working to improve this process.
3.6 Fingerprint recognition
In most cases up to today capturing fingerprints was achieved by optical scanning. The finger is positioned on a prism (platen). Where the skin touches the glass, light is diffused instead of reflected (frustrated reflection) and the resulting picture is captured by a CCD camera.
Other capturing devices have been developed, like thermal/pressure or capacitance capturing using semiconductor sensors, or ultra sound. Ultra sound has not been used up to now because of its high price. The semiconductor sensors are interesting because of the possibility of integration, but are often rejected because of their sensitivity towards static electricity.
Image processing and verification after the capture may be done in two ways:
Both methods result in similar security values; the first method, however, may take somewhat longer at verification.
Several units of this type are known. The earliest unit of this kind is probably the equipment of Identix Inc., California, which is to date presenting the fifth generation of their units. The algorithm of these units is running in a microprocessor which makes them independent from connected PCs. Other systems are Sagem (France), Startek (Taiwan), Dermoprint (Hungary), Dermalog (Germany), etc. Most of these systems have their algorithm implemented on a PC.
Not many manufacturers offer a so-called live finger detection. The purpose of this is to inhibit the verification of a finger copy (e.g. a silicone fake) or in an extreme case a cut off finger from an enrolled person. Various properties may differentiate a live from a dead or fake finger, but not all are practical because
Known effects so far are the colour of the human skin, its electrical properties and its optical reflection properties. Because the FRR increases when higher security is introduced through live finger detection, the use of this property in practice is very limited.
3.7 Other physiological properties
Many efforts have been undertaken with sometimes very exotic properties. The following have been made known:
4. Equipment to use behavioural properties
The main problem in capturing and using behavioural properties is the distinction between variable and invariant characteristics. Therefore these properties are less exact than physiological properties and are useful only in very particular applications.
The attraction of this method lies in the fact that the financial world uses the signature as its preferred method of identification. Biometric signature verifiers however not only check the image of a finished signature, but in addition the dynamics of the movements during signing.
There are several such units known. False acceptance is rather high (up to 10%), which is acceptable for applications e.g. in the banking sectors, where in parallel other means of identification are used. Many applications are unsuitable, since the process takes time and space and is useless in the case of illiterate persons (developing countries).
4.2 Voice recognition
The main advantage of voice recognition systems lies in the fact that the sensor is very simple and ubiquitous: A telephone receiver is sufficient. False acceptance rate and false reject rate however are relatively high, which means the method is only useful if other means of verification are used simultaneously. The units analyse the energy flow and spectral development of speech, in most cases a particular word. The units have either a high tolerance (hence relatively low security) or high false reject rates.
4.3 Key stroke
Various attempts have been made to use key strokes on PC keyboards as a distinguishing property. Two problems make this approach difficult:
According to the information we have at this time, no marketable products with this approach exist.
Reviewing the market of the last 10 years, the following products have been most successful:
Hand geometry and fingerprint verification have been used most. It looks as if the use of the hand as a means of verification is accepted by a broader public.
Retina verification has only been used in very high security environments and therefore has not spread widely.
Serious attempts to test face and iris recognition have been made, but no bigger applications are known today.
All other methods, although interesting in particular cases, have not had significant market success.
Generally speaking there are a lot of possible applications for biometric systems. Their main advantage is manifest in all cases where the requirement is to undoubtedly check the identity of a person. Why has this kind of identification not yet made its market breakthrough? There are several possible reasons:
Nevertheless in the past years some major applications have been introduced. Here are a few examples:
5.1 Access control
The very first users of biometric systems as access control means to buildings and installations were various army organisations and customers with high security levels, like banks and nuclear power stations.
More and more people realise that biometrics has advantages not only for high security applications. Ease of use (‘the key is always with you’) makes these systems very attractive to other applications as well. We know of several industries and service organisations that have introduced biometrics to control access not only of their employees, but even of customers and visitors.
We expect the number of applications in this field to grow rapidly in the next few years. This will however never be a high volume market, since the number of units is usually limited to the number of entries.
5.2 Time & attendance
Specialists assume that fraud in time & attendance installations (‘buddy punching’) amounts to approximately a loss of 1 working hour per employee per week. Many managers won’t accept this high figure, but fraud is taking place nevertheless. Particularly exposed to this type of fraud are companies with frequently changing, temporary and seasonal employees.
Biometrics in time & attendance eliminates this type of fraud completely. We have calculated examples which show that time fraud elimination has resulted in paying off the whole biometric installation within 6 months. There are estimates in the USA that in the near future some 10% of all time & attendance systems will be equipped with biometrics.
5.3 Border control, identity cards and passports
These applications are difficult because of the enrolment of a huge number of persons. On the other hand the compatibility of systems on different state borders is difficult to achieve with the lack of standardisation in biometrics.
5.4 Payment of social benefits
The fraud rate in paying social benefits and state pensions is considerably high in a number of countries. Payments are made to dead persons and to non-authorised persons, and double payments are frequent. Thus the state is exposed to a high loss, which in certain cases has reached the size of the total money to pay out.
However we have to observe that verification systems of the above type (one-to-one) do not help to eliminate multiple enrolment of a single person. Therefore the verification method one-to-one should always be combined with a search (one-to-many) at enrolment to the system. Solutions have been developed recently that are much simpler and cheaper than the so-called AFIS (Automatic Fingerprint Identification Systems) which have been conceived for police work, but they are also less demanding since they do not have to deliver forensic quality comparisons.
The same problems have to be solved with identity cards and passports.
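The combination recommended above, one-to-one verification at payout plus a one-to-many search at enrolment, is sketched below as an added example that is not part of the original text. Templates are modelled as constructed four-value vectors compared by Euclidean distance; `BenefitRegistry`, `MATCH_THRESHOLD` and the claimant identifiers are hypothetical. The last function shows how the chance of a false match in the search grows with database size, assuming independent comparisons.

```python
import math

MATCH_THRESHOLD = 0.25  # assumed: largest distance still counted as "same person"

# Constructed templates; real templates are vendor-specific.
PERSON_A_FIRST = (0.42, 0.77, 0.13, 0.58)
PERSON_A_SECOND = (0.44, 0.75, 0.15, 0.57)  # same person, later capture
PERSON_B = (0.90, 0.20, 0.66, 0.31)


class BenefitRegistry:
    """Hypothetical enrolment database for a benefits scheme."""

    def __init__(self, threshold=MATCH_THRESHOLD, search_on_enrol=True):
        self.threshold = threshold
        self.search_on_enrol = search_on_enrol
        self.templates = {}  # identity -> stored template

    def _matches(self, a, b):
        return math.dist(a, b) <= self.threshold

    def verify(self, claimed_id, sample):
        """One-to-one: does the sample match the template of the claimed identity?"""
        stored = self.templates.get(claimed_id)
        return stored is not None and self._matches(stored, sample)

    def identify(self, sample):
        """One-to-many: every enrolled identity whose template matches the sample."""
        return sorted(i for i, t in self.templates.items() if self._matches(t, sample))

    def enrol(self, new_id, sample):
        """Store the template unless the search finds the person already enrolled.

        Returns the list of conflicting identities (empty means enrolled).
        """
        if new_id in self.templates:
            raise ValueError(f"identity {new_id!r} already exists")
        conflicts = self.identify(sample) if self.search_on_enrol else []
        if not conflicts:
            self.templates[new_id] = tuple(sample)
        return conflicts  # non-empty: refer the application for manual review


def search_false_match_probability(far, enrolled):
    """Chance that a one-to-many search over `enrolled` templates hits at least
    one wrong person, given a per-comparison FAR and independent comparisons."""
    return 1 - (1 - far) ** enrolled


if __name__ == "__main__":
    for search in (False, True):
        reg = BenefitRegistry(search_on_enrol=search)
        reg.enrol("claimant-001", PERSON_A_FIRST)
        reg.enrol("claimant-002", PERSON_B)
        conflicts = reg.enrol("claimant-003", PERSON_A_SECOND)
        print(f"search at enrolment={search}: conflicts={conflicts}, "
              f"second identity verifies={reg.verify('claimant-003', PERSON_A_SECOND)}")
    print(f"{search_false_match_probability(1e-4, 100_000):.4f}")
```

Without the search, the second identity verifies correctly at every payout, so one-to-one verification alone never reveals the double enrolment.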
5.5 Security of computers and data networks
Specialists know that securing data with passwords, which is the most frequently used method today, is problematic. If not prevented from doing so, most people would use trivial passwords like their own birthday, first name and so on. If the use of trivial combinations is excluded by software, and the system asks for password changes too frequently, people develop the tendency to write down their passwords, and they can frequently be found on the underside of the keyboard or in the first drawer of the desk. This reduces the security value of a password to near zero.
Be honest with yourself: Have you ever given your password over the phone to your colleague or secretary to enable them to look up something on your PC?
We know of examples in non-European countries where passwords in banking systems have given rise to massive fraud. This is potentially possible in the Western world as well.
Card based systems give a little more security, and have therefore been introduced in a number of cases, not least because of the low price of card readers. Security systems based on possession have, as has been explained before, inherent disadvantages.
Recently fingerprint systems have been made known in connection with data security in computers. This could open up a high volume market for biometric systems.
There are three main application fields:
5.6 Other verification applications
Many new applications have appeared during the last couple of years. Biometric systems are useful in every case where a reliable verification of a person should be achieved.
6. Economic considerations
Are biometric systems expensive?
The use of biometric properties in order to verify identities of persons will always be more expensive than purely reading badges with a magnetic stripe or other physical storage media. This can be derived from the complexity of this task. It is clear that cost comparisons can only be drawn with similar manufacturing volumes, and in this respect biometric units today have still a clear disadvantage.
Comparison of the unit costs of this technology however does not tell you the whole story. Other factors should be included in the calculation as well, such as:
Installation costs are generally neither higher nor lower than conventional systems.
Introduction costs are probably higher, because all users have to be enrolled first, and users are not familiar with this type of system. However, do not forget that e.g. with the introduction of magnetic stripe cards there was an introductory period as well, with a lot of false rejects, which nobody mentions today since the bigger part of the population is now used to these systems. We expect the same to happen with the wider spread of biometric systems.
Contrary to possession-based systems, the running costs of biometric systems are much smaller. There is no more replacement, new edition or administration of cards. Biometric properties are stored digitally and can easily be validated, devaluated or cancelled.
Biometric systems are cheaper compared to password systems since there is no password administration required.
Lifetime and reliability of these systems are similar to conventional systems. Both kinds are subject to wear and dirt, both use electronics with its limited, but long lifetime.
A difficult subject is the estimation of savings by elimination of fraud. With credit cards, the size of fraud is usually known to the banks (although rarely discussed in public). On the other hand fraud with time and attendance systems is difficult to estimate and usually not known exactly. It is possible to calculate elimination of theft with biometric access control. A large software house calculated theft of PCs from their offices and justified the introduction of a biometric access control system.
A calculation example:
Take the already discussed case of a supermarket chain with 7,500 employees, and assume that per employee and week one hour is registered in excess due to fraud. With mean costs of a working hour of US$ 80 the payback period of this installation should not exceed 6 months. This means the total investment including introduction costs should not exceed the amount of 15 M US$. Divided by the 500 supermarket sites this means a possible investment of US$ 30'000 per site, which is more than enough for a modern biometric system.
7.1 Market development
Without prophetic gifts it is possible to foresee a rapid increase of the biometric market. The availability of cheaper, smaller, easier to handle systems enables these technologies to not entirely replace, but certainly augment existing possession and knowledge based systems. In the same way the user has become familiar with passwords, magnetic stripe cards and smart cards, he will get used to biometric systems which still today have a touch of science fiction. Comfort and security of these systems will certainly convince sceptical people that this is a natural way to automatically verify the identity of a person.
Capturing biometric properties always presents some technological problems. This means a high investment in technology in order to work reliably. But this is not inhibiting widespread use, since the price decrease of electronics and miniaturisation will go on and thus continually create new application fields.
7.2 Standardisation of biometric systems
Standardisation is a difficult problem. First of all the important quality criteria (false acceptance, false reject, speed of enrolment and verification) should be standardised in a way to make the data of different manufacturers comparable. This seems to be easier than the standardisation of verification algorithms that is necessary to introduce such technology internationally (passport security, front access of ATMs). It is easy to understand that no manufacturer is willing to publish his verification algorithm, since this
We doubt that a standardisation of algorithms on a higher level would be possible given the differences between today’s systems. A solution could be that a manufacturer, chosen by a careful selection process, would licence the algorithm and thus make it accessible to other manufacturers. This issue presents some unsolved problems.
Storing of the biometric properties of a person may infringe human rights and has to be looked at in this respect. This is particularly true for fingerprint systems which raise this question due to their apparent similarity to police work. Systems not based on fingerprints are less suspicious, although the same questions can be asked.
This is what we have been made aware of:
According to Privacy commissions and specialists the storage of a biometric template does not raise concerns as long as it is done out of the free will of the person, and as long as the organisation doing this tells openly what happens to the provided information. Not all systems fulfil these requirements to the full extent. Particularly touchless systems (eye iris, face recognition) raise discussions, since they can work without the knowledge of the person verified.
With regards to fingerprint based methods, which are sometimes criticised, we can say that the stored fingerprint template should not allow reconstruction of the full fingerprint image. As soon as this is provided, the template can not be used for police work of any kind and the system therefore keeps privacy rules perfectly well, since it can only be used in co-operation with the person who is enrolled.
Particularly clean are systems where the biometric template is not held in a database, but on a badge which the user carries (e.g. a credit card).
For systems that are able to do a search (one-to-many) in a database the situation is different. Here we come to the limit of use of biometrics by private organisations. Those questions however depend on local laws; in this particular field the USA gives more freedom to private organisations than, for example, European countries.
8. Biometric Glossary
© René Brüderlin, 1999-2001