Biometrics - Brief Introduction

This article is going to cover the basics of biometrics and show you what it really is.

Traditional Authentication

Traditionally most people identify themselves by giving the system their username or user id.

Then the individual attempts to validate that they are indeed that person by supplying the system with a valid password. Supplying the username and password to a system is called authenticating.

This traditional method of authenticating with a password does not prove you are that person; all it proves is that you know the username and password. Knowing a username and password is known as "something you know". Strong authentication has become very popular, and it attempts to help prove you are who you claim to be.

A strong authentication system will require at least two of the factors below. This is commonly called multi-factor authentication (sometimes dual factor if it is just two of the below).

Something you know - passwords, PIN numbers

Something you have - smart card, ID badge

Something you are - physiological or behavioural characteristics of you, i.e. biometrics

The "something you are" factor is what this article is going to focus on.

Something You Are - Biometrics

For a system to authenticate you using biometrics, the system needs to decide whether it believes you really are the user. This decision-making is what makes biometric systems clever - they can never be 100% sure!

Biometric systems can be classified as either 'static' or 'dynamic'. A static biometric method uses a feature that is consistently present on the person. A fingerprint or an iris/retina pattern is a static biometric feature. Dynamic biometric methods require the individual to carry out an action to present their feature. A person's voice, or the way they write their signature, is an example of a dynamic biometric method.

Static v.s. Dynamic

Static methods require the individual to be present to present themselves to the system, but the individual doesn't need to be conscious, or even alive, to do so. Potentially someone can be authenticated against a system without knowing it if they are unconscious at the time. Although static methods have this potential weakness, a limitation of dynamic biometric methods is that the individual needs to present that data consistently, every time. A person who is unwell or intoxicated may struggle to present reliably and consistently, for example to write a signature steadily.

A biometric system compares the presented biometric data, known as the biometric sample, against its database of enrolled references already stored, commonly called reference templates.

Enrolling An Individual

Enrollment in a fingerprint recognition system would follow these steps:

An individual supplies their fingerprint to the system, normally by pressing against a reader. This reads the raw biometric data.

The system then extracts 'key' features from the raw data that was presented. What defines the 'key' features depends on the type of system being used. As only the 'key' features are needed, a smaller data set can be used, speeding up the process. If the raw data does not meet a minimum quality, the system will ask the user to present themselves again.

The system compares the data against the stored templates for that user and calculates a match score: this score is how closely it thinks the data and template match. Every time an individual presents the same data the value may change slightly; there are many factors affecting a match, after all.

The system now decides if the score is high enough for a match.
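The four steps above, worked through as an added example (not code from the original article): a toy fingerprint-style matcher in Python. The minutia representation, the quality cut-off, the position and angle tolerances and the 0.75 threshold are all assumptions made for illustration; the reader data is constructed.

```python
"""Toy enrollment-and-verification flow for a fingerprint-style system.

Added example: the minutia representation, quality cut-off, tolerances and
threshold below are assumptions for illustration, not any real product's.
"""
from dataclasses import dataclass
import math

MIN_FEATURES = 4          # assumed minimum quality: fewer key features -> present again
POSITION_TOLERANCE = 3.0  # assumed distance (reader units) for two minutiae to correspond
ANGLE_TOLERANCE = 15.0    # assumed ridge-angle tolerance in degrees


@dataclass(frozen=True)
class Minutia:
    """One 'key' feature: a ridge ending or bifurcation with its direction."""
    x: float
    y: float
    angle: float


def extract_features(raw_points):
    """Step 2: keep only the key features from the raw reader data.

    raw_points is a list of (x, y, angle, quality) tuples as a reader might
    produce; points whose quality is at or below 0.5 (assumed cut-off) are dropped.
    """
    return [Minutia(x, y, a) for (x, y, a, q) in raw_points if q > 0.5]


def enroll(raw_points):
    """Steps 1-2 at enrollment: build the reference template or refuse the sample."""
    features = extract_features(raw_points)
    if len(features) < MIN_FEATURES:
        raise ValueError("sample quality too low, present again")
    return features


def _angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(template, sample):
    """Step 3: fraction of template minutiae with a counterpart in the sample.

    Each sample minutia may be used once, so repeated points cannot inflate the score.
    """
    matched = 0
    unused = list(sample)
    for t in template:
        for i, s in enumerate(unused):
            close = math.hypot(t.x - s.x, t.y - s.y) <= POSITION_TOLERANCE
            if close and _angle_diff(t.angle, s.angle) <= ANGLE_TOLERANCE:
                matched += 1
                del unused[i]
                break
    return matched / len(template)


def verify(template, raw_points, threshold):
    """Steps 1-4 for a login attempt.

    Returns None when the sample fails the quality check (the user is asked to
    present again), otherwise (score, accepted).
    """
    sample = extract_features(raw_points)
    if len(sample) < MIN_FEATURES:
        return None
    score = match_score(template, sample)
    return score, score >= threshold


# Constructed reader output: (x, y, angle, quality). The enrollment scan has
# one low-quality point that extraction drops.
ENROLLED_RAW = [(10, 10, 30, 0.9), (20, 15, 90, 0.8), (30, 40, 180, 0.7),
                (45, 25, 270, 0.95), (50, 50, 45, 0.3)]
# Same finger later: every point shifted slightly, as a real re-presentation would be.
GENUINE_RAW = [(11, 11, 33, 0.9), (21, 14, 85, 0.8), (29, 41, 175, 0.7), (46, 26, 275, 0.9)]
# A different finger that happens to share one similar minutia.
IMPOSTOR_RAW = [(70, 70, 10, 0.9), (80, 75, 100, 0.8), (12, 9, 25, 0.9),
                (90, 90, 300, 0.8), (5, 5, 0, 0.9)]
# A smudged scan: too few usable points, so the system asks again.
LOW_QUALITY_RAW = [(10, 10, 30, 0.9), (20, 15, 90, 0.2), (30, 40, 180, 0.3)]

if __name__ == "__main__":
    template = enroll(ENROLLED_RAW)
    print("genuine :", verify(template, GENUINE_RAW, 0.75))
    print("impostor:", verify(template, IMPOSTOR_RAW, 0.75))
    print("smudged :", verify(template, LOW_QUALITY_RAW, 0.75))
```

The genuine re-presentation scores 1.0 even though no point lands exactly where it did at enrollment, which is the point of the tolerances; the impostor finger scores 0.25 from its one coincidental feature, well under the threshold; and the smudged scan never reaches the matcher at all.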

How the tolerance threshold works

The level of acceptance for a nuclear facility compared to a laptop login is going to be very different. The system calculates this threshold using the:

False Accept Rate (FAR) - Resulting in an allow when it should have rejected

False Reject Rate (FRR) - Resulting in a reject when it should have allowed

Crossover Error Rate (CER) - The point at which the FAR and FRR meet

Where you need to set the threshold in relation to the CER depends on the sensitivity of what you are protecting. A nuclear facility would rather stop more people who are allowed in than allow anyone in who should not be.
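The FAR, FRR and CER definitions above, as an added example (not from the original article): a Python sweep over thresholds using constructed genuine and impostor match scores. The score lists are made up for the illustration; the `choose_threshold` helper, which picks the lowest threshold meeting a maximum FAR, is this example's own way of expressing the nuclear-facility versus laptop-login trade-off.

```python
"""FAR, FRR and crossover error rate from match scores.

Added example: the score lists are constructed for illustration; a real
evaluation uses scores recorded from many genuine and impostor attempts.
"""

# Constructed match scores in the range 0..1. Genuine attempts mostly score
# high and impostor attempts mostly low, but the two overlap, as they do in
# practice: no threshold separates them perfectly.
GENUINE_SCORES = [0.95, 0.91, 0.88, 0.85, 0.82, 0.79, 0.74, 0.70, 0.62, 0.55]
IMPOSTOR_SCORES = [0.05, 0.12, 0.18, 0.25, 0.31, 0.38, 0.45, 0.52, 0.60, 0.66]


def false_accept_rate(impostor_scores, threshold):
    """FAR: share of impostor attempts the threshold would allow."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_reject_rate(genuine_scores, threshold):
    """FRR: share of genuine attempts the threshold would reject."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(genuine, impostor, steps=100):
    """(threshold, FAR, FRR) for every threshold from 0 to 1 in 1/steps increments."""
    return [(i / steps,
             false_accept_rate(impostor, i / steps),
             false_reject_rate(genuine, i / steps)) for i in range(steps + 1)]


def crossover_error_rate(genuine, impostor, steps=100):
    """Threshold at which FAR and FRR are closest, and the error rate there (the CER)."""
    t, far, frr = min(sweep(genuine, impostor, steps), key=lambda r: abs(r[1] - r[2]))
    return t, (far + frr) / 2


def choose_threshold(genuine, impostor, max_far, steps=100):
    """Lowest threshold whose FAR does not exceed max_far, with the FAR and FRR it costs.

    A high-security site sets max_far near zero and accepts the higher FRR;
    a laptop login tolerates more false accepts to keep its users happy.
    """
    for t, far, frr in sweep(genuine, impostor, steps):
        if far <= max_far:
            return t, far, frr
    return 1.0, 0.0, 1.0


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, steps=10):
        print(f"threshold {t:.1f}  FAR {far:.1f}  FRR {frr:.1f}")
    print("CER:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("strict (no false accepts):", choose_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
    print("lenient (FAR up to 0.2):", choose_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, 0.2))
```

Raising the threshold only ever lowers FAR and raises FRR, so the two curves cross once; with these scores they meet at a threshold of 0.61 with both rates at 0.1. Forbidding any false accept pushes the threshold to 0.67 and rejects two in ten genuine users, while allowing a FAR of 0.2 lets the threshold drop to 0.53 with no genuine rejections, which is the trade-off the text describes.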

User Acceptance

One of the limitations, apart from obvious costs, with mass deployment of biometric devices is user acceptance. Unlike passwords, biometric devices are intrusive. They require you to supply very personal information about yourself. If you have a password stolen you can change it; if the scan of your iris is stolen, it cannot be changed.

Biometrics are here to stay, and they will continue to be used in increasing numbers over the years. The days of the traditional password are numbered, but will biometrics become the de facto standard, or will something else more widely accepted take its place?