Biometrics

1
Biometrics

• Hiroki Morimoto

2
Overview

• Definition
• Advantages/Disadvantages and Ideal Biometrics
• Usage and System of Biometrics
• Current application in real world
• Biometrics Errors
• Possible Attacks
• Examples
• Fingerprint
• Hand Geometry
• Iris Scan
• Voice Recognition
• Conclusion
• References

3
Definition

• Biometrics refers to methods for uniquely
  recognizing or verifying a person based upon one
  or more physical characteristics or behavioral
  traits
• Biometrics identifies the person by what he or
  she is, not by what she knows (i.e. passwords)
  nor what he has (i.e. ID cards)?

4
Behavioral based

• Behavioral-based methods perform the
  identification task by recognizing people's
  behavioral patterns
• Examples
• signatures, keyboard typing, and voice print
• Advantage
• they are sometimes more acceptable to users and
  generally cost less to implement
• Disadvantage
• they all have high variations, which are
  difficult to cope with.
• they can be difficult to measure because of
  influences such as stress, fatigue, or illness,.

5
Physiological based

• Physiological-based methods verify a person's
  identity by means of his or her physiological
  characteristics
• Examples
• fingerprint, iris pattern (eye blood vessel
  pattern), palm geometry, DNA, or facial features
• Advantages
• in general, physiological traits are more stable
  because most physiological features are virtually
  nonalterable
• difficult to forge.
• Disadvantages
• some of them are time consuming
• some people don't feel comfortable with it

6
Comparison

• Generally, physiological characteristics provide
  higher recognition accuracy than behavioral
  features
• average error rate of behavioral methods is 10 to
  100 times higher than physiological one
• Intrusiveness measure of users psychological
  discomfort
• Convenience measure of users physical discomfort
• There is tradeoff between these two factors and
  error rate

7
Why Biometrics?

• Biometrics seen as desirable replacement for
  passwords and IDs
• Users no longer have to
• remember passwords
• carry IDs
• worry about losing/forgetting them
• update them
• More Secure because difficult to steal and forge
• Need no human resource expenses due to lockout or
  password reset. Thus, it decreases system
  management cost

8
Why Biometrics? (cont)?

• Very active area of research
• Total revenue likely to reach 1 billion in the
  year 2003
• It offers two important features
• Fraud detection easy to discover multiple
  registration
• Fraud deterrence introduce the psychological
  effect not to do multiple registration

9
Problems of Biometrics

• Biometrics are not widely accepted because
• Some devices are still costly and time consuming
• Some people find their use as intrusive and/or
  invasive
• Privacy and confidentially issues of bio records
• It can be a single point of failure so that
  secondary way must be provided (such as
  password/ID)?
• Cancelation, erase, and reset are (almost)
  impossible. Thus, once it is stolen or opened to
  public, all other systems can be
  accessed/attacked
• Forgeries are possible

10
Ideal Biometric

• Universality ? everyone should have the
  characteristic
• In reality, no biometric applies to everyone
• Uniqueness ? distinguish with certainty
• In reality, cannot hope for 100 certainty
• Permanence ? physical characteristic being
  measured never changes
• In reality, want it to remain valid for a long
  time
• Collectability ? easy to collect required data
• Depends on whether subjects are cooperative
• Acceptability ? degree of approval of a
  technology.
• In reality, everyone doesnt feel comfortable
  with it
• Safety ? assurance of confidentially and
  Integrity of collected data
• Still is a current subject
• Circumvention ? ease of use of a substitute
• Tradeoff between cost and goal

11
Biometrics Usage

• Identification ? Who goes there?
• Compare one to many
• Example The FBI fingerprint database
• Authentication ? Is that really you?
• Compare one to one
• Example Thumbprint mouse
• Identification problem more difficult (high error
  rate)?
• Because more random matches since more
  comparisons
• Authentication needs less computational resources

12
Biometrics Strategy

• The common basic process of a biometrics system
• Enrollment capture raw data
• Feature Extraction encode the raw data into the
  distinctive characteristics on the specific
  system
• Template Creation system specific template is
  created
• A template is a small file derived from the
  distinctive features of a user's bio data
• There are two types of template
• Enrollment template generated during the users
  first interaction and stored in the enrollment
  database for future use
• Matching template generated during
  identification/authentication attempts, to be
  compared with the enrollment template and
  discarded each time
• Biometrics Matching two temples compare
  statistically to determine the degree of
  correlation. The resulting score is compared
  against the threshold to determine math or
  mismatch

13
Enrollment vs. Recognition

• Enrollment phase
• Subjects biometric info put into database
• Must carefully measure the required info
• OK if slow and repeated measurement needed
• Must be very precise for good recognition
• A weak point of many biometric schemes
• Recognition phase
• Biometric detection when used in practice
• Must be quick and simple
• But must be reasonably accurate

14
Biometrics in our world

• In the past, it was used to protect highly
  sensitive information
• Now it is more familiar to us
• Palm print for secure entry
• West Virginia University implemented it at 2002
  in a dominant building
• McDonalds use for timekeeping of workers
• Fingerprint to unlock car door and log into the
  computer

15
Application of Biometrics

• Biometrics application can be categorized in
  horizontal categories and vertical markets

16
Biometrics Categories

• Citizen Identification
• identify/authenticate citizens interacting with
  government agencies
• PC/Network Access
• secure access to PCs, Network and other computer
  resource
• Physical Access / Time and Attendance
• secure access to a given area at a given time
• Surveillance and Screening
• identify/authenticate individual presence in a
  given location
• Retail ATM / Point of Sale
• provide identification/authentication for
  in-person transactions for goods/services
• E-Commerce / Telephon
• provide identification/authentication for remote
  transactions for goods/services
• Criminal Identification
• identify/verify individual in law enforcement
  application
• Descending order of estimated annual revenues
  generated 2003-2007

17
Biometrics Markets

• Government Sector
• Travel and Transportation
• Financial Sector
• Health Care
• Law Enforcement
• Descending order of estimated annual revenues
  generated 2003-2007

18
Market Share of Biometrics
19
Errors

• False acceptance rate user A miss-authenticated
  as user B
• Sometime called type1 error, fraud rate, ...
• FAR 1 sensitivity 1 TPR
• sensitivity, true positive rate (TPR), is the
  percentage that an authorized person is admitted
• False rejection rate user A not authenticated as
  user A
• Also known as type2 error, insult rate,
• FRR 1 specialty 1 TNR
• specificity, true negative rate (TNR), is the
  percentage that an unauthorized person is
  correctly rejected

20
Errors

• A good system should have both low FRR (high
  sensitivity) and low FAR (high specificity)
• However, for any biometric, there is tradeoff
• can decrease one, but other will increase
• Tradeoff is illustrated by so-called receiver
  operation characteristic (ROC) curves or by the
  detection error tradeoff (DET) curves

21

• (a) ROC, (b) (DET)?
• FAR is plotted against FRR by varying the
  threshold
• For examples
• at (), FAR and FRR are equal about 20
• at (o), FRR is 10 and FAR is 50.
• Dropping threshold will move the operating point
  toward the right of both curves,
• which means the system will be less sensitive and
  more specific
• Raising the threshold is vise versa

22
Errors

• Equal error rate rate where FAR FRR
• The best measure for comparing biometrics

23
Attacks

• Mainly, there are three possible attacks
• Presenting artificial created samples
• Eavesdropping the communication between the
  sensor device and the system
• Exploiting the template database
• The first scenario has proven to be the easiest
  and the most successful
• The other two can help to obtain data required to
  create the artificial sample

24
Fingerprints

• Fingerprints have four important features loops,
  whorls, arches, and tents
• Thus, extracting these features to create the
  minutiae

Loop
Whorl
Arch
Tent
25
Implementation of fingerprints

• Implementation Steps
• Capture image of fingerprint
• Enhance image
• Identify minutia

26
Implementation of fingerprints

• Compares the extracted minutiae with the data in
  the database
• The result is calculated by graph mating
  statically

27
Features of Fingerprints

• Advantages
• Its EER of about 5
• Unique even for identical twins (not genetics
  dependent)?
• Popular, cheap, ease of use, quick,
• Disadvantages
• Not permanent and universal due to injury, aging
  or other factors
• Less acceptable because it is often associated
  with forensic application
• Attack
• Extracting/Reproducing achieved by using bond and
  gelatin
• i.e. the Japanese mathematician, T. Mastumoto,
  succeeded in fooling a finger print device using
  an artificial gelatin finger

28
Hand Geometry

• Hand Geometry is a popular form of biometric
• Widely used for authentication but not useful for
  identification

29
Implementation of Hand Scan

• Take a picture to capture a silhouette image
• Top and side views of hand are captured
• Measures shape of hand/fingers
• Width, length, curvature, and thickness

30
Features of Hand Geometry

• Advantages
• Ease of use
• Wide public acceptance
• Disadvantages
• Hands are not unique
• Not permanent because of growing, injury, and so
  on
• Attack
• Creating the artificial hand is very easy

31
Iris Scan

• Iris Scan is utilized in highly-secure facilities
  such as bank or military
• Implantation
• Scan eye with infrared rays
• Create the b/w photo of iris
• Apply 2-D wavelet translation
• Change the data of iris into 256 bytes iris code
• Compare the created matching template with
  enrollment template in the database with hamming
  distance

32
Features of Iris

• Advantages
• Safe because it shows smallest error rate (EER of
  about 10-6) and it is difficult to spoof
• Very unique (more random than fingerprint) and
  little or no genetic influence (phenotypic)?
• Permanent where pattern is stable through
  lifetime and protected/cleared by cornea and
  eyelid
• Very quick
• Disadvantages
• Low Acceptability because some think it is
  intrusive and invasive
• Attack
• Attacks by using high-quality photo/image have
  succeeded

33
Voice Recognition

• Sometimes called speaker recognition
• Voice Recognition is both a behavioral and a
  physiologically based method
• behavioral motion of mouse, pronunciation
• physiological vocal tract
• Mostly used for remote authentication due to its
  availably of device to collect sample
• i.e. telephone network, computer microphone

34
Implementation of Voice Recognition

• Speaker says pass-phrase (fixed) or repeats a
  word (prompted)?
• Components of the voice are broken down into
  three categories called phonemes
• pitch, intonation, and pronunciation
• sometimes more duration, loudness, etc
• Compare statistically

35
Features of Voice Recognition

• Advantages
• Can be combined with password-based method
  (verbal information) by asking/answering question
  such as what is your name? or how old are
  you?
• Very quick and easy to collect sample
• Disadvantages
• Not universal
• Not permanent and reliable because it is
  sensitive to its background and environment
  illness, emotion, aging, device, and ones
  environment
• Need larger storage for its template
• Attack
• Can impersonates an authenticated users voice
• Record and playback the voice

36
Conclusion

• The attacker uses very easy and inexpensive means
  to crack biometrics systems
• No cut off finger or artificial eyes as shown
  Hollywood movie
• Templates and bio record databases need the
  highest possible degree of protection because
  renewing, resetting, and/or cancelling them are
  impossible

37
Conclusion

• Rapid advances on technology/algorithm as well as
  the availability of industry standards will
  certainly assure a bright future
• High needs for countries worldwide to protect
  border, people, organization, and resources
• However, will this be the end of traditional
  system (i.e. password) ?
• No because biometrics is not the perfect solution
• Biometrics shows the tradeoff between ease of use
  and security
• Therefore, current/future trend of security
  features combination of different technologies

38
References

• Anderson R. Security Engineering. 2001.
• Biometrics.gov. http//www.biometrics.gov/
• Boatwright, M. and Luo, X. What Do We Know About
  Biometrics Authentication? 2007.
• Bubeck, U. and Sanchez, D. Biometrics
  Authentication 2003.
• Pfleeger, C. and Pfleeger, S. Security in
  Computing. 2007.