We have all seen the movies where the retina, or a fingerprint, palm, face or some variant of this is used to secure the most vital secrets man has to hide. Moreover, unless we have been living at the South Pole, we have, likely, had the option to use some sort of biometric application. The most visible option has been its inclusion in smartphones.
Biometrics will develop at different paces for the critical applications vs. lower-end devices, many of which will be part of the internet of everything/everyone (IoX). Today, while there is bleeding-edge technology available, most of what is out there, in widespread use, is the simple stuff – fingerprint and face recognition.
Biometrics is an interesting field, and as the IoX emerges, especially in conjunction with 5G, it has been touted as a great solution to the clumsy password technology that is currently the mainstay of security. It can be used for identification and authentication for any number of cases, from logging on to a computer to premise access to ultra-high safekeeping for homeland security. The technology has come a long way in the last 10, or so, years.
However, it is not foolproof. There has been a flurry of conversation, lately, around how facial recognition is racially biased. And this is not the first time this specter has shown itself. In the past, there have been flaws in the software, such as when Google labeled black faces as gorillas. Cameras identified Asian faces as blinking. Facial recognition programs struggled to correctly identify gender for people with darker skin. There are other issues as well.
Despite this hiccup, facial recognition is coming on strong. While not the only platform, it and fingerprint recognition are the fastest-growing segments, largely because they are the easiest to implement and have the widest verticals.
At present, governments are the largest and primary implementer of biometrics, mostly the DoD, homeland security, FBI and other agencies within the government secret security wheelhouse. Of late, consumer electronics have moved closer to the center of the radar screen, especially with an eye to the future IoX.
Other segments that are delving into biometrics are financial, healthcare and the business enterprise.
As the technology advances and becomes more “plug-and-play,” and the cost of other biometric recognition platforms comes down, other market segments are expected to get on the biometrics train, as well.
And now, with this pandemic, as biometrics such as skin temperature sensing and facial recognition are being used in the fight against Covid-19, biometrics may receive some elevation in terms of development and implementation.
However, as promising as biometrics for these applications may seem, there are some fundamental challenges to biometrics. One of them is that there is not really anything secret about someone’s biometric attributes. Individuals are constantly displaying the face, eyes, other physical traits, as well as leaving fingerprints everywhere. So, capturing one’s biometric data is relatively easy.
When one thinks about it, from one perspective, it would seem biometrics makes a pretty poor security scheme. So, the question becomes how does one make the “uniqueness” of one’s physical characteristics the best passcode? Turns out that there is more to biometric security than meets the eye. For example, there is really no way to revoke a fingerprint. So, if it is compromised, how is that handled? The challenges with biometric verification are unlike those of what we have come to know as identity and password metrics.
At present, the playing field is not level, either. There is a big difference between government and consumer systems. It is not that the consumer systems are not secure, but the government systems have to be more failsafe, especially in areas such as their automatic fingerprint identification system (AFIS), which is used by law enforcement, worldwide.
For example, if a biometric system does not work on a smartphone, the manufacturer will lose a few clients and come back with a fixed version. However, in the governmental sector, it is usually a matter of national security, even life and death, so reliability and accuracy are paramount. In that vein, to make the governmental systems reliable and failsafe, they must meet certain standards and pass specific certifications.
The same is true for critical business and health care, for example. Therefore, for the foreseeable future, and especially for economies of scale, there will be two levels of biometric applications – ultra-secure (government, financial, health care, etc.) and secure (consumer).
The Base Technology
The technology is the same, whether it is the high-end or the consumer platform. It is the design, accuracy, and reliability of the technology that differentiates the two segments. However, in both cases, biometrics have the ability to be a widely implemented security platform. The reason for that is because there are so many human elements that can be used as biometric markers. Unique biometric signatures can be found in body chemistry, structure, physical elements, psychology, traits, even behavior. This diversity allows biometrics to be a very effective identifier.
These signatures make biometrics very good at two things: identification and verification, which are the two most important elements in any security profile. The diversity of biometric signatures, alone or in conjunction with other forms of identification (not just biometrics), can be used to build a very accurate identification model. Once the model is built, the verification platform can be fine-tuned with little margin for error.
A High-level View; How it Works
In a biometric system, setting up a biometric profile takes a number of processes, each with a specific function. It is worth noting here that the premise for all systems is that the systems are secure, both in the storage of identifying data and the access to such data. As well, the general process is the same for all types of biometric technologies.
Identification starts with a base model of the desired identification element (a fingerprint, for example, see Figure 1). The initial stage is called enrollment. This is the phase where the specific biometric information is captured, cataloged and placed into storage. Once the data has been processed, verified, and is deemed reliable, the biometric template is available for identification going forward. That part is simply comparing the captured data (fingerprint from a scanner, for example) to the stored data.
To have a high rate of success, identification uses several steps to get the most reliable “true” identity. Biometric scans, while highly accurate, still need a bit of verification and post-processing to make sure the image scanned is the same as the image stored (this is one of the metrics that distinguish high-end systems from consumer systems).
Scanning will introduce artifacts – added environmental data that is not relevant or accurate (dirt or other contaminants on the lens or the finger, light reflections/refractions, minute movement during the scan, or other noise). The processor needs to analyze such artifacts and remove them from the image. This is where many of the points of failure are. Going forward, AI promises to help, significantly, in analyzing images and culling the artifacts from the actual image. Then the processing can extract only the required features. In fingerprint recognition, for example, only certain characteristics are considered valid data for comparison.
The second element of biometric identification is verification. This process is where the actual authentication takes place. The system is ultimately trying to find the one-on-one match of the scanned image. It is a rather interesting process to eliminate errors.
The system searches for a set of possible matching templates, based on reference models, from which the matching algorithms generate a set of possible matches. These matches have a “score” that puts them into the ballpark. Then the images go through a series of “tests” where they are eliminated, one by one, until the final image is verified to be the “best” match. While the best case may seem a bit chaotic, it is really very accurate in high-end systems, where a higher number of samples and algorithms are employed to match the exact template.
Looking to the future, we can expect to see a lot of development happening in the biometric space. For example, in ultra-high-end systems, multimodal technology can be employed, as well as artificial intelligence (AI) and machine learning (ML). The operational methodologies are the same, but these systems use multiple resources (sensors, processors and complex algorithms) to capture and process the image. This is useful where extremely high accuracy is required (such as for international terrorist identification).
Advanced systems can overcome the limitation of unimodal systems that may not be able to recognize scarred fingerprints, for example. And for iris-type recognition, they can compensate for aging within the eye. They can also combine various biometric metrics such as fingerprint, iris, and voice, to form a more complete “image” via sequential, parallel, hierarchical, and serial integration modes. These are the systems that are used in the most critical applications.
Biometrics Tools and Techniques
While biometrics have many potential tools, presently there are only two that are in wide-scale deployment – fingerprint and facial scanning. Of those two, fingerprints account for 60 to 70 percent of all applications. Other technologies include iris, retina, face, palm or hand and venous.
One of the key issues of biometric verification is accuracy. It is worth drilling down a bit into the very interesting methodology that is used to get that “exact” match.
To get a match, the system must analyze the data, compare it to a database, and pick the best choice. That is, essentially, a process of controlled trial and error. Algorithms are used to analyze the errors, and, logically, eliminate all but the best possibility.
There are two types of verification errors a biometric system can make. The first is mistaking the biometric measurements from two different individuals as being from the same individual; its rate is the False Match Rate (FMR). The second is mistaking two biometric measurements from the same individual as being from two different individuals; its rate is the False Non-Match Rate (FNMR). These are the two parameters that are characterized by the Receiver Operating Characteristic (ROC).
Algorithms are applied to these two metrics to deduce the best case match. They are also metrics that determine the level of precision (see Figure 2a/2b). They are parameters that can be varied to change the quality of verification algorithms, and the curve reflects the effect of the variations. Following is a brief description of the process [1].
A sample population containing matching (genuine) and non-matching (impostor) image pairs is presented to the biometric algorithm and the match score, t, is calculated to estimate the genuine (g(t)) and impostor (f(t)) match score distributions.
The Detection Error Tradeoff (DET) curve summarizes the verification performance of the biometric algorithm on the sample population on which it is calculated. Technology evaluations, such as the Face Recognition Vendor Tests (FRVT) and the Fingerprint Vendor Technology Evaluation (FpVTE) tests [2], [3] use DET curves (the ROC) to describe their results. This methodology works for any type of biometric technology.
However, as exotic types of biometrics that are still in the developmental stages come online, this methodology will likely need some modification. Still, the basic principle is sound and will disseminate forward to these new technologies.
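The FMR/FNMR trade-off described above, worked through as an added example (not code from the original article or from the cited evaluations). The score lists are constructed, the function names are hypothetical, and it assumes a similarity score where higher means a closer match and a pair is accepted when its score reaches the threshold t.

```python
# Added example: FMR, FNMR and DET points computed from match scores.
# All scores below are constructed sample data, not measurements.

# Scores for pairs taken from the same person (genuine comparisons).
GENUINE = [0.91, 0.88, 0.95, 0.73, 0.84, 0.66, 0.97, 0.79, 0.58, 0.90]
# Scores for pairs taken from different people (impostor comparisons).
IMPOSTOR = [0.12, 0.31, 0.45, 0.22, 0.61, 0.38, 0.70, 0.27, 0.52, 0.18]


def error_rates(genuine, impostor, t):
    """Return (FMR, FNMR) when a pair is accepted iff its score >= t."""
    fmr = sum(s >= t for s in impostor) / len(impostor)  # impostors accepted
    fnmr = sum(s < t for s in genuine) / len(genuine)    # genuine users rejected
    return fmr, fnmr


def det_points(genuine, impostor):
    """One (threshold, FMR, FNMR) triple per distinct observed score.

    Plotting FNMR against FMR over these points gives the DET curve.
    """
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_point(genuine, impostor):
    """Operating point where FMR and FNMR are closest to each other."""
    return min(det_points(genuine, impostor), key=lambda p: abs(p[1] - p[2]))


def threshold_for_fmr(genuine, impostor, max_fmr):
    """Lowest threshold whose FMR stays within max_fmr, plus the FNMR paid.

    A high-assurance deployment fixes a small FMR and accepts the resulting
    FNMR; a convenience-first one does the opposite.
    """
    for t, fmr, fnmr in det_points(genuine, impostor):
        if fmr <= max_fmr:
            return t, fmr, fnmr
    return None  # no observed threshold is strict enough


if __name__ == "__main__":
    for t, fmr, fnmr in det_points(GENUINE, IMPOSTOR):
        print(f"t={t:.2f}  FMR={fmr:.1f}  FNMR={fnmr:.1f}")
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR))
    print("strictest (FMR=0):", threshold_for_fmr(GENUINE, IMPOSTOR, 0.0))
```

Raising the threshold moves along the curve toward fewer false matches and more false non-matches, which is the knob that separates the ultra-secure tier from the consumer tier discussed earlier.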
Security and Such
Some biometrics (iris, retina, blood vessel mapping) are, intrinsically, more secure than others (fingerprint, hand, face). The underground, as we know it today, is motivated by financial incentives; therefore, its focus should always be on the areas that are most profitable and easiest to compromise.
In applications, fingerprints, irises and such should take a similar role to the kind of authentication credentials that currently one does not want to change if they are compromised. Things like your name and social security number are lifelong credentials. There are very few circumstances where such things would be changed. With biometrics, traits exclusive to you, such as fingerprints, iris, and retina, cannot be changed either. Therefore, making these traits secure is high on the priority list.
Unfortunately, it is unlikely that biometrics will become a cure-all for security. All authentication methodologies have flaws. If one has a social security number, a password and a biometric in combination, each of them has significant flaws; combining them does not necessarily mean you get something better than the benefits of each individually. It is all about keeping identity metrics as secure as possible.
As it turns out, issues with biometric security and its hacks are the same as current applications (credit cards, computers, smartphones). The first is identity theft, the second is data compromise. The identification and verification are different, but the outcome is the same. The only difference between biometrics and conventional security is how the data is captured, and how the identity can be stolen.
That being said, let us take a quick look at the most common issues that are part of the biometric environment.
· Privacy or discrimination – Data that is captured during the biometric enrollment process has the possibility of being used in ways that may compromise the enrolled individual. For example, biometric employee DNA could also, without consent and unknowingly, screen for genetic diseases or “undesirable” traits that DNA can reveal. This can be used by insurance companies or the government in security clearance as a red flag.
· Misuse of personal information – The concern here is that information discovered by biometrics may reveal personal information, such as criminal records, derogatory credit data, or financial distress. Such information can be used to refuse an individual a position, for example, even if the data is sealed or has nothing to do with the current reason for the biometric profile.
· Identity theft – Perhaps the most disconcerting is how easy it is to fool a fingerprint sensor, which is the prevailing and cheapest technology and likely to be very pervasive for low-end consumer applications. Not so much for face or eye, but let us look at some of the methods that can thwart fingerprint biometrics.
Examples of How it is Done
Astonishingly, common rubber cement is one of the cheapest and most effective ways to copy a fingerprint. This usually requires the cooperation of the individual, but this technique has been used in criminal activities where the person is being held against their will and their fingerprint is duplicated forcefully.
Gelatin is another simple and easy way to capture a fingerprint. Gelatin has many of the same properties as human skin and can fool the more sophisticated readers that are smart enough to detect fake (rubber) fingerprints. All one needs is a laser printer and gummy bear material. They create a “shim” that can be placed over your finger and give you someone else’s fingerprint. This is not all that new, actually. It was popular in college some years back as a way to cut classes in the early fingerprint sensor era.
Other measures include things such as cellophane tape, photocopies, even “removed” phalanges. All have some measure of success in fooling fingerprint scanners. Of course, the measure of success is directly related to the sophistication of the scanning system.
However, the hardware is improving all the time, as are the layers of security. This is where the security chip vendors play a critical role. They are integrating verification and security measures in biometric sensors and processing hardware. That helps to ease some of the concerns, especially with some of the fingerprint compromises discussed.
As the next generation of technologies mature, so will biometrics. It is the perfect, convenient credential for the many applications that will require authentication.
One thing worth noting is that biometrics, in most cases, will not be the only technology for identification and verification. There are several reasons for that, some of which were discussed, but, basically, it is fairly easy to duplicate the current biometric verification process on lower-end applications.
Facial, hand, iris, retina, voice, the ones that are working today will evolve. There are many “futuristic” solutions on the design table, but there is little hard evidence, presently, that some of them work. Others are so complex that we do not, yet, have the technology to make it happen (DNA for example). And there are the issues of forgeries. Tricking a sensor into a match is quite possible with many of today’s systems. For example, all one has to do is hold a video of the person taken on a smartphone up to the camera, and it will happily accept that as the person being present.
However, looking to the future, many other biometric vectors can be investigated. As well, technology will double a few more times as the years pass. So things such as vein scans, facial thermography, DNA matching, odor sensing, blood pulse measurements, skin pattern recognition, nailbed identification, gait recognition, even ear shape recognition, may well become more secure down the road.
Regardless, more extreme technologies such as electroencephalogram (EEG), and electrocardiogram (ECG) biometrics are intriguing. Research has shown that individuals have distinct brain and heart patterns that are unique for each individual. This futuristic technology is more fraud resistant than conventional biometrics like finger and hand prints, and eye patterns.
No doubt, this will grow more sophisticated as the technology advances. At some point, we will all be biometrically available to some degree.
1. Andy Adler and Michael E. Schuckers “Calculation of a Composite DET Curve.” Adler – School of Information Technology and Engineering, University of Ottawa, Ontario, Canada. Schuckers – St. Lawrence University, Canton, NY, USA and Center for Identification Technology Research (CITeR) West Virginia University, Morgantown, WV, USA.
2. NIST: Face Recognition Vendor test 2002 http://frvt.org/frvt2002
3. NIST: Fingerprint Vendor Technology Evaluation (FpVTE) 2003 http://fpvte.nist.gov/