Biometric Techniques – Enhancing Security Standards In High Performance Enterprise
INTRODUCTION:
In today’s digital economy, where many important activities are carried out with the help of computer, the need for reliable, simple, flexible and secure system is a great concern and a challenging issue for the organisation. Day by day security breaches and transaction fraud increases, the need for secure identification and personal verification technologies is becoming a great concern to the organisation. By measuring something unique about an individual and using that to identify, an organisation can dramatically improve their security measures. Awareness of security issues is rapidly increasing among company how they want to protect the information which is a greatest asset that the company possesses. The organisation wants to protect this information from either internal or external threat. Security plays a very important role in the organization and to make computer system secure, various biometric techniques have been developed. Today biometric techniques are a reliable method of recognising the identity of a person based on physiological or behavioral characteristics. Biometrics techniques exploit human’s unique physical or behavioral traits in order to authenticate people. The features measured are face, fingerprints, hand geometry, iris, retinal, voice etc. Biometric authentication is increasingly being used in areas like banking, retailing, defense, manufacturing, health industry, stock exchange, public sector, airport security, internet security etc. Biometric technologies are providing a highly-secure identification and personal verification solutions. Biometric techniques are an attempt in providing a robust solution to many challenging problems in security. Biometrics focuses on the analysis of physical or behavioral traits that determine individual identity. Biometrics can he used to verify the identity of an individual based on the measurement and analysis of unique physical and behavioral data. Indeed, biometrics techniques increasingly are being viewed as the preferred means to confirm an individual’s identity accurately.
The history of biometric techniques is not new, it trace its origin from the past. The ancient biometric technique which was practiced was a form of finger printing being used in China in the 14th century, as reported by the Portuguese historian Joao de Barros. The Chinese merchants were stamping children’s palm and footprints on paper with ink to distinguish the babies from one another. Biometrics the ancient Greek word is the combination of two words -bio means life, metric means measurement.It is the study of methods for uniquely recognizing humans based upon physical or behavioral characterstics. The physiological characterstics are fingerprint, face, hand geometry, DNA and iris recognition. Behavioral are related to the behavior of a person like signature, study of keystroke, voice etc. Thus a biometric system is essentially a pattern recognition system which makes a personal identification by determining the authenticity of a specific physiological or behavioral characteristic possessed by the user. Biometric characteristics are collected using a device called a sensor. These sensors are used to acquire the data needed for verification or identification and to convert the data to a digital code. The quality of the device chosen to capture data has a significant impact on the recognition results. The devices could be digital cameras for face recognition, ear recognition etc or a telephone for voice recognition etc. A biometric system operates in verification mode or identification mode. In verification mode the system validates a person identity by comparing the captured biometric data with the biometric template stored in the database and is mainly used for positive recognition. In the identification mode the system captures the biometric data of an individual and searches the biometric template of all users in the database till a match is not found.
DIFFERENT TYPES OF BIOMETRIC TECHNIQUES
o Face Recognition
The biometric system can automatically recognize a person by the face. This technology works by analyzing specific features in the face like – the distance between the eyes, width of the nose, position of cheekbones, jaw line, chin ,unique shape, pattern etc. These systems involve measurement of the eyes, nose, mouth, and other facial features for identification. To increase accuracy these systems also may measure mouth and lip movement.Face recognition captures characteristics of a face either from video or still image and translates unique characteristics of a face into a set of numbers. These data collected from the face are combined in a single unit that uniquely identifies each person. Sometime the features of the face are analyzed like the ongoing changes in the face while smiling or crying or reacting to different situation etc.The entire face of the person is taken into consideration or the different part of the face is taken into consideration for the identity of a person. It is highly complex technology. The data capture by using video or thermal imaging. The user identity is confirmed by looking at the screen. The primary benefit to using facial recognition as a biometric authenticator is that people are accustomed to presenting their faces for identification and instead of ID card or photo identity card this technique will be beneficial in identifying a person. As the person faces changes by the age or person goes for plastic surgery, in this case the facial recognition algorithm should measure the relative position of ears, noses, eyes and other facial features.
o Hand Geometry:
Hand geometry is techniques that capture the physical characteristics of a user’s hand and fingers. It analyses finger image ridge endings, bifurcations or branches made by ridges. These systems measure and record the length, width, thickness, and surface area of an individual’s hand. It is used in applications like access control and time and attendance etc. It is easy to use, relatively inexpensive and widely accepted. A camera captures a 3 dimensional image of the hand. A verification template is created and stored in the database and is compared to the template at the time of verification of a person. Fingerprint identification.Currently fingerprint readers are being built into computer memory cards for use with laptops or PCs and also in cellular telephones, and personal digital assistants. It is successfully implemented in the area of physical access control.
o Eye Recognition:
This technique involves scanning of retina and iris in eye. Retina scan technology maps the capillary pattern of the retina, a thin nerve on the back of the eye. A retina scan measures patterns at over 400 points. It analyses the iris of the eye, which is the colored ring of tissue that surrounds the pupil of the eye. This is a highly mature technology with a proven track record in a number of application areas. Retina scanning captures unique pattern of blood vessels where the iris scanning captures the iris. The user must focus on a point and when it is in that position the system uses a beam of light to capture the unique retina characterstics.It is extremely secure and accurate and used heavily in controlled environment. However, it is expensive, secure and requires perfect alignment and usually the user must look in to the device with proper concentration. Iris recognition is one of the most reliable biometric identification and verification methods. It is used in airports for travellers.Retina scan is used in military and government organization. Organizations use retina scans primarily for authentication in high-end security applications to control access, for example, in government buildings, military operations or other restricted quarters, to authorized personnel only. The unique pattern and characteristics in the human iris remain unchanged throughout one’s lifetime and no two persons in the world can have the same iris pattern.
o Voice Biometrics
Voice biometrics, uses the person’s voice to verify or identify the person. It verifies as well as identifies the speaker. A microphone on a standard PC with software is required to analyze the unique characteristics of the person. Mostly used in telephone-based applications. Voice verification is easy to use and does not require a great deal of user education. To enroll, the user speaks a given pass phrase into a microphone or telephone handset. The system then creates a template based on numerous characteristics, including pitch, tone, and shape of larynx. Typically, the enrollment process takes less than a minute for the user to complete. Voice verification is one of the least intrusive of all biometric methods. Furthermore, voice verification is easy to use and does not require a great deal of user education.
o Signature Verification
Signature verification technology is the analysis of an individual’s written signature, including the speed, acceleration rate, stroke length and pressure applied during the signature. There are different ways to capture data for analysis i.e. a special pen can be used to recognize and analyze different movements when writing a signature, the data will then be captured within the pen. Information can also be captured within a special tablet that measures time, pressure, acceleration and the duration the pen touches it .As the user writes on the tablet, the movement of the pen generates sound against paper an is used for verification. An individual’s signature can change over time, however, which can result in the system not recognizing authorized users. Signature systems rely on the device like special tablet, a special pen etc. When the user signs his name on an electronic pad, rather than merely comparing signatures, the device instead compares the direction, speed and pressure of the writing instrument as it moves across the pad.
o Keystroke
This method relies on the fact that every person has her/his own keyboard-melody, which is analysed when the user types. It measures the time taken by a user in pressing a particular key or searching for a particular key.
OTHER BIOMETRIC TECHNIQUES ARE
o Vein/vascular patterns: Analyses the
veins in, for example, the hand and the face.
o Nail identification: Analyses the tracks in the nails.
o DNA patterns: it is a very expensive technique and it takes a long time for verification/identification of a person
o Sweat pore analysis: Analyses the way pores on a finger are located.
o Ear recognition: Shape and size of an ear are unique for every person.
o Odour detection: Person is verified or identified by their smell.
o Walking recognition: It analyses the way the person walks.
METHODS OF BIOMETRIC AUTHENTICATION:
o VERIFICATION : is the process of verifying the user is who they claim to be.
o IDENTIFICATION : is the process of identifying the user from a set of known users.
WORKING OF BIOMETRICS:
All biometric systems works in a four-stage process that consists of the following steps.
o Capture: A biometric system captures the sample of biometric characteristics like fingerprint, voice etc of the person who wants to login to the system.
o Extraction: Unique data are extracted from the sample and a template is created. Unique features are then extracted by the system and converted into a digital biometric code. This sample is then stored as the biometric template for that individual.
o Comparison: The template is then compared with a new sample. The biometric data are then stored as the biometric template or template or reference template for that person.
o Match/non-match: The system then decides whether the features extracted from the new sample are a match or a non-match with the template. When identity needs checking, the person interacts with the biometric system, a new biometric sample is taken and compared with the template. If the template and the new sample match, the person’s identity is confirmed else a non-match is confirmed.
[Biometric Authentication System and its functional components]
The Biometric authentication system includes three layered architecture:
o Enroll: A sample is captured from a device, processed into a usable form from which a template is constructed, and returned to the application.
o Verify: One or more samples are captured, processed into a usable form, and then matched against an input template. The results of the comparison are returned.
o Identify: One or more samples are captured, processed into a usable form, and matched against a set of templates. A list is generated to show how close the samples compare against the top candidates in the set.
A biometric template is an individual’s sample, a reference data, which is first captured from the selected biometric device. Later, the individual’s identity is verified by comparing the subsequent collected data against the individual’s biometric template stored in the system. Typically, during the enrollment process, three to four samples may be captured to arrive at a representative template. The resultant biometric templates, as well as the overall enrollment process, are key for the overall success of the biometric application. If the quality of the template is poor, the user will need to go through re-enrollment again. The template may be stored, within the biometric device, remotely in a central repository or on a portable card.
Storing the template on the biometric device has the advantage of fast access to the data. There is no dependency on the network or another system to access the template. This method applies well in situations when there are few users of the application. Storing the template in a central repository is a good option in a high-performance, secure environment. Keep in mind that the size of the biometric template varies from one vendor product to the next and is typically between 9 bytes and 1.5k. For example, as a fingerprint is scanned, up to 100 minutia points are captured and run against an algorithm to create a 256-byte binary template. An ideal configuration could be one in which copies of templates related to users are stored locally for fast access, while others are downloaded from the system if the template cannot be found locally.
Storing the template on a card or a token has the advantage that the user carries his or her template with them and can use it at any authorized reader position. Users might prefer this method because they maintain control and ownership of their template. However, if the token is lost or damaged, the user would need to re-enroll. If the user base does not object to storage of the templates on the network, then an ideal solution would be to store the template on the token as well as the network. If the token is lost or damaged, the user can provide acceptable identity information to access the information based on the template that can be accessed on the network. The enrollment time is the time it takes to enroll or register a user to the biometric system. The enrollment time depends on a number of variables such as: users’ experience with the device or use of custom software or type of information collected at the time of enrollment
Biometric Performance Measures:
o False acceptance rate (FAR) or False match rate (FMR): the probability that the system incorrectly declares a successful match between the input pattern and a non-matching pattern in the database. It measures the percent of invalid matches. These systems are critical since they are commonly used to forbid certain actions by disallowed people.
o False reject rate (FRR) or False non-match rate (FNMR): the probability that the system incorrectly declares failure of match between the input pattern and the matching template in the database. It measures the percent of valid inputs being rejected.
o Receiver (or relative) operating characteristic (ROC): In general, the matching algorithm performs a decision using some parameters (e.g. a threshold). In biometric systems the FAR and FRR can typically be traded off against each other by changing those parameters. The ROC plot is obtained by graphing the values of FAR and FRR, changing the variables implicitly. A common variation is the Detection error trade-off (DET), which is obtained using normal deviate scales on both axes.
o Equal error rate (EER): The rates at which both accept and reject errors are equal. ROC or DET plotting is used because how FAR and FRR can be changed, is shown clearly. When quick comparison of two systems is required, the ERR is commonly used. Obtained from the ROC plot by taking the point where FAR and FRR have the same value. The lower the EER, the more accurate the system is considered to be.
o Failure to enroll rate (FTE or FER): the percentage of data input is considered invalid and fails to input into the system. Failure to enroll happens when the data obtained by the sensor are considered invalid or of poor quality.
o Failure to capture rate (FTC): Within automatic systems, the probability that the system fails to detect a biometric characteristic when presented correctly.
o Template capacity: the maximum number of sets of data which can be input in to the system.
For example, performance parameters associated with the fingerprint reader may be:
o a false acceptance rate of less than or equal to 0.01 percent
o a false rejection rate of less than 1.4 percent
o the image capture area is 26×14 mm.
Obviously, these two measures should be as low as possible to avoid authorized user rejection but keep out unauthorized users. In applications with medium security level a 10{3bb2a8e703be8d5bb7fc1289a915cd39229c5bcd006c8cdf059732c7e19a8eab} False Rejection Error will be unacceptable, where false acceptance rate error of 5{3bb2a8e703be8d5bb7fc1289a915cd39229c5bcd006c8cdf059732c7e19a8eab} is acceptable.
False Acceptance When a biometric system incorrectly identifies an individual or incorrectly verifies an impostor against a claimed identity. Also known as a Type II error. False Acceptance Rate/FAR
The probability that a biometric system will incorrectly identify an individual or will fail to reject an impostor. Also known as the Type II error rate.
It is stated as follows:
FAR = NFA / NIIA or FAR = NFA / NIVA
where FAR is the false acceptance rate
NFA is the number of false acceptances
NIIA is the number of impostor identification attempts
NIVA is the number of impostor verification attempts
False Rejection Rate/FRR The probability that a biometric system will fail to identify an enrollee, or verify the legitimate claimed identity of an enrollee. Also known as a Type I error rate.
It is stated as follows:
FRR = NFR / NEIA or FRR = NFR / NEVA
where FRR is the false rejection rate
NFR is the number of false rejections
NEIA is the number of enrollee identification attempts
NEVA is the number of enrollee verification attempts
Crossover Error Rate (CER)
Represents the point at which the false reject rate = the false acceptance rate.
Stated in percentage
Good for comparing different biometrics systems
A system with a CER of 3 will be more accurate than a system with a CER of 4
BIOMETRICS USE IN INDUSTRY
Punjab National Bank (PNB) installed its first biometric ATM at a village in Gautam Budh Nagar (UP) to spread financial inclusion. “The move would help illiterate and semi-literate customers to do banking transaction any time.
Union Bank of India biometric smart cards launched. Hawkers and small traders could avail loan from the bank using the card.
In Coca-Cola Co., hand-scanning machines are used to replace the time card monitoring for the workers. In New Jersey and six other states, fingerprint scanners are now used to crack down on people claiming welfare benefits under two different names.
In Cook County, Illinois, a sophisticated camera that analyzes the iris patterns of an individual’s eyeball is helping ensure that the right people are released from jail. At Purdue University in Indiana, the campus credit union is installing automated teller machines with a finger scanner that will eliminate the need for plastic bankcards and personal identification numbers.
MasterCard International Inc. and Visa USA Inc., the world’s two largest credit card companies, have begun to study the feasibility of using finger-scanning devices at the point of sale to verify that the card user is really the card holder. The scanners would compare fingerprints with biometric information stored on a microchip embedded in the credit card.
Walt Disney World in Orlando has started taking hand scans of people who purchase yearly passes. These visitors now must pass through a scanner when entering the park preventing them from lending their passes to other people.
The technology also received widespread attention at summer’s Olympic Games Atlanta, where 65,000 athletes, coaches and officials used a hand-scanning system to enter the Olympic Village.
Selection of Biometric Techniques:
There are a lot of decision factors for selecting a particular biometric technology for a specific application.
1. Economic Feasibility or Cost:-The cost of biometric system implementation has decreased recently; it is still a major barrier for many companies. Traditional authentication systems, such as passwords and PIN, require relatively little training, but this is not the case with the most commonly used biometric systems. Smooth operation of those systems requires training for both systems administrators and users.
2. Risk Analysis:-Error rates and the types of errors vary with the biometrics deployed and the circumstances of deployment. Certain types of errors, such as false matches, may pose fundamental risks to business security, while other types of errors may reduce productivity and increase costs. Businesses planning biometrics implementation will need to consider the acceptable error threshold.
3. Perception of Users:-Users generally view behavior-based biometrics such as voice recognition and signature verification as less intrusive and less privacy-threatening than physiology-based biometrics.
4. TechnoSocio Feasibility:-Organizations should focus on the user-technology interface and the conditions in the organizational environment that may influence the technology’s performance. The organization should create awareness among the users how to use the techniques and should overcome the psychological factors as user fears about the technology. Organization has to also consider the privacy rights of users while implementing the biometric techniques.
5. Security: Biometric techniques should have high security standards if they will be implemented in high secure environment. The biometric techniques should be evaluated on the basis of their features, potential risk and area of application, and subjected to a comprehensive risk analysis.
6. User friendly and social acceptability -Biometric techniques should be robust and user friendly to use and they should function reliably for a long period of time. The techniques should not divide the society into two group i.e. digital and non digital society.
7. Legal Feasibility-Government has to form a regulatory statutory framework for the use of biometric techniques in various commercial applications. It should form a standard regulatory framework for use of these techniques in commercial applications or transactions. If required the framework has to be regulated and changed time to time.
8. Privacy-As biometric techniques rely on personal physical characteristics, an act has to be made to protect the individual’s privacy data not to be used by other. A data protection law has to be created in order to protect the person’s privacy data.
Criteria for evaluating biometric technologies.
The reliability and acceptance of a system depends on the effectiveness of the system, how the system is protected against unauthorized modification, knowledge or use, how the systems provide solutions to the threats and its ability and effectiveness to identify system’s abuses.
These biometric methods use data compression algorithms, protocols and codes. These algorithms can be classified in three categories:
o Statistical modeling methods,
o Dynamic programming,
o Neural networks.
The mathematical tools used in biometric procedure need to be evaluated. Mathematical analysis and proofs of the algorithms need to be evaluated by experts on the particular fields. If algorithms implement “wrong” mathematics then the algorithms are wrong and the systems based on these algorithms are vulnerable. If the algorithms used in the biometric methods have “leaks”, or if efficient decoding algorithms can be found then the biometric methods themselves are vulnerable and thus the systems based on these methods become unsafe.
Different algorithms offer different degrees of security, it depends on how hard they are to break. If the cost required to break an algorithm is greater than the value of the data then we are probably safe. In our case where biometric methods are used in financial transactions where a lot of money is involved it makes it worth it for an intruder to spend the money for cryptanalysis.
The cryptographic algorithms or techniques used to implement the algorithms and protocols can be vulnerable to attacks. Attacks can also be conceived against the protocols themselves or aged standard algorithms. Thus criteria should be set for the proper evaluation of the biometric methods addressing these theoretical concerns.
The evaluation of the biometric systems is based on their implementation. There are four basic steps in the implementation of the biometric systems which impose the formation of evaluative criteria.
o Capture of the users attribute.
o Template generation of the users attribute.
o Comparison of the input with the stored template for the authorized user.
o Decision on access acceptance or rejection.
Applications of biometric techniques
Biometrics is an emerging technology which has been widely used in different organization for the security purpose. Biometrics can be used to prevent unauthorized access to ATMs, cellular phones, smart cards, desktop PCs, workstations, and computer networks. It can be used during transactions conducted via telephone and Internet (electronic commerce and electronic banking). Due to increased security threats, many countries have started using biometrics for border control and national ID cards. The use of biometric identification or verification systems are widely used in different companies as well as the government agencies. The applications where biometric technique has its presence are
o Identity cards and passports.
o Banking, using ATMs, Accessing Network Resource
o Physical access control of buildings, areas, doors and cars.
o Personal identification
o Equipment access control
o Electronic access to services (e-banking, e-commerce)
o Travel and Transportation, Sporting Event
o Border control
o Banking and finance, Shopping Mall
o Airport security
o Cyber security
o Time Management in Organization
o Voice Recognition(Telebanking)
o Prison visitor monitoring system.
o Voting System
Prospects of Biometric Techniques:
The biometric industry is at an infancy stage in India, but is growing fast to capture the entire market. This technique is expanding both into private and public areas of application. Biometric applications need to interconnect to multiple devices and legacy applications. The industry market and consumer markets are adopting biometric technologies for increased security and convenience. With the decreasing price of biometric solutions and improved technology, more organization is coming forward to implement this technology. The lack of a standard regulatory framework is a major drawback in implementing biometrics in organisation.It is not widely accepted by the users because some organization and society have the opinion that this technology is inappropriate and the privacy data of the users are lost. If proper regulatory framework is not established it will not be accepted by the organization as well as by the user. The devices manufactured for biometric techniques has to comply with standards Increased IT spending in the government and financial sector offers better opportunities for such deployments. Even though there are no global mandated or regulatory frame works as of now, they are expected to arrive very soon.
Standarad law and regulation will open a wide market for biometrics in electronic legal and commercial transactions.
The anti-terrorism act has introduced has a wide scope for the biometric techniques to be implemented.
Consumer privacy data has to be protected in order to be widely accepted by the user.
Integration of biometric with different legacy application and hardware.
Biometric technique has a great demand in the telecommunication domain.
The notebook and laptop manufacturer has already implemented the biometric techniques like finger printing for the enhancement of the security.
The biometric industry must address major challenges related to performance, real-world utility, and potential privacy impact in order for biometrics to reach their full potential
Many companies are also implementing biometric technologies to secure areas, maintain time records, and enhance user convenience.
An interesting biometric application is linking biometrics to credit cards.
Other financial transactions could benefit from biometrics, e.g., voice verification when banking by phone, fingerprint validation for e-commerce, etc. The market is huge, and covers a very wide range of hardware, applications and services.
Conclusion:
The future of this technology is booming. With the rapid increase of fraud and theft in commercial transaction; it is a great concern for the organization to use biometric as key instrument in eliminating the fraud and flaws in the traditional security approach. Both businesses and consumers are anxious for greater security in commercial transactions. The technology is increasingly reliable and affordable, and the question of the legal enforceability of electronic contracts is settled. While consumers recognize the benefits of biometric authentication, they are reluctant to fully accept the technology without adequate assurances that companies will keep their biometric information confidential and subject to various safeguards and the existing law provides a limited measure of protection for biometric information so greater protection should be offered to consumers so that their personal information is not misused. Biometrics will play vital roles in the next generation of automatic identification system. Biometric identifiers must be considered when implementing a biometric-based identification system. The applicability of specific biometric techniques depends heavily on the application domain. Biometrics must be implemented properly to be effective and the consequences considered. Biometrics will become increasingly prevalent in day-to-day activities where proper identification is required. The real future of the technology lies in creating a biometric trust infrastructure that allows private sector and the public sector to handle security needs. Ultimately, such an infrastructure would allow people to move to various locations worldwide while maintaining their security clearance as defined by their physiological and behavioral identities.