Editor's note: Judith Markowitz, PhD, joined us for a discussion on biometrics applications and implementation issues. You can review the audio event in our archive. This column serves as an introduction to get you up to speed on biometrics.
The attacks of Sept. 11 catapulted the world into a new security-oriented era. The public debate about national and physical-access security has naturally been extended to securing sensitive corporate and national data. At the same time, corporations are moving aggressively onto the Internet and supporting a growing number of heterogeneous remote-access channels. Thus, it is not surprising that the security discourse has focused on new technologies that promise greater protection than PINs and passwords. Among the new technologies attracting a great deal of interest is biometrics.
What is biometrics?
Biometric-based security, such as face recognition, voice authentication and fingerprinting, is one of the four primary categories of authentication factor: What you have (token, card, key); what you know (PIN, password, mother's maiden name); where you are (GPS); and who you are (biometrics).
What makes biometrics unique is that it is the only type of security that can perform positive, direct authentication of a person. "What you have" security, such as cards and keys, authenticates the card or key but not the person presenting it. Similarly, "What you know" security, such as PINs and passwords, cannot verify that the person entering the PIN or password is the individual authorized to use it. "Where you are" security, such as the tracking sensors used on cars, could be applied to laptops or modems but cannot ensure that the person authorized to use the laptop/modem is co-located with it. Even so, a biometric system authenticates the sample presented to its sensor, so this advantage holds only as long as the capture path from sensor to matcher is trusted.
Virtually any unique trait can be used as a biometric identifier. Law enforcement has a long tradition of using DNA, bite patterns, footprints, tattoos and scars to help identify criminals. Research on automated biometric security includes brain prints, odor and pore configurations, which seem to offer good prospects for computer-based identification. The list of commercially deployed automated biometrics is far less esoteric: Face recognition; keyboard dynamics; finger/hand geometry; retina; fingerprint; signature recognition; iris scan; and speaker recognition.
Unlike scars, these commercial biometrics are suitable for use with large populations of individuals. Unlike DNA, they can provide immediate, real-time security. For both reasons, they are useful for data access control.
How do biometric systems work?
There are two steps to using a biometric authentication system. The first is enrollment. Enrollment entails providing identifying information along with one or more biometric samples that will be linked to that identity. Each sample is digitized and certain features are extracted from it. The features used are only those that are needed to differentiate one person from another. That constellation of features is called a bioprint (fingerprint, voiceprint, etc.). The bioprint is stored in a database of bioprints and is sometimes called the reference bioprint.
The second step is biometric authentication (also called verification). The process begins with an identity claim. Identity claims can consist of actively providing one of the other forms of security: supplying an ID (something you know) or presenting or inserting a card (something you have). In some instances, the identity claim is extracted automatically (e.g., the ID of the cell phone/laptop you are using) or presumed if, for example, only one person is authorized to use a PC. Once the identity claim has been submitted, the system accesses the bioprint database and retrieves the bioprint associated with that identity. The person is asked to provide a biometric sample, which is converted into a bioprint and compared with the stored bioprint. If the two are sufficiently similar (the match score clears a preset threshold), the identity claim is accepted. If the match is poor, the person is rejected as an impostor.
How accurate are biometrics?
The immutable truth about security: There is no such thing as 100% secure. This includes biometric authentication systems, which do not perform at 100% accuracy, no matter what some marketers might suggest.
The authentication process described above involves a one-to-one comparison between the stored, reference bioprint and the newly supplied bioprint of an individual seeking access to a system. It can produce two types of errors: false acceptance (also known as false match); and false rejection (also called false non-match). False acceptance occurs when the biometric system incorrectly accepts the bioprint of an impostor as a valid user. A false rejection error occurs when the bioprint of an authorized individual is categorized as that of an impostor and rejected. The two rates trade off against each other through the match threshold: tightening the threshold lowers false acceptance but raises false rejection, and loosening it does the reverse, so a single "accuracy" figure says little unless both rates and the threshold are reported.
Most vendors report accuracy in the high 90s percent -- findings generally obtained from internal testing performed with cooperative users. Some third-party testing is available, but application designers should be aware of the impact that the implementation, environment, user attitudes and usability have on the performance of biometric authentication systems.
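To make the enrollment-and-verification flow and the accuracy trade-off concrete, here is an added Python example written for this column; it is not code from the author or from any vendor product. It models a biometric sample as a fixed-length feature vector, enrolls users into a reference-bioprint database, verifies an identity claim against a threshold, and then sweeps the threshold over constructed genuine and impostor attempts to show how false acceptance and false rejection trade off. The feature vectors, user names, noise model and the Euclidean-distance matcher are all constructed assumptions standing in for a real feature extractor and matcher.

```python
"""Toy biometric enrollment/verification pipeline with FAR/FRR measurement.

Added illustration, not code from the column or any vendor. A "sample" is a
fixed-length feature vector; every sample below is constructed synthetically
from a seeded random generator. Matching is Euclidean distance vs. a threshold.
"""
import math
import random
from typing import Dict, List, Tuple

Bioprint = Tuple[float, ...]


def extract_features(sample: List[float]) -> Bioprint:
    """Reduce a raw sample to the features used for matching. Here the only
    processing is normalization to unit length, so overall signal strength
    (finger pressure, speaking volume) does not affect the comparison."""
    norm = math.sqrt(sum(x * x for x in sample)) or 1.0
    return tuple(x / norm for x in sample)


def enroll(db: Dict[str, Bioprint], user_id: str,
           samples: List[List[float]]) -> Bioprint:
    """Enrollment: average the features of several samples into a reference
    bioprint and store it under the enrolled identity."""
    feats = [extract_features(s) for s in samples]
    ref = tuple(sum(f[i] for f in feats) / len(feats) for i in range(len(feats[0])))
    db[user_id] = ref
    return ref


def distance(a: Bioprint, b: Bioprint) -> float:
    """Match score: Euclidean distance, so lower means more similar."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(db: Dict[str, Bioprint], claimed_id: str,
           sample: List[float], threshold: float) -> bool:
    """Verification (1:1): retrieve the reference bioprint for the claimed
    identity and accept only if the fresh sample scores within the threshold.
    A claim for an identity that was never enrolled is rejected outright."""
    ref = db.get(claimed_id)
    if ref is None:
        return False
    return distance(ref, extract_features(sample)) <= threshold


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) at a threshold: FAR is the fraction of impostor
    comparisons accepted, FRR the fraction of genuine comparisons rejected."""
    far = sum(s <= threshold for s in impostor) / len(impostor)
    frr = sum(s > threshold for s in genuine) / len(genuine)
    return far, frr


def threshold_sweep(genuine: List[float], impostor: List[float],
                    steps: int = 10) -> List[Tuple[float, float, float]]:
    """Rows of (threshold, FAR, FRR) from 0 up to the largest observed score.
    The crossing point of the two curves is the equal error rate (EER)."""
    hi = max(genuine + impostor)
    rows = []
    for k in range(steps + 1):
        t = hi * (k / steps)
        rows.append((t, *error_rates(genuine, impostor, t)))
    return rows


def noisy(rng: random.Random, base: List[float], sigma: float) -> List[float]:
    """Constructed sample: the user's underlying trait plus capture noise."""
    return [x + rng.gauss(0.0, sigma) for x in base]


def simulate(seed: int = 1, users: int = 5, dim: int = 8,
             attempts: int = 40) -> Tuple[List[float], List[float]]:
    """Enroll synthetic users, then score each probe against the correct
    identity (genuine score) and against another enrolled identity (impostor
    score, i.e. the same sample presented with a false identity claim)."""
    rng = random.Random(seed)
    truth = {f"user{i}": [rng.uniform(-1.0, 1.0) for _ in range(dim)]
             for i in range(users)}
    db: Dict[str, Bioprint] = {}
    for uid, base in truth.items():
        enroll(db, uid, [noisy(rng, base, 0.05) for _ in range(3)])
    genuine, impostor = [], []
    ids = list(truth)
    for _ in range(attempts):
        uid = rng.choice(ids)
        probe = extract_features(noisy(rng, truth[uid], 0.05))
        genuine.append(distance(db[uid], probe))
        other = rng.choice([u for u in ids if u != uid])
        impostor.append(distance(db[other], probe))
    return genuine, impostor


if __name__ == "__main__":
    g, i = simulate()
    for t, far, frr in threshold_sweep(g, i):
        print(f"threshold={t:.3f}  FAR={far:.2f}  FRR={frr:.2f}")
```

Running it prints FAR climbing and FRR falling as the threshold loosens; the row where they meet is the equal error rate. Note that the identity claim drives everything: the probe is compared only against the one retrieved bioprint, and a claim for an identity that was never enrolled fails before any biometric comparison takes place.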
About the author
Judith A. Markowitz, Ph.D., is an independent industry analyst in voice-based biometrics (speaker authentication and identification) and in speech recognition.