Defining Biometrics

Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic (Biometrics Consortium).
Implementation Areas

Identification
- Security: airport face recognition systems
- Criminal investigations: AFIS (Automated Fingerprint Identification System)
- Fraud control

Authentication
- Access control: employee hand scans
- Validation of transactions: bank withdrawals with a fingerprint instead of PIN input
Example Biometrics

Physiological
- Hand based: fingerprint or fingerscan; hand geometry
- Face/eye: facial pattern recognition; retinal scans; iris scans

Behavioral
- Voice recognition
- Signature or keystroke recognition (includes "invisible factors" such as pressure, speed and stroke order, rather than just appearance)
Fingerprint Storage and Scans

- Fingerprint technology captures a representation of the finger; it involves storing the image of the finger and comparing against it. Fingerprint storage can be close to 250 KB.
- AFIS ("Automated Fingerprint Identification System") is the law enforcement tool used either to identify a fingerprint's maker or to confirm prints.
- Finger-scan technology involves capturing and storing characteristics of the finger. Storage requirements are usually 250-1000 bytes.
- http://www.finger-scan.com/finger-scan_technology.htm
Issues: Storing Fingerprint Data

- One concern with the original fingerprint devices was that they gave the employer a representation of your fingerprint, which might be used in other contexts.
- Newer technologies don't store the fingerprint: "Vector Line Type" representations are one solution, where the characteristics are stored (not the representation).
- Stored characteristics in the Vector Line model are based on the common line forms of fingerprints (whorls, arches, etc.). The scan is converted from raster (dots) to a vector approximation.
Hand Geometry

[Figure: Rayco hand geometry reader]
Devices Usually Required

- The device collecting the data is probably proprietary and/or uses proprietary algorithms, so systems are not really interoperable.
- Patents protect much of the technology.
- Installation and servicing of devices like retina and iris scanners may add considerable cost to a biometrics implementation.
- There may be considerable computation involved in computing a "validator" or template for storage (far beyond the Unix validator), which will add to the "wait time" for a match.
Biometric Process Overview

Enrollment: present biometric -> capture -> process -> store
Verification: present biometric -> capture -> process -> compare against the stored template -> match / no match

Requires enrollment, storage, and real-time matching of results, all of which raise issues for performance and acceptance.
- Matches are statistical probabilities of less than 1.
- Identifying information is not typed in, but instead is obtained by a device.
- Characteristics are usually "mapped" from analog to digital, and not all of the original information is retained.
- Devices for most common biometrics are not likely to produce identical results, or even identically repeatable results. Example: fingerprint readers and hand scanners are somewhat dependent on environmental factors such as the positioning of the finger, the "moisture" of the hand, oils, etc.
Every System Needs Fine-Tuning: The FRR and FAR Challenge

False Rejection Rate (FRR)
- The more precise the system is at matching characteristics, the more likely that it will have a high FRR.
- Pros: reduced chance of imposters spoofing the system.
- Cons: legitimate users are stopped and subject to delay or worse; frequent false rejections slow the overall throughput and create user resistance.

False Acceptance Rate (FAR)
- Ensuring that all legitimate users will be accepted makes it highly likely that imposters will slip in unnoticed.
- Pros: system performance is high and delays are few.
- Cons: may negate the whole purpose of the system (unless the purpose is mainly deterrence).

There is no perfect balance.
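The enrollment/verification flow, the "matches are probabilities of less than 1" point and the FRR/FAR trade-off above can be seen in one small model. The following is an added example written for this page, not code from the slides or from any biometric vendor or standard: the feature vectors, the normalised-Euclidean-distance matcher, the acceptance threshold and the genuine/impostor score lists are all constructed assumptions for illustration. It enrolls a template (a processed representation, not the raw capture), verifies a fresh capture against it at a chosen threshold, and then sweeps the threshold over constructed score distributions to show how FRR rises as FAR falls and where the two cross.

```python
"""Added example: enrollment, verification and FAR/FRR threshold tuning.
Everything here (matcher, scores, threshold values) is an assumption
made for illustration, not any real device's algorithm."""
import math


def process(raw):
    """Turn a captured sample into a stored template.

    Here the 'processing' is just length-normalising a tuple of feature
    values, so what gets stored is a derived characteristic rather than
    the raw capture (the 'store characteristics, not the image' point).
    """
    total = math.sqrt(sum(v * v for v in raw)) or 1.0
    return tuple(v / total for v in raw)


def enroll(store, user, raw):
    """Enrollment: present -> capture (raw) -> process -> store under the user's id."""
    store[user] = process(raw)


def match_score(template, raw):
    """Similarity in [0, 1]: 1.0 means identical features, 0.0 means far apart.
    A repeat capture never has to be identical; it only has to score well enough."""
    probe = process(raw)
    dist = math.sqrt(sum((a - b) ** 2 for a, b in zip(template, probe)))
    return max(0.0, 1.0 - dist)


def verify(store, user, raw, threshold):
    """Verification: claimed identity plus a fresh capture -> accept or reject."""
    template = store.get(user)
    return template is not None and match_score(template, raw) >= threshold


def error_rates(genuine, impostor, threshold):
    """FRR = share of genuine attempts scoring below the threshold (rejected);
    FAR = share of impostor attempts scoring at or above it (accepted).
    Returns (FAR, FRR)."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return far, frr


def equal_error_threshold(genuine, impostor, steps=100):
    """Sweep thresholds 0..1 and return (threshold, FAR, FRR) where the two
    rates are closest: the conventional starting point for fine-tuning."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1:]


# Constructed match scores: genuine = same person re-presenting the finger,
# impostor = a different person's finger scored against the template.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.90, 0.77, 0.85, 0.93, 0.70, 0.89]
IMPOSTOR = [0.40, 0.55, 0.62, 0.35, 0.71, 0.48, 0.58, 0.66, 0.52, 0.44]


if __name__ == "__main__":
    store = {}
    enroll(store, "alice", (3.0, 4.0, 0.0))          # constructed feature tuple
    print("same finger accepted:", verify(store, "alice", (3.0, 4.0, 0.0), 0.9))
    print("other finger accepted:", verify(store, "alice", (0.0, 0.0, 5.0), 0.9))
    for t in (0.6, 0.7, 0.8, 0.9):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FAR {far:.2f}  FRR {frr:.2f}")
    print("closest to equal error:", equal_error_threshold(GENUINE, IMPOSTOR))
```

Raising the threshold drives FAR toward zero while FRR climbs, which is the precision-versus-throughput trade-off the slide describes; the equal-error point is only a starting value, and a deployment that is mainly deterrent would deliberately sit on the low-FRR side of it.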
Biometric Standards

[Figure: mobile fingerprint sensor to ATM machine]

- Standards are needed to move biometric data from one system/type of network to another and to validate that a particular implementation can be extended.
- Standards support interoperability and data interchange.
- Standards are split between industry consortiums (e.g., BioAPI Consortium) and ISO and national (government) standards technical committees.
Data Elements and Header Fields: One Standards Effort

Biometric-specific memory block:
- Header Signature
- Security Options (e.g., plain, or encrypted)
- Integrity Options (e.g., signed)
- Patron (e.g., BioAPI)
- Header Version
- Biometric Type (e.g., facial features)
- Record Data Type (e.g., processed)
- Record Purpose (e.g., enroll)
- Record Data Quality
- Creation Date (of the biometric data)
- Creator (entity that created the biometric data object)
- Format Owner (CBEFF requirement)
- Format Type
Standardized Headers Allow Different Types of Data To Be Exchanged by Compatible Systems

[Figure: a record with a Standard Bio Header of Type=Multi Bio, whose Data contains nested records each carrying its own Standard Bio Header (Type=Finger with Data; Type=Iris with Data), followed by a Signature]
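The header field list on the previous slide and the nested Multi/Finger/Iris figure above describe a container whose header tells a receiver what kind of record follows and whether it is integrity-protected. The following is an added example written for this page; it is not the real CBEFF or BioAPI encoding and not code from any standards body. The byte layout (length-prefixed JSON header, length-prefixed payload, optional HMAC-SHA256 tag), the use of the slide's field names as JSON keys, the constructed header values and the demo key are all assumptions. It shows a single parser handling Finger, Iris and nested Multi records by dispatching on Biometric Type, and refusing a record whose Integrity Options say "signed" but whose tag does not verify.

```python
"""Added example: a toy biometric record container with a common header.
Not the CBEFF/BioAPI wire format; layout, keys and values are assumptions."""
import hashlib
import hmac
import json
import struct

# Field names taken from the slide; the JSON-key spelling is an assumption.
HEADER_FIELDS = (
    "header_version", "patron", "biometric_type", "record_data_type",
    "record_purpose", "record_data_quality", "creation_date", "creator",
    "format_owner", "format_type", "security_options", "integrity_options",
)
SIGNING_KEY = b"demo-key-for-illustration-only"  # constructed; a real system keeps this in a keystore/HSM
TAG_LEN = 32  # HMAC-SHA256 digest length


def make_header(biometric_type, purpose, integrity="none"):
    """Fill every header field named on the slide with constructed values."""
    return {
        "header_version": 1, "patron": "BioAPI", "biometric_type": biometric_type,
        "record_data_type": "processed", "record_purpose": purpose,
        "record_data_quality": 80, "creation_date": "2024-01-01T00:00:00Z",
        "creator": "demo-enrollment-station", "format_owner": "demo-vendor",
        "format_type": "demo-template-v1", "security_options": "plain",
        "integrity_options": integrity,
    }


def build_record(header, payload):
    """Encode: 4-byte header length, JSON header, 4-byte payload length, payload,
    then (only if integrity_options == 'signed') an HMAC tag over all of that."""
    missing = [f for f in HEADER_FIELDS if f not in header]
    if missing:
        raise ValueError(f"header missing fields: {missing}")
    hdr = json.dumps(header, sort_keys=True).encode()
    body = struct.pack(">I", len(hdr)) + hdr + struct.pack(">I", len(payload)) + payload
    if header["integrity_options"] == "signed":
        body += hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return body


def parse_record(blob, off=0):
    """Return (header, payload, next_offset). A signed record whose tag fails
    is rejected before its payload is handed to anything else."""
    start = off
    (hlen,) = struct.unpack(">I", blob[off:off + 4]); off += 4
    header = json.loads(blob[off:off + hlen]); off += hlen
    (plen,) = struct.unpack(">I", blob[off:off + 4]); off += 4
    payload = blob[off:off + plen]; off += plen
    if header["integrity_options"] == "signed":
        tag = blob[off:off + TAG_LEN]
        expected = hmac.new(SIGNING_KEY, blob[start:off], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: record rejected")
        off += TAG_LEN
    return header, payload, off


def _describe(blob, off):
    """Dispatch on Biometric Type; a Multi record's payload is a run of nested records."""
    header, payload, end = parse_record(blob, off)
    btype = header["biometric_type"]
    if btype == "Multi":
        children, o = [], 0
        while o < len(payload):
            child, o = _describe(payload, o)
            children.append(child)
        return (btype, children), end
    return (btype, len(payload)), end


def describe(blob):
    """Summarise a record as (type, payload_length) or (Multi, [children])."""
    desc, end = _describe(blob, 0)
    if end != len(blob):
        raise ValueError("trailing bytes after record")
    return desc


def tamper_detected(signed_blob):
    """Flip the last payload byte of a signed record; True if the parser rejects it."""
    bad = bytearray(signed_blob)
    bad[-TAG_LEN - 1] ^= 0x01
    try:
        describe(bytes(bad))
        return False
    except ValueError:
        return True


# Constructed records: two unsigned single-biometric records wrapped in one signed Multi record.
FINGER = build_record(make_header("Finger", "enroll"), b"\x01\x02\x03\x04\x05")
IRIS = build_record(make_header("Iris", "enroll"), b"\x0a\x0b\x0c")
MULTI = build_record(make_header("Multi", "enroll", integrity="signed"), FINGER + IRIS)

if __name__ == "__main__":
    print(describe(FINGER))
    print(describe(MULTI))
    print("tamper detected:", tamper_detected(MULTI))
```

The receiver never needs to know in advance whether it is getting a fingerprint, an iris template or a bundle of both; the header carries that. The integrity option is what makes the header trustworthy in transit, so the parser checks the tag before it recurses into the payload rather than after.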
Another Standards Effort: BioAPI, an Open Systems Interface Standard for Biometric Integration

A biometric API standard defines a generic way of interfacing to a broad range of biometric technologies.

Benefits:
- Easy substitution of biometric technologies
- Use of biometric technology across multiple applications
- Easy integration of multiple biometrics using the same interface
- Rapid application development and increased competition (tends to lower costs)

[Figure: layered stack, top to bottom: Application / BioAPI Interface / Biometric Service Provider / Biometric Device]
User Point of View: You Want My What???

- While biometrics are more convenient than a smart card or PIN (nothing to memorize or lose), privacy issues are an even greater concern than for passwords because of the personal nature of a biometric.
- Some of the collection means and enrollment processes (collecting the original biometric) are seen as invasive or hard to use.
- Some biometrics can change considerably over a lifetime, and not all people can be identified by all biometrics.
Are User Fears Justified? Acceptance Issues and What Can Go Wrong

- Fingerprint scans
- Fingerprint readers
- Iris scans
- Retinal scans
- Voice recognition
- Face pattern recognition
Some Acceptance Research

According to the IBG's Consumer Response to Biometrics, people did not like facial scans as much as fingerprints as a substitute for a PIN at an ATM, but both technologies rated between "somewhat comfortable" and "neutral". Reasons seemed to be these:
- People don't like to look at their own images in low resolution.
- People don't like their picture taken.
- People don't recognize "facial ID" as an authenticator in the same way they recognize fingerprints.
- Facial scans don't require consent (i.e., hidden cameras), raising privacy concerns.
The Ultimate Identity Theft?

"Which brings us to the second major problem with biometrics -- it doesn't handle failure very well. Imagine that Alice is using her thumbprint as a biometric, and someone steals it. Now what? This isn't a digital certificate, where some trusted third party can issue her another one. This is her thumb. She only has two. Once someone steals your biometric, it remains stolen for life; there's no getting back to a secure situation." (Schneier)