Biometric technology is a form of authentication used increasingly in everyday life. From taking your fingerprint at immigration to having it as a default feature in Windows 7 (which I was personally responsible for), biometric technology is increasingly used as an alternative to passwords and smart cards. Biometrics is defined as “automated methods of identifying or authenticating the identity of a living person based on a physiological or behavioral characteristic.” Or more simply, it relies on attributes of the individual instead of things the individual may have or know.

The history of using biometrics actually goes back many centuries:

  • Genesis
    • Isaac tried to ID Jacob as Esau via touch and voice
    • Book of Job (37:7) – “He sealeth up the hand of all men, that every one may know his works”
  • 3000 BC – Babylonians used fingerprints on clay tablets to seal business deals
  • 14th Century – Chinese were using palm and footprints to ID children
  • 1882 – Alphonse Bertillon developed a process (Bertillon System) for measuring individuals based on 11 different parts of the body
  • Late 1800’s – Sir Francis Galton developed a fingerprint analysis technique (dactyloscopy)
  • 1900’s – Richard Edward Henry developed process for measuring fingerprints
  • 1911 – Fingerprints first used in US to prove guilt
  • 1924 – FBI set up fingerprint identification group

(This site has even more historical information on the use of fingerprints around the world.)

There are now many reasons for using biometrics in today’s digital world, including:

  • Clear and irrefutable link between event and individual
  • Convenience for the user – nothing to remember or carry
  • ROI/Inexpensive – reduces system management cost
  • High accuracy – positive authentication
  • Prevents impersonation – protects against identity fraud
  • Provides for strong authentication – works well for system/network access and complements encryption and digital certificates
  • Protects privacy
  • Provides audit trail
  • Provides a high degree of non-repudiation

There are two major categories for biometrics today: 1. physiologically based, or something that is unique to you structurally, and 2. behaviorally based, or something that is unique to your own behavior.

Physiologically based biometrics include:

  • Fingerprints
    • Ridge endings and bifurcations on fingerprints
    • Dedicated devices – user places finger on scanner
  • Face
    • Position of features, shape of nose
    • PC camera – user presents face to camera
  • Iris
    • Position of features, shape of nose
    • Dedicated camera – user presents eye to camera
  • Hand
    • Height and width of bones and joints
    • Dedicated device – user places palm on device
  • Vein
    • Position and width of veins running in the palm of your hand
    • Dedicated device – user places hand on device

Behaviorally based biometrics include:

  • Voice
    • Frequency and duration of vocal patterns
    • PC microphone – user speaks enrolled pass phrase
  • Signature
    • Speed, pressure, stroke
    • Dedicated device – user writes signature in capture area of device
  • Keystroke
    • Duration between strokes
    • PC keyboard – user types password or pass phrase
  • Gait
    • Speed, distance and posture of person walking
    • Dedicated device – camera picks up person walking

Since biometrics measures and converts images of biological origins into a digital format, the capture (due to lighting, dirt, cleanliness, etc.) and conversion (optimizing for size, speed, accuracy) of this information is not always consistent or precise. Therefore, many biometric measurements have differing quality and accuracy measures that make certain trade-offs, such as sample size, speed, accuracy and time. Some common terms used to measure these variances are as follows:

  • False Acceptance (Match) Rate (FAR or FMR) – The probability that the system will incorrectly match an identity
  • False Rejection (Non-match) Rate (FRR or FNMR) – The probability that the system will reject a valid identity. Technically known as the “piss off rate.”
  • Failure to Enroll Rate (FTER) – Number of users who cannot enroll. Actually, this is sometimes a non-trivial percentage where up to 3% of a large population do not have measurable (with present-day technology) biometric characteristics.
  • Equal error rate (EER) – This is the point at which FAR and FRR are equal and shows the overall system performance. This measure is not as important as the others, since real-world applications also need to balance convenience.
  • Base Rate Fallacy – This is also technically known as “the boy who cried wolf” syndrome
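
To make these measures concrete, here is an added example (not from the original post) that computes FAR and FRR at a chosen match threshold, finds the EER by sweeping thresholds, and works the base rate fallacy through as the share of reported matches that are real. The score lists, the 0-100 scale and the function names are all constructed for illustration.

```python
# Constructed similarity scores (0-100, higher = closer match); not real sensor data.
GENUINE = [91, 88, 75, 62, 95, 83, 58, 79, 86, 70]    # same-person comparisons
IMPOSTOR = [12, 35, 48, 22, 61, 30, 55, 18, 41, 66]   # different-person comparisons


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostor scores at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of genuine scores below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every threshold and return (threshold, FAR, FRR) where the two are closest."""
    best = min(range(0, 101),
               key=lambda t: abs(far(t, impostor) - frr(t, genuine)))
    return best, far(best, impostor), frr(best, genuine)


def alert_precision(far_rate, frr_rate, base_rate):
    """Base rate fallacy: P(person really is the target | system reports a match).

    base_rate is the share of people presented to the system who are real targets.
    """
    true_alerts = (1 - frr_rate) * base_rate
    false_alerts = far_rate * (1 - base_rate)
    return true_alerts / (true_alerts + false_alerts)


if __name__ == "__main__":
    # Raising the threshold trades false accepts for false rejects.
    for t in (40, 62, 80):
        print(f"threshold={t:3d}  FAR={far(t):.2f}  FRR={frr(t):.2f}")
    print("EER point (threshold, FAR, FRR):", equal_error_rate())
    # A 0.1% FAR sounds strong, but if only 1 in 100,000 people scanned is a
    # real target, almost every alert is a false one.
    print(f"alert precision: {alert_precision(0.001, 0.01, 1e-5):.4f}")
```

With these sample scores a strict threshold of 80 removes false accepts but rejects half of the valid users, which is the convenience cost the EER bullet refers to.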

Finally, biometric taxonomy, or the process of classifying the role of biometrics within a given biometric application, is very important as not every biometric technology is suitable for every application. Some taxonomic classifications include:

  • Cooperative vs. Non-cooperative – For certain biometrics, especially behaviorally based ones, it is important to take a large number of samples from cooperative users. For some biometrics, such as the iris, it is possible to capture the image of an iris at long distances without much cooperation from the person.
  • Overt vs. Covert – Some biometric technologies, such as facial and iris recognition, can covertly authenticate a person from distances of several meters.
  • Habituated vs. Non-habituated – Training the user to properly use a biometric technology is a TCO issue when deploying a system. For example, finger placement, speed and pressure can affect the accuracy of a fingerprint device.
  • Supervised vs. Unsupervised – Depending on the security of the installation, some biometrics require supervision when scanning. In the case of fingerprints, one can try to defeat a system by applying fake fingerprints or by filing them down.
  • Stable environment vs. Unstable environment – Many biometric systems are not suitable for outside use. Sensors that use cameras may not work in direct sunlight or at night. Fingerprint sensors may not work if they get covered in dirt.
  • Optional vs. Mandatory – In some instances (about 3%), there are people who cannot provide sufficient biometric data (i.e., they don’t have fingerprints, their eyes have cataracts) and, therefore, they need to have another option to authenticate.
  • Public vs. Private – Since biometric data is of a personal nature, it is important to determine how that information is used once it is captured. In one instance, a famous theme park stopped using fingerprint biometrics since it did not want to submit the data whenever there was a crime committed nearby.

Your comments are always welcome.