Biometrics 101 - The Basics

"Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic.

Examples of human traits used for biometric recognition include fingerprints, speech, face, retina, iris, handwritten signature, hand geometry, and wrist veins.

Biometric recognition can be used in identification mode, where the biometric system identifies a person from the entire enrolled population by searching a database for a match.

A system also can be used in verification mode, where the biometric system authenticates a person's claimed identity from his/her previously enrolled pattern.

Using biometrics for identifying and authenticating human beings offers some unique advantages. Only biometric authentication bases an identification on an intrinsic part of a human being. Tokens, such as smart cards, magnetic stripe cards, physical keys, and so forth, can be lost, stolen, duplicated, or left at home. Passwords can be forgotten, shared, or observed.

While all biometric systems have their own advantages and disadvantages, there are some common characteristics needed to make a biometric system usable.

First, the biometric must be based upon a distinguishable trait. For example, for nearly a century, law enforcement has used fingerprints to identify people. There is a great deal of scientific data supporting the idea that "no two fingerprints are alike."

Newer methods, even those with a great deal of scientific support, such as DNA-based genetic matching, sometimes do not hold up in court.

Another key aspect is how user-friendly is the system?  Most people find it acceptable to have their pictures taken by video cameras or to speak into a microphone. In the United States , using a fingerprint sensor does not seem to be much of a problem. In some other countries, however, there is strong cultural opposition to touching something that has been touched by many other people.

While cost is always a concern, most implementers today are sophisticated enough to understand that it is not only the initial cost of the sensor or the matching software that is involved. Often, the life-cycle support cost of providing system administration support and an enrollment operator can overtake the initial cost of the hardware. Also of key importance is accuracy. Some terms that are used to describe the accuracy of biometric systems include false-acceptance rate (percentage of impostors accepted), false-rejection rate (percentage of authorized users rejected), and equal-error rate (when the decision threshold is adjusted so that the false- acceptance rate equals the false-rejection rate).

When discussing the accuracy of a biometric system, it is often beneficial to talk about the equal-error rate or at least to consider the false-acceptance rate and false-rejection rate together. For many systems, the threshold can be adjusted to ensure that virtually no impostors will be accepted. Unfortunately, this often means an unreasonably high number of authorized users will be rejected.

"To summarize, a good biometric system is one that is low cost, fast, accurate, and easy to use."

From - The Biometrics Consortium http://www.biometrics.org
The Biometric Consortium's charter was formally approved on December 7, 1995, by the Facilities Protection Committee, a committee that reports to the Security Policy Board through the Security Policy Forum. The Security Policy Board was established by Presidential Decision Directive/NSC-29 on September 16, 1994, for the coordination, formulation, evaluation, and oversight of US national security policy. The Security Policy Board reports to the Assistant to the President for National Security Affairs.

Identification versus Verification

In the biometrics industry, a distinction is made among the terms identification , recognition and verification .

Identification and recognition are, essentially synonymous terms. In both processes, a sample is presented to the biometric system during enrollment. The system then attempts to find out who the sample belongs to, by comparing the sample with a database of samples in the hope of finding a match (this is known as a one-to-many comparison ).

Verification is a one-to-one comparison in which the biometric system attempts to verify an individual's identity. In this case, a new biometric sample is captured and compared with the previously stored template. If the two samples match, the biometric system confirms that the applicant is who he/she claims to be.

The same four-stage process - capture, extraction, comparison, and match/non-match - applies equally to identification, recognition and verification.

Identification and recognition involve matching a sample against a database of many, whereas verification involves matching a sample against a database of one.

The key distinction between these two approaches centers on the questions asked by the biometric system and how these fit within a given application.

During identification , the biometric system asks, "Who is this?" and establishes whether a biometric record exists, and, if so, the identity of the enrollee whose sample was matched.

During verification , the biometric system asks, "Is this person who he/she claims to be?" and attempts to verify the identity of someone who is using, say, a password or smart card.

Convenience vs Security: How Well Do Biometrics Work

Can you be absolutely certain that a biometric device will work as claimed? Will it securely keep the bad guys out, while effortlessly letting the good guys in?

In real life, security versus convenience turns out to be pretty much a non-issue, since the combination of biometric identification plus a keypad code provides virtually unbreakable security. Here's why.

Biometric devices can be adjusted to favor security or user convenience. Think of a car alarm. When your car alarm is very sensitive, the probability of the bad guys stealing it is low. Yet the chance of your accidentally setting off the alarm is high. Reduce the sensitivity, and the number of false alarms goes down, but the chance of someone stealing your car increases.

The security requirements of a national defense contractor might demand that the device at the front door be adjusted to keep the bad guys out, for example. On the other hand, if hundreds of employees will clock in using a biometric reader at a low-security facility, you'll want to adjust the unit's sensitivity to let the good guys in.

People like things that work. If the biometric doesn't allow employees effortless access, frustration will quickly rise and the biometric may never be accepted. Fortunately, this is extremely unlikely.

False Accept Rates
The probability that a biometric device will allow a bad guy to pass is called the "False Accept Rate."

This figure must be sufficiently low to present a real deterrent. False Accept Rates claimed for today's biometric access systems range from 0.0001% to 0.1%. The biometric hand readers at the front entrances of 60% of the nuclear power plants in the U.S. have a False Accept Rate of 0.1%.

It's important to remember that the only way a bad guy can get access is if a bad guy tries. Thus, the False Accept Rate must be multiplied by the number of attempts by bad guys to determine the number of possible occurrences.

False Reject Rates

For most applications, letting the good guys in is just as important as keeping the bad guys out. The probability that a biometric device won't recognize a good guy is called the "False Reject Rate."

The False Reject Rates quoted for current biometric systems range from 0.00066% to 1.0%.
A low False Reject Rate is very important for most applications, since users will become extremely frustrated if they're denied access by a device that has previously recognized them.

An example may be helpful.

A company with 100 employees has a biometric device at its front door. Each employee uses the door four times a day, yielding 400 transactions per day.
A False Reject Rate of 1.0% predicts that every day, four good guys (1% of 400) will be denied access. Over a five-day week, that means 20 problems. Reducing the False Reject Rate to 0.1% results in just two problems per week.

A low False Reject Rate is very important for most applications, since users will become extremely frustrated if they're denied access by a device that has previously recognized them. As mentioned previously, the combination of a low False Reject Rate plus a simple keypad code provides virtually unbreakable security.

Equal Error Rates

Error curves give a graphical representation of a biometric device's "personality." The point where false accept and false reject curves cross is called the "Equal Error Rate." The Equal Error Rate provides a good indicator of the unit's performance. The smaller the Equal Error Rate, the better.

Validity of Test Data

Testing biometrics is difficult, because of the extremely low error rates involved. To attain any confidence in the statistical results, thousands of transactions must be examined.
Some error rates cited by manufacturers are based on theoretical calculations. Other rates are obtained from actual field testing. Field data are usually more reliable. In the case of False Reject rates, only field test data can be considered accurate, since biometric devices require human interaction. For example, if the device is hard to use, false reject rates will tend to rise. A change in the user's biometric profile could also cause a false reject (a finger is missing, for example).

None of these conditions can be accurately quantified by purely theoretical calculations. On the other hand, False Accept Rates can be calculated with reasonable accuracy from cross-comparison of templates in large template databases.

Currently, most field test error rates have been generated by various biometric manufacturers using end-user data. Tests have also been conducted by independent laboratories such as the U.S. Department of Energy's Sandia National Laboratories. The most recent test released by Sandia was performed in 1991.

It's important to remember that error rates are statistical: they are derived from a series of transactions by a population of users. In general, the larger the population and the greater the number of transactions, the greater the confidence level in the accuracy of the results.

If the error rate is reported at 1:100,000, and only 100 transactions were included in the study, the confidence level in the results should be very low. If the same error rate was reported for 1 million transactions, the confidence level would be much higher.

The magnitude of the reported results affects the size of the sample required for a reasonable confidence level. If the reported error rate is 1:10, then a sample of 100 transactions may provide a sufficient confidence level. Conversely, a 100-transaction sample would be too small if the error rate was reported as 1:100,000.

Conclusion: Security and Convenience are a Fact

Biometric devices are extremely secure, thanks to the combination of low False Accept Rates at moderate sensitivity settings, combined with a short user keypad code.
At the same time, biometrics are extremely convenient and error-free, thanks to low False Reject Rates.

Source: Recognition Systems Inc.