Organisations have goals and therefore acquire assets to ensure that these goals are met and continuity is guaranteed. The financial sector, while promoting convenient methods such as online banking and ATMs for customers to access their money, strives to ensure that only the right person has access to an account. Likewise, military and national security services store highly sensitive and critical information that must only be accessed by specific individuals, and deploy security measures to keep it that way. Achieving these goals largely depends on securing and controlling the assets so that only authorised individuals have access to these environments and, ultimately, to the assets.
Given the importance of access control, different security techniques have been deployed to safeguard these assets, ranging from PINs and passwords to ID cards, smart cards, etc. Vulnerabilities in these methods have led to the recent surge in the biometrics industry, as many believe this is the future. The fact that the physical presence of the authorised person is needed at the point of access, and that a biometric is unique and almost impossible to duplicate, underlines the benefit of biometrics and explains its growing popularity.
However, like any other security method, biometrics has limitations and threats which can impact its effectiveness and efficiency. It is not suitable for every application and can be a very wrong choice for certain applications. Therefore, it is essential to manage these limitations and threats properly to enhance the success factor of biometrics. Finally, it is important for any sector deploying biometrics to understand the various issues associated with it, such as privacy, standards and what the law requires of biometrics.
Organizations strive to secure their assets and provide means of controlling access to them. This process requires identification and authorization to ensure the right person is accessing the right asset. Over the years, traditional methods of authentication, mainly passwords and personal identification numbers (PINs), have been widely used. More recently, swipe cards combined with PINs have been deployed for greater security, since the former is something you have and the latter something you know. However, these methods still have vulnerabilities, as a swipe card can be stolen. Also, poor management of passwords has left people writing them on paper and desks, or simply choosing easy and common words for quick recall, which exposes the password to intruders. More recently, stronger identification and authorization technologies that can assure a person is who he claims to be are becoming prominent, and biometrics can be classified in this category.
Biometric technology makes use of a person’s physiological or behavioral characteristics for identification. Every human being is unique in nature and possesses physical features completely different from any other person. The September 11, 2001 terrorist attacks heightened security concerns, and governments and organizations all around the world, especially border security agencies, have greatly embraced this human recognition technology. As both private and public entities continue to search for more reliable identification and authentication methods, biometrics has been the choice and is considered the future.
WHAT IS BIOMETRICS?
“Biometrics refers to the automatic identification of a person based on his or her physiological or behavioral characteristics” (Chirillo and Blaul 2003, p. 2). It is an authorization method that verifies or identifies a user based on what they are before authorizing access. The search for a more reliable authorization method to secure assets has led to the emergence of biometrics, and many organizations have shown interest in the technology.
Two main types of biometrics are used, namely physical and behavioral. A physical biometric is a part of a person’s body, while a behavioral biometric is something that a person does (Lockie 2002, p. 8). He added that although there are some more unusual biometrics which may be used in the future, including a person’s unique smell, the shape of their ear or even the way they talk, the main biometrics being measured include fingerprints, hand geometry, retina scan, iris scan and facial location or recognition (all physical), and voice recognition, signature, keystroke pattern and gait (all behavioral). However, it has been argued by Liu and Silverman (2001) that different applications require different biometrics, as there is no supreme or best biometric technology.
HISTORY OF BIOMETRICS
According to Chirillo and Blaul (2003, p. 3), “the term biometrics is derived from the Greek words bio (life) and metric (to measure).” China is among the first known to have practised biometrics, back in the fourteenth century, as reported by the Portuguese historian Joao de Barros. It was called member-printing: children’s palms as well as their footprints were stamped on paper with ink to identify each baby. Alphonse Bertillon, a Paris-based anthropologist and police desk clerk who was trying to find a way of identifying convicts in the 1890s, decided to research biometrics. He came up with measuring body lengths, and this remained in use until it was proved to be prone to error, as many people shared the same measurements. The police then started using fingerprinting, developed by Richard Edward Henry of Scotland Yard on the basis of the Chinese methods used centuries before.
Raina, Orlans and Woodward (2003, pp. 25-26) stated that references to biometrics as a concept could be traced back over a thousand years to East Asia, where potters placed their fingerprints on their wares as an early form of brand identity. They also pointed to Egypt’s Nile Valley, where traders were formally identified based on physical characteristics such as eye colour, complexion and height. This information was used by merchants to identify trusted traders with whom they had successfully transacted business in the past. Kapil et al. also made references to the Bible, first pointing to the faith the Gileadites had in their biometric system, as reported in The Book of Judges (12:5-6): the men of Gilead identified enemies in their midst by making suspected Ephraimites say “Shibboleth”, for they could not pronounce it correctly. The second reference is to The Book of Genesis (27:11-28), where Jacob pretended to be Esau by putting goat skins on his hands and the back of his neck so that his skin would feel hairy to his blind, aged father’s touch. This illustrates a case of biometric spoofing and false acceptance. They finally wrote, “Biometrics as a commercial, modern technology has been around since the early 1970’s when the first commercially available device was brought to market” (p. 26).
HOW BIOMETRICS SYSTEMS WORK
“A biometric system is essentially a pattern-recognition system that makes a personal identification by determining the authenticity of a specific physiological or behavioral characteristic possessed by the user” (Blaul 2003, p. 3). Biometrics has so far been developed to work in two modes, namely verification and identification.
Verification systems are designed to answer the question “Am I who I claim to be?” by requiring that a user claim an identity in order for a biometric comparison to be performed. The user provides data, which is then compared to his or her enrolled biometric data. Identification systems answer the question “Who am I?” and do not require a user to claim an identity, as the provided biometric data is compared to data from a number of users to find a match (Nanavati 2002, p. 12).
An illustration of a scenario using an identifying biometric system is given below; it answers the question “Who am I?”
In October 1998 in the United Kingdom, Newham Council introduced face recognition software to 12 town centre cameras with the sole purpose of decreasing street robbery. Images are compared against a police database of over 100 convicted street robbers known to be active in the previous 12 weeks. In August 2001, 527,000 separate faces were detected and operators confirmed 90 matches against the database. Where a face is not identified with any in the database, the image is deleted; if a match is found a human operator checks the result. The introduction of face recognition technology to Newham city centre saw a 34% decrease in street robbery. The system has not led directly to any arrests, which suggests that its effect is largely due to the deterrence/displacement of crime. The face recognition system has been widely publicised by the council and 93% of residents support its introduction (Postnote Nov 2001, p. 1).
The case study below illustrates a verifying biometric system and answers the question “Am I who I claim to be?”
The US Immigration and Naturalization Service Passenger Accelerated Service System (INSPASS) has been introduced at eight airports in order to provide a quick immigration processing for authorised frequent flyers entering the US and Canada. On arrival at an airport, a traveller inserts a card that carries a record of their hand geometry into the INSPASS kiosk and places their hand on a biometric reader. A computer cross-references the information stored on the card at registration with the live hand geometry scan. The complete process takes less than 30 seconds. If the scans match, the traveller can proceed to customs; if not, travellers are referred to an Immigration Inspector. There are more than 45,000 active INSPASS users with, on average, 20,000 automated immigration inspections conducted each month (Postnote Nov 2001, p. 1).
A verifying system is often referred to as a one-to-one process and generally takes less processing time than an identifying system. This is because in an identifying system a user is compared to all users in the database (one-to-many). Verifying systems are also more accurate, since they only have to match a user’s data against his or her stored data and do not need hundreds, thousands or even millions of comparisons like identifying systems. However, it is important for an organization to decide which type is appropriate for its application.
The research methodology designed for this dissertation is mainly the qualitative approach. A quantitative approach has been set aside due to limited time, as designing and distributing surveys takes time and response times could not be predicted. Therefore, my effort will be concentrated on critically reviewing previous literature in order to acquire an overview of, and insights into, the topic. Journals, books, publications, documentaries and previous dissertations related to the topic will be reviewed, compared and analyzed. The objectives will be achieved purely by reviewing literature and previous research, and the literature will be critically analyzed by comparing information obtained from different sources. Findings, recommendations and conclusions will be drawn from the analysis.
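The following Python program is an added illustration of the one-to-one versus one-to-many distinction described above; it is not code from the dissertation or from any system it cites. The enrolled templates are constructed feature vectors standing in for biometric data, cosine similarity stands in for a vendor’s proprietary matcher, and the 0.9 threshold is an assumed value. The `identification_false_match_rate` function goes slightly beyond the text by quantifying why a one-to-many search is less accurate: each extra enrolled template is one more chance of a false match.

```python
"""Toy biometric matcher contrasting verification (1:1) with identification (1:N).

Added illustration for this chapter, not code from the dissertation or any
product it cites. Templates are constructed feature vectors, cosine similarity
is an assumed stand-in for a real matcher, and the threshold is an assumption.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Template = Tuple[float, ...]


def similarity(a: Template, b: Template) -> float:
    """Cosine similarity in [-1, 1]; 1.0 means the vectors point the same way."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


@dataclass
class BiometricSystem:
    """Holds enrolled templates and counts how often the matcher is invoked."""
    threshold: float = 0.9                                # assumed decision threshold
    templates: Dict[str, Template] = field(default_factory=dict)
    comparisons: int = 0                                  # matcher calls so far

    def enroll(self, user_id: str, template: Template) -> None:
        self.templates[user_id] = template

    def verify(self, claimed_id: str, probe: Template) -> bool:
        """One-to-one: 'Am I who I claim to be?' Exactly one comparison,
        against the claimed identity's stored template."""
        stored = self.templates.get(claimed_id)
        if stored is None:
            return False                                  # unknown claim: reject
        self.comparisons += 1
        return similarity(stored, probe) >= self.threshold

    def identify(self, probe: Template) -> Optional[str]:
        """One-to-many: 'Who am I?' Compares the probe against every enrolled
        template and returns the best match only if it clears the threshold."""
        best_id: Optional[str] = None
        best_score = -1.0
        for user_id, stored in self.templates.items():
            self.comparisons += 1
            score = similarity(stored, probe)
            if score > best_score:
                best_id, best_score = user_id, score
        return best_id if best_score >= self.threshold else None


def identification_false_match_rate(fmr: float, enrolled: int) -> float:
    """System-level false match rate of a 1:N search when each of the N stored
    templates has an independent per-comparison false match rate `fmr`:
    P(at least one false match) = 1 - (1 - fmr) ** N."""
    return 1.0 - (1.0 - fmr) ** enrolled


def demo() -> dict:
    """Enrol three constructed users and run both modes on constructed probes."""
    system = BiometricSystem()
    system.enroll("alice", (1.0, 0.0, 0.0))              # constructed templates
    system.enroll("bob", (0.0, 1.0, 0.0))
    system.enroll("carol", (0.0, 0.0, 1.0))

    probe = (0.95, 0.10, 0.05)                            # noisy live sample of alice
    stranger = (0.60, 0.60, 0.50)                         # unenrolled person

    results = {}
    system.comparisons = 0
    results["verify_alice"] = system.verify("alice", probe)
    results["verify_cost"] = system.comparisons           # one comparison

    system.comparisons = 0
    results["identify_alice"] = system.identify(probe)
    results["identify_cost"] = system.comparisons         # one per enrolled user
    results["verify_bob_with_alice"] = system.verify("bob", probe)
    results["identify_stranger"] = system.identify(stranger)
    results["fmr_1"] = identification_false_match_rate(0.001, 1)
    results["fmr_1000"] = identification_false_match_rate(0.001, 1000)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows that verification costs a single comparison while identification costs one per enrolled user, and that a per-comparison false match rate of 0.1% becomes a better-than-even chance of some false match once a thousand templates are searched, which is the accuracy argument for preferring verification where a claimed identity is available.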
OBJECTIVES OF THE STUDY
The aim of this research is to critically analyse biometric security as an emerging and booming industry by examining the positives and negatives and providing ways of improving the method effectively and, most importantly, efficiently. Since biometrics applies to many applications, access control will be the main focus of this dissertation. Issues such as privacy, laws governing biometrics and standards will also be examined.
The main objectives of this research are:
- To review biometric security and issues related to it.
- To evaluate the threats, advantages and disadvantages of biometrics.
- To propose ways of improving the effectiveness and efficiency of biometrics from previous researches.
This chapter critically reviews and analyses numerous works of researchers in the areas of biometrics, threats to biometrics, advantages and disadvantages, and ways of improving the efficiency of biometrics in access control. The effect of privacy (human rights) and the need to conform to biometric standards will also be examined.
DEFINITION OF BIOMETRICS
According to Jain, Ross and Pankanti (2006, p. 125), one great concern in our vastly interconnected society is establishing identity. Systems need to know “Is he who he claims he is?”, “Is she authorized to use this resource?” or simply “Who is this?”
Therefore, a wide range of systems require reliable personal recognition schemes to either verify or identify an individual seeking access to their services. The purpose of such a scheme is to ensure that the rendered services are accessed only by the authorized and not by any intruder or impostor (Ross 2004, p. 1).
“Biometric recognition, or simply biometrics, refers to the automatic recognition of individuals based on their physiological and/or behavioral characteristics” (Jain 2004, p. 1).
Woodward (2003, p. 27) cited biometric industry guru Ben Miller’s 1987 biometric definition: “Biometric technologies are automated methods of verifying or recognizing the identity of a living person based on a physical or behavioral characteristic.”
Shoniregun and Crosier (2008, p. 10) provided several definitions of biometrics which include:
- “Biometrics is the development of statistical and mathematical methods applicable to data analysis problems in the biological science.”
- “Biometrics = identification/verification of persons based on the unique physiological or behavioral features of humans.”
- “Biometrics is the measurement and matching of biological characteristics such as fingerprint images, hand geometry, facial recognition, etc.”
- “Biometrics is strongly linked to a stored identity to the physical person.”
Notwithstanding the various definitions, it can be seen that the science of biometrics is based on the fact that no two people are the same, and this has a significant influence on its reliability and success factor.
THE BIOMETRICS INDUSTRY
According to Lockie (2002, p. 10), the biometric industry did not really become established until the middle of the twentieth century. Researchers at that time were investigating whether various human parts and characteristics, such as the iris or the voice, could be used to identify an individual. This work was made public through published papers, and as a considerable number of these strands of research began to come together, the biometrics industry as we know it today was established.
“As organizations search for more secure authentication methods for user access, e-commerce, and other security applications, biometrics is gaining increasing attention” (Liu 2001, p. 27).
Higgins, Orlans and Woodward (2003, p. xxiii) emphasized that even though biometrics has not become an essential part of all systems requiring controlled access, “the emerging industry has come a long way from its modern founding in 1972 with the installation of a commercial finger measurement device on Wall Street”. They made reference to the highly respected MIT Technology Review, which called biometrics one of the “top ten emerging technologies that will change the world.”
The growth in the biometric industry is reflected in the numbers. The trio cited Rick Norton, the executive director of the International Biometric Industry Association (IBIA), who reported at the Biometrics 2002 Conference in London, United Kingdom, that the industry’s trade association had recorded a surge in biometric revenues over recent years. From $20 million in 1996, revenues increased to $200 million in 2001, and Norton believes they will increase significantly over the following five years.
Also, a forecast made by the International Biometric Group (IBG), a biometric consulting and integration firm located in New York City, estimated that biometric revenues totaled $399 million in 2000 and would increase to $1.9 billion by 2005. Both IBIA and IBG believe that the private sector will be responsible for much of the growth. These figures give evidence of the relevance of biometrics to organizations in modern times.
BIOMETRICS AND ACCESS CONTROL
Over the years, biometrics has evolved rapidly and many vertical markets such as governments, transport, financial sectors, security, public justice and safety, healthcare and many more have adopted biometrics. Due to this wide range of users, biometrics has been deployed to many applications.
Biometrics has been of great benefit to organizations as they seek a reliable security method to safeguard assets. Having understood how biometrics works, it can be said that the ultimate aim of applying biometrics in the vertical markets listed above is to control access to a resource, irrespective of whether the system used is a verifying or an identifying one.
It has been stated by S. Nanavati, Thieme and R. Nanavati (2002, p. 14) that biometric systems are deployed for two primary purposes, namely physical and logical access.
LOGICAL VERSUS PHYSICAL ACCESS
“Physical access systems monitor, restrict, or grant movement of a person or object into or out of a specific area” (Thieme 2002, p. 14). This could be implemented to control entry into rooms or even the main building. Popular examples are control towers, bank vaults, server rooms and many other sensitive rooms requiring controlled access. In physical access, biometrics replaces the use of keys, PIN codes, access cards and security guards, although any of these could be combined with biometrics as a complement. A common physical access application is time and attendance.
Thieme also defined logical access systems as ones that monitor, restrict or grant access to data or information, listing examples such as logging into a PC, accessing data stored on a network, accessing an account, or authenticating a transaction. In this case, biometrics replaces, and can be designed to complement, PINs, passwords and tokens.
Basic biometric functionality, namely acquiring and comparing biometric data, is often identical in both physical and logical systems. For example, the same iris scan data can be used for both doorway and desktop applications. Thieme explained that the only difference between the two is the external system into which the biometric functionality is integrated. This applies to both physical and logical access systems, and actions such as access to a desktop application or access to a room via a doorway are triggered by a biometric match.
However, not every system can be classified as physical or logical access, as the end result does not always indicate access to data or a physical location, and the result may instead be further investigation. An ATM secured by biometrics allows access to money, a physical entity, and does so by allowing the user logical access to his or her data. This application is therefore difficult to classify as either physical or logical.
Thieme (2002, p. 15) suggested that the distinction between physical and logical access systems is a valuable tool in understanding biometrics. He noted that key criteria such as accuracy, fallback procedures, privacy requirements, costs, response time and complexity of integration all vary considerably when moving from logical to physical access.
WHAT ARE BIOMETRIC STANDARDS
Stapleton (2003, p. 167) defined a standard in general terms as “a published document, developed by a recognized authority, which defines a set of policies and practices, technical or security requirements, techniques or mechanisms, or describes some other abstract concept or model.” The growth of the biometric industry has been slowed by the absence of industry-wide standards, and this has also impeded various types of biometric deployment. Nanavati (2002, p. 277) stated that the relative youth of the technology in use, coupled with the disunified nature of the industry, has impacted the development of standards, resulting in sporadic and frequently redundant standards. Nanavati also noted that live-scan fingerprint imaging is the only segment of the biometric industry with widely accepted and adopted standards. Due to this absence of biometric standards, some institutions have been concerned about being tied into technologies they believed to be immature or even developmental.
However, in an effort to actively address the standards issue, the biometric industry has finalized some blueprints, and the process of getting industries to accept these standards is ongoing.
WHY IS STANDARDIZATION NECESSARY?
The high rate of biometric development and rapid growth in adoption of biometric technologies in recent years has resulted in ever-increasing levels of what is expected in terms of accuracy, adaptability, and reliability in an ever-wider range of applications. Due to the adoption of biometric technologies in large-scale national and international applications, involving a potentially unlimited range of stakeholders, Farzin Deravi (2008, p. 483) stated that “it has become essential to address these expectations by ensuring agreed common frameworks for implementation and evaluation of biometric technologies through standardization activities.”
The majority of biometric systems, including both the hardware and the software, are made and sold by the owner of the patent at this stage in their development. They are proprietary in numerous aspects, including the manner in which biometric devices and systems as a whole communicate with applications, the method of extracting features from a biometric sample, and the method of storing and retrieving biometric data, among many more. This has resulted in many companies being wedded to a particular technology once they agree to implement it. Nanavati (2002, p. 278) stated that in order to incorporate a new technology, companies are required to rebuild their system from scratch, in some cases duplicating much of the deployment effort.
Deravi (2008, p. 483) noted that “the need for interoperability of biometric systems across national boundaries has implied a rapid escalation of standardization efforts to the international arena”, stating that the sense of urgency about standardization has been driven by internal security concerns.
The industry-wide or universal adoption of biometric standards will not make biometric technology interoperable, at least to the state where an old device can be replaced by a new device without rebuilding the system. However, Nanavati (2002, p. 278) argued that the core algorithms through which vendors locate and extract biometric data are very unlikely to be interoperable or standardized, the reason being that these algorithms represent the basis of most vendors’ intellectual property.
Numerous reasons motivate standardization. These include the desire to reduce the overall cost of deploying biometric technologies and to optimize the reliability of biometric systems, to reduce the risk of deploying biometric solutions, and to ensure, in the areas of encryption and file format, that the basic building blocks of biometric data management have been developed according to best practice by industry professionals.
Nanavati (2002, p. 278) concluded that “standards ensure that, in the future, biometric technology will be developed and deployed in accordance with generally accepted principles of information technology.”
EXISTING BIOMETRIC STANDARDS
Shoniregun and Crosier (2008, p. 22) stated that the growing interest and developments have made the development of standards a necessity, with the sole aim of allowing compatibility between different systems. The standards detailed in the Biometrics Resource Centre (2002) report are summarised below:
- Common Biometric Exchange File Format (CBEFF):
The Common Biometric Exchange File Format (CBEFF) sets a standard for the data elements essential to supporting biometric technology in a common way, irrespective of the application involved or the domain in use. It makes data interchange between systems and their components easier, while promoting interoperability among biometric-based applications, programs and systems.
- INCITS MI-Biometrics Technical Committee:
This committee was established by the Executive Board of the International Committee for Information Technology Standards (INCITS) with the responsibility of ensuring a focused and reasonably comprehensive approach in the United States to the rapid development and approval of national and international generic biometric standards (Shoniregun and Crosier 2008, p. 22).
- BioAPI Specification (Version 1.1):
“The BioAPI standard defines the architecture for biometric systems integration in a single computer system.” (Deravi 2008, p. 490). The BioAPI specification has been one of the most popular standards efforts since it was formed in April 1998, according to Nanavati (2002, p. 279). Nanavati stated that the standard was formed to develop an API that is both widely accepted and widely available while being compatible with various biometric technologies.
Other general standards available are the Human Recognition Module (HRS), ANSI/NIST-ITL 1-2000, the American Association for Motor Vehicle Administration standard, and the American National Standards Institute (ANSI) standard, which specifies the acceptable security requirements necessary for effective management of biometric data, especially for the financial services industry.
BRITISH BIOMETRICS STANDARDS
The British Standards Institution (BSI) commenced work on biometric standards in June 2004 and has since published, according to Shoniregun and Crosier (2008, p. 24), “a set of four new BS ISO/IEC 19794 STANDARDS,” reported to cover the science of biometrics and the use of biological characteristics in identifying individuals. The objective of publishing these standards is to promote interoperability between the several products on the market.
- BS ISO/IEC 19784-2:2007:
This standard defines the interface to an archive Biometric Function Provider (BFP). The interface assumes that the collected biometric data will be managed as a database, irrespective of its physical realization. Crosier (2008, p. 24) defined the physical realization as “smartcards, token, memory sticks, files on hard drives and any other kind of memory can be handled via an abstraction layer presenting a database interface.”
- BS ISO/IEC 19795-2:2006:
According to Shoniregun (2008, p. 25), this standard provides recommendations and requirements on data collection, analysis and reporting specific to two types of evaluation (scenario evaluation and technology evaluation). BS ISO/IEC 19795-2:2006 further specifies the requirements for developing and fully describing protocols for scenario and technology evaluations, and for executing and reporting biometric evaluations.
- BS ISO/IEC 24709-1:2007:
“ISO/IEC 24709-1:2007 specifies the concepts, framework, test methods and criteria required to test conformity of biometric products claiming conformance to BioAPI (ISO/IEC 19784-1).” (www.iso.org). Crosier (2008, p. 25) stated that ISO/IEC 24709-1:2007 specifies three conformance testing models which allow conformance testing of each of the BioAPI components, namely a framework, an application and a BSP.
- BS ISO/IEC 24709-2:2007:
This standard defines a number of test assertions composed in the assertion language explicitly required in ISO/IEC 24709-1. The assertions allow a user to test the conformance of any biometric server producer (BSP) “that claims to be a conforming implementation of that International Standard” to ISO/IEC 19784-1 (BioAPI 2.0) (www.iso.org).
BIOMETRICS AND PRIVACY
The fact that biometric technologies are based on measuring physiological or behavioral characteristics and archiving these data has raised concerns about privacy risks, and has also raised discussion about the role biometrics plays when it comes to privacy. As stated by Nanavati (2002, p. 237), the increase in the use of biometric technology in the public sector, the workplace and even at home has raised the following questions:
- What are the main privacy concerns relating to biometric usage?
- What kinds of biometric deployments need stronger protections to avoid invading privacy?
- What biometric technologies are more prone to privacy-invasive usage?
- What kinds of protections are required to ensure biometrics are used in a non privacy-invasive way?
Woodward (2003, p. 197) cited President Clinton’s speech in his commencement address at Morgan State University in 1997: “The right to privacy is one of our most cherished freedoms…We must develop new protections for privacy in the face of new technological reality.”
Recently, biometrics has been increasingly deployed to improve security and is regarded as a very important tool in combating terrorism. Privacy is central to biometrics, and many people believe that deploying biometrics poses a considerable risk to human rights, even though some are of the opinion that biometrics actually protects privacy.
Human factors influence the success of a biometric-based identification system to a great extent. The ease as well as comfort in interaction with a biometric system contributes to how people accept it.
Jain, Ross and Prabhakar (2004, p. 24) gave the example of a biometric system being able to measure the characteristics of a user without touching, such as those using voice, face or iris, and concluded that such a system may be perceived by users as more user-friendly and hygienic. They added that, on the other hand, biometric characteristics not requiring user participation or interaction can be recorded without the knowledge of the user, and this is perceived by many individuals as a threat to privacy.
According to Sim (2009, p. 81), biometrics, compared to other security technologies, has significant impacts on users’ privacy (civil liberties). It can protect privacy when deployed in an appropriate manner, but when misused it can result in loss of privacy.
ADVANTAGES OF BIOMETRIC OVER TRADITIONAL METHODS
Passwords and PINs have been the most frequently used authentication methods. Their use includes controlling access to a building or a room, securing access to computers, networks, the applications on personal computers and many more. In some higher-security applications, handheld tokens such as key fobs and smart cards have been deployed. Due to some problems related to these methods, the suitability and reliability of these authentication technologies have been questioned, especially in the modern world with modern applications. Biometrics offers some benefits compared to these authentication technologies.
Biometric technology can provide a higher degree of security than traditional authentication methods. Chirillo (2003, p. 2) stated that biometrics is preferred over traditional methods for many reasons, which include the fact that the physical presence of the authorized person is required at the point of identification. This means that only the authorized person has access to the resources.
Effort by people to manage several passwords has left many choosing easy or general words, with considerable