Biometric Technologies: Advantages and Disadvantages

Abstract

There have two aims of this project.

Firstly is to provide an objective analysis of available biometric technologies, to identify their strengths and weaknesses and to investigate a broad range of application scenario in where biometric techniques are better than traditional recognition and verification method.

Another aim is to develop a product. Now a day most of the online banking and financial organization are trying to convert their existing online banking in open source Java or in some other open source platform, so that it could be more reliable, secure and difficult for the hacker to hack such open source management system. Most of the systems are still using the login ID and password typing functionality which is not secure at all as anybody can steal password by using a hidden Keystroke logger or like this sort of software and another problem is user need to remember so many password and user ID for different web services. From a statistical observation it found that more than 70% people write down their Username and password, which can be stolen, lost and can be misuse by others. If the organizations could integrate secure fingerprint or any other biometrics built in functionality then it could be more secure, reliable, easier and hassle free for the user.

To get ride from such problem I have tried to develop such a model of secure web service integrating with fingerprint recognition where users no need to remember or insert anymore user name or password. Although there has lots of password replacement fingerprint software available in the market but as my knowledge such software doesn’t work for completely platform independent (Java based) secure web service. I have used platform-independent Java 2 Platform Enterprise Edition (J2EE), Netbean, Jboss server, sql data base and open source bio-sdk to develop this model.

Preface

Although this web service has integrated only with the fingerprint functionality due to limitations of hardware and other resources but in here has critically investigate about the strengths and the security hole of other biometric functionality, so that in future such biometrics functionality can be imply.

Another constraint with regard to this report is time. To provide more strength and security for that system, many features could be added like development of better algorithm to fix the security hole of the fingerprint software. To cope with the time changes are an inevitable part of the software or web service development but many have been entirely avoided in this case as they would not have added any value to the principal purpose of this project.

Problem Areas for that Project

Biometrics is a young technology, therefore relative hardware is not that available in the local market and they are so expensive to buy personally.

Unfortunately there is no biometrics hardware in the CMS’s hardware lab. As well as there is no biometrics software or equipment. It was requested to buy some hardware for this thesis purpose but unfortunately the university was not agree to buy or manage anything which is related to biometrics.

Many companies of this biometrics fields were requested personally to help or give information regarding their product but they denied for the marketing reason.

There was no biometrics related books in the university library. Moreover the library was unable to provide.

So without any technical and theoretical support it was really hard to gain new idea and to make a new product which is related to the biometrics.

Some biometrics hardware has been bought personally for this thesis. With the extraordinary help, advice and encourage from the supervisor this work has been done.

Section One: Background Literature of Biometrics

Chapter 2:

Background Literature of Biometrics

Now a day biometrics is a well known term in the information technology. The origin of the word biometrics comes from Greek language. Bio means life and metrics means measurement. So the biometrics is related to the measurement of a living thing. But in the information technology it means an automated process where a human is recognised or identified using his/her physiological or behavioural characteristics. The specific physiological characteristics is collected, quantified, measured, compared with the previous stored characteristic and decided. So it is the process for the identification not any innovation.

2.1 A short history of biometrics:

In the normal life a person has been recognised or identified based on face, body structure, height, colour, hair etc. So in that sense the history of biometrics identifiers or characteristics is as old as mankind history. In the ancient East Asia, plotters used their fingerprint on their products which is the identification of individual. In the ancient Egypt the people use some characteristics such as complexion, eye colour, hair, height to identify trusted traders. But for a long time biometrics had not been considered as a field of study.

At the late 1880, the biometrics gained the interest as a field of study. The credit was Alphonse Bertillon who was an anthropologist and police clerk. He was tried to identify convicted criminal to others. He first discovered and mentioned that some physical measurement of an adult human is invariant of time. These combinations of measurements are different to human to human. So these measurements can be used to recognize an individual from other (Scottish Criminal Record Office, 2002a). His theory was known as Bertillonage or anthropometry. That time his theory was appreciated and thought to be well established. The main measurements which he suggested are given in the picture 2.1. But in the year 1903, it was found that his theory was wrong for the identical twins. That time an identical twin was found, according to his theory they are single person. So the new theory or new characteristics were looking for the identification.

It was said that Sir Edward Henry was the first who interested on finger print for the purpose of identification. He was an Inspector General of Bengal police. In 1986, he ordered to record the prisoners fingerprint as an identification measurement. He tried to introduce the classification system of the fingerprint. In the year 1901, Sir Henry was joined as Assistant Commissioner of the Scotland Yard. After then a finger print bureau was established. That time the failure of the anthropometry system made the finger print system well known. Finger print system was started to use for the purpose of identification of a person. The system is used as same way still today.

Automated system to read finger print was first introduced in the early 1970s. The first finger-print measurement device was first used in 1972 which was known as Identimeter. This device was used at Shearson Hamil named Wall Street Company. The purpose of this device was time keeping and monitoring.

Day after day the interest of this biometric system was increased. The decrease of the hardware cost of the computer and improvement of the algorithm increase the research of the biometrics.

2.2 Biometric characteristics:

2.2.1 General requirements for a characteristic using as a biometric identifier:

In the biometric history section, it has been discussed that several characteristics were consider as an identifier of human. But many of them were rejected. According to the Amberg 2003, if a characteristic can be considered as an identifier for the biometric purpose then it should mitigate some requirements such as university (Every human should have that characteristics), uniqueness (That characteristic should be different person to person), permanence (that characteristic should be permanent) and collect ability (that characteristic should be able to collect and that should also be measurable). There are some additional requirement can be applied with a these requirement such as performance (It accuracy should be high, it should need minimum resources), acceptability (it should be accept everywhere and it should also be acceptable to the future users), fraud resistance (It should have higher security level and can be resistance to fraudulent), cost effective (it users benefit should be many times higher then its using cost).

2.2.2 Classification of the characteristics which can be used as biometric identifiers:

Biometrics characteristics or identifiers can be categorized into two groups. They are Physiological type and Behavioural type.

Physiological type: This type of characteristics is related to human body or anatomy. Finger print reading, DNA analysis and face of individual which are frequently used as biometric identifiers of this type. The use of retina and the iris will be prospective future. This type pf characteristic can be divided as genotype and phenotype. A group of people can have the same genotype characteristics. Blood group, DNA analysis these are the two most commonly used genotype characteristics. In contrast to genotype characteristics, phenotype characteristics can be having only single individual, so this type of characteristics is different from person to person. Finger print, retina and iris are this type of characteristic.

Behavioural Characteristics: This type of the characteristic is related to human behaviour. Signature is the most commonly used characteristics of this type. Human voice analysis and key stoke is another two characteristics which are now also be used. This kind of characteristics is the indirect measurement of the human body. This type of characteristics has been learned or trained; therefore these can be different from time to time. But when a human reach in a certain age, the change of behaviour is negligible, therefore these type characteristic used as identifiers. In the 2.2 the frequently used biometrics characteristics have been shown.

2.2.3 Contrast of the biometrics characteristics:

A contrast of biometrics characteristics has been given in the table 2.1.

Table 2.1: A contrast of the biometrics characteristics (Jaine et al. 1999)

From the table 2.1, it has been said that the physiological characteristics have the better performance then the behavioural characteristics.

From the table 2.1, it has also been seen that some biometrics trait can be regarded more universal, unique and permanent then the other. Such as Iris, DNA, body odour and finger print. But the Iris, DNA and body odour are promising, they need future research and Experiment. Their cost is high, so they are not cost effective. So, now in present the finger print is one of the most accepted biometric traits.

2.3 Establish Identity

Now a day society has been changed significantly. In the past, everyone of a community knew everyone. But now a day, globalization has been changed the situation. Peoples are now interconnected electronically. They are mobile all around the world. So establishing identity is one of the most important task.

2.3.1 Resolving identity of an individual:

There are two fundamental problems occurs for this purpose. They are authentication and identification.

Authentication problem: This problem is also known as verification. This problem arises to confirm or denied anyone’s claimed identity. When any person claimed an identity then this operation process required a comparison. The comparison occurs between submitted biometric samples and the stored samples for the claimed identity. This process is called a ‘one to one’ comparison. For an example an ATM (automatic teller machine) can be considered. For ATM machine the authentication problem has been solved in a two stages process. First stage is to possess a valid ATM card. The second stage is to know the PIN (Personal Identification Number). If anyone know the other person’s PIN and possess his/her correspondence ATM card then that person can claimed the identity of the original ATM card owner identity. This kind of fraud activities have been increasing day after day. According to Jain Et Al, 1999, In 1996 ATM associated swindle activities valued in USA 3 billion US dollar. In the other hand biometrics system promotes a system which can overcome this authentication problem.

Recognition problem: This is also known as identification problem. This problem occurs when a person has been identified from a set template of database. In this problem the person’s data has been compared against the data from the database. It is ‘one to many’ system. An example would help to clear the concept. To identify a criminal a law enforce officials some time lifted finger print or other data from the crime scene. After then they compare the data with the stored data of known criminal. By this way they might be able to identify the criminal.

According to the UK Biometrics Working Group (2002), all the biometric matters does not included in the title of verification and identification. Therefore three more pair of terms has been introduced. These three pairs are (1) Positive claim of identity and negative claim of identity, (2) Explicit claim of identity and implicit claim of identity, and (3) Genuine claim of identity and imposter claim of identity.

Positive claim of identity is also known as positive identification. In this process the claimed person’s identity should have to be enrolled before and known to the system. An example would help to realize the process. An online email account customer enters his or her login name and password into the system, the system compared the combination of these two against a set of data where customer data has been stored before. If the combination of the login name and password has been matched then the user has been verified. The process needs only the login and pass word nothing else. So the email provider does not know who is actually using the account.

Negative claim of identity has been known as negative identification. In this process the claimed person’s identity has not been stored before. So the claimed person can enters only one time, after entering his/her identity has been stored in the system and he or she cannot enters again. Such kind of example is American Social Security. According to the Jain Et Al, 1999, around a billon of US dollar has been taken away annually by using multiple identities from the social security welfare in USA.

In the case of Explicit Claim of Identity, a person unambiguously declares his identity to the system. The claim may be negative claim or positive claim. His/ her submitted identity has been compared with the stored data in one to one comparison. (One to one comparison has been described in the authentication section). Using ATM card is an example of the positive explicit claim of identity. To realize the negative explicit claim of identity, consider an air port where the face recognition system has been established. If a passenger is similar to a known terrorist person then the system would raise the alarm. Then the passenger needs to claim the explicit negative claim of identity. So the passengers other identity such as finger print, iris etch has been compared against that known terrorist in one to one basis comparison.

Implicit claim of identity can be positive or negative claim. In this process a person’s identity has been compared in ‘one to many’ comparison basis against all stored identities.

When anyone claims an honest claim to be himself or herself then it is called the genuine claim of identity (UK Biometric Working Group, 2002). In this case his / her identity has been truly matched with the stored identity.

Imposter Claim of Identity is the process where anyone claims to be someone else is deceit or false (UK Biometric Working Group, 2002). In this case submitted identity does not match with the stored identity.

2.3.2 Verification Technique:

According to the Mitnick, 2002, the Verification technique can be divided into three types. They are (1) Knowledge based verification technique, (2) Token based verification technique and (3) Biometric based verification technique.

Knowledge based verification system:

In this process some information has been used, that information is secret (combination of pass word/PIN/Memorable words etc), usually the person of the original identity has been supposed to be acquainted with secret information. People may travel from distance to distance, so that their memorable secret information will be with them. So it can be said that it will be suitable to use from a distance or remote place.

But this type of authentication has some serious drawbacks. By using Trojan horses and Spywares a hacker can know the others secret information. Trojan horses and Spy wares are able to send the key stoke as email. So this knowledge based verification is not a secure system. Most of the times people use their known name as secret information for the knowledge based verification system. So, it might be possible for the others to guess. Sometimes people do not change their secret information in the knowledge based verification system for a long time. Their secret information is not secure. Sometimes they keep their initial secret information, so that it might be easy to hack. Many types of hacking methods have been developed such as dictionary attack, Hybrid methods, brute force attack etc.

In comparison to other technologies, this is cheap and has a large level of security stage.

Token based verification system:

In this system the claimed identity person should have something which should be used with the secret information. ATM card is an example of the token based verification system. It can be said that it is more secure then the knowledge based verification process because if the token has been lost or stolen then its user can notify.

Biometric verification system:

In this system users biometric distinguishing characteristics such as finger print, face, signature, etc have been used which represents the user’s appearance. These characteristics are moved with the users they are more secure compare to the other two systems. It is quite impossible to use by the unauthorized person. But this system is relatively costly.

Actually no system is fully secure. All of the three systems have some serious drawbacks. Secret information can be hacked, unauthorised person can stole the token and use that and it is also possible to copy biometric information and later replay those (Woodward Et Al. 2003). In order to counter these drawbacks, multiple verification systems can be used. ATM card is an example of the combination of knowledge based verification system and token based verification system. If in the future, the iris scanner is available then it will be more secure if iris scanner has been used with the ATM card.

2.4 The components of a general biometric system and their function:

A general biometric system can be divided into five subsystems. They are: (1) Data acquisition system, (2) Data transmission system, (3) Signal processing system, (4) Data storage system and (5) Decision making system. In the 2.2 a general biometric system has been shown.

Data acquisition system: It has been assumed that every biometric system has two characteristics. They are uniqueness and repeatability. Uniqueness represents that every person’s biometric trait is different. It will not be same for the two persons. The repeatability represents that the biometric trait will be same over time. In this acquisition system the sensors measure the user’s biometric characteristics. These characteristics are said as samples which have definite attributes. The type of presentation and the reader quality can affect the sample qualities.

Data Transmission system: Most of the cases the data collection and processing is not at the same location. So there is a one subsystem which function is to transfer the data. In the data transmission system, compression and expansion has been functioned depend on the size of the sample. The standard protocol has been used for compression and expansion. When the facial image has been sent JPEG format has been used. WSQ format has been used for transferring the data of fingerprint and CELP format has been used for the voice.

Data processing system: there are three parts of signal processing system. They are: (1) feature extraction section (2) quality control section, and (3) pattern matching section. At the extraction section the appropriate biometric data has been split from the background information of the sample. This process is called segmentation. For an example, in a face detection system facial image has been separated from the wall or other back ground. After the extraction the quality has been checked. If the quality of the data is very poor then another sample has been asked. After this section, the pattern matching process has been started. After then the decision making section. Featured data from the pattern matching section has been stored to the storage section depends on the function of the overall biometric section.

Data storage section: From the pattern matching section, some featured of data has been stored as data storage section as template. The main purpose is to compare with the incoming feature. If the overall system is based on one to one matching then the data storage section can be decentralized but if the overall system has been functioned for the one to many matching then the central data base has been needed.

Decision making system: Quality score and the matching score have been sent to the decision making section from the processing section. The decision making system decide the sample has been accepted or denied. The policy is specific depends on the system security expectation. If the number of false non match incident has been increased then the number of false match will be decreased.

2.5 Performance of a biometric system:

The main focus of a biometric system is to ensure the security where only the authorised used can be accepted and non authorised users are denied. The system processing speed is usually given to less priority. The main considerable factors of a biometric system are mainly described by some terms such as Failure to En-roll Rate (FTE), Failure to Acquire Rate (FTA), False Acceptance rate (FAR), False Rejection rate (FRR), False Match Rate (FMR), False Non Match Rate (FNMR) etc.

False Match Rate (FMR): This represents the serious type of fault of a biometric system. This occurs when an authorised users biometric information match to an unauthorised person’s identity. In this case the signal processing system produces a high matching score of a non corresponding template.

False Non Match Rate (FNMR): In this case the authorised person’s biometric features are unable to produce enough high matching score to qualify. This is the opposite of FMR. One of the main reasons of FNMR is partially less quality of the biometric features.

Comparison of FMR and FNMR for the different biometric system: The main aim of a biometric security system is to reduce the rate of False Match Rate (FMR). On the other hand if the False Non Match Rate can be reduced then the system will be more fast and reliable. But all the time there is a relationship between FMR and FNMR. In the 2.4, relationships have been shown for different biometric system. Higher False Match Rate (FMR) is not acceptable, but for the low FMR the False Non Match Rate (FNMR) is considerably higher in every system.

Failure to En-roll Rate (FTE): Sometimes the biometric system cannot make a valid template for some users. Although biometric characteristics are universal but some case there are differences. For an example for a very low number of people’s finger print cannot be enrolled in the system such person who use their hands aggressively such as construction workers or carpenter. So Failure to En-roll rate is the ratio of the number of the people whose biometric features cannot be enrolled to system to the number of the total person who use the system. In the 2.5 a practical test result has been shown where Failure to En-roll (FTE) has been measured for the different system (Mansfield Et Al.2001).

Failure to Acquire Rate (FTA): Sometimes the system cannot acquire data of the desired quality due to the readers/sensors, instrumental problem, environmental problem, noise level of data, background data etc. Simply Failure to Acquire Rate (FAR) represents those biometric sample which cannot get high quality score to go the decision making section.

False Acceptance Rate (FAR) and False Rejection Rate (FRR): these two terms are related to the False Match Rate and False Non Match Rate. False Acceptance Rate (FAR) and False Rejection Rate (FRR) are related to the whole biometric system. On the other hand the False Match Rate and the False Non Match rate are related to the single matching process. So in the case of FAR and FRR, Failure to Acquire Rate of the system should be included. According to Mansfield Et Al.2001, relationships can concluded as follow:

FAR (τ) = (1-FTA) FMR (τ)

FRR (τ) = (1-FTA) FNMR (τ) + FTA

Here, FAR- False Acceptance Rate

τ- Decision threshold

FTA- Failure to Acquire Rate

FMR- False Match Rate

FRR- False Rejection Rate

FNMR- False Non Matching Rate

Each point of the receiver operating characteristics (ROC) curves is corresponded to a definite threshold decision making score which has a particular False Rejection Rate and False Acceptance Rate. For the Forensic purpose, False Rejection Rate should be lowest and for the high security access purpose, False Acceptance Rate should be lowest.

Section Two: Biometric Technology

2.1 Physiological Biometric

In this section has mentioned about the pattern of fingerprint, hand geometry, pattern of iris, facial, retinal and vascular characteristics as a possible biometric identifier.

2.1.1 Fingerprint Pattern

Fingerprint is the oldest, popular and definitely the most widely publicly acceptable mature biometric identifiers. It perfectly meets the necessary criteria for of a biometric identifier like universality, distinctively, persistent and collectability.

They are impressions of the friction ridges on the surface of the hand. In the most application and in this thesis as well, the primary concern is focused on the ridges located above the end joints of fingers. However, in certain forensic applications, the area of importance is broader including the fingers, the palm and the writer’s palm (WOODWARD ET AL. 2003).

Since early 1970 Federal Bureau of Investigation (FBI) has initiated extensive research and development efforts on fingerprint identification. Their main aim was to invent an automated fingerprint identification system (AFIS), so that it could be helpful for forensic purposes (RUGGLES 1996).

2.1.1.1 Feature and Technology

There are two main elements in fingerprint matching technique: firstly minutiae matching and secondly pattern matching.

In the bellows shows regarding the primary technique that analyzes basic minutia types:

Macroscopic overview, universal pattern matching, focus on the integral flow of ridges -these could be categorized into three groups: loops, whorls and arches. Every individual fingerprint should be fit into one of these three categories that shown in the bellow’s

Now a day most of the application depends on the minutiae matching. If a fingerprint scan device capture a typical fingerprint image then there could be identify around 30 to 60 minutia patterns. Federal Bureau of Investigation (FBI) has confirmed that it is not possible for two individuals, even for monozygotic twins also to have more than eight common minutiae. For matching minutiae are examine with type, shape, co-ordinate location (x,y) and direction. In the bellows has shown about the automated minutiae matching process based on these attributes:

In the above describes a case in where the input image (in left) is trying to match against a stored template (in right). 39 minutiae were detected in the input, while the template contained 42 different minutiae. The matching algorithm identified 36 matching data points.

(Source: Prabhakar 2001)

In the above , inputted image (in left) has detected 64 minutiae while in the template (in right) contain 65 different minutiae. The algorithm identified 25 completely non-matching data points.

There need a scanning or capture device to obtain such images. Since 1970s, lots of researches have been done to develop and improve such devices. As a result optical, capacitive, ultrasonic, thermoelectric, radio frequency and touch less scanners has invented and now a day most of them become less expensive and available in the market.

Optical device / scanner: The first method to capture the fingerprint image was the optical scanning technique. Frustrated total internal reflection is the main principle of the operation of such scanner. In that case the finger is placed on the glass platen and illuminated by the laser light. The surface of the finger reflects certain amounts of light depending on the depth of the ridges and valleys and then reflectance is captured by a CCD (charge-coupled device) camera that constitutes of an array of light sensitive diodes called photosites (O’GORMAN 1999).

The big advantage of such device is they are cheaper among all of the automated biometric devices and also available in the local market. The disadvantage for such device is: it could be easily fooled by impostors. The latent fingerprint left on the scanning surface, it’s a big drawback of such device as anybody can collect the latent fingerprint image from there to spoof.

Optical Scanner “Digital Persona” has used to integrate the fingerprint scanning support for the product of that project are using popular U.are.U fingerprint recognition systems depicted in the below . In October 2003, the US Department of Defence has chosen digital persona scanner to secure network security at desktops in its offices in Washington, D.C. (digital persona 2009).

Capacitive Scanner / devices: since their first appearance in 1990, such devices have become very popular. A capacitive scanner is a solid-state device, which incorporates a sensing surface composed of an array of about 100.000 conductive plates over which lies a dielectric surface. When a user touches the sensor, the human skin acts as the other side of the array of capacitors. The measurement of voltage at a capacitor decreases with the growing distance between the plates. Therefore, the capacitance measured at the ridges of a fingerprint will be higher than the capacitance measured at the valleys. These measurements are then analyzed in a way similar to a sonar scan of the ocean bottom, resulting in a video signal depicting the surface of the fingerprint (O’GORMAN 1999).

The advantage of capacitive scanners is its very high accuracy rate. Another big advantages that they are much harder to fool than optical scanners since the process requires living tissue. As the users need to touch the silicon chip itself, solid-state scanners are susceptible to electrostatic discharge (ESD). Recent chip designs were specifically developed to withstand high levels of ESD and frequent handling. modern capacitive device manufacturer like Veridicom claims that their chips will survive around 1 million touches (Ryan 2002).

Thermoelectric device: It is silicon based. It measures the difference of temperature between the ridges touching the surface of the sensor and the valleys distant from them (O’Gorman 1999).

Although thermal scanning is very promising but it is still an uncommon method. A company named Atmel proponents of this technique. It uses finger sweep method to capture fingerprint in a tiny si