Biometric identification

Reading Time: 6 minutes

Not everything can simply be requested digitally. A major stumbling block to the digital processing of requests is identification. Is someone really who he claims to be? Secure and reliable ways of identification make it possible to provide even more services digitally. One method that can be used for this purpose is biometrics. But what is biometric identification and what three points are important?

What is biometric identification?

Biometrics is a collection of techniques to measure and determine body characteristics of an individual. The body characteristics that biometric techniques measure should be distinctive and permanent {Jain, 2006, Biometrics: A tool for information security}. These conditions determine the accuracy and thus reliability of a technique for a given task [1].

A biometric system can be thought of as a signal detection system with pattern recognition. In this process, a raw biometric signal is detected, processed into a salient set of features (summarized in a template) and compared with the features in a database. The system validates a claimed identity or determines the identity associated with the signal [1].

Biometric recognition can be applied in two ways [1]:

• Verification (1:1 matching): The biometric data of a person is compared with the biometric data in the database of the same person. This is to verify that the person is really who they claim to be.
• Identification (1:N matching): A person’s biometric data is compared with all the biometric data in the database. This is to find the person in the database, or to rule out that they are in the database (negative identification).

Some popular biometric features are [2]:

• Face: location of and distance between facial features such as eyes, nose, lips, chin and overall shape is used for recognition.
• Fingerprint: the spatial distribution of ridges, valleys and branches on the finger and sweat pores are used for recognition.
• Iris: the striations, pits and grooves of the colored ring in the eye are used for recognition.
• Palm print: the creases (papillary lines) on the inside of the palm are used for recognition.
• Hand geometry: hand features such as finger length, thickness, circumference and spread are used for recognition.
• Voice: physiological characteristics such as shape, size of vocal cords, lips, nasal cavities, mouth, and behavioral characteristics in a spoken word are used for recognition.
• Writing/keystroke: features in the shape, speed, acceleration, pressure and arrangement during of a written word are used for recognition.
• DNA: the deoxyribonucleic acid present in every cell of the human body is used for recognition.
• Blood vessel patterns: the patterns of blood vessels under the skin are used for recognition.

Procedurally, a biometric signal must be captured and linked to an identity to create a reference template in a database (enrollment). This reference template, at a follow-up stage, allows this identity to actually be compared and recognized (authentication).

What 3 points are important?

1: Accuracy

Identification is currently still done physically (by showing a passport or identity card, for example) and digitally (by DigiD or eRecognition, for example ). These digital techniques use password and/or object authentication to provide access to encrypted data. This requires an exact match of the entered and registered password, so simple pattern recognition suffices.

In biometric recognition, the representation of the specified characteristic can vary greatly due to the method of measurement, acquisition and environment. For example, a fingerprint may be presented upside down or only partially visible due to insufficient pressure. As a result, there is no exact match but a percentage of match [1].

Because of this variation, a biometric system involves complex pattern recognition and can make the following system errors that undermine correct identification:

• Failure to enrol (FTE): A correct reference template cannot be created;
• False accept rate (FAR): A person is wrongly accepted for a reference template;
• False reject rate (FRJ): A person is wrongly rejected for a reference template.

2: User acceptance

People value ease of use, security and reliability. Users are more positive about biometrics that require little effort and of which they are aware, such as a finger scan or signature. This stands in contrast to for example iris scanning, while this is actually a much more secure solution. Convenience and the sense of reliability are thus leading factors [3][4].

To increase ease of use, biometric features should be effortlessly measured, without infringing on health or hygiene . For this purpose, techniques are under development that can measure biometric features from a distance [5] and during movement [6]. This technology can support users with easy-to-use sensors and an intuitive interfaces. This ensures that users are assisted in taking the biometric feature correctly [1].

Finally, there is societal, cultural and religious resistance in the acceptance of biometrics. People often see a biometric system as an undesirable and harmful technology. Biometric characteristics are part of a human body and behavior, which cannot be changed or are difficult to change, and it involves highly personal information and therefore can be an invasion of privacy. Finally, issuing biometric features is prohibited in some cultures and religions [2] .

3: Information security

Like any information system, a biometric system is susceptible to a variety of attacks that can undermine its operation. These can include opportunistic attacks and hostile attacks [1]:

• Opportunistic: In this case, a person’s biometric characteristics sufficiently match those of an enrolled user, allowing unintended access.
• Hostile attack: Here, a malicious person can impersonate an enrolled user by physically or digitally manipulating the system, or deliberately manipulating their own biometric characteristics to avoid detection.

These attacks are designed to bypass the security and normal operation of the system [7]:

1.  A fake biometric, such as a photograph or artificial fingerprint, is presented to the sensor.
2. Intercepted data can be re-entered into the system.
3. The feature extraction can be infected with a program that creates a set of features desirable to the intruder.
4. The actual feature template can be replaced with an artificial template.
5. The comparison system can be infected with a program that affects the scored degree of similarity.
6. Templates in the database can be modified, added or deleted.
7. Data in communication between different modules can be changed.
8. The final decision of the biometric system can be modified.

In addition to these vulnerabilities, there are other ways in which the normal functioning of a biometric system can be undermined [8][9]. The display of a biometric can be intentionally manipulated by misusing the sensor.  Authorized users, such as an administrator, can modify data or system properties and claim it was done by an intruder.  These legitimate users can also be forced to modify data by threat or blackmail.  Finally, the system is susceptible to Denial of Service (DoS), where the server is overwhelmed with requests until it can no longer handle other requests. This prevents legitimate users from using the biometric system.

Biometric identification in practice:

Schiphol Airport has been applying the iris scan in its “Privium” concept for about 15 years and made it available to regular travelers several years ago [10]. The iris scan has the advantage of reducing waiting time to a minimum. Passengers can pass through customs without being checked by a person. Passengers have to have their iris scanned and use a pass that contains their identification data. According to Schiphol, identification now takes only 10 seconds instead of half an hour.

[1] Jain, A. K., Ross, A., & Pankanti, S. (2006). Biometrics: A tool for information security. IEEE Transactions on Information Forensics and Security, 1(2), 125-143.
[2] Kumar, A., & Jain, A. K. (2012). Biometric Recognition: An Overview. In E. Mordini & D. Tzovaras (Eds.), Second Generation Biometrics: The Ethical, Legal and Social Context (Vol. 11, pp. 49-79): Springer Netherlands.
[3] Dowland, P., Furnell, S. (2007). Advances in networks, computing and communications 4 : proceedings of the MSc/MRes programmes from the School of Computing, Communications and Electronics, 2005-2006: School of Computing, Communications & Electronics, University of Plymouth.
[4] The Irish Council for Bioethics. (2009). Biometrics: Enhancing security or invading privacy? Biometrics: Enhancing security or invading privacy? Dublin.
[5] Matey, J. R., Ackerman, D., Bergen, J., & Tinker, M. (2008). Iris recognition in less constrained environments. London: Springer.
[6] Proença, H., Filipe, S., Santos, R., Oliveira, J., & Alexandre, L. A. (2009). The UBIRIS.v2: A database of visible wavelength iris images captured on-the-move and at-a-distance.
[7] Ratha, N., Connell, J. H., & Bolle, R. M. (2001). An analysis of minutiae matching strenght. Paper presented at the Proc. Int. Conf. Audio and Video-based Biometric Person Authentication, Halmstad, Sweden.
[8] Uludag, U., & Jain, A. K. (2004). Attack on biometric systems: a case study in fingerprints. Paper presented at the SPIE-EI Security, Steganography and Watermarking of Multimedia Contents, San Jose California.
[9] O’Gorman, L. (2003). Comparing passwords, tokens, and biometrics for user authentication. IEEE, 91(12), 2019-2040.
[10] Vernooij, N. (2016). Jubilerend Privium kijkt naar tweede ClubLounge. Luchtvaartnieuws.