BIOMETRICS

12

Biometrics form one of three genericapproaches to authentication, along withpasswords and tokens.6 Biometrics havealways generated a good deal of interest,and in recent years they have becomemuch more mainstream technologies.However, although generally regarded asthe most secure approach, the widespreaddeployment of biometrics has notoccurred to date, with the 2005 CSI/FBIComputer Crime survey reporting thatonly 15% of organisations are using bio-metrics.7 The reasons for the lack of wide-spread deployment go beyond simply thesecurity that can be provided, and issuessuch as cost, relevance, effort and usabilityare key limiting factors. That said howev-er, given biometrics are a security tool forensuring the validity of a user, it wouldappear prudent to ensure that biometricsare capable of providing the level of secu-rity required. But how do biometricsachieve this in practice?

The biometric processThe term biometrics is defined as “theautomated use of physiological orbehavioural characteristics to determineor verify identity”.8 Physiological bio-metrics rely upon a physical attributesuch as a fingerprint, face or iris,whereas behavioural approaches utilisesome characteristic behaviour, such as

the way we speak or sign our name.Biometric systems can be used in twodistinct modes, dependent uponwhether the system wishes to determineor verify the identity of a person.

The particular choice of biometricwill greatly depend upon which of thesetwo methods is required, as perfor-mance, usability, privacy and cost willvary. Verification, from a classificationperspective, is the simpler of the twomethods, as it requires a one-to-onecomparison between a recently capturedsample and reference sample, known as atemplate, from the claimed person.Identification requires a sample to becompared against every reference sample,a one-to-many comparison, containedwithin a database, in order to findwhether a match exists. Therefore the

characteristics used in discriminatingpeople need to be more distinct for identification than for verification.Unfortunately, biometrics are not basedupon completely unique characteristics.Instead a compromise exists between thelevel of security required and thus morediscriminating characteristics and thecomplexity, intrusiveness and cost of thesystem to deploy. It is unlikely however,in the majority of situations that achoice would exist between whichmethod to implement. Instead, differentapplications or scenarios tend to lendthemselves to a particular method. Forinstance, PC login access is typically averification task, as the legitimate userwill begin by providing their username.However, when it comes to a scenariosuch as claiming benefits, an identifica-tion system is necessary to ensure thatthe person has not previously claimedbenefits under a pseudonym.

Although the complexity of the systemand uniqueness of the biometric charac-teristic play an important role in deploy-ment, the underlying mechanism forevery biometric technique, whether inidentification or verification, is identical.Figure 1 illustrates the key processeswithin a biometric technique, ignoringall system level considerations.

The system is built up of a sensor to cap-ture the biometric sample, a data extrac-tion process to extract the relevant char-acteristic information from the sample, apattern classification engine that providesa measure of similarity between a knownsample and the new sample, and somedecision logic to finally decide whether

Computer Fraud & Security September 2005

Biometrics – The promiseversus the practiceNathan Clarke and Steven Furnell, Network Research Group, Schoolof Computing, Communications & Electronics, University ofPlymouth, Plymouth, UK

The term biometrics has been hard to escape recently, with numer-ous articles being published discussing the advantages and disadvan-tages of the technology1,2. Much of this discussion has come aboutdue to the level of research and interest shown in large scale imple-mentations of the technology by the US and UK Governments3,4 andEuropean Union.5 However, few articles to date have discussed thefundamental operation of biometrics and the subsequent issues thatarise when developing a biometric technique. This article focusesupon describing the biometric process from a lower level of abstrac-tion, and introduces a number of design features that play an inher-ent role in the security provided by a biometric approach.

Figure 1 : The Generic Biometric Process

this level of similarity is sufficient or not.At face value, this might not seem anoverly complex problem to solve, butunfortunately the devil is always in thedetail. Additionally, many of the issuesalso have a subsequent knock-on effecton the next process. For instance, issuesconcerning what sensor resolution isrequired for capturing samples has aknock-on effect on how much informa-tion can be extracted from the resultantsample. That said a key decision in whatand how much information should beextracted is dependant upon the unique-ness of the data and the capability of theclassification process. Utilising too muchinformation will simply over complicatethe pattern classification engine required,increasing cost, time to execute and stor-age. Using too little information willlimit the ability to classify between sam-ples, leading to difficulties when attempt-ing to classify for large sample popula-tions. Finally, having identified somelevel of similarity between samples, it isnecessary to apply some decision logic todetermine whether access should be per-mitted or rejected. But what level of sim-ilarity is sufficient? Setting the thresholdof acceptability too low will result insecurity being compromised, but set ittoo high and the usability will beimpaired, as the system continuallyrejects the authorized user. These issues,amongst others, are key to biometric sys-tems and will be discussed in the forth-coming sections.

How much information toextract?Although the sensor is simply a methodby which a biometric sample can be cap-tured, the level of complexity andsophistication required is dependentupon the data extraction process. Assuch, many biometric systems will onlyoperate with specific sensor hardware,whether this is fingerprint sensors, facialrecognition cameras or hand geometryhardware. The principal reason for this isto reduce the errors relating to failure toenrol and acquire samples, which wouldoccur when the feature extractionprocess is unable to extract sufficient

information due to poor sample capture.Of course, in the majority of these casesa specialised biometric sensor is requiredto capture the sample in any case, butthe need to specifically utilise a particu-lar product for use with an individualbiometric limits the availability andchoice of hardware, with system design-ers forced to purchase the hardware sug-gested and often provided by the bio-metric vendor. Moreover, should the sys-tem designer decide to adopt a different(propriety) algorithm for the biometricprocess in the future, they would alsohave to replace all the hardware. Morerecent efforts have gone into providingalgorithms that can perform the biomet-ric process independently of specifichardware through providing standardisedinterfaces, enabling implementations tochoose from a range of devices. Thispoint highlights the lack of maturity andstandardisation that exists within muchof the biometrics industry, which havetraditionally focussed upon designingbespoke solutions for clients, with fewlarge scale implementations to date.The data extraction process is an impor-tant step and often determines the com-plexity of the pattern classification stage.Certain biometrics samples lend them-selves to little data extraction effort, suchas hand geometry, where the sensor pro-vides data from which the data extrac-tion process can calculate the requiredfinger and/or hand measurements.9

Keystroke analysis is another example,where the sensor provides timing infor-mation from which the data extractionprocess calculates inter-keystroke andhold-time latencies.10 More often thannot however, the data extraction processis far more complex. A facial recognitiontechnique can utilise a standard cameraas the sensor, which provides an imageto the data extraction process. Althoughthe exact details of the data extractionprocess (and indeed the pattern classifi-cation process) are proprietary, theextraction process needs to extract andcompute the unique information fromthe image. This is often measurementssuch as the distance between the eyes,the eyes and nose, and length of the

mouth.11 In order to extract such infor-mation, such features need to be identi-fied within the image, which has givenrise to a number of location-based searchalgorithms. The effectiveness of suchsearch algorithms vary depending uponlighting conditions, image resolution,facial orientation and size, with moresophisticated approaches using threedimensional modelling. Having such awide range of factors to consider is notlimited to facial recognition, with manyother biometrics facing similar challenges. It is the assumptions that areplaced upon these factors that can oftendegrade the performance and/or usabilityof a technique.

Key criteria for what data to extract ingeneral from a biometric sample are:

• Feature invariance – to ensure thecharacteristic features that are extractedare time and environment invariant. Ifa fingerprint were to change periodi-cally, or a facial recognition systemwere to require a sunny day in order tocapture the image, then the biometricsystem would have difficulty in main-taining security and usability.

• Maximise information – reduce theamount of data and ensure only fea-tures that contribute to “uniqueness”are extracted. This also helps inreducing the number of features thepattern classification process needs tocope with, thus reducing the com-plexity of the system.

• Liveness Test – this is a more recentaddition to the criteria, based upondeficiencies experienced in earlierbiometric systems, and requires datato be extracted to determine the live-ness of the sample. Weaknesses havebeen identified in fingerprint systemsthat merely require an unauthoriseduser to gently breathe upon the sen-sor to generate a viable sample12.This was possible due to residualprints from oils in the skin remain-ing on the sensor after an authorizedperson had used it.

• Ensure the feature extraction processis a one-way function – biometricsystems store the extracted features of

BIOMETRICS

13September 2005 Computer Fraud & Security

BIOMETRICS

14Computer Fraud & Security September 2005

a user during the enrolment process.It is important for privacy and secu-rity reasons that the original samplecannot be reproduced from thisinformation.

The output of the feature extractionprocess is a feature vector containing allthe discriminative information.

Fuzzy classificationMuch of the power and capability of abiometric technique comes down to thepattern classification engine, and its abil-ity to successfully discriminate betweenuser’s samples. The field of pattern classi-fication is certainly not new, nor specificto biometrics, and has been used to solveall manner of problems in a wide rangeof industries. The operation of a patternclassification process for biometrics is tocompare two feature vectors and providea measure of similarity. Figure 2 illus-trates a simplistic two dimensional repre-sentation of the problem, with the classi-fication process required to provide ahigh level of similarity for samples thatappear to share similar characteristics andreject those with less similarity. It wouldnot be difficult to imagine how thisproblem increases in complexity givenlarge feature vectors, which exponentiallyincreases the feature space available. In order to achieve this numerous tech-nologies have been utilised, such as min-imal distance techniques, probabilistic

methods and neural networks.13 Ofthese, neural network based approachesare the newer technology and are beingincreasingly implemented as they areseen to perform better. Essentially theneural networks have the capability tolearn given feature vectors from theauthorized user and impostors, so thatthe network knows what types of featurevector to accept and reject. There are,however, a large number of considera-tions and issues associated with the useof neural networks, such as:

• Network configuration – size ofneural network determines its classi-fication ability, with the risk of bothoverly complex or too simple net-works failing to provide the perfor-mance required. Issues concerningtraining, storage and computationcapability are all key concerns.Optimising neural networks is a timeconsuming and computationallyintensive task – particularly ifapplied to large population sizes.

• Availability, suitability and storage ofimpostor data. In order to optimisethe neural network, the best impostordata to utilise is that which closelyresembles (but is not identical to) theauthorised users’ data. For example,given Figure 2, ideal impostor data totrain from would be located aroundthe dotted circle of the authorised user.

Using data which holds no relation tothe authorised user’s data is simplyincreasing the complexity and trainingtime of the classification algorithm.

A compounding problem is that theoutput from the data extraction process ishighly unlikely to ever produce an identi-cal feature vector even with the same per-son providing the sample. Due to noisein the sensor and feature extractionprocess, the resultant feature vector isoften completely unique. It does (orshould) however, have closer similaritieswith the user’s own samples than withthose of other users. Although this canhelp in ensuring replay attacks do notoccur by simply rejecting any feature vec-tor that has appeared previously, it doeshighlight the problem the classificationprocess has in discriminating betweensamples. Feature vectors from differentusers are on occasion similar – the degreeto which this occurs can depend on boththe biometric technique being utilisedand the individual biometric vendors,with their own specific proprietary algo-rithms for pattern classification whichvary in their performance.

Similarity – decision time!Depending upon the biometric process,the decision logic itself can be an inherentpart of the pattern classification process,or an additional self-contained process.The output of pattern classification stagecan vary, but can typically be evaluated tosome numerical value of similaritybetween 0-1. It is the task of the decisionlogic to determine whether this value issufficient for access or not through thedefinition of a threshold level. Above thislevel, the sample is accepted, while belowit is rejected. Much of the literature dis-cussing biometrics introduces the issue ofperformance, defining the problems offalse acceptance and false rejection errorrates (FAR and FRR) and illustrating theirrelationships using a characteristic plot asillustrated in Figure 3a. It is indeed truethat the rate at which impostors areaccepted into a system (FAR) and the rateat which authorised users are rejected(FRR) tend to share a mutually exclusiverelationship. However, this actual relation-ship and the choice of threshold value areFigure 2: The Classification Problem

BIOMETRICS

15September 2005 Computer Fraud & Security

neither as clear-cut nor as simple as por-trayed in Figure 3a.

The reality of the system is that the FARand FRR convey very uncharacteristicrelationships which can vary significantlybetween users. To illustrate this point, letssay the threshold level had been set at thepoint at which the FAR and FRR meet,referred to as the Equal Error Rate (EER)in Figure 3a, which the system designerhad deemed appropriate given the tradeoff between security and user convenience.If we introduce individual users’ character-istic plots, illustrated in Figures 3b and 3c,then it can be seen that the previousthreshold setting is not ideal for eitheruser. For the user displaying the character-istics in Figure 3b, this choice in thresholdlevel will result in a high level of userinconvenience and a higher level of securi-ty than was deemed appropriate by thesystem designer. For the user in Figure 3c,the level of security provided will be farlower than the system designer had set. So

how does this threshold level get set inpractice? There are only two choices, youeither set a system-wide setting where allauthentications are compared against thesame level for all users, or set individualthreshold levels for all users (with the lat-ter obviously providing a more optimisedconfiguration than the former). Givenappropriate risk analysis and knowledge ofthe performance characteristics it wouldbe possible to define a system-wide thresh-old level that is appropriate to meet thesecurity requirements of the system givena defined level of user inconvenience.Setting such a level on an individual basisis a far larger problem, in terms of thetime taken to set such a parameter, andwho will have the authority to set it.Remembering it is the threshold level thatends up being the key to the biometricsystem – a poorly selected threshold levelcan remove any security the biometrictechnique is deemed to have.

Given this problem, time and efforthas been put into finding methods of

normalising the output of the patternclassification process – so that an outputvalue of 0.6 means the same across apopulation of users. Other efforts havegone into finding methods of automat-ing the threshold decision based on anumber of authorised and impostor sam-ples – determining the performance ofthe biometric technique for each andevery user. At present most systemsimplement a number of sensitivity levelsthat the system designer can alter, so if auser is having difficult authenticatingthemselves the sensitivity can be reduced(and in fact, be continually reduced untilthe user is able to authenticate them-selves). However by doing this, what hasbeen done to the level of security provid-ed by the technique? It has obviouslybeen reduced for that particular user, butby how much? At this stage of imple-mentation it is not possible to go to thenice performance plots as described inFigure 3, the system designer is left withlittle to no idea of the performance they

Figure 3: The Relationship between key performance parameters

BIOMETRICS

16Computer Fraud & Security September 2005

could expect from this system should itbe attacked.

Practical implementationsto dateOne of the largest practical evaluations ofbiometric techniques to date has beenundertaken by the UK Passport service(UKPS).14 With the advent of a nationalidentification system and the requirementfrom the US to incorporate biometricinformation within passports, the studysought to evaluate the usability of suchtechnology. Although the published mate-rial provided by the UKPS explicitly stat-ed that this was not a technology study toassess the performance of biometric tech-niques, the findings do raise a number ofinteresting points that reiterate some ofthe previous issues that were highlighted.A sample population of 10,016 users wasused in the study, which sought to test theprocesses and assess attitudes and opinionsregarding the user experience. The threebiometric techniques they utilised werefacial, iris and fingerprint. Three of the 10recommendations from the study arehighlighted below:

• The camera should be manoeuvrableenough to allow it to be positioned toaccommodate wheelchair users andothers for whom the current arrange-ments limit access. Environmentdesign needs to ensure that the cameraheight can cater for full height rangefound in the UK population.

• Applicants need to remove any head-wear before facial enrolment.

• The verification process should allow alimited number of further attempts topass verification when the first attemptfails.

Each of the recommendations highlights akey problem with each stage of the bio-metric process: the inadequacies of sensortechnology in capturing the sample; theinability to extract the features from sam-ples with unforeseen additions such asheadwear, and even having extracted theinformation, the inability for the patternclassification to correctly authenticate theuser. This final recommendation has

another more worrying aspect in that,every time a user is permitted to re-verifythemselves after having been rejected, thesecurity of the system diminishes as theyare given another chance.

Concluding thoughtsThe aim of this article was to describe theunderlying mechanisms at work withinbiometrics and identify the complicationsthat are inherent within such systems. Itis considered that although biometricswill not provide a panacea for ourauthentication needs they will certainlyhave a strong role to play. Indeed, giventhe three forms of authentication, bio-metrics offers one of the most promisingpossibilities. However, further workneeds to focus upon developing moreintelligent and robust algorithms that arecapable of dealing with the large numberof variables that exist. Such issues need tobe addressed before widespread adoptionof biometrics will provide the level ofsecurity and usability that one wouldexpect from such a system.

About the authorsDr Nathan Clarke is a lecturer within theNetwork Research Group at the University ofPlymouth, where he previously completed aPhD on the topic of advanced user authenti-cation for mobile devices. His research hasgiven specific consideration to the use andapplicability of biometrics in this context, aswell as the practical implementation andevaluation of a range of related techniques.Dr Steven Furnell is the head of the NetworkResearch Group at the University ofPlymouth, UK, and an Adjunct AssociateProfessor with Edith Cowan University,Western Australia. His research has includedseveral projects in the biometrics area, partic-ularly in relation to keystroke analysis on PCsand mobile devices. Related papers can beobtained from www.plymouth.ac.uk/nrg.

References1 Furnell, S. and Clarke, N. 2005.

“Biometrics – No Silver Bullets”,Computer Fraud & Security, August2005, pp9-14.

2 Fussell, R. 2005. “Authentication:The Development of Biometric

Access Control”. The ISSA Journal.July 2004, pp24-27.

3 Home Office. 2005. Identity Cards.United Kingdom Home Office.http://www.homeoffice.gov.uk/com-race/identitycards/

4 US Department of State. “BiometricPassport Procurement MovesForward”. US Department of State.http://www.state.gov/r/pa/prs/ps/2004/34423.htm

5 IDABC. 2004. “EU VisaInformation System gets go-ahead”.eGovernment News. IDABC.http://europa.eu.int/idabc/en/docu-ment/2186/330

6 Cope, B. 1990. “Biometric Systemsof Access Control”,Electrotechnology, April/May: 71-74.

7 Gordon, L.A., Loeb, M.P., Lucyshyn,W. and Richardson, R. 2005. TenthAnnual CSI/FBI Computer Crimeand Security Survey. ComputerSecurity Institute.

8 “How is 'Biometrics' Defined?”,International Biometric Group.http://www.biometricgroup.com/reports/public/reports/biometric_definition.html

9 “Hand Geometry”,BiometricsInfo.org, http://www.bio-metricsinfo.org/handgeometry.htm.

10 Clarke, N.L, Furnell, S.M., Lines,B.M. and Reynolds, P.L. 2003. “UsingKeystroke Analysis as a Mechanism forSubscriber Authentication on MobileHandsets”, in Security and Privacy inthe age of uncertainty, D.Gritzalis et a.(eds), Kluwer Academic Publishers,pp97-108.

11 Kung, S., Mak, M., Lin, S. 2004.“Biometric authentication by face recog-nition”, in Biometric Authentication: AMachine Learning Approach. PrenticeHall, New Jersey, pp241-277.

12 Reid, P. 2004. Biometrics forNetwork Security. Prentice Hall.

13 Kung, S., Mak, M., Lin, S. 2004.Biometric Authentication: AMachine Learning Approach.Prentice Hall, New Jersey

14 UK Passport Service. 2005.Biometric Enrolment Trial. UKPS.http://www.passport.gov.uk/down-loads/UKPSBiometrics_Enrolment_Trial_Report.pdf