The History Of Biometric Authentication Systems


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

People have recognized each other by their various characteristics for ages. We recognize others by their face when we meet them and by their voice as we speak to them. Identity verification (authentication) in computer systems has traditionally been based on something that one has (key, magnetic or chip card) or one knows (PIN, password). Things like keys or cards, however, tend to get stolen or lost and passwords are often forgotten or disclosed.

To achieve more reliable verification or identification we should use something that really characterizes the given person. Biometrics offer automated methods of identity verification or identification on the principle of measurable physiological or behavioral characteristics such as a fingerprint or a voice sample. The characteristics are measurable and unique. These characteristics should not be duplicable, but it is unfortunately often possible to create a copy that is accepted by the biometric system as a true sample. This is a typical situation where the level of security provided is given as the amount of money the impostor needs to gain unauthorized access. There are biometric systems where the estimated amount required is as low as $100 as well as systems where at least a few thousand dollars are necessary.

Biometric systems can be used in two different modes. Identity verification occurs when the user claims to be already enrolled in the system (presents an ID card or login name); in this case the biometric data obtained from the user is compared to the user's data already stored in the database. Identification (also called search) occurs when the identity of the user is a priori unknown. In this case the user's biometric data is matched against all the records in the database, as the user can be anywhere in the database or he/she actually does not have to be there at all.

It is evident that identification is technically more challenging and costly. Identification accuracy generally decreases as the size of the database grows. For this reason records in large databases are categorized according to a sufficiently discriminating characteristic in the biometric data. Subsequent searches for a particular record are then carried out within a small subset only. This lowers the number of relevant records per search and increases the accuracy (if the discriminating characteristic was properly chosen).

Before the user can be successfully verified or identified by the system, he/she must be registered with the biometric system. The user's biometric data is captured, processed and stored. As the quality of this stored biometric data is crucial for further authentications, there are often several (usually 3 or 5) biometric samples used to create the user's master template. The process of the user's registration with the biometric system is called enrollment.
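The three operations described above (enrollment from several samples, one-to-one verification, and one-to-many identification over a database binned by a discriminating characteristic) are sketched below as an added example that is not part of the original essay. The feature vectors, the threshold, the pattern-class bins and the per-comparison false-accept rate are constructed values, and the false-match formula assumes independent comparisons.

```python
# Added illustration: templates are short constructed vectors, not real biometric data.
import math

THRESHOLD = 0.25  # assumed maximum distance for a match


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def enroll(db, user_id, pattern_class, samples):
    """Average several captured samples into one master template."""
    master = [sum(col) / len(samples) for col in zip(*samples)]
    db[user_id] = (pattern_class, master)


def verify(db, claimed_id, sample):
    """One-to-one: compare only against the claimed identity's template."""
    if claimed_id not in db:
        return False
    return distance(db[claimed_id][1], sample) <= THRESHOLD


def identify(db, sample, pattern_class=None):
    """One-to-many: search every record, or only one bin if a class is given.
    Returns (best matching id or None, number of comparisons performed)."""
    best_id, best_d, compared = None, THRESHOLD, 0
    for uid, (cls, template) in db.items():
        if pattern_class is not None and cls != pattern_class:
            continue  # record lies outside the selected bin
        compared += 1
        d = distance(template, sample)
        if d <= best_d:
            best_id, best_d = uid, d
    return best_id, compared


def false_match_probability(far, n_records):
    """P(at least one false match) over n independent comparisons."""
    return 1 - (1 - far) ** n_records


def build_demo_db():
    db = {}
    enroll(db, "alice", "loop", [[0.10, 0.80, 0.30], [0.12, 0.78, 0.33], [0.08, 0.82, 0.27]])
    enroll(db, "bob", "whorl", [[0.70, 0.20, 0.90], [0.72, 0.18, 0.88], [0.68, 0.22, 0.92]])
    enroll(db, "carol", "loop", [[0.40, 0.50, 0.60], [0.42, 0.48, 0.62], [0.38, 0.52, 0.58]])
    return db


if __name__ == "__main__":
    db = build_demo_db()
    probe = [0.11, 0.79, 0.31]  # constructed fresh capture from "alice"
    print(verify(db, "alice", probe), verify(db, "bob", probe))
    print(identify(db, probe), identify(db, probe, "loop"), identify(db, probe, "whorl"))
    print(false_match_probability(0.001, 1000), false_match_probability(0.001, 10))
```

Searching the wrong bin misses the enrolled user entirely, which is the cost of a poorly chosen or misclassified discriminating characteristic; searching fewer records lowers the chance of a false match.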

1.1 What are biometric systems?

(Biometric comes originally from the Greek words "bio" (life) and "metric" (to measure).)

Biometrics are automated methods of identifying a person or verifying the identity of a person based on a physiological or behavioral characteristic. Examples of physiological characteristics include hand or finger images, facial characteristics, and iris recognition. Behavioral characteristics are traits that are learned or acquired. Dynamic signature verification, speaker verification, and keystroke dynamics are examples of behavioral characteristics.

Biometric authentication requires comparing a registered or enrolled biometric sample (biometric template or identifier) against a newly captured biometric sample (for example, a fingerprint captured during a login). During enrollment, as shown in the picture below, a sample of the biometric trait is captured, processed by a computer, and stored for later comparison.

Biometric recognition can be used in Identification mode, where the biometric system identifies a person from the entire enrolled population by searching a database for a match based solely on the biometric. For example, an entire database can be searched to verify a person has not applied for entitlement benefits under two different names. This is sometimes called "one-to-many" matching. A system can also be used in Verification mode, where the biometric system authenticates a person's claimed identity from their previously enrolled pattern. This is also called "one-to-one" matching. In most computer access or network access environments, verification mode would be used. A user enters an account, user name, or inserts a token such as a smart card, but instead of entering a password, a simple touch with a finger or a glance at a camera is enough to authenticate the user.

2 Five types (techniques) of biometric systems

There are lots of biometric types (techniques) available nowadays. A few of them are in the stage of the research only (e.g. the odor analysis), but a significant number of technologies is already mature and commercially available (at least ten different types of biometrics are commercially available nowadays: fingerprint, finger geometry, hand geometry, palm print, iris pattern, retina pattern, facial recognition, voice comparison, signature dynamics and typing rhythm).

2.1 Fingerprint technologies

Fingerprint identification is perhaps the oldest of all the biometric techniques. Fingerprints were already used in ancient China as a means of positively identifying a person as the author of a document. Their use in law enforcement since the last century is well known and actually led to an association fingerprint = crime. This caused some worries about the user acceptance of fingerprint-based systems. The situation improves as these systems spread around and become more common.

Systems that can automatically check details of a person's fingerprint have been in use since the 1960s by law enforcement agencies. The U.S. Government commissioned a study by Sandia Labs to compare various biometric technologies used for identification in the early seventies. This study concluded that the fingerprint technologies had the greatest potential to produce the best identification accuracy. The study is quite outdated now, but it turned the research and development focus on the fingerprint technology since its release.

Fingerprint readers

Before I can proceed any further I need to obtain the digitalized fingerprint. The traditional method uses ink to get the fingerprint onto a piece of paper. This piece of paper is then scanned using a traditional scanner. This method is used only rarely today: when an old paper-based database is being digitalized, when a fingerprint found at the scene of a crime is being processed, or in law enforcement AFIS systems. Otherwise modern live fingerprint readers are used. They do not require ink anymore. These live fingerprint readers are most commonly based on optical, thermal, silicon or ultrasonic principles.

Fingerprint processing

Fingerprints are not compared and usually also not stored as bitmaps. Fingerprint matching techniques can be placed into two categories: minutiae-based and correlation-based. Minutiae-based techniques find the minutiae points first and then map their relative placement on the finger. Minutiae are individual unique characteristics within the fingerprint pattern such as ridge endings, bifurcations, divergences, dots or islands (see the picture below). In recent years automated fingerprint comparisons have most often been based on minutiae.

[Figure: fingerprint pattern types: loop, arch, whorl. Source: Digital Persona [4]]

The loop is the most common type of fingerprint pattern and accounts for about 65% of all prints. The arch pattern is a more open curve than the loop. There are two types of arch patterns: the plain arch and the tented arch. Whorl patterns occur in about 30% of all fingerprints and are defined by at least one ridge that makes a complete circle.

The problem with minutiae is that it is difficult to extract the minutiae points accurately when the fingerprint is of low quality. This method also does not take into account the global pattern of ridges and furrows. The correlation-based method is able to overcome some of the difficulties of the minutiae-based approach. However, it has some shortcomings of its own. Correlation-based techniques require the precise location of a registration point and are affected by image translation and rotation.

The readability of a fingerprint depends on a variety of work and environmental factors. These include age, gender, occupation and race. A young, female, Asian mine-worker is seen as the most difficult subject. A surprisingly high proportion of the population has missing fingers, with the left forefinger having the highest percentage at 0.62% (source: [10]).

2.2 Face

Facial recognition is the most natural means of biometric identification.

The method of distinguishing one individual from another is an ability of virtually every human. Until recently, facial recognition had never been treated as a science.

Any camera (with a sufficient resolution) can be used to obtain the image of the face. Any scanned picture can be used as well. Generally speaking, the better the image source (i.e. camera or scanner) the more accurate results we get. Facial recognition systems usually use only the gray-scale information. Colors (if available from the image source) are used only as a help in locating the face in the image. The lighting conditions required are mainly dependent on the quality of the camera used. In poor lighting conditions, individual features may not be easily discernible. There are even infrared cameras that can be used with facial recognition systems.

Most facial recognition systems require the user to stand a specific distance away from the camera and look straight at the camera. This ensures that the captured image of the face is within a specific size tolerance and keeps the features (e.g., the eyes) in as similar a position each time as possible.

2.3 Retina

Retina scan is based on the blood vessel pattern in the retina of the eye. Retina scan technology is older than the iris scan technology that also uses a part of the eye. The first retinal scanning systems were launched by EyeDentify in 1985.

The main drawback of the retina scan is its intrusiveness. The method of obtaining a retina scan is personally invasive. A laser light must be directed through the cornea of the eye. Also the operation of the retina scanner is not easy. A skilled operator is required and the person being scanned has to follow his/her directions.

A retina scan produces at least the same volume of data as a fingerprint image. Thus its discrimination rate is sufficient not only for verification, but also for identification. In practice, however, retina scanning is used mostly for verification. The size of the eye signature template is 96 bytes.

The retinal scanning systems are said to be very accurate. For example, EyeDentify's retinal scanning system has reputedly never falsely verified an unauthorized user so far. The false rejection rate, on the other hand, is relatively high as it is not always easy to capture a perfect image of the retina.

Retinal scanning is used only rarely today because it is not user friendly and still remains very expensive. Retina scan is suitable for applications where high security is required and the user's acceptance is not a major aspect. Retina scan systems are used in many U.S. prisons to verify the prisoners before they are released.

2.4 Hand geometry

Hand geometry is based on the fact that nearly every person's hand is shaped differently and that the shape of a person's hand does not change after a certain age. Hand geometry systems produce estimates of certain measurements of the hand such as the length and the width of fingers. Various methods are used to measure the hand. These methods are most commonly based either on a mechanical or an optical principle. The latter ones are much more common today.

Optical hand geometry scanners capture the image of the hand and, using an image edge detection algorithm, compute the hand's characteristics. There are basically 2 sub-categories of optical scanners. Devices from the first category create a black-and-white bitmap image of the hand's shape. This is easily done using a source of light and a black-and-white camera. The bitmap image is then processed by the computer software. Only 2D characteristics of the hand can be used in this case. Hand geometry systems from the other category are more sophisticated. They use special guide markings to position the hand better and have two (both vertical and horizontal) sensors for the hand shape measurements. So, sensors from this category handle data from all three dimensions.

Hand geometry scanners are easy to use. Where the hand must be placed accurately, guide markings have been incorporated and the units are mounted so that they are at a comfortable height for the majority of the population. Noise factors such as dirt and grease do not pose a serious problem, as only the silhouette of the hand shape is important. The only problem with hand geometry scanners is in the countries where the public do not like to place their hand down flat on a surface where someone else's hand has been placed.

2.5 DNA

DNA sampling is rather intrusive at present and requires a form of tissue, blood or other bodily sample. This method of capture still has to be refined. So far the DNA analysis has not been sufficiently automatic to rank the DNA analysis as a biometric technology. The analysis of human DNA is now possible within 10 minutes. As soon as the technology advances so that DNA can be matched automatically in real time, it may become more significant. At present DNA is very entrenched in crime detection and so will remain in the law enforcement area for the time being.

3 Comparison between Biometric Techniques (Types)

Biometrics      Universality  Uniqueness  Performance  Collectability  Performance  Acceptability  Circumvention
Fingerprint     M             H           H            M               H            M              H
Face            H             L           M            H               L            H              L
Retina          H             H           M            L               H            L              H
Hand Geometry   M             M           M            H               M            M              M
DNA             M             M           M            H               M            M              M

H-High, M-Medium, L-Low

4. ATTACKS ON BIOMETRIC SYSTEMS

4.1 Generic Security Threats

Any system (including biometric systems) is susceptible to various types of threats. These threats are discussed below:

i. Denial of Service: An adversary overwhelms computer and network resources to the point that legitimate users can no longer access the resources.

ii. Circumvention: An adversary gains access to data or computer resources that he may not be authorized to access.

iii. Repudiation: A legitimate user accesses the resources offered by an application and then claims that an intruder had circumvented the system.

iv. Covert acquisition: An adversary compromises and abuses the means of identification without the knowledge of a legitimate user.

v. Collusion: In any system, there are different user privileges. Users with super-user privileges have access to all of the system's resources. Collusion occurs when a user with super-user privileges abuses his privileges and modifies the system's parameters to permit incursions by an intruder [4].

vi. Coercion: A legitimate user is forced to give an intruder access to the system. For example, an ATM user could be forced to give away her ATM card and PIN at gunpoint.

4.2 Biometric security threats

Figure 1 shows biometric system modules and nine different points of attack. These points of attack are discussed below.

i. Type 1: This point of attack is known as "Attack at the scanner". In this attack, the attacker can physically destroy or fake the recognition scanner and cause a denial of service as described.

ii. Type 2: This point of attack is known as "Attack on the channel between the scanner and the feature extractor" or "Replay attack". In this attack, the attacker intercepts the communication channel between the scanner and the feature extractor to steal biometric traits and store them somewhere. The attacker can then replay the stolen biometric traits to the feature extractor to bypass the scanner.

iii. Type 3: This point of attack is known as "Attack on the feature extractor module". In this attack, the attacker can replace the feature extractor module with a Trojan horse [6]. Trojan horses in general can be controlled remotely. Therefore, the attacker can simply send commands to the Trojan horse to send to the matcher module feature values selected by him.

iv. Type 4: This point of attack is known as "Attack on the channel between the feature extractor and matcher". This attack is similar to the attack described. The difference is that the attacker intercepts the communication channel between the feature extractor and the matcher to steal feature values of a legitimate user and replay them to the matcher at a later time.

v. Type 5: This point of attack is known as "Attack on the matcher". This attack is similar to the attack described. The difference is that the attacker replaces the matcher with a Trojan horse. The attacker can send commands to the Trojan horse to produce high matching scores and send a "yes" to the application to bypass the biometric authentication mechanism. The attacker can also send commands to the Trojan horse to produce low matching scores and send a "no" to the application all the time, causing a denial of service.

vi. Type 6: This point of attack is known as "Attack on the system database". In this attack, the attacker compromises the security of the database where all the templates are stored. Compromising the database can be done by exploiting a vulnerability in the database software or cracking an account on the database. Either way, the attacker can add new templates, modify existing templates or delete templates.

vii. Type 7: This point of attack is known as "Attack on the channel between the system database and matcher". In this attack, the attacker intercepts the communication channel between the database and matcher to either steal and replay data or alter the data.

viii. Type 8: This point of attack is known as "Attack on the channel between the matcher and the application". In this attack, the attackers intercept the communication channel between the 256X256 and resolution is set to 72 dpi. Two types of tests are performed on the database, during Test1 50 different images to be encrypted, 50 different passwords and 50 fingerprint templates are considered. During Test2 results are analyzed on 50 different images and 50 different passwords and with one fingerprint template. Discussed below is the result analysis from both the tests.
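One way a receiving module can detect the replay described for the Type 2 and Type 4 channels, as an added example that is not part of the original essay: the receiver issues a one-time nonce and the sender returns a MAC computed over the nonce and the data. The shared key, the class and function names and the sample bytes are assumptions made for illustration.

```python
# Added illustration: scanner and feature extractor share a secret key (assumption).
import hashlib
import hmac
import secrets


class FeatureExtractor:
    """Receiving side: issues one-time nonces, rejects reused or forged messages."""

    def __init__(self, key):
        self._key = key
        self._pending = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)  # fixed length keeps nonce + sample unambiguous
        self._pending.add(nonce)
        return nonce

    def accept(self, nonce, sample, tag):
        if nonce not in self._pending:
            return "rejected: unknown or replayed nonce"
        self._pending.discard(nonce)  # each nonce is usable exactly once
        expected = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad MAC"
        return "accepted"


class Scanner:
    """Sending side: binds the captured sample to the receiver's nonce."""

    def __init__(self, key):
        self._key = key

    def capture(self, nonce, sample):
        tag = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        return nonce, sample, tag


def run_demo():
    key = secrets.token_bytes(32)
    scanner, extractor = Scanner(key), FeatureExtractor(key)
    sample = b"constructed-sample-bytes"  # stands in for a captured biometric sample
    message = scanner.capture(extractor.challenge(), sample)
    first = extractor.accept(*message)
    replayed = extractor.accept(*message)  # identical bytes presented a second time
    fresh_nonce = extractor.challenge()
    stale = extractor.accept(fresh_nonce, message[1], message[2])  # old tag, new nonce
    return first, replayed, stale


if __name__ == "__main__":
    print(run_demo())
```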


