INTRODUCTION

Biometrics is the technique of using unique, non-transferable,

physical characteristics, such as fingerprints, to gain entry for
personal identification. This replaces pin codes and passwords, which
can be forgotten, lost or stolen. Biometric IDs cannot be transferred.
Biometrics are best defined as measurable physiological
and / or behavioral characteristics that can be utilized to verify the
identity of an individual. They are of interest in any area where it is
important to verify the true identity of an individual. Initially, these
techniques were employed primarily in specialist high security
applications, however we are now seeing their use and proposed use in
a much broader range of public facing situations. Biometrics measure
individuals' unique physical or behavioral characteristics to recognize
or authenticate their identity. Common physical biometrics include
fingerprints; hand or palm geometry; and retina, iris, or facial
characteristics. Behavioral characters include signature, voice (which
also has a physical component), keystroke pattern, and gait. Of this
class of biometrics, technologies for signature and voice are the most
developed. Now a days the biometrics technology is preferred by many
organization for the security purpose and in coming future we will see
the same technology in ATM machine, telephone transactions, internet
transactions and so on.
Biometrics are not a future technology, they are a current
technology, with a bigger role in the future. Biometrics will not to
replace passwords, swipe cards, or pin numbers etc, rather work with
them in enhancing security in a simple, reliable, and cost effective
way.

1
 WHAT IS BIOMETRICS

The security field uses three different types of authentication:

 something you know—a password, PIN, or piece of personal
information (such as your mother's maiden name);
 something you have—a card key, smart card, or token (like a
Secured card); and/or
 Something you are—a biometric.

Biometrics involve directly the human being for the

identification or verification. Traditionally many security system employ
the verification technique rather than the identification which is the
main aim of biometrics. Although it doesn’t totally remove the
pin/password but with that tool it provide a very tight security system.
Biometrics as said earlier uses the individual’s physical characteristics
to do its job like hand geometry, retina structure, palm size etc.
Biometrics involves different types of devices for that. Eg, fingerprint
scanner, iris reader etc. It make use of the genetic differences between
the two persons which is a universal truth. Every human being on the
earth have a unique identification and that are shown in their different
body organs. Biometrics picks up that particular peculiarity to
distinguish the two bodies, and that makes it so strong.

2
 HISTORY BEHIND BIOMETRIC SECURITY

In fact, the basic principles of biometric verification were understood

and practiced somewhat earlier. Thousands of years earlier to be
precise, as our friends in the Nile valley routinely employed biometric
verification in a number of everyday business situations. There are
many references to individuals being formally identified via unique
physiological parameters such as scars, measured physical criteria or a
combination of features such as complexion, eye colour, height and so
on. It is well known that some personnel traits are distinct to each
individual and so people can be identified on the basis of their physical
characteristics. Of course, they didn’t have automated electronic
biometric readers and computer networks (as far as we know), and
they certainly were not dealing with the numbers of individuals that we
have to accommodate today, but the basic principles were similar.
Alphonse Bertillon, Chief of the criminal identification division, police
department in France, Paris developed a detail method of identification
based on the number of bodily measurements and physical
descriptions. The Bertillon method of anthropometric identification
gained wide acceptance before finger print identification superseded it
.However such recognition is not limited to faces. For example friends
or relatives talking on telephone recognizes one another’s voices.
The most popular Biometrics Characteristics is the finger
print. Scientists know form the number of archeological artifacts that
ancient civilization such as those of Babylon and China recognized the
individuality of finger print impression. Even today in country such as
India where large segment of population is illiterate and can not sign
their names, thumbprint signature is considered legal signature.

3
Later, in the nineteenth century there was a peak of interest as
researchers into criminology attempted to relate physical features and
characteristics with criminal tendencies. This resulted in a variety of
measuring devices being produced and much data being collected. The
results were not conclusive but the idea of measuring individual
physical characteristics seemed to stick and the parallel development
of fingerprinting became the international methodology among police
forces for identity verification.

In parallel, other biometric methodologies such as fingerprint

verification were being steadily improved and refined to the point
where they would become reliable, easily deployed devices. In recent
years, we have also seen much interest in iris scanning and facial
recognition techniques which offer the potential of a non contact
technology, although there are additional issues involved in this
respect.

4
 METHODOLOGIES OF BIOMETRICS

RETINA

An established technology where the unique patterns of the

retina are scanned by a low intensity light source via an optical coupler
It involves analyzing the layer of blood vessels situated at the back of
the eye. Retinal scanning has proved to be quite accurate in use but
does require the user to look into a receptacle and focus on a given
point. This is not particularly convenient if you are a spectacle wearer
or have concerns about intimate contact with the reading device. For
these reasons retinal scanning has a few user acceptance problems
although the technology itself can work well.

IRIS

An iris-based biometric, on the other hand, involves analyzing

features found in the colored ring of tissue that surrounds the pupil.
Iris scanning, undoubtedly the less intrusive of the eye-related
biometrics, uses a fairly conventional ccd camera element and requires
no close contact between the user and the reader. In addition, it has
the potential for higher than average template-matching performance.
Iris biometrics work with glasses in place and is one of the few devices
that can work well in identification mode. Ease of use and system
integration have not traditionally been strong points with iris scanning
devices, but you can expect improvements in these areas as new
products emerge.

5
FACE
A technique which has attracted considerable interest and
whose capabilities have often been misunderstood . Face recognition
analyzes facial characteristics. It requires a digital camera to develop a
facial image of the user for authentication. It is one thing to match two
static images (all that some systems actually do - not in fact
biometrics at all), it is quite another to unobtrusively detect and verify
the identity of an individual within a group (as some systems claim). It
is easy to understand the attractiveness of facial recognition from the
user perspective, but one needs to be realistic in ones expectations of
the technology. To date, facial recognition systems have had limited
success in practical applications. However, progress continues to be
made in this area and it will be interesting to see how future
implementations perform. If technical obstacles can be overcome, we
may eventually see facial recognition become a primary biometric
methodology.

SIGNATURE
Signature verification devices have proved to be
reasonably accurate in operation and obviously lend themselves to
applications where the signature is an accepted identifier. Signature
verification analyzes the way a user signs her name. Signing features
such as speed, velocity, and pressure are as important as the finished
signature's static shape. Signature verification enjoys a synergy with
existing processes that other biometrics do not. People are used to
signatures as a means of transaction-related identity verification, and
most would see nothing unusual in extending this to encompass
biometrics. Surprisingly, relatively few significant signature
applications have emerged compared with other biometric

6
methodologies. But if your application fits, it is a technology worth
considering.

VOICE
Voice authentication is not based on voice recognition but on
voice-to-print authentication, where complex technology transforms
voice into text. Voice biometrics has the most potential for growth,
because it requires no new hardware—most PCs already contain a
microphone. However, poor quality and ambient noise can affect
verification. In addition, the enrollment procedure has often been more
complicated than with other biometrics, leading to the perception that
voice verification is not user friendly. Therefore, voice authentication
software needs improvement. One day, voice may become an additive
technology to finger-scan technology. Because many people see finger
scanning as a higher authentication form, voice biometrics will most
likely be relegated to replacing or enhancing PINs, passwords, or
account names.

HAND RECOGNITION

Hand geometry is concerned with measuring

the physical characteristics of the users hand and fingers, Hand
Geometry scanning systems scan the size, length, thickness and
surface of a user’s hand (including fingers), in order to verify the user.
Unlike other biometrics, such as fingerprints and retina scanning, hand
geometry cannot be guaranteed as unique; hence, hand geometry is
not an identification technique, but rather a verification technique.
Hand reader machines require the user to first swipe their ID
card through the machine, or enter their pin number. Based on the

7
result from this, the hand geometry data for that person is retrieved
from a database. The user is then required to place their hand into the
reader machine, which has pegs inside to separate the fingers. A scan
of the hand is taken and is matched against the hand geometry data
retrieved from the database. Assuming the verification is complete;
the user is allowed access to the area in question.
Hand geometry verification is widely used today, especially in
airports and military centers. This methodology may be suitable where
we have larger user bases or users who may access the system
infrequently and may therefore be less disciplined in their approach to
the system.

FINGERPRINT VERIFICATION

A fingerprint looks at the patterns found

on a fingertip. There are a variety of approaches to fingerprint
verification. Some emulate the traditional police method of matching
minutiae; others use straight pattern-matching devices; and still
others are a bit more unique, including things like moiréfringe patterns
and ultrasonics. Some verification approaches can detect when a live
finger is presented; some cannot.
Fingerprint verification may be a good choice for in
house systems where adequate explanation and training can be
provided to users and where the system is operated within a controlled
environment. It is not surprising that the workstation access
application area seems to be based almost exclusively around
fingerprints, due to the relatively low cost, small size (easily integrated
into keyboards) and ease of integration

8
 HOW THE SYSTEM WORKS

Whilst individual biometric devices and systems have their own

operating methodology, there are some generalisations one can make
as to what typically happens within a biometric systems
implementation.

1. Obviously, before we can verify an individuals identity via a

biometric we must first capture a sample of the chosen biometric. This
‘sample’ is referred to as a biometric template and is the reference
data against which subsequent samples provided at verification time
are compared. A number of samples are usually captured during
enrolment (typically three) in order to arrive at a truly representative
template via an averaging process. The template is then referenced
against an identifier (typically a PIN or card number if used in
conjunction with existing access control tokens) in order to recall it
ready for comparison with a live sample at the transaction point. The
enrolment procedure and quality of the resultant template are critical
factors in the overall success of a biometric application. A poor quality
template will often cause considerable problems for the user, often
resulting in a re-enrolment.

2. Template storage is an area of interest, particularly with large scale

applications which may accommodate many thousands of individuals.
The possible options are as follows;
1) Store the template within the biometric reader device.
2) Store the template remotely in a central repository.
3) Store the template on a portable token such as a chip card.

9
Option 1, storing the template within the biometric device has both
advantages and disadvantages depending on exactly how it is
implemented. The advantage is potentially fast operation as a
relatively small number of templates may be stored and manipulated
efficiently within the device. In addition, you are not relying on an
external process or data link in order to access the template. In some
cases, where devices may be networked together directly, it is possible
to share templates across the network.
The potential disadvantage is that the templates are somewhat
vulnerable and dependent upon the device being both present and
functioning correctly. If anything happens to the device, you may need
to re-install the template database or possibly re-enrol the user base.
Option 2, storing the templates in a central repository is the option
which will naturally occur to IT systems engineers. This may work well
in a secure networked environment where there is sufficient
operational speed for template retrieval to be invisible to the user.
However, we must bear in mind that with a large number of readers
working simultaneously there could be significant data traffic,
especially if users are impatient and submit multiple verification
attempts. The size of the biometric template itself will have some
impact on this, with popular methodologies varying between 9 bytes
and 1.5k. Another aspect to consider is that if the network fails, the
system effectively stops unless there is some sort of additional local
storage. This may be possible to implement with some devices, using
the internal storage for recent users and instructing the system to
search the central repository if the template cannot be found locally.
Option 3, storing the template on a token. This is an attractive option
for two reasons. Firstly, it requires no local or central storage of

10
templates (unless you wish to) and secondly, the user carries their
template with them and can use it at any authorised reader position.
However, there are still considerations. If the user is attracted to the
scheme because he believes he has effective control and ownership of
his own template (a strong selling point in some cases) then you
cannot additionally store his template elsewhere in the system. If he
subsequently loses or damages his token, then he will need to re-
enroll. Another consideration may be unit cost and system complexity
if you need to combine chip card readers and biometric readers at
each enrolment and verification position.
If the user base has no objection, you may wish to consider both on
token and central storage of templates (options 2 and 3) this could
provide fast local operation with a fallback position if the chip card
reading process fails for any reason or if a genuine user loses their
token and can provide suitable identity information. Your choice of
template storage may be dictated to some extent by your choice of
biometric device. Some devices offer greater flexibility than others in
this respect.

3. Verification. The verification process requires the user to claim an

identity by either entering a PIN or presenting a token, and then verify
this claim by providing a live biometric to be compared against the
claimed reference template. There will be a resulting match or no
match accordingly (the parameters involved will be discussed later
under performance measures). A record of this transaction will then be
generated and stored, either locally within the device or remotely via a
network and host (or indeed both).
With certain devices, you may allow the user a number of attempts at
verification before finally rejecting them if the templates do not match.

11
Setting this parameter requires some thought. On the one hand, you
want to provide every opportunity for a valid user (who may be having
difficulty using the system) to be recognised. On the other hand, you
do not want impostors to have too much opportunity to experiment.
With some systems, the reference template is automatically updated
upon each valid transaction. This allows the system to accommodate
minor changes to the users live sample as a result of ageing, local
abrasions etc. and may be a useful feature when dealing with large
userbases.

4. Transaction storage. This is an important area as you will certainly

wish to have some sort of secure audit trail with respect to the use of
your system. Some devices will store a limited number of transactions
internally, scrolling over as new transactions are received. This is fine
as long as you are confident of retrieving all such transactions before
the buffer fills up and you start losing them. In practice, this is unlikely
to be a problem unless you have severe network errors. In some
cases, you may wish to have each biometric device connected directly
to a local PC which may in turn be polled periodically (over night for
example) in order to download transactions to a central point. In either
case, you will probably wish to adopt a local procedure to deal with
error and exceptional conditions, which will in turn require some sort
of local messaging. This may be as simple as a relay closure in the
event of a failed transaction activating an annunciator of some
description.
What you do with this transaction data is another matter. You may
wish to analyse it via an existing reporting tool (if it is in a suitable
format) or perhaps write a custom application in order to show
transactions in real time as well as write them to a central database.

12
 PERFORMANCE MEASURES

False accepts, false rejects, equal error rates, enrolment and

verification times - these are the typical performance measures quoted
by device vendors (how they arrived at them is another matter). But
what do they really mean? Are these performance statistics actually
realized in real systems implementations? Can we accept them with
any degree of confidence?
False accept rates (FAR) indicate the likelihood that an
impostor may be falsely accepted by the system.
False reject rates (FRR) indicate the likelihood that the
genuine user may be rejected by the system. This measure of
template matching can often be manipulated by the setting of a
threshold, which will bias the device towards one situation or the other.
Hence one may bias the device towards a larger number of false
accepts but a smaller number of false rejects (user friendly) or a larger
number of false rejects but a smaller number of false accepts (user
unfriendly), the two parameters being mutually exclusive.
Somewhere between the extremes is the equal error point where the
two curves cross and which may represent a more realistic measure of
performance than either FAR or FRR.
These measures are expressed in percentage (of error
transactions) terms, with an equal error rate of somewhere around
0.1% being a typical figure. However, the quoted figures for a given
device may not be realized in practice for a number of reasons. These
will include user discipline, familiarity with the device, user stress,
individual device condition, the user interface, speed of response and
other variables. We must remember that vendor quoted statistics may
be based upon limited tests under controlled laboratory conditions,
supplemented by mathematical theory. They should only ever be

13
viewed as a rough guide and not relied upon for actual system
performance expectations.
This situation is not because vendors are trying to mislead
you (in most cases anyway) but because it is almost impossible to give
an accurate indication of how a device will perform in a limitless
variety of real world conditions.
Similarly, actual enrolment times will depend upon a number
of variables inherent in your enrolment procedure. Are the users pre-
educated? Have they used the device before? What information are
you gathering? Are you using custom software? How well trained is the
enrolling administrator? How many enrolment points will you be
operating? What other processes are involved? And so on. The vendors
cannot possibly understand these variables for every system and their
quoted figure will again be based upon their own in house experiences
under controlled conditions.
Verification time is often misunderstood as vendors will typically
describe the average time taken for the actual verification process,
which will not typically include the time taken to present the live
sample or undertake other processes such as the presentation of a
token or keying of a PIN. Consider also an average time for user error
and system response and it will be apparent that the end to end
verification transaction time will be nothing like the quoted figure.
Given the above, it will come as no surprise that biometric
device performance measures have sometimes become a contentious
issue when implementing real systems. In order to provide an
independent view a National Biometric Test Centre has been
established in the US with a similar facility recently announced in Hong
Kong. These centres are based at academic institutions and will over
time no doubt provide for some interesting views. However, this does

14
not necessarily mean that vendors will rush to conform with regard to
their quoted specifications and the method used to arrive at them. We
should therefore continue to view such specifications as a rough guide
and rely on our own trials and observations to provide a more
meaningful appraisal of overall performance.
As a side issue to the above, there is a question concerning the
uniqueness of biometric parameters such as fingerprints, irises, hands
and so forth. The degree of individuality or similarity within a userbase
will naturally affect performance to some degree. It is outside the
scope of this paper to examine this aspect in any detail, but suffice it
to say that no one has reliable data for the whole world and cannot
therefore say that any biometric is truly unique. What we can say is
that the probability of finding identical fingerprints, irises, hands etc.
within a typical userbase is low enough for the parameter in question
to be regarded as a reliable identifier. Splitting hairs maybe, but
beware of claims of absolute uniqueness - some individuals are similar
enough to cause false accepts, even in finely tuned systems.

15
 ACCURACY

There are wto parameters to judge the accuracy of the biometrics

system :false acceptance rate and false-rejection rate. Both methods
focus on the system's ability to allow limited entry to authorized users.
However, these measures can vary significantly, depending on how you
adjust the sensitivity of the mechanism that matches the biometric.
For example, you can require a tighter match between the
measurements of hand geometry and the user's template (increase
the sensitivity). This will probably decrease the false-acceptance rate,
but at the same time can increase the false-rejection rate. So be
careful to understand how vendors arrive at quoted values of FAR and
FRR.
Technology leaning toward the false reject protect any unauthorized
acceptance and hence become more widely taken while in the case of
false-acceptance sometimes an unauthorized person may got the
access permission which may be dangerous. Hence based on these two
variables the accuracy of the installed technology is measured.

16
 COMPARISION OF BIOMETRICS TECHNIQUES

Hand
Characteristic Fingerprints Retina Iris Face Signature Voice
Geometry
Ease of Use High High Low Medium Medium High High
Lighting,
Hand Noise,
Error Dryness, Poor age, Changing
injury, Glasses colds,
incidence dirt, age Lighting glasses, signatures
age weather
hair
Very Very
Accuracy High High High High High
High High
Cost * * * * * * *

User
Medium Medium Medium Medium Medium Medium High
acceptance

Required Very
High Medium High Medium Medium Medium
security level High

Long-term
High Medium High High Medium Medium Medium
stability

ADVANTAGES

17
 Biometric identification provide a unique identification.

 Biometrics is more reliable and efficient in distinguishing

between a specific individual and an imposter.

 Biometric identification protects customers against theft and

fraud.

 Identification of the individuals is based on the individual’s

unique physical and biological qualities that can not be traded,
shared, lost or stolen.

 Degree of the efficiency is too much in the biometric technique.

 The techniques like DNA profiling are highly reliable and efficient
that’s why it is going to be adopted widely.

 It is much efficient than the (PIN) personal identification number

or token-based authentication techniques.

 After all it can’t be forgotten or lost.

DISADVANTAGES

18
 Biometric system may not give an accurate identification.

 A Biometric system can establish an identity only to a certain

level of accuracy.

 FAR (False acceptance rate) is probability by which system can

accept imposter as genuine individual.

 FRR (false rejection rate) is probability by which system can

reject a genuine individual.

 Cost of the implementation tools is too high (such as finger print

sensors are extremely expensive).

 The cost of the storing biometric templates and of the computing

power required to process and match biometric measurement is
quite high.

 There are some techniques like DNA profiling which is

complicated and time taking process.

 Change of hair style in facial recognition, wearing glasses, and

light intensity in retina scanning may effect the authentication
process.

19
 APPLICATIONS

Security systems use biometrics for two basic purposes: to verify or to

identify users. Identification tends to be the more difficult of the two
uses because a system must search a database of enrolled users to
find a match (a one-to-many search).

Physical access:
Today, the primary application of biometrics is in physical security: to
control access to secure locations (rooms or buildings). Biometrics are
useful for high-volume access control. For example, biometrics
controlled access of 65,000 people during the 1996 Olympic Games,
and Disney World uses a fingerprint scanner to verify season-pass
holders entering the theme park.
Government – passports, national ID cards, voter cards, driver’s
licenses, social services, etc;

Transportation – airport security, boarding passes and commercial

driver’s licenses;

Healthcare – medical insurance cards, patient/employee identity cards;

Financial – bank cards, ATM cards, credit cards and debit cards;

Virtual Access:
For a long time, biometric-based network and computer access were
areas often discussed but rarely implemented. Analysts see virtual
access as the application that will provide the critical mass to move
biometrics for network and computer access from the realm of
science-fiction devices to regular system components. passwords are
currently the most popular way to protect data on a network.
Biometrics, however, can increase a company's ability to protect its
data by implementing a more secure key than a password. Using

20
biometrics also allows a hierarchical structure of data protection,
making the data even more secure: Passwords supply a minimal level
of access to network data; biometrics, the next level. You can even
layer biometric technologies to enhance security levels.

E-Commerce:
E-commerce developers are exploring the use of biometrics and smart
cards to more accurately verify a trading party's identity. For example,
many banks are interested in this combination to better authenticate
customers and ensure nonrepudiation of online banking, trading, and
purchasing transactions. Some are using biometrics to obtain secure
services over the telephone through voice authentication. Developed
by Nuance Communications, voice authentication systems are
currently deployed nationwide by the Home Shopping Network.

Other Applications involve:

Voting systems, where eligible politicians are required to verify their
identity during a voting process. This is intended to stop ‘proxy’ voting
where the vote may not go as expected.
Junior school areas where (mostly in America)
problems had been experienced with children being either molested or
kidnapped.
The application of biometrics in near future will be in ATM
Machines where the leading banks will use biometrics as a general
means of combating card fraud.
Apart from these this technology is going to make place in internet
transaction, telephone transaction, and will be used as public identity
cards.

21
 FUTURE OF BIOMETRICS
Although companies are using biometrics for
authentication in a variety of situations, the industry is still evolving
and emerging. To both guide and support the growth of biometrics, the
Biometric Consortium formed in December 1995.
Standardization:
Standards are emerging to provide a common software interface, to
allow sharing of biometric templates, and to permit effective
comparison and evaluation of different biometric technologies.
The BioAPI standard released at the
conference, defines a common method for interfacing with a given
biometric application. BioAPI is an open-systems standard developed
by a consortium of more than 60 vendors and government agencies.
Written in C, it consists of a set of function calls to perform basic
actions common to all biometric technologies, such as
* enroll user,
* verify asserted identity (authentication), and
* discover identity.
Another draft standard is the Common Biometric Exchange File
Format, which defines a common means of exchanging and storing
templates collected from a variety of biometric devices.
Hybrid Technology:
One of the more interesting uses of biometrics involves combining
biometrics with smart cards and public-key infrastructure (PKI).
Vendors enhance security by placing more biometric functions directly
on the smart card. Some vendors have built a fingerprint sensor
directly into the smart card reader, which in turn passes the biometric
to the smart card for verification. PKI uses public- and private-key
cryptography for user identification and authentication. It is
mathematically more secure, and it can be used across the Internet.

22
 CONCLUSION

At its infancy, current biometric technology is still

considered immature to completely replace password and other
authentication schemes. Security wise, biometric technology shows
vulnerabilities that can be easily exploited for wrongful purposes.
Biometrics itself is by nature complicated and distinctively secured to
each unique identity. It is the imperfect design of the system and its
elements that produces the security holes. Hence, to achieve higher
security performance, the design of biometric system should take into
consideration the possible vulnerabilities of the processes and
algorithms of the system for the whole life cycle, namely data
collection, data transmission, storage, templates comparison and
susceptibility of the system to physical human attack.
Another challenge confronting biometrics is the fact
that people are not ready to accept the technology in its entirety. Due
to the far-reaching impact of biometric data misuse, any irresponsible
use of the technology could be destructive to the society and would
certainly compromise the privacy rights of people. Thus, regulations
are needed to control and manage the implementation of biometrics.
3-factors authentication, microchip implantation and DNA profiling are
among the many that deserve attention.
Although the challenges confronting biometrics are
many, none of these is going to stop the progress of biometrics being
used as authentication and identification tools. This is not the time to
argue whether biometrics should be used widely or not in the future. A
wiser approach would be to prepare the people mentally and
psychologically for the new technology, make further improvements to
the technology itself and think of how to properly use biometrics for
everybody’s benefit.

23
24