Chapter 3 Biometrics PDF

Uploaded by

alhindal63
Dr. Sarah Abu Ghazalah

Chapter 3: Biometrics
Introduction
• Biometrics is the analysis of biological observations and phenomena.
• People routinely use biometrics to recognize other people, commonly using the shape of a face or the sound
of a voice to do so.
• Using biometrics in security applications is certainly appealing.
• Determining a person’s identity through the presence of a physical object such as a key or access card has
the problem that the physical token can be lost or stolen.
• Shared secrets such as passwords can be forgotten.
• Determining a person’s identity using biometrics seems an attractive alternative. It is generally impossible for
people to lose or forget their biometric data.
Biometric data should:
• be as unique as possible (uniqueness)
• occur in as many people as possible (universality)
• avoid causing undue inconvenience or distress to a user (acceptability)
• stay relatively constant over time (permanence)
• be able to be measured easily (measurability)
Biometrics
• Biometrics systems can be used as a means of authenticating a user.
• Systems based on biometrics can also be used as a means of
identification. When they are used in this way, captured biometric data
is compared to entries in a database, and the biometric system
determines whether or not the biometric data presented matches any
of these existing entries.
• Biometrics do not always require the active participation of a subject.
While a user always needs to enter her password when the password
is used to authenticate her, it is possible to capture biometric data
without the user’s active involvement, perhaps even without her
knowledge.
• For example, it is possible to automatically capture images of
customers in a bank and to use the images to help
identify people who are known to commit check fraud.
• Or it is possible to automatically capture images of airline passengers
in an airport and use the images to help identify suspicious travelers.

The use of biometrics for identification also has the


potential to pose serious privacy issues.

For example, if a user needs to provide a DNA sample as a


means of identification, the same DNA sample could be
used to determine genetic information that the user
might rather have kept private.
BIOMETRIC SYSTEM ARCHITECTURE

• A data capture subsystem
• A signal processing subsystem
• A matching subsystem
• A data storage subsystem
• A decision subsystem
Data Capture
• A data capture subsystem collects
captured biometric data from a user.
• The captured biometric data usually
needs to be processed in some way
before it can be used in a decision
algorithm.
• It is extremely rare for a biometric
system to make a decision using an
image of a fingerprint, for example.
• Instead, features that make fingerprints
different from other fingerprints are
extracted from such an image in the
signal processing subsystem, and these
features are then used in the matching
subsystem.
• Environmental conditions can also significantly affect the operation of a
data capture subsystem.
• Dirty sensors can result in images of fingerprints that are distorted or
incomplete.
• Background noise can result in the collection of data that makes it
difficult for the signal processing subsystem to identify the features of
a voice signal.
• Lighting can also affect any biometric data that is collected.
Signal Processing
• A signal processing subsystem takes the captured biometric data from a data
capture subsystem and transforms the data into a form suitable for use in the
matching subsystem.
• This transformed data is called a reference, or a template.
• A signal processing subsystem may also analyze the quality of captured
biometric data and reject data that is not of high enough quality.
• If the captured biometric data is not rejected, the signal processing subsystem then
transforms the captured biometric data into a reference.
• In the case of fingerprints, for example, the signal processing subsystem may extract
features such as the locations of branches and endpoints of the ridges that comprise a
fingerprint.
• A biometric system that uses the speech of users to characterize them might convert the
speech signal into frequency components using a Fourier transform and then look for
patterns in the frequency components that uniquely characterize a particular speaker.
• A biometric system that uses an image of a person’s face might first look for large features such as
the eyes, nose, and mouth and then look for distinctive features such as eyebrows.
Matching
• A matching subsystem receives a reference from a signal processing subsystem and then compares the
reference with a template from a data storage subsystem.
• The output of the matching subsystem is a numeric value called a comparison score that indicates how
closely the two match.
• The comparison scores that are calculated from repeated captures of biometric data from a single
user are random. Such scores tend to be close to an average value every time that they are
calculated from captured biometric data, but they are not exactly the average value.
Data Storage
• A data storage subsystem stores templates that are used by the
matching subsystem.
Decision
• To make a yes or no decision, a decision subsystem compares a
comparison score with a parameter called a threshold.
• The threshold value represents a measure of how good a comparison
needs to be to be considered a match. If the comparison score is less
than or equal to the threshold value, then the decision subsystem
returns the value yes. If the comparison score is greater than the
threshold, it returns the value no.
Errors
• Errors may occur in any decision subsystem.
There are two general types of errors that can occur.
• In one case, a decision subsystem makes the incorrect decision of no
instead of yes. In this case, a user is indeed who she claims to be, but
large random errors occur in the data capture subsystem and cause
her to be incorrectly rejected.
• Statisticians call this a type-1 error. It is also known as a false rejection or a
false nonmatch, and it is measured by the false nonmatch rate (FNMR).
• In the second case, a decision subsystem incorrectly returns a yes
instead of a no.
• In this case, random errors occur that let a user be erroneously
recognized as a different user. This might happen if the user Alice tries
to authenticate as the user Bob, for example.
• Statisticians call this class of error a type-2 error. It is also known as a false
acceptance or a false match, and it is measured by the false match rate.
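The decision rule and the two error types above can be measured directly from comparison scores. The following is an added example, not part of the original slides: the scores and thresholds are constructed, and it goes slightly beyond the text by sweeping the threshold to show how lowering one error rate raises the other.

```python
def decide(score, threshold):
    # The slides' convention: the score behaves like a distance, so a score
    # less than or equal to the threshold is a match ("yes").
    return score <= threshold

def error_rates(genuine, impostor, threshold):
    """Return (FNMR, FMR) for one threshold.

    genuine  -- scores from a user compared with her own template
    impostor -- scores from a user compared with someone else's template
    """
    false_nonmatches = sum(1 for s in genuine if not decide(s, threshold))
    false_matches = sum(1 for s in impostor if decide(s, threshold))
    return false_nonmatches / len(genuine), false_matches / len(impostor)

def sweep(genuine, impostor, thresholds):
    """Map each threshold to its (FNMR, FMR) pair."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}

def closest_to_equal(table):
    """Threshold whose FNMR and FMR are closest to each other."""
    return min(table, key=lambda t: abs(table[t][0] - table[t][1]))

# Constructed sample scores (not measurements from any real system).
GENUINE = [0.12, 0.18, 0.21, 0.25, 0.27, 0.30, 0.33, 0.38, 0.44, 0.52]
IMPOSTOR = [0.35, 0.41, 0.48, 0.55, 0.58, 0.62, 0.66, 0.71, 0.77, 0.85]
THRESHOLDS = [0.2, 0.3, 0.4, 0.5, 0.6]

if __name__ == "__main__":
    table = sweep(GENUINE, IMPOSTOR, THRESHOLDS)
    for t, (fnmr, fmr) in table.items():
        print(f"threshold={t:.1f}  FNMR={fnmr:.0%}  FMR={fmr:.0%}")
    print("closest to equal error:", closest_to_equal(table))
```

A strict (low) threshold rejects most genuine attempts while admitting no impostors; a lenient (high) threshold does the reverse.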
USING BIOMETRIC SYSTEMS
• There are three main operations that a biometric system can perform. These are the following:
• Enrollment. During this operation, a biometric system creates a template that is used in later
authentication and identification operations. This template, along with an associated identity, is
stored in a data storage subsystem.
• Authentication. During this operation, a biometric system collects captured biometric data and a
claimed identity and determines whether or not the captured biometric data matches the template
stored for that identity. Although the term authentication is almost universally used in the
information security industry for this operation, the term verification is often used by biometrics
vendors and researchers to describe this.
• Identification. During this operation, a biometric system collects captured biometric data and
attempts to find a match against any of the templates stored in a data storage subsystem.
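The three operations listed above, sketched as an added example that is not part of the original slides. The feature vectors, the Euclidean distance used as the comparison score, the threshold, and the quality cut-off are all assumptions made for illustration; a capture below the quality cut-off is rejected at enrollment, as the signal processing subsystem is described as doing.

```python
import math

THRESHOLD = 0.5      # assumed decision threshold (score <= threshold is "yes")
MIN_QUALITY = 0.6    # assumed minimum capture quality for enrollment

def distance(a, b):
    """Comparison score: Euclidean distance between two feature vectors."""
    return math.dist(a, b)

class BiometricSystem:
    def __init__(self):
        self.templates = {}   # data storage subsystem: identity -> template

    def enroll(self, identity, features, quality):
        """Store a template; a low-quality capture is a failure to enroll."""
        if quality < MIN_QUALITY:
            return False
        self.templates[identity] = tuple(features)
        return True

    def authenticate(self, claimed_identity, features):
        """Compare the capture only with the claimed identity's template."""
        template = self.templates.get(claimed_identity)
        if template is None:
            return False
        return distance(features, template) <= THRESHOLD

    def identify(self, features):
        """Compare the capture with every template; best match or None."""
        best = None
        for identity, template in self.templates.items():
            score = distance(features, template)
            if score <= THRESHOLD and (best is None or score < best[1]):
                best = (identity, score)
        return best[0] if best else None

def demo():
    """Run all three operations on constructed feature vectors."""
    system = BiometricSystem()
    results = {
        "enroll_alice": system.enroll("alice", (1.0, 2.0, 3.0), quality=0.9),
        "enroll_bob": system.enroll("bob", (4.0, 1.0, 0.5), quality=0.8),
        "enroll_carol": system.enroll("carol", (2.0, 2.0, 2.0), quality=0.3),
    }
    fresh = (1.1, 2.1, 2.8)  # a new capture from Alice, slightly different
    results["alice_as_alice"] = system.authenticate("alice", fresh)
    results["alice_as_bob"] = system.authenticate("bob", fresh)
    results["identify"] = system.identify(fresh)
    results["identify_unknown"] = system.identify((9.0, 9.0, 9.0))
    return results
```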
Enrollment
• The probability of a user failing in the enrollment process is used to calculate the failure to enroll
rate (FER). Almost any biometric can fail sometimes, either temporarily or permanently.
• Dry air or sticky fingers can cause fingerprints to temporarily change. A cold can cause a voice to
temporarily become hoarse. A broken arm can temporarily change the way a person writes his
signature. Some skin diseases can even permanently change fingerprints.
• A useful biometric system should have a low FER, but because all such systems have a nonzero
value for this rate, it is likely that there will always be some users that cannot be enrolled in any
particular biometric system, and a typical FER for a biometric system may be in the range of 1% to
5%.
• For this reason, biometric systems are often more useful as an additional means of authentication
in a multifactor authentication system than as the single method used.
Security Considerations
• Biometric data is not secret, or at least it is not very secret.
• Fingerprints, for example, are not very secret because so-called latent fingerprints
are left almost everywhere. On the other hand, reconstructing enough of a
fingerprint from latent fingerprints to fool a biometric system is actually very
difficult because latent fingerprints are typically of poor quality and incomplete.
• It is relatively easy to require users to frequently change their passwords, but many
types of biometric data last for a long time, and it is essentially impossible to force
users to change their biometric data. So, when biometric data is compromised in
some way, it is not possible to reissue new biometric data to the affected users.
Storage of Templates
• One obvious way to store the templates used in a biometric system is
in a database.
• This can be a good solution, and the security provided by the database
may be adequate to protect the templates that it stores.
• In other cases, it may be more useful for a user to carry his template
with him on some sort of portable data storage device and to provide
that template to a matching subsystem along with his biometric data.