# Biometric authentication

Post-publication activity

Curator: Anil K. Jain

Biometric recognition (also known as biometrics) refers to the automated recognition of individuals based on their biological and behavioral traits (ISO/IEC JTC1 SC37). Examples of biometric traits include fingerprint, face, iris, palmprint, retina, hand geometry, voice, signature and gait.

## Introduction

Personal identity refers to a set of attributes (e.g., name, social security number, etc.) that are associated with a person. Identity management is the process of creating (linking the attributes to a physical person), maintaining and destroying identities of individuals in a population. One of the critical tasks in identity management is person authentication, where the goal is to either determine the previously established identity of an individual or verify an individual's identity claim. This can be accomplished by three methods (Jain et al., 2007). The two conventional methods of authentication are based on a person’s exclusive possession of a token (e.g., ID card or key) or knowledge of a secret (e.g., password). The third method, called biometric recognition, authenticates a person based on his biological and behavioral (biometric) traits.

Biometric recognition forms a strong link between a person and his identity because biometric traits cannot be easily shared, lost, or duplicated. Hence, biometric recognition is intrinsically superior and more resistant to social engineering attacks (e.g., phishing) than the two conventional methods of recognition, namely, passwords and tokens. Since biometric recognition requires the user to be present at the time of authentication, it can also deter users from making false repudiation claims. Moreover, only biometrics can provide negative identification functionality where the goal is to establish whether a certain individual is indeed enrolled in a system although the individual might deny it. Due to these characteristics, biometric recognition has been widely hailed as a natural, reliable, and irreplaceable component of any identity management system. Biometrics is being increasingly incorporated in various authentication and security applications that require accurate and reliable answers to the following questions: (i) “Is he the person who he claims to be?”, (ii) “Who is this person?”, and (iii) "Is this person someone on a watch list?". Note that in answering the above questions, it is assumed that a person's identity has already been created or established; biometric recognition links the person to his/her previously established identity through automated means.

We routinely use body characteristics such as face, voice, gait, etc. to recognize each other. The discovery of the distinctive nature of fingerprints in the late 19th century by Faulds, Herschel and Galton (Faulds, 1880, Herschel, 1880, Galton 1888) has enabled almost all the law enforcement agencies in the world to rely on fingerprints for criminal and forensic identification. A number of other biometric traits (see Figure 1) such as iris (Daugman, 2006) and face (Li and Jain, 2005) are in use in various applications that deal with access control, checking for multiple enrollments (e.g. duplicate driver license), international border crossing and secure identification document (e.g. passport). Each biometric trait has its strengths and weaknesses, and the choice of a specific trait depends upon the requirements of the application. No single biometric trait is able to effectively meet the requirements of recognition accuracy, resource requirements, reliability and cost in all the applications (Prabhakar et al., 2003).

Figure 1: Examples of biometric characteristics that are commonly used: (a) face, (b) fingerprint, (c) hand geometry, (d) iris, (e) signature, and (f) voice.

## Biometric Systems

A biometric system is a computer system that implements biometric recognition algorithms. A typical biometric system consists of sensing, feature extraction, and matching modules. Biometric sensors (e.g., fingerprint sensor, digital camera for face) capture or scan the biometric trait of an individual to produce its digital representation. A quality check is generally performed to ensure that the acquired biometric sample can be reliably processed by the subsequent feature extraction and matching modules. The feature extraction module discards the unnecessary and extraneous information from the acquired samples, and extracts salient and discriminatory information called features that are generally used for matching. During matching, the query biometric sample is matched with the reference information stored in the database to establish the identity associated with the query.

Generally, a biometric system has two stages of operation: enrollment and recognition. Enrollment refers to the stage in which the system stores some biometric reference information about the person in a database. This reference information may be in the form of a template (features extracted from the biometric sample or parameters of a mathematical model that best characterizes the extracted features) or the biometric sample itself (e.g., face or fingerprint image). In many applications, some identity attributes about the person (name, ID number, etc.) is also stored along with the biometric reference. When no personal identity information is available (e.g., unknown latent prints lifted from a crime scene, anonymous authentication applications, etc.), the reference is usually tagged with a system-generated ID for future recognition. In the recognition stage, the system scans the user’s biometric trait, extracts features, and matches them against the reference biometric information stored in the database. A high similarity score between the query and the reference data results in the user being authenticated or identified.

The example of fingerprint matching (Maltoni et al., 2003) illustrates how a biometric system operates. Minutiae are the most commonly used fingerprint features. These are defined as points of (i) ridge ending and (ii) ridge bifurcation in a fingerprint image. A minutia is represented in terms of a triplet (x,y,θ), where (x, y) represents its position and θ represents the local orientation of the ridge at that minutia. Typically, a fingerprint image may contain between 20 to 70 minutiae depending on the fingerprint sensor characteristics (e.g., sensor area) and the position of the user’s finger on the sensor.

Given two (query and reference) fingerprints, represented in terms of their minutiae, the matching module determines whether the prints are impressions of the same finger or not. Figure 2 illustrates the matching process. Due to variations in finger placement and pressure on the sensor, the numbers of minutiae in the two fingerprints may not be the same; furthermore, the fingerprints need to be aligned (or registered). After aligning the two fingerprints, the number of matching (or corresponding) minutiae is determined and a similarity, or match score, is defined in terms of the number of corresponding minutiae. Even in ideal finger imaging situations, not all minutiae from query and template prints from the same finger can be matched. As a result, the matcher uses a system parameter, called the threshold, to decide whether a given pair of minutiae patterns belongs to the same finger or not. If the match score exceeds the threshold, the two prints are declared to come from the same finger.

Figure 2: Biometric System Operation: Fingerprint Case Study

Biometric recognition systems typically provide two different functionalities:

(a) Verification (“Is this the person who he claims to be?”). For example, a person claims that he is John Doe and offers his fingerprint; the system then either accepts or rejects the claim based on comparing the offered pattern (query or input) and the enrolled pattern (reference) associated with the claimed (John Doe) identity. Many commercial applications such as physical (e.g., entrance to a building) or logical (e.g., computer login) access control, transactions at a bank ATM, credit card purchases, and medical records management are examples of verification applications.

(b) Identification (“Is this person in the database?”). Given an input biometric sample, the system determines if this pattern is associated with any one of a usually large number (e.g., millions) of enrolled identities. There are two types of identification scenarios. In positive identification, the person asserts that the biometric system knows him. In negative identification, the person asserts that the biometric system does not know him. In both scenarios, the system confirms or refutes the person's assertion by acquiring his biometric sample and comparing it against all templates in the database. "PIN-less" access control systems and welfare disbursement schemes are examples of positive identification systems, while driver license issuance and watch-list surveillance are examples of negative identification systems.

## Challenges

Although biometrics appears to be the obvious technology for robust person authentication, and has been successfully deployed in several niche markets, it is not yet a foolproof method of automatic human recognition. With the availability of inexpensive and compact biometric sensors and fast processing chips, it is becoming increasingly clear that a broader use of biometric technology would require better solutions to three fundamental barriers: (i) Recognition performance: How to effectively represent and recognize biometric patterns (e.g., how to recognize a person with 99.999% accuracy), (ii) System security: How to guarantee that the biometric systems are not vulnerable to sabotage (e.g., can we ensure that fraudsters cannot infiltrate the system?), and (iii) Privacy issues: How to make sure that the biometric system is being exclusively used for the expressed purpose (e.g., how to prevent trusted system administrators from abusing the system).

### Performance

The critical promise of biometric recognition is that when a biometric sample is presented to the system, it will offer the correct decision. However, a practical biometric system can make two basic types of errors (Ross et al., 2006): (i) False Match: the system incorrectly declares a successful match between the input pattern and a non-matching template in the database (in the case of identification) or a template associated with an incorrectly claimed identity (in the case of verification). (ii) False Non-match: the biometric system incorrectly declares failure of match between the input pattern and a matching pattern in the database (identification) or the pattern associated with the correctly claimed identity (verification).

Table 1 shows state-of-the-art error rates for four of the most commonly used biometric traits, namely, fingerprints, iris, face, and voice. These error rates were reported in third party evaluations conducted by the National Institute of Standards and Technology (NIST). It is easy to note that these error rates are far from being zero and so there is a large scope for improvement in the accuracy of current biometric systems. However, these error rates do not reflect a fair technology comparison because of the large variations in the test conditions. A more reasonable comparison of these technologies in operationally commensurate environments was reported in (Mansfield et al., 2001).

“State-of-the-art” error rates (False Match Rate (FMR) and False Non-match Rate (FNMR)) associated with fingerprint, face, voice and iris biometric systems. Note that the accuracy estimates of biometric systems are dependent on a number of test conditions, including sensor characteristics, number of subjects in the database, characteristics of the population from which subjects are drawn, chosen operating points, etc. Hence, the error rates presented in this table is just for illustrative purposes and should not be considered as a fair technology comparison.
Modality Test Test Conditions FNMR FMR
Fingerprint FpVTE 2003 (Wilson et al., 2004) US Government operational data $$0.6\%$$ $$0.01\%$$
Face FRVT 2006 (Phillips et al., 2007) Changes in illumination, high resolution $$2.5-1\%$$ $$0.1\%$$
Voice NIST 2004 (Przybocki et al., 2004) Text independent, multi-lingual, operational data $$5-10\%$$ $$2-5\%$$
Iris ICE 2006 (Phillips et al., 2007) Controlled Illumination, broad quality range $$1.1-1.4\%$$ $$0.1\%$$

A receiver operating characteristic (ROC) curve is a comprehensive way to analyze the performance of a biometric system; it depicts the dependence of false match rate with the false non-match rate as the system threshold on match score is changed. Figure 3 shows the ROC curves corresponding to various commercial fingerprint matchers reported in FpVTE 2003 (Wilson et al., 2004). Another tool for analyzing the performance of a biometric system, especially when it is operated in the identification mode, is the cumulative match characteristic (CMC) curve. A CMC curve, as shown in figure 4, depicts the increase in the identification rate of the system with increase in the rank before which a correct match is obtained (Wilson et al., 2004).

Figure 3: ROC curves showing performance of various commercial fingerprint matchers on a medium scale dataset (Wilson et al. 2004).
Figure 4: CMC curve showing performance of the commercial fingerprint matchers on a medium scale dataset (Wilson et al. 2004).

There are three main reasons for the non-zero error rate of a biometric system: (i) intrinsic similarity of biometric patterns of two different individuals, often referred to as “small inter-class variability”, (ii) poor image quality or non-ideal interaction of the user with the sensor, resulting in large variations in the biometric pattern of a trait from the same user (“large intra-class variability”), and (iii) change in the biometric trait from enrollment to verification stage (e.g., due to facial aging) (see Figure 5).

Figure 5: : Some of the sources of error in a biometric system: (a) large inter class similarity (identical twins cannot be very easily distinguished based on face biometric), (b) user interaction with sensor (facial matching is difficult when enrolled and query images differ in a person’s pose in front of the camera), (c) poor image quality (large number of spurious minutiae are identified while several genuine minutiae are missed), and (d) large intra class variability (two fingerprints of the same finger that are difficult to match correctly due to distortion between the two prints).

Research is still underway to improve the performance of various biometric recognition systems by using better feature representation techniques and matching algorithms. Multibiometrics (Ross et al., 2006) is another technique to improve the biometric recognition performance by combining multiple biometric traits (e.g., fingerprint, iris, etc.). A multibiometric system aims to effectively fuse the salient information among the individual biometric traits which translates into better recognition performance.

### System Security

The security of biometric systems, i.e., assuring that the input biometric sample was indeed presented by its legitimate owner, and the system indeed matched the input pattern with genuinely enrolled pattern samples, is crucial (Jain et al., 2008). While there are a number of ways a perpetrator may attack a biometric system (Prabhakar et al., 2003), there are usually two very serious criticisms against biometric technology that have not been addressed satisfactorily: (i) biometrics are not secrets and (ii) enrolled biometric templates are not revocable. The first fact implies that the attacker has a ready access to the legitimate biometric trait (e.g., facial image of an enrolled user of the biometric system) and, therefore, could fraudulently inject it into the biometric system to gain access. The second fact implies that when a biometric trait has been “compromised”, the legitimate user has no recourse to revoking the trait. Researchers are addressing both of these issues.

First, the knowledge of biometric trait(s) does not necessarily imply the ability of the attacker to inject it into the system. The challenge then is to design a secure biometric system that will accept only the legitimate presentation of the biometric traits without being fooled by the doctored or spoofed measurements injected into the system. One could attempt various strategies to thwart fraudulent insertion of spoofed measurements into the system. For example, liveness detection schemes (Antonelli et al., 2006, Rowe, 2005) make sure that input measurements are not originating from an inanimate object. The other strategy to consider is multi-biometrics (Ross et al., 2006) - data from multiple and independent biometric identifiers are fused; reinforcing the identity of a person offers increasingly irrefutable proof that the biometric data is being presented by its legitimate owner and not being fraudulently presented by an impostor. On the other hand, even if the system is less effective in discriminating between a real and a spoofed trait, the biometric template should be designed in such a way that it reveals little about the actual biometric sample (Jain et al., 2008). Given such a template design, it should be possible to generate a large number of distinct templates for a specific biometric trait of a single user so that a compromised template can be replaced with another.

### Privacy Issues

A reliable biometric system provides an irrefutable proof of identity of the person. Consequently, the users of biometric systems have two concerns: Will the undeniable proof of biometrics-based access be used to track the person in a manner that may infringe upon his right to privacy? Will the biometric data be abused for an unintended purpose, e.g., will the fingerprints provided for access control be matched against the fingerprints in a criminal database? How would one ensure and assure the users that the biometric system is being used only for the intended purpose and none other? Perhaps, one needs to devise a system that meticulously records authentication decisions and the people who accessed the logged decisions using a biometric-based access control system. Such a system would be able to detect any abnormality in the access to specific segments of the system and would warn the affected users of any potential compromise. At present, there are no satisfactory solutions on the horizon for either addressing the entire spectrum of privacy issues or how exactly these privacy issues needed to be traded against the corresponding security issues (Prabhakar et al., 2003). This topic needs to be resolved by appropriate public discussion and policy-making.

## References

• Antonelli, A., Cappelli, R., Maio, D. & Maltoni, D., 2006. Fake finger detection by skin distortion analysis. IEEE Transactions on Information Forensics and Security, 1(3) p. 360-373.
• Bolle, R. M., Connell, J. H., Pankanti, S. Ratha, N. K., & Senior, A. W., 2003. Guide to biometrics. Springer.
• Daugman, J., 2006. Probing the uniqueness and randomness of iriscodes: results from 200 billion iris code comparisons. Proceedings of IEEE, 94(11), p. 1927-1935.
• Faulds, H, 1880. On the Skin-Furrows of the Hand. Nature, 22, pp. 605.
• Herschel, W, 1880. Skin Furrows of the Hand. Nature, 23, pp. 76.
• Galton, F, 1888. Personal identification and description. Nature, 38, p. 201-202.
• Jain, A. K., Flynn, P. J. & Ross, A. eds., 2007. Handbook of biometrics. Springer.
• Jain, A. K. Ross, A. & Prabhakar, S., 2004. An introduction to biometric recognition. IEEE Transactions on Circuits and Systems for Video Technology, Special Issue on Image- and Video-Based Biometrics, 14(1), p. 4-20.
• Jain, A. K., Nandakumar, K., & Nagar, A., 2008. Biometric Template Security, EURASIP Journal on Advances in Signal Processing, vol. 2008, Article ID 579416.
• Li, S. Z. & Jain, A. K. eds., 2005. Handbook of face recognition. Springer.
• Maltoni, D., Maio, D., Jain, A. K., and Prabhakar, S., 2003. Handbook of fingerprint recognition. Springer-Verlag.
• Mansfield, T., Kelly, G., Chandler, D., and Kane, J., 2001. Biometric Product Testing Final Report. Technical report, Centre for Mathematics and Scientific Computing, National Physical Laboratory.
• Phillips, P. J., Scruggs, W. T., OToole, A. J., Flynn, P. J., Bowyer, K. W., Schott, C. L, & Sharpe, M., 2007. FRVT 2006 and ICE 2006 large-scale results. Technical Report NISTIR 7408, NIST. Available online accessed 3 April, 2008.
• Prabhakar, S. Pankanti, S., & Jain, A. K., 2003. Biometric recognition: security & privacy concerns. IEEE Security & Privacy Magazine, 1(2) p. 33-42.
• Przybocki, M., & Martin, A., 2004. NIST speaker recognition evaluation chronicles. In Odyssey: The Speaker and Language Recognition Workshop, p. 12-22, Toledo, Spain, May 2004.
• Ross, A., Nandakumar, K., & Jain, A.K., 2006. Handbook of multibiometrics. Springer.
• Rowe, R. K., 2005. A multispectral sensor for fingerprint spoof detection. Sensors, 22(1), p. 1-4.
• Wayman, J., Jain, A. K., Maltoni, D.,& Maio, D. eds., 2005. Biometric systems: technology, design and performance evaluation, Springer.
• Wilson, C., Hicklin, A. R., Bone, M., Korves, H., Grother, P., Ulery, B., Micheals, R., Zoep, M., Otto, S., & Watson, C., 2004. Fingerprint vendor technology evaluation 2003: summary of results and analysis report. Technical Report NISTIR 7123, NIST. Available online accessed 3 April, 2008.

Internal references

• John Dowling (2007) Retina. Scholarpedia, 2(12):3487.