BIOMETRICS

Presentation to 2008 AFCEA PD Workshop CAL CLUPP BSC CISSP
Director, Risk Management Consulting Bell Canada
(613) 597-2336 597cal.clupp@bell.ca
Source: http://www.banking.com/aba/january.htm

1

OUTLINE

‡ ‡ ‡ ‡ ‡ ‡ ‡ ‡

DEFINITION BRIEF HISTORY APPLICATIONS HOW BIOMETRIC DEVICES WORK TYPES OF DEVICES BIOMETRICS TESTING EXAMPLE APPLICATIONS AREAS OF IMPLEMENTATIONS

2

03 June 2008

Bell Restricted

DEFINITION
‡ ‡ Biometrics - (Classical Definition) Identification of living things based on physiological and/or behavioral characteristics Biometrics - (ISO Definition) A measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an enrollee. Biometric System ± (ISO Definition) An automated system capable of:
± ± ± ± ± capturing a biometric sample from an end user; extracting biometric data from that sample; comparing the biometric data with that contained in one or more reference templates; deciding how well they match; and indicating whether or not an identification or verification of identity has been achieved.

‡

3

03 June 2008

Bell Restricted

HISTORY OF BIOMETRICS
‡ Used since man first walked upright
± ± We all use facial recognition on a daily basis We use voice recognition during conversations to identify the other party (e.g. Telephone)

‡ ‡ ‡ ‡ ‡

Fingerprints have been used in forensics for over 100 years by police investigators Babies registered at birth using palm/foot prints Dental records and X-rays have long been used to identify decomposed bodies The hand written signature is a form of behavioral biometric identification DNA is one of the latest advances used in identification

4

03 June 2008

Bell Restricted

expensive. proprietary and unreliable They were considered as ³science fiction´ or ³spy toys´ and not likely to be used by ordinary people in daily transactions Today costs are coming down.HISTORY (continued) ‡ ‡ ‡ ‡ Modern technologies have made it possible to mechanically and automatically convert physical and behavioral characteristics into digital electronic form Early biometric systems were slow. speed and reliability are increasing and biometric devices are starting to become part of our daily lives 5 03 June 2008 Bell Restricted .

BIOMETRIC APPLICATIONS ‡ Depending on the application.g.g. privacy. airports) Computer/Network logins (e.g. or to deliver enhanced services. Applications include: ± ± ± ± ± ± ± ± ± ± ± 6 Physical security and access control (e. fraud reduction. research animals. Military/Govt/Corporate ID cards) Registering race horses. biometrics can be used for security.g.g. Visas. ATM withdrawals) Credit and debit card protection Voting Receiving government benefits (e. pension) Healthcare services (e. SIN cards. vehicle registration. convenience. drivers licenses.g. biometric tokens) Bell Restricted 03 June 2008 . laptops with fingerprint sensors built in) Business transactions (e. passports. welfare.g. pets and other wildlife Data protection (e.g. borders. smart guns. patient ID) Law enforcement (e. criminal identification systems) Identification Documents (e.

g.HOW BIOMETRIC DEVICES WORK ‡ With all biometric systems there are 3 steps (i. voice sample.e. data capture. and decision) which define the process flow: ± Data Capture ‡ All biometrics start with a piece of raw analogue data (e. signal processing. creates template) The stored and live templates are compared and if they match (i. face/hand/retina image) This raw data is digitized so that computers can process it The computer software extracts the critical features (e.e.g. minutiae) and discards those elements that are irrelevant to making a successful comparison (i. fingerprint.e. within set threshold) user will be accepted ± Signal Processing ‡ ‡ ± Decision ‡ 7 03 June 2008 Bell Restricted .

HOW DEVICES WORK (continued) ‡ During enrollment the template is created and stored (sizes from 9Bytes to 1KByte) Source: SCA ± Biometrics May 2002 8 03 June 2008 Bell Restricted .

Source: SCA ± Biometrics May 2002 9 03 June 2008 Bell Restricted .HOW DEVICES WORK (continued) ‡ During verification the first 2 steps are repeated with the resulting representation being the live scan or template.

HOW DEVICES WORK (continued) ‡ ‡ Compare Template ± ± The live scan is compared to the stored template. it is accepted as valid Decide Match Source: SCA ± Biometrics May 2002 10 03 June 2008 Bell Restricted . If they match within a set statistical range.

HOW BIOMETRIC DEVICES WORK Creation of BIR (Enrollment) DATA CAPTURE SIGNAL PROCESSING DECISION Compare Template TEMPLATE / BIR STORAGE Signal Detection Decide Match Biometric System Controller Extract Features Biometric Sensor Create Template* Decide Acceptance Set Threshold QUALITY CONTROL Present Biometric Sample User INPUT / OUTPUT INTERFACES Portal Administrator Grant Privileges *Template = Processed Biometric Sample The Create Template process may also include the creation of the Biometric Identification Record (BIR) 11 03 June 2008 Bell Restricted .

e.TYPES OF DEVICES ‡ Physiological (i. physical) Characteristic Devices ± ± ± ± Finger/thumb print readers Hand/Finger geometry readers Facial Verification Systems Eye Scanners ‡ ‡ Retina Scanners Iris Scanners ± ± DNA Identification Systems Voice Verification1 Note 1: Voice verification can also be considered a Behavioral Characteristic device 12 03 June 2008 Bell Restricted .

DEVICES (continued) ‡ Behavioral Characteristic Devices ± ± ± ± Voice Verification1 Signature Dynamics Analysis Keystroke Dynamics Analysis Gait Analysis Note 1: Voice verification can also be considered a Physiological Characteristic device 13 03 June 2008 Bell Restricted .

optical.e.g. RF) 14 03 June 2008 Bell Restricted . minutiae) Produces one of the largest templates (aprox 1KByte) depending on the method used Devices are very reliable in use but in some cases other techniques may be required Several types (e. capacitive.FINGER/THUMB PRINT READERS ‡ ‡ ‡ ‡ ‡ Most widely used Most systems rely on classifying the differences between ridges and valleys in the patterns of the print and at ridge bifurcations or ridge endings (i. ultrasound.

e. ± The correlation-based method is able to overcome some of the difficulties of the minutiae-based approach. pattern matching) require the precise location of a registration point and are affected by image translation and rotation. there are some difficulties when using this approach. it has some of its own shortcomings. Also this method does not take into account the global pattern of ridges and furrows. ‡ ‡ ‡ It is difficult to extract the minutiae points accurately when the fingerprint is of low quality. and false minutiae. More subject to wear and tear. However. Larger templates (often 2 ± 3 times larger than minutiae-based) Bell Restricted ‡ 15 03 June 2008 . However.FINGERPRINT (continued) ‡ Fingerprint matching techniques can be placed into two categories: minutiae-based and correlation based. ‡ Correlation-based techniques (i. ± Minutiae-based techniques first find minutiae points and then map their relative placement on the finger.

g. securing smartcards) A much smaller ³scrolling´ sensor is now available which has made even more applications possible and has addressed some of the security concerns with latent prints Some more advanced readers can differentiate between live and dead tissue ± ± ± 16 ‡ ‡ by checking for pulse by sensing oxygen level by checking capacitance of the biometric sample Bell Restricted 03 June 2008 .FINGERPRINT (continued) ‡ ‡ Intrusive procedure In 1997 the stamp-sized fingerprint reader on a microchip was introduced which has led to the potential for many new applications (e.

FINGERPRINT (continued) Print showing various types of Minutiae 17 03 June 2008 Bell Restricted .

edu/info. Most often used in forensics.html 18 03 June 2008 Bell Restricted . rarely in authentication systems ‡ ‡ Source: biometrics. and tented arch. Special algorithms have been developed to classify fingerprints into five classes.msu. right loop. whorl.FINGERPRINT (continued) ‡ To reduce the search time and computational complexity. left loop. it is desirable to classify fingerprints in an accurate and consistent manner so that the input fingerprint is required to be matched only with a subset of the fingerprints in the database. namely.cse. arch.

FINGERPRINT (continued) Source: Various websites 19 03 June 2008 Bell Restricted .

FINGERPRINT (continued) US Dime Source: Protective Technologies Website 20 03 June 2008 Bell Restricted .

HAND/FINGER GEOMETRY READERS ‡ ‡ ‡ ‡ ‡ The first modern biometric device was a hand geometry reader that measured finger length These devices use a 3D or stereo camera to map images of the hands and/or fingers to measure size. shape and translucency Actual sensor devices are quite large in size Templates are typically small (approx 10 Bytes) High acceptance rate among users 21 03 June 2008 Bell Restricted .

HAND/FINGER GEOMETRY (continued) Source: Biometrics Store Website Source: http://recognitionsystems.msu.com/products/ Source: biometrics.edu/info.cse.html 22 03 June 2008 Bell Restricted .schlage.

feature analysis. neural network. and automatic face processing New systems are being developed that measure three dimensional characteristics of the face One of the fastest growing areas in biometric industry 23 03 June 2008 Bell Restricted .FACIAL RECOGNITION ‡ ‡ ‡ ‡ ‡ Considered by some as an intrusive system Uses high resolution cameras (several types) to take pictures of the face for comparison The four primary methods traditionally employed by facial scan vendors to identify and verify subjects include eigenfaces.

Source: MIT Face Recognition Demo Page 24 03 June 2008 Bell Restricted . global grayscale images representing distinctive characteristics of a facial image Variations of eigenface are frequently used as the basis of other face recognition methods.FACIAL (continued) Typical Eigenfaces Utilizes two dimensional.

though more capable of accommodating changes in appearance or facial aspect (e. Most faces can be reconstructed by combining features of 100-125 eigenfaces. During enrollment. Relative distances and angles of the "building blocks" of the face are measured. LFA is a derivative of the eigenface method and was developed by Visionics. the user's eigenface is mapped to a series of numbers (coefficients). frowning). a "live" template is matched against the enrolled template to obtain a coefficient variation. smiling.. LFA can accommodate 25-degree angles in the horizontal plane and 15 degrees in the vertical plane. 03 June 2008 Bell Restricted ‡ 25 ." a technology patented at MIT that uses 2D global grayscale images representing distinctive characteristics of a facial image. Corp. Local Feature Analysis (LFA): also a 2D technology. Upon a 1:1 match. incorporates the location of these features.g.FACIAL (continued) ‡ Eigenface: "one's own face. LFA uses dozens of features from different regions of the face. This variation either accepts or rejects the user.

frontal image capture situations. Neural Networks: use algorithms that use as much of the face as possible. Not as robust as the other technologies. ‡ 26 03 June 2008 Bell Restricted . Neural networks are a step up from LFA. and corners of mouth. These algorithms run as the human brain would in cognition to learn about facial features.FACIAL (continued) ‡ Automatic Face Processing (AFP): This 2D technology uses distances and distance ratios between eyes. but may be more affective in dimly lit. nose.

FACIAL (continued) ‡ New Volumetric-based 3D Processing Systems: Create a template of the face that is based on tens-of-thousands of points on the face.. ‡ The input starts as a digital image and does not need to be converted The secret to a true 3D method lies in the ability to use direct measurements to compare individuals. ± 27 03 June 2008 Bell Restricted . ‡ That is. ± A 3D laser camera takes a picture of the face and represents it within a virtual cube. these systems look at specific points within a millimeter apart. rather than the traditional method of an indirect search for facial features on an image. thus forming a very high-resolution interpretation of the subject.

g. airports) ‡ ‡ 28 03 June 2008 Bell Restricted . etc Human faces vary dramatically over long term (aging) and short term (facial hair growth. frowning. plastic surgery) Expected high rate of acceptance as people are already used to being photographed or monitored Best method for identification systems (e.e. beards.FACIAL (continued) ‡ ‡ ‡ ‡ ‡ Varying light (i. different hair styles. outdoors) can affect accuracy Some systems can compensate for minor changes such as puffiness and water retention Smiling. etc can affect accuracy Some systems can be confused by glasses.

FACIAL (continued) Source: MIT Face Recognition Demo Page Source: biometrics.cse.msu.edu/info.html 29 03 June 2008 Bell Restricted .

diabetes or glaucoma may give inconsistent readings Template aprox 35 Bytes and extremely reliable Primary use is in high security access control 30 03 June 2008 Bell Restricted .RETINA SCANNERS ‡ ‡ ‡ ‡ ‡ Rely on the uniqueness of the pattern of blood vessels lining the retina Users place their eyes a few inches from an incandescent light beam and the sensor maps the capillary pattern by measuring reflected light People with high blood pressure.

RETINA SCANNERS (continued) Camera Enrollment device Source: Biometrics Store Website 31 03 June 2008 Bell Restricted .

RETINA SCANNERS (continued) Main retina features Actual photo of retina Source: American Academy of Ophthalmology 32 03 June 2008 Bell Restricted .

and pattern matching (i.e. bad phone line.VOICE VERIFICATION ‡ ‡ A completely non-intrusive technique Examines tonal wave patterns that cannot be imitated by other individuals (voice patterns of impersonators are different than the real voice pattern) Analog recordings cannot reproduce accurate tone patterns. comparing successive voice samples) may help to prevent reply attacks based on digital voice recordings ‡ ‡ ‡ ‡ Most appropriate method for telephone use People with colds & laryngitis can affect FRR ± although slight variations can be compensated for Signal quality can introduce errors (e.g. but digital recordings may be able to do so ± Random question and answer techniques. noise in background) 03 June 2008 Bell Restricted 33 .

It is these well-formed. called the frame. This frame is the essence of voice verification technology.VOICE VERIFICATION (continued) A complete signal has an overall pattern. Since no two vocal tracts are exactly the same. These patterns are created from the size and shape of the physical structure of a person's vocal tract. as well as a much finer structure. no two signal patterns can be the same. 34 03 June 2008 Bell Restricted . regular patterns that are unique to every individual.

The image at right shows how characteristics of voice actually involve much more of the body than just the mouth. harmonics. and shape of vocal tract. tone. pitch. 35 03 June 2008 Bell Restricted .VOICE VERIFICATION (continued) These unique features consist of cadence.

etc to characterize an individual User stress can affect the accuracy of this device Signatures tend to change over time These types of devices are now starting to make their way into practical everyday use 36 03 June 2008 Bell Restricted . angle-ofattack and stroke characteristics (40 plus) A typical system will take up to 100 elements of speed.SIGNATURE ANALYSIS ‡ ‡ ‡ ‡ ‡ These devices quantify speed. pressure. pressure.

It also protects against fraud since it is practically impossible to duplicate "how" someone signs. and thus allows for strong authentication. and the angles in various directions. This signing pattern is unique for each individual. 37 03 June 2008 Bell Restricted Source: Biometrics Store Website and Smart Pen . the speed of writing.SIGNATURE ANALYSIS (continued) Built-in sensors register the dynamics of the act of writing. These dynamics include the 3D-forces that are applied.

EXAMPLE IMPLEMENTATIONS ‡ ‡ ‡ ‡ ‡ Otay Mesa. California/Mexico border crossing ± ± ± facial recognition of drivers who frequently cross border uses iris scanning to identify over 10. Florida Coca Cola is using hand geometry to prevent workers from ³buddy punching´at the time clock Lotus employees must pass hand geometry scan before picking up their kids at the company daycare 38 03 June 2008 Bell Restricted .000 race horses seasons ticket holders gain entrance by finger geometry Japanese Racing Association Walt Disney World.

IMPLEMENTATIONS (continued) ‡ ‡ Several states use voice recognition for parolees on home detention US Immigration and Naturalization Service ± Frequent travelers between Canada and Montana use voice verification to access an automated border crossing system ‡ ‡ ‡ A leading ATM manufacturer in Tokyo. OKI Electric Industry Co has implemented iris scanners in ATM machines of Japanese banks ICAO using facial recognition as mandatory identifier and fingerprints & iris as optional identifiers on MRTDs Aeroplan ± Voice Recognition System for Account Access 03 June 2008 Bell Restricted 39 .

$3.IMPLEMENTATIONS (continued) ‡ ‡ ‡ ‡ Terminal 3 at Pierson Airport uses hand geometry to identify frequent travelers between US and Canada Canadian Airlines uses voice recognition to control access at two of its hangars Citizenship and Immigration Canada .5 million biometric pilot project Transport Canada and the Canadian Air Transport Security Authority (CATSA) new restricted area identification card Facial Recognition Project at the Passport Office Bell Canada ± Maintenance Technician Voice Verification Bell Canada ± Client Account Access Voice Verification (³My voice is my password´) ‡ ‡ ‡ 40 03 June 2008 Bell Restricted .

Summary ‡ ‡ Today's powerful computers and microelectronics make biometric identification and verification systems a reality Biometric advocates still face uphill battle to convince the skeptical public. lawyers & security professionals that systems are safe. legislators. Biometrics has seen a resurgence in interest and is now being seriously considered by governments and other organizations as part of their solution for ensuring the identity of individuals and protecting their assets Biometrics by itself is not the solution. reliable and worth implementing In the aftermath of 9/11. only the inappropriate or inadequate implementation of it is 03 June 2008 Bell Restricted ‡ ‡ ‡ ‡ 41 . only one part of it Biometrics has the potential to be utilized in any application where authentication and verification is required and it is only a question of time before we start to see these systems used in our daily lives Use of Biometrics is not the main contributor to security and privacy risks.

Sign up to vote on this title
UsefulNot useful