BIOMETRICS IN IDENTIFICATION & AUTHENTICATION

Access Control Systems:

Identification and authentication are the very basis of access control systems.
Identification and authentication are a two-phase, or two-step, process, in which
the user first professes his identity to a system (typically by typing in his log-in
ID), and the system thereafter verifies, or authenticates, his claim by verifying his
password. Access is allowed to the user only when the log-in ID of the user is
found in the systems table, and the password matches the value stored against
that users log-in ID.
Basis of Authentication systems
Authentication systems are based on one or more of the following factors: Something you know: for example, a PIN (personal identification number)
or password.
Something you have: an ATM card or a smart card.
Something you are: a unique, verifiable trait of an individual, such as a
fingerprint or retina scan.
When two of the above factors are combined for the purpose
of authentication, such as possession of an ATM card and keying in the correct
PIN, this is called two-factor authentication.
In this article, we shall focus on the factor something you are which falls within
the ambit of Biometrics.
Biometrics:
Biometrics is defined as an automated means of identifying or authenticating the
identity of a living person based on physiological or behavioral characteristics.
Biometric access controls are considered the most effective means of
authenticating a users identify because, while cards and PINs / passwords
(something you have and something you know) can be stolen or compromised, it
is almost impossible to simulate a physical (e.g., fingerprint) or behavioral (e.g.,
voice) characteristic. Biometric systems can be used in both physical and logical
access controls.
The Process
To apply biometric controls, a users biometric feature is first enrolled into the
system by an iterative, averaging process in which the feature or characteristic is
extracted, digitized and a template created from it. Subsequently, when the user
desires to access the system, a reader interprets that characteristic and
compares it with the template. Access is allowed if there is a match and denied if
there is none. A margin for variance can be set. However, it should be noted

that even Biometric features can change (our voice does not always sound the
same, signatures can vary, even fingerprints may be scarred or damaged in
accidents), and hence biometric controls may sometimes fail.
PHYSICAL BIOMETRIC CONTROLS
Fingerprint This is the most commonly used biometric control. When a user
places his or her finger on a scanner for a few seconds, 30-40 details are read,
like ridge patterns, bifurcations and divergences, etc. These details are
compared with the stored template of that user to decide whether or not to allow
access.
Retina Optical technology is used to map the capillary pattern of the users
retina. As the capillary patterns of the retina are unique for every human being,
retinal scan is the most reliable biometric control. However, user acceptability is
a practical problem as the user has to put his or her eye very close to the reader.
Iris Iris-scanning is an improvement over retinal scanning. It is also highly
reliable as the iris has over 400 characteristics and these remain stable over
time. The user has to focus his or her vision on the reflection of their iris in the
device, upon which the reader scans their iris and compares it with a stored
value. It has greater acceptability than retina scanning as close contact with a
device is not necessary, but these methods are expensive.
Palm/hand geometry: These systems are based on physical characteristics of
the palm / geometry of the hand, such as ridges and valleys on the palm, threedimensional measurements of the users hand and fingers. The advantages of
these are social acceptance (people are far less reluctant to place their
palms/hands on a device than bring their eyes close to it) and low requirement of
resources in terms of storage space.
BEHAVIOUR-OREINTED BIOMETRIC CONTROLS
These are usually based on signature recognition and voice recognition.
Signature recognition involves capturing and using two areas of information
about an individuals signature: the features of the signature and the features of
the process of signing. Signature dynamics, like the speed of signing, pressure
applied, directions, stroke lengths and the points at which the pen is lifted from
the surface, are recorded. The process is easy to use and can be implemented
at a relatively low cost. It is highly effective because, while a forger can usually
replicate the image of a signature, it is virtually impossible to reproduce the
signature dynamics. Disadvantages are that not all users sign in a consistent
manner and signatures may vary when a person is ill or excited / upset.
Voice recognition requires an individual to speak a certain phrase, called a
passphrase, and converting it into a digital template. However, the system may

not work sometimes because an individuals voice may change when he is

unwell (e.g., a cold) or because background noise may interfere.
Performance Measures of Biometrics:
There are three major quantitative measures in biometrics:a) False rejection rate (FRR)
FRR is the percentage of valid / authorized users wrongly denied access
by
the system
b) False acceptance rate(FAR)
FAR is the converse of FRR and is the percentage of invalid users who are
wrongly given access by the system.
c) Cross over error / Equal error rate (CER/EER).
CER / EER is the percent when FRR and FAR are equal.
Obviously, the most effective system is the one
with the lowest CER / EER.
In conclusion, it can be stated that biometrics are a powerful authentication tool.
Biometric tools are often used in top secret scientific and military installations,
where allowing access to an unauthorized person can be disastrous (false
acceptance). However, it is always preferable to rely on more than one factor for
authentication (something you know or something you have, besides something
you are).

By D.S.Mahanty, CM
Information Security Dept
Corporate Centre, Belapur