Fundamentals of Biometric System Design. Chapter 1 Introduction

Transcription

1 Fundamentals of Biometric System Design by S. N. Yanushkevich Chapter 1 Introduction Biometric sensor Biometric sensor Computer platform Biometric sensor Biometric sensor Verification: Am I whom I claim to be? Identification: Who am I? Verification and identification Positive recognition Negative recognition Leading biometric technologies Biometric systems Applications Historical perspectives Advanced topics Further reading Problems

2 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 2 Preface Biometric is understood as a measurable physiological and/or behavioral trait that can be captured and compared with another instance at the time of verification. Biometric data is unprocessed or raw biometric data. This data cannot be used to perform biometric matches. Biometric system do not store biometric data. The process by which a user s biometric data is initially acquired, assessed, processed, and stored in the form of a template is called enrollment. Biometrics is the science of the measurement of unique human characteristics, both physical and behavioral. Biometric technology refers to any technique that reliably uses measurable physiological or behavioral characteristics to distinguish one person from another. The roots of biometric technology go back a long way, about several thousands of years. This lecture is the base for the implementation issue of biometric technology. We follow a three phase scheme: biometric data acquisition, biometric techniques, and computing platform, that is: Biometric data } {{ } From sensors Biometric techniques } {{ } Interdisciplinary methodology Computing platform } {{ } Hardware and software Biometric data are generated by humans and can be analyzed by biometric system in various bands (visible light, infrared, and acoustic). The purpose of this analysis can be defined as the identification of person, illness diagnostic (recognition), behavior state recognition, and human-machine interface design. Common physiological biometric traits include, for instance, Fingerprints, Retina, Iris, Facial images, and Hand geometry. Whereas, common behavioral biometric traits include, in particular, signature, gait, voice recordings, and keystroke rhythms. A biometric system should meet the specified recognition accuracy, speed, and resource requirements, be harmless to the users, be

3 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 3 accepted by the intended population, and be sufficiently robust to various fraudulent methods and attacks to the system. Biometric system is an application-specific computer system. Application-specific techniques (pattern recognition methods, algorithms, and programs) are implemented using efficiency organized hardware platform. Biometric data are characterized by the following features: Universality, Distinctiveness, Permanency, Contestability, Reliability, and Acceptability. Biometric system operates as follows: Acquiring biometric data } {{ } From an individual Processing } {{ } Comparing against the templates } {{ } From the acquired data From the database Essentials of this lecture Multidisciplinary methodology and techniques of the biometric system design. The lecture outlines the consequences of adopting various design platforms such as distributed systems, fault tolerant systems, parallel computer architecture, mobile systems, and portable systems and devices. Biometric system design is appear relevant to these platforms but within the constraints of specific-area applications (security, attack-tolerance, etc.). Self-study. This lecture provides a(future) designer of a biometric system with necessary background information. Use as reference. A designer faced with newly developed technologies needs to consult the research literature and other more specialized texts; the many references provided can aid such a search. Dr. S. Yanushkevich

4 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 4 Introduction to Biometric System Design Information necessitating a change of design will be conveyed to the designer after - and only after - the plans are complete. Murphy s Law (First Law of Revision) a a 2009 Calendar by A. Bloch, Andrews McMeel Publishing, Kansas City Biometrics is the science of the measurement of unique human characteristics, both physical and behavioral. The word biometrics is a combination of the Greek words bio and metric. When combined, it means life measurement. Biometric technology refers to any technique that reliably uses measurable physiological or behavioral characteristics to distinguish one person from another. Common physiological biometric traits include, for instance, fingerprints, retina, iris, facial images, hand geometry. Whereas, common behavioral biometric traits include, in particular, signature, gait, voice recordings, and keystroke rhythms. This lecture focuses on the role of biometric information in state-ofthe-art biometric systems. 1 Biometric system as an application-specific computer system Biometric system is an application-specific computer system. The design of a biometric system is considered as an efficient implementation of application-specific techniques (methods, algorithms, and programs) using some computing platform (Fig. 1). Application-specific techniques Application-specific hardware platform Biometric techniques Computer platform Application-specific software platform Application-specific I/O interfaces Fig. 1: Biometric system is an application-specific computer system consisting of the specific-purpose programs and computing platform.

5 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 5 The key components of biometric system are: Component 1: Biometric data sensors. Generation of biometric data in the form of signals such as visual, acoustic, and other electromagnetic spectrum signals (Fig. 2)is a nature of humans. 1 µm 1 mm 1 m 1 km Visible light Infra red Voice Fig. 2: Generation of biometric data. This data can be used for various purposes, such as illness diagnostic and recognition, behavior state recognition, human-machine interface design, and identification. In this lecture, the goal of manipulation of biometric data is the identification of persons. Biometric data used for person identification must satisfy various criteria discussed in this chapter. Additional constraints are applied to biometric data at the state of implementation. Component 2: Techniques for manipulation of biometric data include various algorithms for filtering, transforms, and pattern recognition. Also decision-making algorithms are used at various phases of biometric data manipulation. Component 3: Hardware platform for the implementation of these techniques. Often the application-specific instruction-set processors are used as a hardware platform for biometric devices and systems. The instruction set of these processors is tailored to benefit a specific (biometric) application. This specialization of the core provides a tradeoff between the flexibility of a general purpose CPU and the performance of application-specific instruction-set processors. Applications-specific systems, such as biometric systems, have constraints on latency; that is, for the system to work, the specific-purpose programs must be completed within some time constraint. A specialized digital signal processor (DSP) for digital signal processing is a typical example of an application-specific design using special architecture. Another examples of applications-specific systems are high definition digital TV systems, encryption and decryption, private property protection, automobile control systems, and personal assistances.

6 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 6 Advanced methodologies for designing application-specific computer systems are Application - Specific Integrated Circuits (ASIC) and System-on-Chip (SoC). A typical platform design flow is given in Fig. 4. The design begins with the exploration of the biometric application requirements (the first phase). Requirements such as execution time, resource utilization, power dissipation, etc., are derived and their mutual dependencies specified. Information about appearance of special functions and function sequences calling for hardware acceleration is also needed. Biometric system can have different configurations. These configurations can be characterized as centralized and distributed architectural designs. Example 1: (Biometric system configurations.)in Fig. 3, the distributed biometric system is shown. Biometric sensor Computer platform Biometric sensor Computer platform Biometric sensor Computer platform Biometric sensor Computer platform Biometric sensor Biometric sensor Computer platform Biometric sensor Biometric sensor (a) (b) Fig. 3: Example of configuration of biometric systems: distributed architecture (a) and centralized architecture (star-like configuration) (b). 2 Biometric data specification Any human physiological and/or behavioral characteristic can be used as a biometric data as long as it satisfies the following requirements 1 : 1 A. Jain, R. Bolle, and S. Pankanti, Eds., Biometrics: Personal Identification in a Networked Society, Kluwer, 1999

7 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 7 Requirements to biometric data Requirement 1: Universal (every person should have that characteristic), Requirement 2: Unique (no two people should be exactly the same in terms of that characteristic) Requirement 3: Permanent (invariant with time) Requirement 4: Collectable (can be measured quantitatively) Requirement 5: Reliable (must be safe and operate at a satisfactory performance level) Requirement 6: Acceptable (non-invasive and socially tolerable). In a biometric system, that is, a computer system that employs biometrics for personal recognition, there is a number of other issues that should be considered, in particular: Performance, which refers to the achievable recognition accuracy and speed, the characteristics of required resources, as well as the operational and environmental factors; Acceptability, which refers to the extent to which people are willing to accept the use of a particular biometric identifier (characteristic) in their daily lives. In addition, the characteristic called a circumvention introduces the behavior of a biometric system for particular scenarios: how easily the system can be fooled using fraudulent methods. 3 Application-specific techniques for biometric data manipulation Techniques for manipulation of biometric data include various algorithms such as filtering, convolution, Fourier transforms, and pattern classification and recognition. Decisionmaking techniques are applied in most simple form, such as threshold, at the lowest level. Sophisticated algorithms for decision making under uncertainty are used at the highest levels of the system such as human-machine interface. In this section, we consider the verification and identification. 3.1 Verification and identification An application-specific techniques biometric system is essentially a pattern recognition system that operates by acquiring biometric data from an individual, extracting a feature

8 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 8 1 Application domain exploration Characterization of: Deployed biometric system Deployed terminals Re-design if needed 2 Functional block selection Computational complexity estimation Functional block specification Re-design if needed 3 Communication network design Scheduling tasks Deriving communication constraints Communication protocols 4 Floor planning Physical characterization Communication network Optimization Verification Algorithm implementation Re-design if needed Fig. 4: Platform-based design flow.

9 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 9 set from the acquired data, and comparing this feature set against the template set in the database. Identification and verification (also known as authentication) are both used to declare the identity of a user. Depending on the application context, a biometric system may operate either in verification mode or identification mode. Before a system is able to verify/identify the specific biometrics of a person, the system requires something to compare it with. Therefore, a profile, or template, containing the biometric properties, is stored in the system. Recording the characteristics of a person is called enrollment. As a user, you can be identified or verified on the basis of: Something you know, for example, a password or a PIN. Something you hold, for example, a credit card, a key, or a passport. Something you are (biometrics), for example, a fingerprint or iris patterns Using something you know and hold are two easy identification/verification solutions widely used today. Using something you know only requires memorization of some data (passwords, etc.), but can, on the other hand, be easily overheard, seen, or even guessed. An item you hold can be stolen and later on used or copied. Using biometrics might, at first, seem to overcome these problems, since fingerprints, iris patterns, etc. are part of your body and thus are not easily misplaced, stolen, forged, or shared. This report might, however, give you some new insight about this subject. One way to increase security in an identification/verification system is to combine two or more different identification/verification methods. Depending on the application context, a biometric system may operate either in: Verification mode or Identification mode. 3.2 Verification: Am I whom I claim to be? In the verification mode, the system validates a persons identity by comparing the captured biometric data with his or her own biometric template(s) stored in the system database. In such a system, an individual who desires to be recognized claims an identity, usually via a personal identification number (PIN), a user name, or a smart card, and the system conducts a one-to-one comparison to determine whether the claim is true or not (Am I whom I claim to be?) Identity verification is typically used for positive recognition, where the aim is to prevent multiple people from using the same identity. Let: Input feature vector X Q extracted from the biometric data,

10 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 10 I be a claimed identity, w 1 be the class that indicates that the claim is true (a genuine user), w 2 be the class that indicates that the claim is false (an impostor), S(X Q,X I ) be the function that measures the similarity between feature vectors X Q and X I, t is a predefined threshold. The verification problem is formulated as follows: Given X Q, determine if (I,X Q ) belongs to class w 1 or w 2. The verification problem can be described in the form Class w 1, if S(X Q,X I ) t Verification (I,X Q ) Class w 2, otherwise (1) Typically, X Q is matched against X I, the biometric template corresponding to user I, in order to determine its category. The value S(X Q,X I ) is termed as a similarity or matching score between the biometric measurements of the user and the claimed identity. Therefore,everyclaimedidentityisclassifiedintow 1 orw 2 basedonthevariablesx Q,X I, I, and t, and the function S. Note that biometric measurements of the same individual taken at different times are almost never identical. This is the reason for introducing the threshold t. 3.3 Identification: Who am I? In the identification mode, the system recognizes an individual by searching the templates of all the users in the database for a match. Therefore, the system conducts a one-tomany comparison to establish an individuals identity(or fails if the subject is not enrolled in the system database) without the subject having to claim an identity (Who am I?) Let: I k, k 1,2,...,N,N +1 be the identity. Suppose that I 1,I 2,...,I N are the identities enrolled in the system and I N+1 indicates the reject case where no suitable identity can be determined for the user. X Ik be the biometric template corresponding to identity I k, and t is a predefined threshold. The identification problem is formulated as follows: given an input feature vector X Q, determine the identity I k, k 1,2,...,N,N +1. This can be described in the form

11 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 11 I k, if max S(X Q,X Ik ) t k Identification I Q I N+1, otherwise (2) Identification is a critical component in both positive and negative recognition applications. 4 Person identification: Positive and Negative Positive and negative recognition The purpose of positive recognition is to prevent multiple people from using the same identity. The purpose of negative recognition is to prevent a single person from using multiple identities. There is actually nothing in your voice, hand shape or any biometric measure to tell the computer your name, age or citizenship, or to establish your eligibility to vote. External documents (passport, birth certificate, naturalization papers) or your good word establishing these facts must be supplied at the time you initially present yourself to the biometric system for enrollment. At this initial session, your biometric characteristic, such as an eye scan, is recorded and linked to this externally-supplied personal information. At future sessions, the computer links you to the previously supplied information using the same physical characteristic. Even if the biometric system works perfectly, the personal data in the computer, such as your voting eligibility, is only as reliable as the original source documentation supplied. Once the computer knows your claimed identity, it can usually recognize you whenever you present the required biometric characteristic. No biometric identification system, however, works perfectly. Problems are generally caused by changes in the physical characteristic. Example 2: (Physical characteristic changes.) Even fingerprints change as cuts, cracks and dryness in the skin come and go. It is far more likely that the computer will not recognize your enrollment characteristic than link you to the characteristic of someone else, but both types of errors do occur. To minimize the possibility that you will be linked to another record, positive identification systems ask you to identify yourself. Your biometric characteristic is then compared to the characteristic stored at the time you enrolled. Biometric measures

12 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 12 are always fuzzy to some extent, changing over time and circumstance of collection. If the submitted and stored biometric measures are close enough, it is assumed that you are indeed the person enrolled under the identity you claimed. If the presented and enrolled characteristics are not close enough, you will generally be allowed to try again. If multiple attempts are allowed, the number of users falsely rejected can be under 1%, although there are always some people chronically unable to use any system who must be given alternate means of identification. The possibility that an impostor will be judged close enough, even given multiple attempts, is usually less than one in ten. Example 3: (Multiple attempts.) The threat of being caught in 9 out of 10 attempts is enough to deter most impostors, particularly if penalties for fraud are involved. Positive identification using biometrics can be made totally voluntary (Fig. 5). People not wishing to use the system can instead supply the source documents to human examiners each time they access the system. Many biometric methods have been used in public systems for positive identification: hand and finger geometry, iris and retinal scanning, voice and face recognition, and fingerprinting. There is a another way some biometric systems can be used: negative identification. In these applications, found in driver licensing and social service eligibility systems where multiple enrollments are illegal, the user claims not to be enrolled. Apart from the honor system, where each persons word is accepted, there are no alternatives to biometrics for negative identification. During enrollment, the system must compare the presented characteristic to all characteristics in the database to verify that no match exists. Because of the ongoing changes in everyones body, errors can occur in the direction of failing to recognize an existing enrollment, perhaps at a rate of a few percent. But again, only the most determined fraudster, unconcerned about penalties, would take on a system weighted against him/her with these odds. False matches of a submitted biometric measure to one connected to another person in the database are extremely rare and can always be resolved by the people operating the system. Negative identification applications cannot be made voluntary. Each person wishing to establish an identity in the system must present the required biometric measure. If this were not so, fraudsters could establish multiple enrollments simply by declining to use the biometric system. On the other hand, negative identification can be accomplished perfectly well without linkage to any external information, such as name or age. This information is not directly necessary to prove you are not already known to the system, although it may be helpful if identification errors occur.

13 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 13 Positive identification To prove I am someone known to the system Negative identification To prove I am not someone known to the system Comparison of submitted sample to single claimed template Comparison of submitted sample to all enrolled templates Alternative identification methods exist No alternative methods exist Can be voluntary Must be mandatory for all Biometric measures linked to personal information (name, age, citizenship) only through external source documents. Linkage to personal information not required. Fig. 5: Positive and negative identification using biometrics. and corresponding technologies demonstrated in public systems. While traditional methods of personal recognition such as passwords, PINs, keys, and tokens may work for positive recognition, negative recognition can only be established through biometrics. In positive identification systems, a false match is called a false acceptance, and a false non-match is called a false rejection. In negative identification systems, the terminology is reversed. Regardless of whether a system is for positive or negative identification, false acceptances allow for fraud and false rejection. Those are inconvenient and require exception handling. The false rejection rate is immediately measurable from user demands for exception handling. Instances of false acceptance are almost never reported. The perceived rate, however, must be kept low enough to maintain deterrence.

14 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 14 5 Biometric data Any human physiological and/or behavioral measurements represent some biometric data. Although many types of data the human body carries or generates various types of data in different spectral bands, not all biometric data are deployed in biometric systems. Example 4: (Future generation of biometric systems.) Brain activity can be considered as generation of biometric data. This data can be extracted using monitoring brain activity (for example, EEG techniques) and is useful for the brain-machine interface design. But these data cannot be used in biometric system design for two main reasons: (a) high cost of acquisition equipment and processing techniques and, (b) insufficiency of study performed on the data that proves its feasibility for humans identification. By the same reason, DNA-based systems are considered as a future generation of biometric systems. Hence, there are various constraints for using biometric data in biometric system design. These constrains can be introduced in the form of the requirements to biometric data. 5.1 Six basic requirements to biometric data Biometric data can be used as a biometric characteristic for human identification, if it does satisfy the following key requirements: Requirement 1: Permanence. The biometric data should be sufficiently invariant over a period of time. Requirement 2: Distinctiveness. Any two persons should be sufficiently different in terms of the characteristic. Requirement 3: Collectability. The biometric data can be measured quantitatively. These three key requirements are considered while choosing the type of biometric data application for a particular. Example 5: (Requirements to biometric data.) An example of permanent biometric data is fingerprint and iris; the nonpermanent data include face (because of aging, disguise), and voice (aging, illness). The requirements of distinctiveness and collectability of biometric data are concerned assessing the available techniques and tools.

15 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 15 In addition, the following three requirements to biometric data must be satisfied while developing and implementing various algorithms for biometric data manipulation: Requirement 4: Acceptability which indicates the extent to which people are willing to accept the use of their particular biometric identifiers (characteristics) in their daily lives Requirement 5: Performance. It refers to the achievable accuracy and speed using the reasonable computing resources, as well as the operational and environmental factors that affect the accuracy and speed. If biometric data do not satisfy this requirements, for example, the cost of computing resources is not acceptable to achieve desired accuracy and performance parameters, this data is considered as unacceptable for biometric system design. Requirement 6: Circumvention. It reflects how easily the system can be fooled using fraudulent methods. That is, biometric data and system for its manipulation must be sufficiently robust to various attacks on system. If biometric data do not satisfy these requirements, that is, the fraudulent techniques can be easy developed, these biometric data are considered as unacceptable for biometric system design. Alternative solution is to use multiple biometric data, for example, fingerprints and facial images. Moreover, techniques for biometric data extraction must be harmless to the users and be accepted by the intended population. Example 6: (Biometric data chart.) Consider various types of data and how they satisfy the above requirements. This analysis results are presented in Summary 1, 2, and 3 and the chart in Fig. 6. For example, the row Summary 1 includes three types of biometric data that satisfy all six requirements. 5.2 Properties of biometric data There is a number of additional properties of biometric data, such as distorted data, intra-class variations, distinctiveness, and nonuniversality. Distortion in sensed data. The sensed data might be noisy or internationally distorted. Afingerprintwithascaroravoicealteredbycoldareexamplesofnoisydata. Noisydata could also be the result of defective or improperly maintained sensors (e.g., accumulation of dirt on a fingerprint sensor) or unfavorable ambient conditions (for example, poor

16 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 16 R e q u i r e m e n t B i o m e t r i c t y p e Permanence 2 Distinctiveness 3 Collectability 4 Acceptability 5 Performance 6 Circumvention Summary 1 Summary 2 Summary 3 Fig. 6: Biometric data chart (Example 6). illumination of a user s face in a face recognition system). Noisy biometric data may be incorrectly matched with templates in the database resulting in a user being incorrectly rejected. Intra-class variations. The biometric data acquired from an individual during authentication may be very different from the data that was used to generate the template during enrollment, thereby affecting the matching process. This variation is typically caused by a user who is incorrectly interacting with the sensor or when sensor characteristics are modified (for example, by changing the sensor interoperability) during the verification phase. As another example, the varying psychological makeup of an individual might result in vastly different behavioral traits at various time instances. Distinctiveness. While a biometric trait is expected to vary significantly across individuals, there may be large inter-class similarities in the feature sets used to represent these traits. This limitation restricts the discriminability provided by the biometric trait. Example 7: (Distinctiveness.) The information content (number of distinguishable patterns) in two of the most commonly used representationsofhandgeometryandfaceareonlyoftheorderof 10 5 and 10 3, respectively. Thus, every biometric trait has some theoretical upper bound in terms of its discrimination capability. See, for example, M. Golfarelli, D. Maio, and D. Maltoni, On the errorreject tradeoff in biometric verification systems, IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 19, pp , July 1997.

17 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 17 Non-universality. While every user is expected to possess the biometric trait being acquired, in reality it is possible for a subset of the users not to possess a particular biometric. Example 8: (Non-universality.) A fingerprint biometric system may be unable to extract features from the fingerprints of certain individuals, due to the poor quality of the ridges. Attacking the biometric identifiers. An impostor may attempt to spoof the biometric trait of a legitimately enrolled user in order to circumvent the system. This type of attack is especially relevant when behavioral traits such as signature and voice are used. However, physical traits are also susceptible to spoof attacks. Example 9: (Attacking biometric identifiers.) It has been demonstrated that it is possible(although difficult and cumbersome and requires the help of a legitimate user) to construct artificial fingers/fingerprints in a reasonable amount of time to circumvent a fingerprint verification system. Thetermspoofing isoftenusedtoindicateasecurityattackwhereanattacker(evena legitimate user of a system), runs a program with a false login screen and the unsuspecting user provides password and ID to an attacker. Several scenarios are possible in this situation, which depend on the attacker s strategy. Example 10: (Spoofing.) The attacker can, after memorizing the password and ID, allow the user to enter the system. The attacker can later re-enter the system using the stolen password and ID. Or, the attacker can refuse to allow the user to continue stating, with a fake error message, that the system cannot allow access at this time. At this point in time, the fake control screen seizes, and the user is logged off. The attacker, at a later point in time, logs onto the screen using the falsely obtained user ID and password. This is spoofing. Intellectual property protection. One of the ways of protection the intellectual property rights using biometric data is known as a watermarking.

18 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 18 6 Leading biometric technologies Example 11: (Watermarking.) Watermarking is defined as a mechanism for embedding specific data into host data. This specific data must satisfy a number of requirements, in particular: author (source, the used tools, technique, etc.) identification, and being difficult to detect and remove. The goal of watermarking is to protect the intellectual property rights of the data. In certain applications, such as integrated circuit printed boards, as well as some documents, biometric data is used as a watermark. Some of the more traditional uses of physiological and behavioral characteristics are given in Fig. 7. Today biometric systems can achieve the following error rates: Error rates of some biometric systems Fingerprint identification system: of 1 in 10 5 using a single fingerprint, Iris identification system: of 1 in 10 6 using a single iris, Facial identification system: of 1 in 10 3 using a single face appearance. In order to uniquely identify one person in a population, for example, of 50 million, a fingerprint system should use at least four fingers per person, and an iris system should use both eyes. Facial biometrics could not provide a sufficient accuracy of identification of this population. However, facial identification system can be used in one-to-one comparison as an aid to identity checking, for example, for passport holders. The applicability of a specific biometric technique depends heavily on the requirements of the application domain. No single technique can outperform all the others in all operational environments. In this sense, each biometric technique is admissible, and there is no optimal biometric characteristic. Example 12: (Comparison.) It is well known that both the fingerprint-based and iris-based techniques are more accurate than the voice-based technique. However, in a telebanking application, the voice-based technique may be preferred, since it can be integrated seamlessly into the existing telephone system. Advantages and disadvantages of biometrics are discussed in Section 10, Further study.

19 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 19 LEADING BIOMETRIC TECHNOLOGIES Facial recognition attempts to identify a subject based on facial characteristics (eye socket position, space between cheekbones, etc.). Fingerprint recognition systems rely on the biometric device s ability to distinguish the impressions of ridges and valleys made by an individual s finger. Hand geometry solutions take more than 90 dimensional measurements to record an accurate spatial representation of an individual s hand. The geometry of the hand is not known to be very distinctive and may not be invariant during the growth period of children. The physical size of a hand geometry-based system is large, and it cannot be embedded in certain devices like laptops. Palmprint recognition is based on the palms of the human hands that contain pattern of ridges and valleys(like the fingerprints) and additional distinctive features such as principal lines and wrinkles. When using a high-resolution palmprint scanner, all the features of the palm such as hand geometry, ridge and valley features, principal lines, and wrinkles may be combined to build a highly accurate biometric system. Iris scanning/recognition uses a camera mounted between three and 10 feet away from the person to take a high definition photograph of the individual s eyes. It then analyzes of two-three hundreds different points of data from the trabecular meshwork of the iris. Retina scanning/recognition involves an electronic scan of the retina, the innermost layer of the wall of the eyeball. Signature dynamics/recognition not only compares the signature itself, but also marks changes in speed, pressure and timing that occur during signing. Keystroke dynamic techniques measure dwell time (the length of time a person holds down each key) as well as flight time (the time it takes to move between keys). Taken over the course of several login sessions, these two metrics produce a measurement of rhythm to each user. Voice/speaker recognition techniques digitize a profile of a person s speech into a template voiceprint and stores it as a table of binary numbers. During authentication, the spoken passphrase is compared to the previously stored template. Gait recognition is defined as the identification of a person through the pattern produced by walking. Gait has particular advantages over other biometrics: it can be used at a distance, uses no additional skills on the part of the subject, and may be performed without the subject s awareness or active participation. Gait is not supposed to be very distinctive, but is sufficiently discriminatory to allow verification in some low-security applications. Ear recognition attemptstoidentifyasubjectbasedontheshapeoftheearandthestructure of the cartilegenous tissue of the pinna. Ears are characterized by a stable structure that is preserved from birth well into old age. The features of an ear are not expected to be very distinctive in establishing the identity of an individual. Fig. 7: Leading biometric technologies.

20 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 20 7 Applications As mention in Section 3, there are two basic applications of biometric technology: Verify if I am someone enrolled in the system (called a positive identification) Verify if I am not someone enrolled in the system (called a negative identification). Recall that for positive identification, the user will generally claim an identity by giving a name or an ID number, then submit a biometric measure. That measure is compared to the previously submitted measure to verify that the current user is the one enrolled under the claimed identity. The purpose of positive identification is to prevent multiple users from claiming a single identity. There are numerous non-biometric alternatives in such applications, such as ID cards, PINs and passwords. Consequently, use of biometrics for positive identification can be made voluntary, and those not wishing to use biometrics can verify identity in other ways. Example 13: (Immigration and naturalization service.) The U.S. Immigration and Naturalization Service Passenger Accelerated Service System (INSPASS), in use at airports, is an example of voluntary, positive-identification biometric system. In negative identification, a user claims not to be previously enrolled in the system and submits a biometric measure, which is compared to all others in the database. If a match is not found, the user s claim of non-enrollment is verified. The purpose of negative identification is to prevent claims of multiple identities by a single user. There are no reliable non-biometric alternatives in such applications. The use of biometrics in negative identification applications must be mandatory. Example 14: (Driver s licensing.) Biometric identification for driver s licensing in many U.S. states and welfare eligibility verification in several states are examples of mandatory, negativeidentification biometric systems. Some biometric systems use both positive and negative identification. The problem of identification of Internet voters is one of both positive and negative identification. Negative identification would be required if we wished to prevent multiple registrations of the same person. Positive identification would be required to identify the person casting the vote as the registered voter.

21 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 21 Negative identification must be mandatory for all voters. In the case of Internet voting, multiple Internet registrations could be prevented by the mandatory biometric identification of all Internet voters at registration. This would not require mandatory identification of non-internet voters if we were willing to allow for the possibility of fraud through both Internet and paper registration of the same voter under different identities. Internet registration with the submission of a biometric identifier could not be securely done over the Internet, but would require in person registration and the collection of the biometric identifier by trained and trusted persons. This identifier would be placed in a database under the control of the jurisdiction. Upon verification that the registering voter is not already in the database, a voter ID number, code or PIN could be issued. Biometric identification and specialized hardware at the time of voting would not be required for negative identification. Positive identification by Internet voters using biometrics would require that biometric measures be previously registered in person with the jurisdiction and would require standardized biometric collection hardware and software on the computer used for voting. Positive biometric identification might be used on a voluntary basis to replace other types of PIN or password identification. An added problem is the occasional failure of all biometric techniques to recognize properly registered users. 7.1 Privacy issues Example 15: (Security system ID cards and Internet voting.) The State of Connecticut Social Service and Philippine Social Security System ID cards, for instance, require negative identification for issuance, but store fingerprint templates on the card for later positive identification applications. In 1999, the State of California created an Internet Voting Task Force to study the possibility of casting votes over the Internet. The task force found that one of the obstacles to Internet voting would be the identification of the person casting the vote. A biometric sensor takes a signal from a user which is transformed by a computer in some proprietary way to a template. A template is a collection of numbers (a vector) deemed to be adequately different between individuals and adequately stable over time for a single individual. Generally, the original image is discarded, and only the template is stored by the system. In almost all cases, the original image cannot be recreated from the template. Nothing inherent in a biometric system can identify a person by name, citizenship, age or race. If a system must know any of these items, they must be established through

22 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 22 external means, such as birth certificates and drivers licenses. Consequently, use of biometrics to establish real identities is only as reliable as the source documentation. Example 16: (Applications of biometrics.) Biometric systems cannot be used to establish that social service recipients are eligible for benefits beyond showing that they have not claimed multiple identities (negative identification) or have not falsely claimed the identity of a true beneficiary (positive identification). Because a biometric system cannot know who you really are, use of biometrics to support anonymous transactions becomes real possibility for applications, such as banking. Example 17: (Biometrics to support anonymous transactions.) (a) A credit card could carry one of your biometric measures instead of your name. (b) Images cannot generally be reconstructed from templates (which are just a series of numbers), system administrators cannot generally obtain any information about users in any humanly recognizable form. Consequently, biometric identification technology is, at worst, neutral with regard to privacy. 7.2 Choosing biometrics for business case All security systems require the expenditure of time, energy and money. Biometric systems are certainly no different in this regard. They are not free in any sense. Many failed biometric efforts do so, not because of deficiencies in the technology, but because the business case was not sufficient in the first place to justify the required expenditures. Fascination with the technology is not a sufficient business case. For positive identification applications, alternatives to biometrics exist that might be faster, cheaper and more seamlessly integrated into existing systems. The most successful biometric implementations are those that replace existing systems deemed too expensive or problematic to the administrators, or too cumbersome to the users. Other alternatives exist in these situations, but biometric identification has proved faster, cheaper and easier for all concerned. Other successful implementations occur when the system management has carefully assessed the alternatives and is prepared to do the work necessary to make the systems effective. In Fig. 8, we cite the summary on business case consideration, prepared at the NIST (National Institutes for Standards), USA.

23 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 23 Preparing the business case Alternatives to biometric identification exist in positive ID applications. All security systems, even biometrics, require time, money and energy to set up and run. In addition to set-up and operational costs, system throughput rates must be carefully considered. Enrollment sessions for all users is almost always required. Not all people will be able to use any biometric system successfully every time. This implies that backup systems for exception handling will always be required. Studies of user attitudes regularly show user acceptance of biometric technology to well exceed 90%. Nonetheless, there will always be a very few people who object to any new technology. Hardware/software integration will prove to be the hardest task. Biometric technologies are not plug and play". Even ideal technologies will fail if the devices cannot talk to the database or open the gate. System integration may require changes in other pieces of hardware not considered at first glance to be part of the biometric technology. Know the history and track record of the technology vendor. Commercial products and vendors are in a continual flux. The technology you invest in today may not have vendor support next year. The addition of biometrics, or substitution for another component, will inevitably lead to a change in your business processes. Beyond the software/hardware integration is the most daunting problem of integrating the use of biometrics into the existing processes. If the finished business system is not more efficient than the alternatives, the use of biometrics will be seen as a mistake. James L. Wayman, Editor, National biometric test center collected works , NIST Institute, p. 280 Fig. 8: Preparing the business case.

24 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 24 8 Summary of biometrics technologies A biometric system should meet the specified recognition accuracy, speed, and resource requirements, be harmless to the users, be accepted by the intended population, and be sufficiently robust to various fraudulent methods and attacks to the system. The key aspects of this introduction to biometric system design are as follows: (a) Verification and identification (also known as authentication) are both used to declare the identity of a user. (b) Biometric system is an application-specific computer system. Application-specific techniques (pattern recognition methods, algorithms, and programs) are implemented using efficiency organized hardware platform. (c) Biometric data are characterized by the universality, unique, permanency, contestability, reliability, and acceptability. Biometric system operates by acquiring biometric data from an individual, extracting a feature set from the acquired data, and comparing this feature set against the template set in the database. The main conclusions of this lecture are as follows: In a verification (authentication) system, the individual to be identified has to claim his/her identity (Am I whom I claim to be?), and this template is then compared to the individual s biometric characteristics. The system conducts oneto-one comparisons to establish the identity of the individual. In an identification system, an individual is recognized by comparing his/her template with an entire database of templates to find a match. The system conducts one-to-many comparisons to establish the identity of the individual. The person to be identified does not have to claim an identity (Who am I? ). Identity verification is typically used for positive recognition, where the aim is to prevent multiple people from using the same identity. Identification is a critical component in negative recognition applications where the system establishes whether the person is who he/she (implicitly or explicitly) denies to be. The purpose of negative recognition is to prevent a single person from using multiple identities. Biometrics enable a prospective approach to support anonymous transactions. This is because a biometric system cannot know who you really are.

25 S.N. Yanushkevich, Fundamentals of Biometric Systems Design 25 9 Historical perspective 1880: Alphonse Bertillon, chief of the criminal identification division of the police department in Paris, developed and then practiced the idea of using a number of body measurements to identify criminals, in particular, the potential of the human ear for personal identification. Ears have played a significant role in forensic science for many years, especially in the United States, where an ear classification system based on manual measurements has been developed by Iannarelli, and has been in use for more than 40 years, although the safety of ear-print evidence has recently been challenged in the Courts. 1888: Francis Galton proposed a formal method of classifying faces ( Personal identification and description, in Nature, June 21, 1888, pp ). He proposed collecting facial profiles as curves, finding their norm, and then classifying other profiles by their deviations from the norm. The classification was to be multi-modal, i.e. resulting in a vector of (hopefully) independent measures that could be compared with other vectors in a database. Early 1970s: Automated systems for fingerprint recognition have been made commercially available. 10 Further study Advanced topics of biometrics The successful installation of a biometric systems in various applications does not imply that it fully solves the problem of individual identification. There is plenty of scope for improvement in biometrics. Researchers are currently addressing issues related to reducing error rates, as well as looking for ways to enhance the usability of biometric systems. Topic 1: Fundamentals. An introduction to biometrics can be found in papers by Jain et. al. [32] and collection of papers edited by Jain et al. [33, 35]. State-of-the-art trends in biometrics are discussed in the book by Zhang [95]. The Guide to Biometrics by Bolle et al. [8] provides the reader with practical aspects and recommendation on development of biometric devices and systems. The authors of [92] introduced their vision on the problem of identity assurance in biometrics. Data fusion is aimed at improvement of the reliability of biometric devices and systems and is of special interest in today s biometrics. Clark and Yuille [17] introduced techniques for data fusion for sensory systems. Prabhakar and Jain [63] proposed an algorithm for decision-level fusion in fingerprint verification. Details of error rates of some biometric systems can be found in [8, 16, 19, 32, 34, 42]. Fundamentals of image processing can be found in [26]. Practical MATLAB implementation useful in synthesis of biometric data can be found in [27].