
Biometric Credentials

Biometric credentials represent the “something you are” factor of authentication. They are based on the physical or behavioral characteristics of the user. The idea behind biometric credentials is that measurable characteristics such as the user's fingerprint or the dynamics of the user's handwriting never or hardly ever change, and can therefore be used to authenticate the identity of a user.

Biometric credentials can be used for either authentication only (verification) or both identification and authentication (recognition). In either case, the authentication database must be populated with the biometric profiles of all the individuals who will be identified or authenticated. The process of population is known as enrollment; each user must provide specific biometric patterns to the system. Typically, the user will present the same pattern (such as a fingerprint) a number of times for calibration and to store a more accurate profile.

Measurements of biometric device accuracy and effectiveness are the false acceptance rate (FAR) and the false rejection rate (FRR) parameters, which are specific for each and every type of biometric credential, and potentially for different implementations. The FAR is an expression of the number of times a user was recognized by the system as a valid user while at the same time he was not a valid user. The FRR is an expression of the number of times a user was rejected by the authentication process while in fact he was a valid user. The goal of biometric authentication systems is to keep FAR and FRR low, and at the same time provide for convenient and quick authentication.

AU5219_book.fm Page 34 Thursday, May 17, 2007 2:36 PM

User Identification and Authentication Concepts  35

When biometric credentials are used for authentication (verification), the user must present his identity to the system in the form of a user ID. Biometric authentication will then capture the user’s biometric credentials and compare them against the patterns stored for the user in the authentication database, so there will be a one-to-one comparison with the existing enrollment credentials. This process typically takes less than a couple of seconds.

When biometric credentials are used for user identification (recognition), the user does not need to present a user ID to the system. The biometric credentials will be analyzed and then a search will be carried out against the authentication database to determine whether there is a known user with the specific biometric profile. If a match is found, the user is both identified and authenticated. In this case, the biometric profile is compared against many entries in the authentication database; thus, the process can take considerable time for large databases of users. This approach is typically used at airports or by the police to identify individuals, but it is not widely adopted for user authentication in IT systems.

There are two main types of biometric credentials:

1. Static (pattern-based). These credentials are based on a static pattern of a biometric characteristic, such as a fingerprint, a retina pattern, or an iris pattern. The pattern is typically stored as a raster or vector image in an authentication database. At the time of user authentication, recognition is based on the number of matching points between the stored image and the authentication image. More matching points mean better accuracy.

2. Dynamic (behavior-based). Authentication using dynamic biometric credentials is based on the recognition of user-specific behavior, such as the dynamics of user handwriting or the way the user types in a specific text, such as his password.
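The following added example (not from the book) models the one-to-one verification, the one-to-many recognition search, and the FAR and FRR measures described above, using the number of matching points as the score. The set-of-points templates, the decision threshold, the user names, and all trial data are constructed assumptions for illustration.

```python
# Added example with constructed data. A template is modelled as a set of
# feature points; the score is the number of points a sample shares with it.
ENROLLED = {  # constructed authentication database: user ID -> template
    "alice": frozenset(range(0, 40)),
    "bob": frozenset(range(30, 70)),
    "carol": frozenset(range(60, 100)),
}

def score(sample, template):
    """Number of matching points between a sample and a stored template."""
    return len(sample & template)

def verify(user_id, sample, threshold):
    """Verification: one-to-one comparison with the claimed user's template."""
    template = ENROLLED.get(user_id)
    return template is not None and score(sample, template) >= threshold

def identify(sample, threshold):
    """Recognition: one-to-many search; returns the best user ID or None."""
    best_id = max(ENROLLED, key=lambda u: score(sample, ENROLLED[u]))
    return best_id if score(sample, ENROLLED[best_id]) >= threshold else None

def far_frr(trials, threshold):
    """trials: (claimed_id, sample, is_genuine) tuples. Returns (FAR, FRR)."""
    impostor = [t for t in trials if not t[2]]
    genuine = [t for t in trials if t[2]]
    false_accepts = sum(verify(u, s, threshold) for u, s, _ in impostor)
    false_rejects = sum(not verify(u, s, threshold) for u, s, _ in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)

TRIALS = [  # constructed attempts; comment gives the resulting match score
    ("alice", frozenset(range(0, 36)), True),     # 36, clean capture
    ("alice", frozenset(range(0, 22)), True),     # 22, poor capture
    ("bob", frozenset(range(32, 66)), True),      # 34
    ("carol", frozenset(range(75, 100)), True),   # 25
    ("alice", frozenset(range(30, 70)), False),   # 10, impostor
    ("bob", frozenset(range(45, 85)), False),     # 25, impostor
    ("carol", frozenset(range(0, 40)), False),    # 0, impostor
    ("bob", frozenset(range(60, 100)), False),    # 10, impostor
]

if __name__ == "__main__":
    # Raising the threshold lowers FAR and raises FRR.
    for threshold in (5, 24, 30):
        far, frr = far_frr(TRIALS, threshold)
        print(f"threshold={threshold:2d}  FAR={far:.2f}  FRR={frr:.2f}")
    print("1:N search result:", identify(frozenset(range(62, 98)), 30))
```

In this constructed data, no single threshold brings both rates to zero: the poor genuine capture scores below the strongest impostor attempt, so lowering one rate raises the other.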

Some of the most popular biometric authentication methods include:

• Fingerprint authentication. This pattern-based authentication method is, by far, the most popular. It is based on the fact that user fingerprints are virtually unique. The user needs to place his finger on a fingertip reader device that may use optical means or a semiconductor-generated electric field to scan the fingerprint. This type of credential is used for user identification at U.S. airports, and the technology is quickly evolving. Fingerprint readers are currently available with keyboard and mouse devices, as well as on PDAs.

36  Mechanics of User Identification and Authentication

• Retina scan. This is a pattern-based authentication method and is based on the uniqueness of the formation of blood vessels in the back of the eye. To authenticate, the user needs to look into a special receptacle in a specific way and the system will scan the individual’s retina by optical means.

• Iris scan. Similar to a retina scan, this method is based on the uniqueness of the colored ring of tissue around the pupil (the iris). This authentication method can use a relatively simple camera for the scan, and is based on optical scanning. Due to the relatively simple equipment required, some airports are currently experimenting with this type of credential for individual identification.

• Hand geometry. This method is based on the uniqueness of dimensions and proportions of the hand and fingers of the individual. The image is three-dimensional and taken by optical means, and can use conventional cameras.

• Face geometry. This mechanism was developed to mimic the natural, human way of identifying individuals based on their faces. The authentication process relies on the recognition of specific facial patterns, such as the dimensions and proportions of the face, the distance between face elements, as well as the shape and proportion of the nose, eyes, chin, etc. The image is taken by optical means and can use conventional cameras.

• Skin pattern. Based on the uniqueness of the texture of the skin, this method creates a “skinprint.” Unlike hand and face recognition, this method can distinguish between individuals who are physically similar, such as twins. The image is taken by optical means and can use conventional cameras.

• Voice pattern. This method is based on the uniqueness of the human voice. A conventional microphone can be used to enroll and authenticate users. Background noise can have a negative impact on the authentication process, so this method is not appropriate in noisy environments.

• Handwriting. This method is a behavioral approach based on user handwriting. Sensors detect the speed, direction, and pressure of individual handwriting for a predefined pattern, such as the individual’s signature. The accuracy of this method can vary.

Biometric authentication methods remain rarely used. One of the reasons why they have not been widely adopted is cost. Most biometric solutions are relatively expensive (at least much more expensive than user passwords, or even certificates stored on smart cards), and are not suitable for authentication at each and every user workstation, unless very high security requirements must be met. User reluctance to use biometric authentication is another factor. This may be due to fear (a retina scan requires the user to look into a receptacle, which may be considered intrusive), inconvenience, or privacy concerns. Another important factor is accuracy. Despite the fact that biometric devices use natural user characteristics to identify and authenticate users, the technologies used are not perfect, so recognition or authentication may require a number of attempts. The placement of the finger on the fingerprint reader, the clarity of the image, which may be affected by an unclean optical surface on the fingertip reader, and whether the finger is dry or wet are all factors that affect the effectiveness of fingerprint authentication. A user may be required to provide credentials a number of times; and due to human nature, the chances of obtaining a good pattern when the user is under pressure are likely to decrease.

Biometric authentication technologies currently offer more potential than actual effectiveness and wide implementation. As the technologies evolve, the accuracy and the convenience for users are likely to increase, and biometric devices may take the natural and well-deserved lead as user authentication credentials.
