Deploying fingerprint biometrics
Biometrics as an access control technology has received something of a mixed response from the general market. The technology is often specified for one of two reasons. The goal is either to achieve positive identification of those entering a protected area, or to reduce the cost of credential management. Benchmark considers both aspects.
[dropcap]W[/dropcap]hen you consider the role of biometric technology in the security market-place, you soon discover that there are two somewhat different and, at times, contradictory sales pitches.
The most established – and the one probably most accepted by those seeking to introduce the technology into projects – is that biometrics allows individuals to be positively identified when accessing a building or protected area. If this degree of identification is demanded, then often the customer will be willing to invest in systems of an appropriate quality. They will also accept that due to the more secure nature of the system, throughput (in terms of access time per individual) may be slightly lower than with other systems.
The second approach, and one which is becoming more common as the cost of biometric readers falls, is that money can be saved by virtually eliminating credential management. Such an approach puts savings in terms of the cost of credentials, and resources to manage these, before higher security concerns. Often those selecting devices for such applications want throughput times that are the equivalent of tags or cards, along with biometric readers that carry a similar price tag to conventional access readers.
These two differing approaches carry varied challenges, and whilst the technologies employed are similar, the considerations that need to be made are almost polar opposites!
The Biometric ‘fit’
There are commonly three general methods for authenticating the access rights of an individual. These are by something a person possesses, such as a key, token or card; by something a person knows, such as a personal identification number (PIN), alphanumeric code or password; or by a biometric characteristic.
Biometric systems are varied and can use physical characteristics such as a fingerprint, retina, iris or vein structure, or behavioural characteristics such as handwriting and speech patterns. The most common biometric identification systems are based on the fingerprint, although there are options that span voiceprints, signature analysis, hand geometry, retinal scanning, vein patterns, facial recognition, facial thermography and iris scanning.
Over the years, biometric systems have become more accurate, reliable and affordable. However, when choosing the right system, integrators and installers must assess not only the suitability of the devices used, but also whether a biometric solution will actually meet the expectations of the customer!
Verify or identify?
It is essential to understand the difference between biometric verification and biometric identification. Verification is the process of determining that the person requesting access is who they say they are. With regard to biometric systems, this involves matching the biometric characteristic to a template called up from a central database.
As biometric verification uses a one-to-one comparison, there needs to be a secondary credential, and the biometric element simply confirms that the person using that credential is the individual to whom it – and the authority to enter – was issued. Verification works well and is effective where absolute identification is required. However, if a user is seeking to eliminate credentials, then it somewhat defeats the object of the exercise.
Biometric identification uses a one-to-many comparison in order to ascertain whether a given user is authorised for entry. The biometric characteristic alone is used, and is compared all templates in the database, until a match is found or the data is rejected as unidentified.
Identification has the advantage of eliminating the need for a user PIN or card. In the past this approach was often dismissed as being too time-consuming to be feasible, especially when systems had a very high number of users. The truth is that with modern processing power, any delay should be negligible.
There is one proviso to this: if the customer is seeking to eliminate the use of credentials as a money-saving measure, and subsequently opts for a budget system, the processing might not be up to the job. This will inevitably lead to their expectations not being met. Identification-based systems do require a robust processing engine in order to deliver the right levels of performance.
Assessing the accuracy of any biometric reader without a field trial is not always simple. Some systems have an adjustable threshold for sensitivity. These can be adjusted to require near-perfect template matches to virtually eliminate false accepts (approving an unauthorised user), or to only require a match of a certain percent of data to eliminate false rejects (when an authorised user is not approved). If false accepts are eliminated, false rejects increase. Similarly, if the goal is to reduce false rejects, false accepts correspondingly increase. False accepts are a security risk. False rejects create user dissatisfaction.
Some biometrics manufacturers have, on occasions, advertised very low false accept rates and very low false reject rates in a single system, without revealing that these rates require radically different sensitivity settings and cannot be attained simultaneously.
Understanding system accuracy – even on readers with no sensitivity adjustment – is vital when considering how performance will impact on the user’s expectations. This is true regardless of whether the user is seeking positive identification or trying to eliminate the use of credentials.
Real world issues
In reality, many of the issues associated with biometric systems will be specific to the application and how the system is being used. The type of biometric technology will also impact on real world performance.
As an example, consider using fingerprint scanning for an external door. In average conditions, and for most of the time, such a system will work to an acceptable level. However, on very cold or wet days, many readers will struggle and throughput times could fall.
First off, there will practicalities such as users wearing gloves or carrying bags. They might have to put down anything they are carrying on the wet ground, and gloves will need to removed. If numerous people are starting a shift at the same time, this could create a bottle neck.
More problematic would be the fact that fingerprint readers using optical scanning lose accuracy – with some simply failing to work – if a wet or even damp digit is presented. This is because moisture in the ridges of the fingerprint becomes compressed when a finger is placed on the scanning plate, and as a result the optical image is a black blob.
Whenever Benchmark tests fingerprint readers, we always assess performance with damp and wet digits, and to date have found that only readers using multispectral imaging can deliver consistent performance in a wide range of conditions, including when hands are wet, dirty, dusty or very dry.
Multispectral imaging makes scans of the finger using differing light frequencies, with polarised and non-polarised sources. By using blue (430nm), green (530nm) and red (630nm) light, as well as white light scans, the technology captures differing aspects of the physiology of the presented finger. This is because the varying frequencies of light have different reflectance and refractance properties.
Each frequency of light discerns different information about the presented finger. It is possible to scan the skin surface, the epidermis, for ridge and groove information. Multispectral imaging technology can also scan the dermis, the second layer of skin. Whilst the benefit of this might not be immediately obvious, the fingertips are literally riddled with tiny blood vessels. This is what makes touch so sensitive. These blood vessels mimic the ridges in the fingerprint; indeed, the ridges of a fingerprint conform to the dermal papillae. By scanning these, much information about the fingerprint can be gathered, even if the digit is applied to the sensor surface with high or low pressure, is dirty or wet, or the skin is damaged.
Multispectral imaging sensors are manufactured by Lumidigm, and a number of manufacturers of fingerprint readers use this technology under licence.
This anomoly with fingerprint readers highlights the fact that biometric solutions often have to specified to suit the demands of the site. There is no ‘one size fits all’ solution, and deciding which biometric element to use is as important as correctly installing and configuring the final system.
A critical consideration when specifying a biometric system for a security application is whether the biometric characteristic is a ‘unique’ element. If a biometric feature is duplicable or changeable, the overall long term reliability and security of the system has to be questioned.
The stability of the biometric feature during the lifespan of a given individual must be considered very carefully. Biometric features that are generally accepted as unique include fingerprints (with the exception of identical twins), the retina and the iris.
Voice patterns tend to change with the individual’s mood and health. The common cold or flu, for instance, would alter the tone and pitch of a person’s voice. The heat patterns in a person’s face, or facial thermography, are often affected by weather conditions. With vein pattern recognition, these structures change to varying degrees as the person ages, dependent on the particular individual. This necessitates a program of updating templates.
Where high security is the objective, the choices tend to centre around fingerprint, retina or iris scanning. A point to note is that whilst iris scanning can be done without the subject having to touch the device, retinal scanning does require a degree of contact. Evidence has shown that users are more likely to resist the use of retinal scanners.
If the end user is trying to reduce the costs associated with access control, then the option typically chosen is fingerprint scanning, because the readers carry a lower price-tag.
Regardless of the method chosen, throughput time must allow for a consistent flow of traffic, especially at the start of shifts.
Data acquisition speed reflects the time required for the system to collect the biometric data on which the access decision is based. Throughput rates for biometric access control systems are maximised in the six to ten persons per minute range. This rate means that each person has from six to ten seconds after arrival to get through the door. Considering the time required to physically open and close a door, these are optimum rates, only attained by the best systems.
Again, if the selection of a system is dictated by a desire to reduce budget, there is every chance that the expectations of an end user will not be met.
Biometric systems were originally designed for high security applications where one false accept could constitute a fatal flaw. With the correct specification, this can still be achieved. For many, the preferred approach is to opt for a verification system.
If readers with distributed intelligence are selected, and smart card technology used to allow a ‘template on a card’ approach – where the user credential includes a secure and encrypted biometric template to be used for comparison – an advanced system can function even when off-line! This ensures that it offers robust security.
There is, however, something of a question-mark over the idea of using biometric technology to implement an access control solution without the cost of credentials. The concept is touted by some manufacturers of lower cost solutions, but issues with use in external areas, throughput times and overall resilience means that the customer’s expectation might not be met.
If selected appropriately, the right biometric system can provide an organisation with an effective method to identify and authenticate personnel. However, it is critical that the various system capabilities – including accuracy, speed, acceptability, enrolment time and the biometric feature being measured – are carefully validated.
Manufacturers of biometric systems – and especially those involved with fingerprint-based systems – often talk about how their products offer the detection and rejection of ‘spoof’ attempts to defeat the biometric reader. Indeed, any quick search on the internet will show numerous attempts, many successful, to defeat a whole range of biometric devices (not necessarily security devices, but they are still used to highlight the issue) using fingerprint scanning as a log-in. However, do these attempts indicate a real issue for security users?
Most so-called successful attempts have one thing in common: complicity. Usually these ‘demonstrations’ involve somebody registered with the device in question either making, or assisting in the creation of, a replica of the fingerprint from the registered digit. Depending upon the reader being tackled, this can range from a high resolution image of the fingerprint, through to a mould. With an image, it is then fixed to a finger and presented, and can work with low grade 2D optical scanners. Moulds are used to make a thin latex film with the correct fingerprint, which is then worn by another user.
Where complicity is an issue, it is possible to defeat some mainstream biometric fingerprint readers. That said, complicity can also defeat PIN code, card and tag based systems too!
Of course, if you rule out complicity, the situation does change somewhat. In such a scenario, it would become necessary for an intruder to ‘lift’ the fingerprint of a registered individual. This immediately introduces a wide number of issues which would have to be addressed. As the fingerprint would need to be lifted surreptitiously, the would-be intruder would have to identify which finger was registered, and ensure the correct print was lifted.
Additionally, the actual collection of the print, and the subsequent process to make from that a working facsimile, are not straightforward. In order to have some small chance of success, the would-be intruder would also require a working knowledge of the system in place, along with a knowledge of the site’s security operations. Even after all this effort, the spoof attempt might fail!
Given the difficulties associated with such entry attempts, would-be intruders are more likely to investigate a site and find another method of entry. It certainly would be simpler to find a weak spot in a site’s defences than to participate in a long and complex spoof attack that may not work!
This does not mean that sites will never suffer from spoof attempts, but it is worth completing a risk assessment with the end user before paying a significant amount for the promise of spoof detection and rejection!