Biometrics Kayla Burke

Overview Basic Authentication Biometrics Why use biometrics? Types of Biometrics Fingerprinting Biometric Process Applications in CS/SE Authentication -

Basic Authentication Passwords and PINs Cards and Tokens 70% of people would reveal their computer password for a bar of chocolate. Family Names Sports Teams Pet Names Authentication asks two questions: Who is the user? Is the user really who he says he is? [2] In today’s world, almost everyone has been exposed to some type of authentication.   The most common and well known type of authentication would be the use of passwords or personal identification numbers (more commonly known as PINs). Because passwords and PINs are used everywhere in today’s technology, many systems have policies that must be followed when creating a password. However, even with these policies enforcing password strength, they are still very vulnerable. Users may not understand the importance of password security. According to a BBC News article from 2004, “More than 70% of people would reveal their computer password in exchange for a bar of chocolate.” The article states that the majority of passwords created include information that is simple to reveal from the user such as family names, sports teams, or pet names. [3] Along with this issue, many users use the same password for multiple sensitive accounts. This causes obvious problems when easily hacked passwords are used for accounts that hold private information such as an online bank account. Finally, users may not be aware of a stolen password or PIN for a length of time after the theft occurs. These are only a few of the issues involving passwords. Cards and tokens can be used as another form of authentication. Because cards are a tangible form of authentication, only one person can use the card at a time. This does not mean that other cannot use it but if the rightful owner allows another user to use the card, now the owner cannot gain access to the card protected information or area. In some ways, cards are safer than passwords. Cards and tokens do not require any memorization which allows stronger forms of protection. Tokens automatically generate a code that the user will use to enter into the authentication device or system. Tokens will be different each time. Some systems use the current date and time to generate a token while other use an internal counter. An advantage of using a device that the user has physical possession of is that the user will be able to tell immediately if the device was stolen. However, similar to passwords, authentication devices and computers will not have a way to tell if carded used is from its rightful owner or not. [1]

Biometrics Life Measurement Methods of authentication based on physical or behavioral characteristics of an individual Biometrics is one more form of authentication. Biometrics measurements strive to resolve the issues that occur with passwords, PINs, cards, or tokens. One can think of passwords as what users know and cards and tokes are what users have. Biometrics authentication is what the users physically are. [1] Because a biometrics measurement is a part of the users being, it cannot be forgotten, stolen or lost.

Why use biometrics? Benefits Who already is using biometrics We use biometrics everyday! Biometric measurements are a convenient, strong form of authentication. Since the user does not have to carry a device or remember any passwords, biometric authentication is very convenient for the user. It is also very strong because the authentication cannot be forgotten, stolen, or easily replicated. Because of these advantages, many corporations have adopted biometrics as their form of authentication. Here are some examples of biometric applications within the government and military programs:   Social Services – to prevent citizens from acquiring additional funds Trusted Traveler Credentials – for the security screening of passengers in civil aviation National Identity – to identify the citizens of a country Access Control – such as allowing certain people to use a secure computer system Other various military programs ALL OF US

Types of Biometrics Fingerprint Hand Geometry Hand geometry is based on a number of measurements of the hand including the shape of the hand, width of the palm, and the length and width of the fingers. Hand geometry is used quite commonly and is known to be fairly accurate. [6] There are more limitations with hand geometry though. Issues such as jewelry and dexterity can cause the measurements to be less accurate than other forms of biometrics. [4] Some only look at the palm while others look at the whole hand.

Types of Biometrics Facial Recognition Facial Recognition Android 4.0 Faces are the most commonly used characteristic used by human beings to identify other humans which is why technology has tried to use the same idea in biometrics. There are multiple forms of facial recognition measurements but the most popular is the location and shape of facial attributes. In order for the technology to be efficient it should be able to recognize when a face is in the image at all, locate the face, and be able to recognize the face from multiple angles. [4] Similar problems to hand geometry occur in facial recognition such as additional features being added to the face such as sunglasses.  

Types of Biometrics Voice Recognition Voice Recognition   Voice Recognition Because voices are not as unique and can be easily imitated, voice recognition is not as widely used as other forms of biometrics. However a voice is another human characteristic that is used to identify each other. A person’s voice is created using various oral and nasal airways. User’s airway sizes vary which causes the voice to sound differently from another’s. [1] Voice recognition faces many challenges. Some of these challenges include the voice changing due to aging or sicknesses and background noise. Voice recognition is most commonly used in telephone applications. [4]

Types of Biometrics Iris and Retina Scanning Iris and Retina Scanning   The iris is the colored part of the eye surrounding the pupil. The retina is the veins behind the eyeball. (See figure 2) [1] Irises, like fingerprints, are unique to each individual and hold a lot of information that can be used in identification. Because of this reason, iris scans seem to be a promising form of biometric measurement for large scale systems. It is also easy to distinguish fake irises from authentic which resolves it issue of replication that occurs in many other forms of biometric authentication. Retinal scanning is known to be the most secure form of biometric authentication because it’s close to impossible to change or replicate another human’s retina. To get an initial read of the retina the eye must be physically contacted by the equipment and requires effort from the subject. These are a few of the factors as to why retinal scans are not as widely accepted as other forms of biometric authentication.

Types of Biometrics Facial and Palm Thermogram Recognition A thermogram is the pattern of heat that is emitted from the skin, in this case the face of palm. The data gathering process is as simple as taking a photo of the area to be measured. However, these systems are also very expensive so they are not widely adopted.

Types of Biometrics Signature Recognition Signature Recognition   Because signatures change quite often and they are easily forged, they are not usually used in biometric systems. However, when they are used they are measured in two ways: the way the signature is written and the final signature. The data is gathered by allowing the user to write on an electronic writing space. [1][4]

Types of Biometrics Keystroke Recognition Keystroke Recognition   Keystroke recognition is attractive because it does not require additional hardware to use. The technique is done entirely by software so it can be applied to any system that accepts keyboard inputs. To gather the data, the user is asked to type their authentication information (usually a username and password) multiple times in a row. Usually the system will measure the amount of time between each keystroke and an average is found to create the template to be matched.

Fingerprinting Background 1000-2000 B.C. Present Day Fingerprint recognition uses the unique features of the user’s fingerprints, known as minutiae, to identify the user from others. These minutiae are the ridges and valleys on the surface of a fingertip. Looking at a fingerprint, ridges appear as the dark lines and valleys are the lines where light was able to shine through and show up lighter. These ridges and valleys also create other distinct patterns within a fingerprint (See Figure 1). However, the most commonly used characteristics in a fingerprint are the ridge endings and the bifurcations. Because each person’s fingerprints are unique, the matching accuracy is very high. Even twins have different fingerprints. [5] Signing contracts 1888 - Sir Francis Galton’s began his study of fingerprints during the 1880s, primarily to develop a tool for determining genetic history and hereditary traits. Through careful study of the work of Faulds, which he learned of through his cousin Sir Charles Darwin, as well as his examination of fingerprints collected by Sir William Herschel, Galton became the first to provide scientific evidence that no two fingerprints are exactly the same, and that prints remain the same throughout a person’s lifetime. He calculated that the odds of finding two identical fingerprints were 1 in 64 billion. 1000-2000 B.C. Present Day

Fingerprinting Background 1892 - Juan Vucetich, an Argentine police official, had recently begun keeping the first fingerprint files based on Galton’s Details. History was made that year when Vucetich made the first criminal fingerprint identification. A woman named Rojas had murdered her two sons, then cut her own throat to deflect blame from herself. Rojas left a bloody print on a doorpost. After investigators matched the crime scene print to that of the accused, Rojas confessed. Vucetich eventually developed his own system of classification, and published a book entitled Dactiloscopía Comparada ("Comparative Fingerprinting") in 1904, detailing the Vucetich system, still the most used system in Latin America. 1903 - Fingerprinting technology comes into widespread use in the United States, as the New York Police Department, the New York State Prison system and the Federal Bureau of Prisons begin working with the new science. 1905 - The U.S. Army gets on the fingerprinting bandwagon, and within three years was joined by the U.S. Navy and Marine Corps. In the ensuing 25 years, as more law enforcement agencies joined in using fingerprints as personal identification methods, these agencies began sending copies of the fingerprint cards to the recently established National Bureau of Criminal Investigation. 1924 - The U.S. Congress acts to establish the Identification Division of the F.B.I. The National Bureau and Leavenworth are consolidated to form the basis of the F.B.I. fingerprint repository. By 1946, the F.B.I. had processed 100 million fingerprint cards; that number doubles by 1971. 1990s - AFIS, or Automated Fingerprint Identification Systems, begin widespread use around the country. This computerized system of storing and cross-referencing criminal fingerprint records would eventually become capable of searching millions of fingerprint files in minutes, revolutionizing law enforcement efforts. 1999 - The FBI phases out the use of paper fingerprint cards with their new Integrated AFIS (IAFIS) site at Clarksburg, West Virginia. IAFIS will starts with individual computerized fingerprint records for approximately 33 million criminals, while the outdated paper cards for the civil files are kept at a facility in Fairmont, West Virginia.

PrintQuest AFIS - APIS System

PrintQuest AFIS - APIS System

Fingerprinting Basics Fingerprint features

Fingerprinting Basics Fingerprint Patterns

Fingerprinting Issues Solutions Replication / Spoofing Liveness Testing

Biometric Process 3 Steps Acquiring Data Processing Raw Data Decision Process There are three main steps in the biometric process: acquiring data, processing the raw data, and a decision process. Each step uses various algorithms and equations to calculate the needed data and accuracy. Fingerprint recognition will be used as the biometric example in this investigation of the three steps.  

AQUIRING DATA (Enrollment) The first step of the biometric process is where the biometric is presented to the system. This step is usually known as enrollment. Multiple samples of the fingerprint are taken in which a template will be made from in the next step. The calculated average of these samples is assigned an enrollment score. Whether the score is good enough or not depends on the minimum accepted level (or threshold) that is needed is determined by the system owner.   Step 1: When an employee reports on day one, the biometrics system administrator completes his enrollment in the biometrics solution. This begins with the administrator supervising collection of one or more biological characteristics, using a sensor connected to the biometrics enrollment application. Step 2: The enrollment application creates a reference template. This consists of a numeric representation of the characteristics collected. Step 3: The reference template is connected to the user’s ID and stored in a database. Accuracy is measured by a failure to enroll rate (FTER). What determines if the enrollment fails varies depending on the biometric. In fingerprint recognition, the enrollment might fail if there is debris, perspiration, or even a cut on the fingertip. Each system owner may have different requirements for this measurement as well. rocessThis rate is calculated by dividing the number of unsuccessful enrollments by the number of participants attempting to enroll. If the system has a high failure to enroll rate, that means that the system will struggle to find matches when the number of total participants increases. FER (Failure to Enroll Rate) = Number of Failed Enrollments ÷ Number of Attempted Enrollments

AQUIRING DATA Thinning a fingerprint Let A(P) be the number of 01 patters in the order set P2 … P9 Let B(P) be the number of non-zero neighbors of P Do until image is stable (i.e. no changes made) Sub-iteration 1: Delete P from image if: a) 2 ≤ B(P) ≤ 6 b) A(P) = 1 c) P2 * P4 * P6 = 1 d) P4 * P6 * P8 = 1 Sub-iteration 2: a) and b) from above c') P2 * P4 * P8 = 1 d') P2 * P6 * P8 = 1 Thinning was done using the Zhang-Suen algorithm as described in their paper title, A Fast Parallel Algorithm for Thinning Digital Patterns. A 3x3 window is move down throughout the image and calculations are carried out on each pixel to decide whether it needs to stay in the image or not. To the right is a description of the window and the classification given to the pixels that surround the center pixel. The algorithm runs two subiterations continuously until the image reaches a stable state.

AQUIRING DATA Before and after

Biometric Process RAW DATA PROCESSING The second step in the biometric process is where the data collected from the first step is processed for the matching process. Algorithms are used to separate the irrelevant data from the data that will be used in the matching process. These algorithms are usually very protected by the biometric vendors that created them. One thesis paper from the University of Los Angeles did show the pseudo code for code used to thin the lines of a fingerprint. (See Figure 3). This is also the step where the template is created. This template is created by identifying and drawing out the unique characteristics of the fingerprint (See Figure 4). In Figure 4, the template is referred to as a minutia map. This step also produces a quality score and a matching score which tell how likely that the data will be able to be matched in the future. These scores are analyzed by the system administrator to determine if they are fit for the system.  

DECISION PROCESS Step 1: User uses biometrics sensor to supply the measured physical characteristic. Step 2: The biometrics software translates the collected user characteristics into a trial template. Step 3: The trial template and user ID is sent to the verification algorithm. Step 4: The verification algorithm sends a request to the database for the stored reference template associated with the provided user ID. Step 5: Once the reference template is returned, it is compared with the trial template. Step 6: If the templates match within a reasonable margin of probability (as defined by the organization and set by the administrator), access is granted to all applications integrated with the sign-on solution used. The decision process is the final step of the process. This is where the biometric is matched and the yes or no decision is made. There are two different levels of decision making: verification and identification. Verification is the simpler of the two because it is a one to one matching system. Each subject matches one and only one template. Another way to think about verification is to as the question “Am I am who I claim I am?” If involves denying or confirming the user’s identity. On the other hand, identification involves a one to many match. All of the records in the system are searched for a match. The question “Who am I?” can be asked in this type of decision making.   Accuracy of the decision process is measured using two equations. The first equation measures the false acceptance rate (FAR). This rate is calculated by dividing the number of false acceptances by the number of samples. This number measures of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user. The other equation used to measure accuracy is the false rejection rate (FRR). This rate is calculated by dividing the number of false rejections by the number of samples. This number is the measure of the likelihood that the biometric security system will incorrectly reject an access attempt by an authorized user. Usually, the false acceptance rate is analyzed more than the false rejection rate.  Finally, there are two types of searches that can be performed during the decision process: binary and multiple sequence. In the binary search, if a match is not found the participant is simply denied access. In a multiple sequence search, if a match is not found, a second query is performed. This secondary query can be done on another device or by using the same device as the first query.

Applications in CS/SE University Courses Algorithms Infrastructure/Technical Support Testing Average Salary: $65,000 Computer science courses in biometrics are starting to be taught in schools around the United States. There are many ways that computer science can be applied to biometrics. The algorithms that are used to find matches and to get relevant data need to be written, updated, and tested. The infrastructure and software to support these systems needs to be maintained. Also, there is various testing that needs to be done to the systems.

Conclusion In conclusion, biometrics seems to be a very promising form of authentication. Although it is not yet being used by many other than the government, it holds advantages that could really help to improve security within businesses. Perhaps one day, users will not have to remember passwords or PINs or carry access cards with them to work each day. All user will need to access their data is themselves.