Authentication using passwords and PINs are no longer considered to be safe. We have seen a couple of recent incidences of data breach where user data is compromised and exploited for even further attacks. Two factor authentication is one option of dealing with it. But, that also cannot be considered to be sufficient. A two factor authentication system also can be compromised. We need some authentication mechanism in which the authentication data can be provided by the individual only and cannot be tampered with. And, that is the main motivation behind using biometric system.
What is Biometrics ?
The word “biometrics” is derived from the Greek word “bio” which means life and “metric” which means to measure. Biometrics refers to the automatic identification of a person based on his or her unique physiological or behavioral characteristics, such as fingerprints, voice pattern, iris, keystroke rhythm etc. These characteristics are unique to every individual and cannot be tampered easily. And, that is why biometric systems are today widely used for authentication purposes.
History of Biometrics
The history of biometrics dates back to 1870, with the measurement system of Alphonse Bertillon. In this measurement system, human body measurements such as skull diameter, arm and foot length etc used to be used to identify a person uniquely. Until 1920's, this system used to be used for identifying prisoners.
Later in 1960s, identification through fingerprints and facial measurements was proposed. In 1960's, the techniques of digital signal processing were developed and that enabled convenient processing and storing of the biometric data. And, that led to identification of individuals in an automated way.
Voice and fingerprints recognition systems were later developed and their applications included high security access control, personal locks and authentication of financial transactions since 1960's.
Later, biometric system based on face recognition and iris recognition was developed. And, today biometric systems based on fingerprints and face recognition, iris pattern recognition or keystroke rhythm and voice recognition are widely used.
There are a number of reasons for which biometrics are supposed to be reliable enough to be used for authentication purposes :
- Biometric data of an individual can be produced by the individual only and the individual has to be physically present at the time of authentication. It is not easy to tamper with biometric data. And, this biometric system much reliable, as it can prevent illegitimate access based on stolen credentials.
- As biometric data is unique for every individual and can be produced by the individual only, it can provide negative identification. If an individual is enrolled in a biometric system, he cannot later deny his enrollment.
- In biometrics, one does not need to remember a huge number of credentials, as it happens in case of passwords or PINs. A password or PIN can be easily forgotten or broken if not strong enough. But, biometric data of an individual is strong enough not to guess or break.
- In biometrics, one does not need to carry any physical tokens for authentication, as it is done for smart cards, magnetic stripe cards, photo ID cards, physical keys etc. So, biometric authentication is much more convenient for an individual.
Characteristics of Biometric Data
A biometric data should have the following characteristics so that it can reliably be used for authentication purposes :
- Biometric data should be constant over a long period of time. There should be no significant differences in the biometric data based on factors like age, disease etc.
- Biometric data of an individual should be unique and significantly different from another individual.
- The captured biometric data should be conveniently stored in a format, which is easy to handle.
- Biometric data of an individual should be impractical to mask or manipulate.
- Biometric data of an individual should be digitally comparable with that of another individual.
- Biometric data must be irreproducible by other means, unless the individual himself or herself produces the data.
- Biometric data has to be accurate. It should not have any false acceptance or false rejection rate.
How does Biometric System work ?
A biometric system typically works in the following way :
- An individual produces his or her biometric data. Normally, the biometric data is captured by a sensing device like a fingerprints scanner or a video camera.
- Distinguishing characteristics are extracted from the raw biometric sample and converted into a biometric template.
- The mathematical representation of the biometric template is registered and stored in the database.
- Later, when an individual tries to authenticate producing his or her biometrics, the stored biometric data is compared with the given data for verification.
Types of Biometrics
Biometrics can be of two types :
- Physiological Biometrics
- Behavioral Biometrics
Physiological biometrics is based on some physiological characteristics of an individual, such as fingerprints, iris pattern, face recognition etc.
And, behavioral biometrics is based on behavioral characteristics of an individual, such as keystroke rhythm, signature, voice recognition etc.
The main differences between these two biometrics is, physiological biometrics does not get influenced by psycho-emotional state of an individual. It remains unchanged over time and emotional state. But, behavioral biometrics can be influenced by factors like emotional state or disease of an individual. So, physiological biometrics is supposed to be more reliable than behavioral biometrics.
Let's look at a couple of biometric systems and their advantages and disadvantages.
Each individual has distinctive features in his facial image based on eyebrows, width of eyes, breadth of nose etc. The facial recognition system first captures the facial image of an individual and then differentiates the face from the background. It then extract features from the facial image.
There are around 80 features that a facial recognition system can make use of and these include jaw line length, eye socket depth, distance between the eyes, cheekbone shape, width of the nose etc.
The distinctive features are then suitably represented in a mathematical format and stored in the database. Later, this data is retrieved and compared with the collected data for authentication.
- It is not intrusive.
- It is hands-free and convenient.
- It can be done from a distance. This can be useful if used responsibly for surveillance purpose for identifying criminals from a crowd.
- A facial recognition system should be resistant to factors like facial expressions etc.
- Face recognition may not work properly with factors like poor lighting, sunglasses, partially covered face, low resolution images etc.
- If not used responsibly with the permission of the individual, face recognition can be a major privacy violation.
The iris is the colored ring around the pupil of a human being. It eyes has complex random patterns, which are unique and can be seen even from a certain distance. An iris recognition system anlyzes the complex random patterns of an iris and detects a person's identity based upon that.
- Iris recognition technology is not very intrusive as it does not need direct contact between the subject and the camera.
- Iris recognition can be done using simple video technology.
- Error rates of iris recognition system is very low and it can be reliably used for authentication purpose.
- Scanning iris may be inconvenient, as it can be covered by objects like eyelid or eyelashes.
- Iris recognition biometrics may prove difficult for people with blindness or cataract.
- The camera involved for taking iris image should have correct amount of illumination, otherwise it may prove difficult to capture the accurate image of the iris.
In this method, digital representation of a fingerprint is scanned using a fingerprint scanner and then features are extracted based on ridges and valleys of the finger. Later, these features are used to identify and authenticate an individual. Among all biometric techniques, fingerprint recognition is the most popular method and is widely used.
- Fingerprints of an individual develops at the age of about seven months and remains unchanged for the rest of the life. These characteristics do not change easily and so, can be used reliably for authentication.
- For some people it is intrusive, as it is still related to criminal identification.
- Captured biometric data is large and needs compression to store efficiently.
Keystroke Rhythm Recognition
Each individual has his own typing rhythm and based on that biometric authentication can be done. The main features used in this technology are :
- Latencies between two successive keystrokes.
- Finger placement.
- Pressure applied on the keys.
- Overall typing speed.
- It is simple to implement and does not require any specialized hardware.
- Keystroke rhythm can be influenced by various circumstances like psycho-emotional state, hand injury, fatigueness of the individual etc. So, it has limited accuracy.
Challenges of Biometric Authentication
There are a couple of challenges of using biometric authentication :
- If stored biometric data is compromised, it would be a major privacy concern. Biometric data of an individual, unlike other credentials like passwords or PINs, cannot be changed.
- One has to make sure the collected biometric data is not influenced by noise or errors. Biometric systems must endure failures within a rational bound and give reliable results.
Are Biometric Systems vulnerable to hacking ?
Biometric system is still in its infancy and cannot be considered to be 100% secure. A biometric system can be compromised in a number of ways :
- Attackers can use a backdoor to bypass authentication and gain unauthorized access of the system.
- Attackers can provide facsimile of the actual biometrics to gain access. In the worst case, the attacker can use body parts not attached to the owner to gain access. A biometric system should be able to tell the difference between a live body part and an amputated one.
- At the time of enrollment, biometric data of an individual is collected and stored in a database, so that it can later be compared with the collected biometric data for authentication. An attacker can perpetrate a Man-In-The-Middle Attack while storing the biometric data and manipulate the data to take advantage of that later.
So, biometric systems cannot be considered to be fully secure. However, two factor authentication comprising of biometric data of an individual and something you know like a password or PIN will increase the security to a great extent and provide effective countermeasures.
Biometrics and Privacy
Privacy is a big concern for biometrics. We have seen couple of incidences where the use of biometrics call for questions for privacy advocates. For example, using face recognition technology, one can monitor public places and use the scanned images to indentify known criminals. But, if the scanning is done without the knowledge of the public and utilizing a technology which is not fully understood for its impacts, then it is a big privacy concern.
Privacy concern also exists about how the biometric data stored in a database can be used. Using or sharing the biometric data without the individual's knowledge is also a big privacy concern.
Also, biometric systems should be safeguarded from fraudulent activities and data breaches. Biometrics of an individual, unlike other credentials, cannot be changed.
Applications of Biometrics
Biometrics are used in a number of places :
- It is used in military programs.
- To survey a busy place to identify known criminals.
- To access accounts in banks.
- For ATM transactions, using special purpose kiosks.
- To secure online banking.
- For PC or network access.
- In air travel, to reduce the inspection processing time for authorized travellers.
- To control travelers crossing the national or state border.
- Some countries include biometric information in passports, in terms of barcode or smart chips.
So, no authentication system is fully secure. But, biometrics if used responsibly with caution, can enhance security to a large extent. This article just gave some basic information on biometrics. Hope you liked it.
What is Device Fingerprinting ?
What is Device Fingerprinting ?