Biometrics
The word biometrics comes from the Greek words “bio” and “metric”, meaning “life measurement”.
What does it mean?
It is a method of automatic identification or authentication of a person using one or more of his/her physiological or behavioural characteristics. This is based on measurements and data derived from direct measurement of a part of the human body.
The need for biometrics
The fundamental tenet of information security is controlling access to the critical resources that require protection from unauthorized modification or disclosure.
You may be wondering about the role of the password. There is a limit to what can be achieved with a password (see note on "password management") as a means of identification and authentication. This is where biometrics comes in.
It provides strong authentication by adding "proof by property" (i.e. physiological or behavioural characteristics) to "proof of knowledge" (password) and "proof by possession" (token, smart card, etc.).
This method tries to overcome some of the weaknesses of traditional methods of identification and authentication such as passwords, PINs or ID cards. One problem with the traditional methods is the need to remember the password, or the temptation to write it down in a secret place in case it is forgotten. With biometrics this would not arise. A PIN could also be revealed unintentionally, while ID cards could be stolen.
There is no need to carry any token around, as the user carries with him/her the part of the body needed to identify himself or herself.
Types of biometrics
1) Fingerprint
2) Hand geometry. Two-finger geometry is a recently marketed variation.
3) Voice patterns
4) Retina scan (i.e., the blood-vessel pattern inside the eyeball)
5) Signature dynamics (i.e., the speed, direction, and pressure of pen strokes)
6) Iris recognition (i.e., the pattern of features in the colored portion of the eye around the pupil)
7) Keystroke dynamics (i.e., the measurable pattern of speed and time in typing words)
8) Signature recognition (i.e., matching)
How do they operate?
i) The user first enrols in the system.
ii) The template obtained from the enrolment is stored in a database.
iii) This database is secured for future use.
iv) Anytime the user needs to be identified, the information system compares the actual data from the user with the one in the database.
v) If it compares exactly with the one in the database, the user receives a positive response; otherwise, he or she is rejected.
Note:
Depending on the context, the system can operate either in verification (authentication) or an identification mode.
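The steps above and the two operating modes can be shown side by side. This is an added example, not code from the original article: the class name `TemplateStore`, the feature vectors and the matching tolerance are all assumptions made for illustration, and features are assumed to be already extracted as numeric vectors.

```python
import math

class TemplateStore:
    """Toy template database; names and tolerance are assumptions for illustration."""

    def __init__(self, tolerance=0.10):
        self.tolerance = tolerance      # assumed maximum distance counted as a match
        self.templates = {}             # user id -> stored template

    def enrol(self, user_id, samples):
        # Steps i-ii: average several enrolment readings into one stored template.
        self.templates[user_id] = [sum(col) / len(samples) for col in zip(*samples)]

    def verify(self, claimed_id, live):
        # Verification (1:1): compare only against the claimed user's template.
        template = self.templates.get(claimed_id)
        return template is not None and math.dist(template, live) <= self.tolerance

    def identify(self, live):
        # Identification (1:N): search every template, return the closest match
        # within tolerance, or None when nobody enrolled is close enough.
        best_id, best_d = None, self.tolerance
        for user_id, template in self.templates.items():
            d = math.dist(template, live)
            if d <= best_d:
                best_id, best_d = user_id, d
        return best_id

def demo():
    store = TemplateStore()
    # Constructed feature vectors, not real sensor output.
    store.enrol("alice", [[0.20, 0.70, 0.40], [0.22, 0.68, 0.42], [0.18, 0.72, 0.38]])
    store.enrol("bob", [[0.80, 0.30, 0.60], [0.78, 0.32, 0.62], [0.82, 0.28, 0.58]])
    alice_live = [0.21, 0.69, 0.41]
    stranger = [0.50, 0.50, 0.50]
    return {
        "alice as alice": store.verify("alice", alice_live),
        "alice as bob": store.verify("bob", alice_live),
        "who is alice_live": store.identify(alice_live),
        "who is stranger": store.identify(stranger),
    }

if __name__ == "__main__":
    for question, answer in demo().items():
        print(question, "->", answer)
```

In verification mode the same live reading is accepted under its own identity and rejected under another user's; in identification mode no identity is claimed, and an unenrolled person is returned as no match.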
Characteristics of a good biometrics system
1) Accuracy
This is the most critical characteristic of any identity verification system. It must have the ability to distinguish a true user from an impostor. This is very important where the need for information security is very high, e.g. a financial institution or an airport (especially in this era of terrorism).
Two parameters are used in determining the accuracy of any good system. They are:
a) False Reject Rate: This is the rate, generally stated in percentage, at which valid or authentic, enrolled persons are rejected as unidentified or unverified persons by a biometrics system. This is also referred to as Type I error.
b) False Accept Rate: This is the rate, generally stated in percentage, at which unenrolled persons or impostors are accepted as authentic, enrolled persons. This is also referred to as Type II error.
c) Crossover Error Rate: This is also called the equal error rate. This is the point, generally stated as a percentage, at which the false rejection rate and the false acceptance rate are equal.
2) Speed
This is the speed at which the data (the physiological or behavioural part of the user taken and compared with the information in the database) is processed and a response, either access accepted or denied, is given. This is also referred to as the “throughput”. This is the most important characteristic of any identification system where there is likely to be a queue, e.g. a busy airport, restaurant, etc.
3) Reliability
A good identification system must be reliable, that is, it must be able to continuously provide accurate identification of users.
4) Acceptability to users
The acceptability of the system to the people who must use it has been identified as an important factor in any identification operation. This is because of cultural nuances: for example, some people believe that putting their hands or any other part of their body in the same place that others have used could lead to one health problem or another, despite the fact that there is no scientific basis to support this.
5) Resistance to Counterfeiting
The higher the ability of the system to identify an impostor, the better and the more acceptable the biometrics system would be to the generality of users.
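The three rates defined under Accuracy above can be computed from a matcher's scores. This is an added example, not part of the original article: the scores are constructed, and it assumes a matcher where a higher score means a closer match and access is granted at or above a threshold.

```python
# Constructed matcher scores (higher = more similar); not measured data.
GENUINE = [0.91, 0.84, 0.77, 0.69, 0.88, 0.58, 0.95, 0.81, 0.73, 0.64]
IMPOSTOR = [0.12, 0.35, 0.41, 0.27, 0.55, 0.62, 0.19, 0.48, 0.71, 0.30]

def frr(genuine, threshold):
    """False Reject Rate (Type I): % of enrolled users scoring below the threshold."""
    return 100.0 * sum(s < threshold for s in genuine) / len(genuine)

def far(impostor, threshold):
    """False Accept Rate (Type II): % of impostors scoring at or above the threshold."""
    return 100.0 * sum(s >= threshold for s in impostor) / len(impostor)

def tradeoff(genuine, impostor, thresholds):
    """Return (threshold, FAR, FRR) rows showing how the two rates move in
    opposite directions as the threshold is raised."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]

def crossover(genuine, impostor, steps=100):
    """Sweep thresholds from 0 to 1 and return the (threshold, FAR, FRR) row
    where the two rates are closest. With finite samples they may never be
    exactly equal, so the smallest gap is taken as the crossover point."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        row = (t, far(impostor, t), frr(genuine, t))
        if best is None or abs(row[1] - row[2]) < abs(best[1] - best[2]):
            best = row
    return best

if __name__ == "__main__":
    for t, a, r in tradeoff(GENUINE, IMPOSTOR, [0.50, 0.63, 0.80]):
        print(f"threshold={t:.2f}  FAR={a:.0f}%  FRR={r:.0f}%")
    t, a, r = crossover(GENUINE, IMPOSTOR)
    print(f"crossover near threshold {t:.2f}: FAR={a:.0f}%, FRR={r:.0f}%")
```

A low threshold favours throughput and user acceptance at the cost of accepting impostors; a high threshold does the reverse, which is why the crossover rate is used as a single figure for comparing systems.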
Advantages of biometric identification over card systems
1) Biometrics requires the physical presence of the person that is being verified i.e. it controls people.
2) It cannot be misplaced like a card.
3) It cannot be forgotten like a PIN or password.
4) The possibility of writing it down (password) or keeping it (card) near your computer does not arise because it is part of you.
5) It cannot be forged or guessed like a card or password.
Information Security Applications of Biometrics
There are two major ways of using biometrics identification systems in order to enforce the security policy of an organisation. They are:
i) To control access to hard-copy documents and wherever they are kept, i.e. the rooms and/or the places where they are locked, such as cabinets.
ii) To control access to computer resources and facilities where the critical electronic information is kept.