Secure Biometrics Authentication: A brief review of the Literature
Fahad Al-harby, Rami Qahwaji, and Mumtaz Kamala
School of Informatics, University of Bradford, BD7 1DP, UK
Abstract— This paper presents a brief overview of the literature in the field of Biometrics authentication. The advent of the Internet saw technological innovations such as Biometrics devices, in particular the fingerprint reader, as an electronic equivalent to manuscript authentication in the online environment. However, the use of this technology is still insignificant. The aim of this paper is to review the various studies that have explored the technical and legal issues associated with Biometrics authentication, with the objective of providing insights into their lack of acceptance.
Index Terms— Authentication, Biometrics, e-transaction, Fingerprint
INTRODUCTION
Biometric authentication is one of the most exciting technical improvements of recent history and looks set to change the way in which the majority of individuals live. Security is now becoming a more important issue for business, and the need for authentication has therefore become more important than ever. The use of biometric systems for personal authentication is a response to the rising issue of authentication and security. The most widely used method of biometric authentication is fingerprint recognition.
This paper is organised as follows: by now, the reader is already familiar with the content of section one, which consisted of an introduction. This is followed by the concepts of Biometrics in section two, the study objectives and the hypothesis in sections three and four, and the investigation methods in section five. Section six will consist of the selection of the participants. Section seven will illustrate how the investigation was conducted and which methodological choices were made. This is followed by the survey in section eight and the findings and results in section nine. In the final sections, ten and eleven, the conclusions and recommendations will be proposed, as well as suggestions for further research.
LITERATURE REVIEW
The term biometrics comes from the Greek words bios, meaning life, and metrics, meaning measure. Biometrics can be defined as measurable physiological and/or behavioural characteristics that can be utilized to verify the identity of an individual, and include fingerprint verification, hand geometry, retinal scanning, iris scanning, facial recognition and signature verification [1]. Biometric authentication is considered the automatic identification, or identity verification, of an individual using either a biological feature they possess (a physiological characteristic, like a fingerprint) or something they do (a behavioural characteristic, like a signature) [2]. In practice, the process of identification and authentication is the ability to verify and confirm an identity. It is accomplished by using any one or a combination of the following three traditional identification techniques: something you possess; something you know; or something you are [1].
Something you possess: often referred to as a token, which can be produced from a multitude of different physical objects. There are two basic types of tokens in use today: manual and automated. If a token is described as manual, it means that the identification process requires some form of human intervention; in other words, a person will make the final decision of whether an identity is approved or not. Good examples of manual tokens are paper ID documents and passports. Automated tokens, on the other hand, do not involve human intervention in the identification process; rather, the identity is verified by a system/computer, as with magnetic-stripe cards, memory cards, or smart cards [1].
Something you know: the knowledge should not be commonly held, but secret. Examples of regularly used secrets are passwords, pass-phrases, and personal identification numbers (PINs).
Something you are: recognizing an entity through what "they are" requires measuring one or more of their biological features. Biological features can be either physiological characteristics like fingerprints or behavioural traits like an individual's signature [1, 2].
The following table outlines a comparison between passwords vs. tokens vs. biometrics [3-5].
Tokens
- Can be forged and used without the knowledge of the original holder. For example, a forger can "steal an identity" and create a fake ID document using another person's information.
- Can be lost, stolen or given to someone else.
Passwords
- Can be obtained or "cracked" using a variety of techniques such as using programs/tools to crack the password.
- Can be disclosed. If the password is disclosed to a person they will be able to gain access to information for which they are not authorized.
- Can be forgotten, which will place a further burden upon an organization’s administration.
Biometrics
- Cannot be forged [5].
- Can be destroyed, and a biometric characteristic's ability to be read by a system can be reduced. An individual's fingerprints, for example, can be affected by cuts and bruises and can even be destroyed by excessive rubbing on an abrasive surface [4]. Also, the accuracy of Biometrics depends mainly on the software that is dealing with them.
Table 1: Passwords vs. Tokens vs. Biometrics
Biometric characteristics can be separated into two main categories [1]:
Physiological characteristics are related to the shape of the body. The trait that has been used the longest, for over one hundred years, is the fingerprint; other examples are face recognition, hand geometry and iris recognition.
Behavioural characteristics are related to the behaviour of a person. The first characteristic to be used that is still widely used today is the signature.
Generally, physical and behavioural characteristics used by biometrics include the following taxonomy [6]:
Figure 1: physical and behavioural characteristics used by biometrics Source: Adapted from source - Zhang, D. [6]. Automated Biometrics: Technologies and Systems, Norwell, MA: Kluwer Academic Publishers.
The accuracy of a Biometrics system is measured by:
FMR (false match or acceptance rate): the lower the biometric identification system's FMR, the better the security. FMR means the rate at which the biometric measurements from two different individuals are mistaken to be from the same individual [5].
FNMR (false non-match or rejection rate): the lower the biometric identification system's FNMR, the easier the system is to use. FNMR means the rate at which two biometric measurements from the same individual are mistaken to be from two different individuals [5].
In summary, all biometric systems work in similar ways, but it is important to remember that the ease of enrolment and quality of the template are critical success factors in the overall success of any biometric system [7]. Allan [7] provides a list of some of the strengths, weaknesses and suitable applications for each biometric methodology:
Figure 2: Strengths, Weaknesses and Suitable Applications Source: Adapted from source - Allan, A. [7] “Biometric Authentication: Perspective.” Gartner Research, ID Number: DPRO95808.
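The FMR and FNMR definitions above can be made concrete with comparison scores. The following is an added example, not code from the paper or its sources: the scores are constructed, the function names are hypothetical, and it goes slightly beyond the text by sweeping a decision threshold to show how lowering FMR (security) raises FNMR (ease of use).

```python
# Added example: FMR / FNMR computed from constructed comparison scores.
# Scores are similarities in [0, 1]; a pair is accepted when score >= threshold.
# GENUINE: two samples of the same person. IMPOSTOR: samples of different people.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.67, 0.83, 0.58, 0.90, 0.74, 0.86]
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.61, 0.30, 0.08, 0.55, 0.27, 0.70]


def fmr(impostor_scores, threshold):
    """False match rate: share of different-person pairs wrongly accepted."""
    if not impostor_scores:
        raise ValueError("no impostor comparisons")
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def fnmr(genuine_scores, threshold):
    """False non-match rate: share of same-person pairs wrongly rejected."""
    if not genuine_scores:
        raise ValueError("no genuine comparisons")
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, thresholds):
    """Return (threshold, FMR, FNMR) rows so the trade-off is visible."""
    return [(t, fmr(impostor_scores, t), fnmr(genuine_scores, t))
            for t in thresholds]


def pick_threshold(genuine_scores, impostor_scores, thresholds, max_fmr):
    """Lowest threshold whose FMR is within max_fmr.

    FMR never rises and FNMR never falls as the threshold grows, so the
    lowest qualifying threshold also gives the lowest FNMR for that cap.
    Returns None when no candidate threshold meets the cap.
    """
    for row in sweep(genuine_scores, impostor_scores, sorted(thresholds)):
        if row[1] <= max_fmr:
            return row
    return None


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR, [0.5, 0.6, 0.7, 0.8]):
        print(f"threshold={t:.1f}  FMR={far:.1f}  FNMR={frr:.1f}")
    print("FMR cap 0.1 ->", pick_threshold(GENUINE, IMPOSTOR,
                                           [0.5, 0.6, 0.7, 0.8], 0.1))
```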
Today there are several biometric characteristics that are in use in various applications. Each biometric has its own strengths and weaknesses, and suitable applications for each biometric methodology. There is no particular biometric which may successfully meet the requirements of all applications. Depending on the application’s usage and the biometric characteristic’s features, we are able to suitably match a particular biometric to an application [5]. The same authors explain that the fingerprint- and iris-based techniques are more accurate than the voice-based technique. Nevertheless, in a phone banking application, the voice-based technique might be preferable as the bank could integrate it seamlessly into the existing telephone system. The following table briefly compares five biometrics according to seven parameters [5].
Figure 3: Comparison of Biometrics
Harris and Yen [8] take into account the advantages and disadvantages of biometric identification systems which can be summarized in the following two figures:
Figure 4: Summary of Biometric advantages
Figure 5: Summary Of Biometric Disadvantages Source: Adapted from source - Harris, A. J. and Yen, D. C. [9] "Biometric authentication: assuring access to information." Information Management and Computer Security 10(1): 12-19.
To summarize, the advantages and disadvantages of the biometric identification system require assessment by the organization in order to determine the most appropriate identification technique for their business purposes.
A number of studies have been carried out in several countries by prospective users, vendors, and governments. The following is a sampling of these studies:
A six month study was carried out in the UK in April 2004 to assess processes and record testimony of user experiences and attitudes to incorporating biometric information into new passports and the proposed national identity card. 10,016 users joined in the study, which used facial, iris and fingerprint biometrics. Six static and one mobile centre in different regions of the UK were used to gather data. The study covered the testing of the use of biometrics through a simulated application process; measurement of the process times; assessment of customer perceptions and reactions; testing fingerprint and iris biometrics for one-to-many identification; and testing facial, iris and fingerprint biometrics for one-to-one verification. However, the outcome of this study revealed high enrolment times: on average 8 minutes and 15 seconds, and 10 minutes and 20 seconds for disabled participants. The study’s organisers presented a number of recommendations, for example: good design and management of the enrolment environment is significant to accomplish high success rates; a number of measures need to be put in place for the enrolment of disabled people; improved processes for failed enrolments are necessary; testing is essential.
The UK’s National Health Service (NHS) has adopted the use of biometric authentication, with about 11,000 employees enabled with fingerprint recognition technology in over 60 hospitals, and with over 30,000 employees able to access patient records remotely.
In a recent ISL Biometrics assessment in a UK Bank, 91 per cent of clients seemingly favoured biometrics over user-name/password authentication systems. In the USA, United Bank provides a fingerprint sensor for their clients to access their account rather than using a username and password. In addition, Westpac is reported to be carrying out an assessment of biometric security technology that would issue clients with biometric fingerprint devices to allow them to access their accounts online. JCB Japan, a financial services organisation, undertook a biometric authentication trial using fingerprint authentication for mobile access to JCB's on-line card member account inquiry service. According to the Civil Aviation Authority of Singapore, a project at Singapore's Changi Airport known as Fully Automated Seamless Travel (FAST) is expected to decrease traveller processing time from 15 minutes or longer to two minutes by using fingerprint and facial recognition equipment.
Woodward, Webb, Newton, Bradley and Rubenson [10] identified people-related concerns as a major hindrance to the acceptance of a biometric system. The concerns raised can be divided into three major areas:
• Informational privacy;
• Physical privacy;
• Religious objections.
These concerns are what might be labelled “emotional” issues as they are driven by a fear of loss of privacy or a fear of physical harm. The following concerns relating to information privacy were identified:
1- “Function creep” is the process of using information for something other than what it was initially intended for [5, 10].
2- “Tracking” is a concern many people share: given access to data relating to an individual, governments could start to develop into “Big Brother” institutions capable of tracking a citizen’s every move [5, 10].
3- The final concern is the misuse of data [10]; for example, the capture and abuse of biometric information in an online environment.
Many biometrics have a certain stigma attached to them, which can prevent people from using the system comfortably. Fingerprinting, for example, has an undeserved stigma from association with criminal activities [5, 10], and, because of this, users feel that they are being criminalised when asked to give a fingerprint, especially when this fingerprint submission is a mandatory event. Concerns relating to actual harms can include physical harm to an individual from the sensor, for example the laser used in retinal scanning, as well as fear that an impostor might want to sever a limb, such as a finger, in order to bypass the biometrics system [5, 10]. Another concern raised regarding working within the iris recognition industry is whether eye infections such as conjunctivitis are transferable by the camera. Users of touch-based biometric scanners also often fear the transmission of illness and bacteria through the use of scanners [5, 10]. Different countries have different cultures and religious beliefs which govern business and social practices, and people will be hesitant to adopt practices considered contrary to their cultural or religious dictates. Many Christians, for example, believe biometrics represent the “Mark of the beast” as described in Revelation [5, 10], and this could result in prohibiting their use. In addition, women’s facial recognition would be prohibited in some Muslim countries such as Saudi Arabia.
CONCLUSION
Biometric authentication is one of the most exciting technical improvements of recent history and looks set to change the way in which the majority of individuals live. The literature review has served to expand on the concepts behind biometric authentication, give explanations of how such systems work and estimate their effectiveness. The point is not to provide the reader with deep knowledge of the main physiological biometrics (fingerprint, hand geometry, facial recognition, and iris recognition), but rather to show how these biometrics are surprisingly alike in design. They all function alike and mainly make use of the same techniques. In this review, the most important physiological and behavioural biometrics have been reviewed, and it has become clear that the inner workings of behavioural biometric systems are overall significantly more complex than those of physiological systems. Using multiple biometrics in one application is one of the most interesting aspects of the research, and an approach has been introduced to evaluate the possibility of employing biometrics in a central database environment. This approach allows a single biometric to be used in multiple applications and multiple biometrics to be used in a single application.
The use of biometrics will become an increasingly essential part of our lives, changing traditional methods of transactions like tokens, usernames and passwords. E-transactions are the way of the future. Financial institutions and banks, along with many other organisations, are being forced to modify the techniques with which they carry out business. These technological changes have brought with them e-transaction hackers and identity theft. These cyber crimes have become common and are only expected to increase. However, a more efficient means of protecting identities and transactions is required to be implemented, and the best method of providing such secure identification at this time is by employing biometric systems.
REFERENCES
[1] Ashbourn, J., Biometrics: Advanced Identity Verification: The Complete Guide. 2000, London: Springer-Verlag. 201.
[2] Wayman, J.L. and L. Alyea, Picking the Best Biometric for Your Applications, in National Biometric Test Center Collected Works. 2000, National Biometric Test Center: San Jose. p. 269-275.
[3] Pfleeger, C.P., Security in Computing. Second edition. 1997: Prentice Hall PTR.
[4] Tiwana, A., Web Security. 1999: Digital Press, an imprint of Butterworth-Heinemann.
[5] Prabhakar, S., S. Pankanti, and A.K. Jain, Biometrics Recognition: Security and Privacy Concerns. IEEE Security & Privacy, 2003. 1(2): p. 33-42.
[6] Zhang, D., Automated Biometrics: Technologies and Systems. 2000, Norwell, MA: Kluwer Academic Publishers. 331.
[7] Allan, A., Biometric Authentication: Perspective. Gartner Research, 2002a: p. 1-31.
[8] Harris, A.J. and D.C. Yen, Biometric authentication: assuring access to information. Information Management and Computer Security, 2002. 10(1): p. 12-19.
[9] Dugelay, J.L., et al., Recent Advantages in Biometric Person Authentication, in ICASSP International Conference on Acoustics, Speech and Signal Processing. 2002: Orlando, Florida, USA.
[10] Woodward, J.D., et al., Army Biometric Applications: Identifying and Addressing Sociocultural Concerns. 2001: RAND.