Biometric verification is an automated method whereby an individual's identity is confirmed by examining a unique physiological trait or behavioral characteristic, such as a fingerprint, retina, or signature. Physiological traits are stable physical characteristics, such as palm prints and iris patterns. This type of measurement is essentially unalterable. A behavioral characteristic — such as one's signature, voice, or keystroke dynamics — is influenced by both controllable actions and less controllable psychological factors. Because behavioral characteristics can change over time, the enrolled biometric reference template must be updated each time it is used. Although behavior-based biometrics can be less expensive and less threatening to users, physiological traits tend to offer greater accuracy and security. In any case, both techniques provide a significantly higher level of identification than passwords or smart cards alone.

Because biometric traits are unique to each individual, they can be used to prevent theft or fraud. Unlike a password or personal identification number (PIN), a biometric trait cannot be forgotten, lost, or stolen. Today there are over 10,000 computer rooms, vaults, research labs, day care centers, blood banks, ATMs and military installations to which access is controlled using devices that scan an individual's unique physiological or behavioral characteristics.

Biometric identifiers currently available or under development include fingerprint, body odor, DNA, ear shape, face recognition, facial thermogram, keystroke dynamics, palm print, retinal scan, iris pattern, signature, "veincheck" and voice pattern.

Biometrics Defined

Biometrics, strictly speaking, refers to a science involving the statistical analysis of biological characteristics. Today, the term "biometrics" usually refers to technologies that analyze human characteristics for security purposes. The statistical science of biometrics continues in the background and should be treated separately. A de facto definition of security-based biometrics has been circulating for a number of years.

A biometric is a unique, measurable characteristic or trait of a human being for automatically recognizing or verifying identity.

Biometric technologies, therefore, are concerned with the physical parts of the human body or the personal traits of human beings. The term "automatic" essentially means that a biometric technology must recognize or verify a human characteristic quickly and automatically, in real time. The most common physical biometrics are the eye (iris and retina), face, finger image, hand and voice (see article on Authentication Methods). Behavioral biometrics include typing rhythm (keystroke dynamics) and signature.

In the security industry, biometrics are regarded as providing the highest level of security. The methods for verifying an individual's identity are commonly broken down into the following three stages:

Stage 1 (lowest level of security) — something you have, such as a photo ID.

Stage 2 (second level of security) — something you know, such as a password to access a computer or a personal identification number (PIN) to access funds at an ATM.

Stage 3 (highest level of security) — something you do or something you are, which comprises physiological and/or behavioral biometrics, including fingerprints, voiceprints, signatures, etc.

Biometrics - how it works

All biometric systems operate in a similar fashion. First, the system captures a sample of the biometric characteristic (this is known as the enrollment process). During enrollment, some biometric systems may require a number of samples in order to build a profile of the biometric characteristic. Unique features are then extracted and converted by the system into a mathematical code. This sample is then stored as the biometric template for the enrollee. The template may reside in the biometric system itself, or in any other form of memory storage, such as a computer database, smart card or barcode.

In addition, the biometric system may require a trigger, or a means of tying the template to the person. For example, a personal identification number (PIN) is keyed in to access the template, or a smart card storing the template is inserted into a card reader. In either case, the end user interacts with the biometric system a second time to have his or her identity checked. A new biometric sample is taken and this is compared to the template. If the template and the new sample match, the end user is granted access. This is the basic premise of biometrics — that a person has a sample of their biometric data captured and the biometric system decides if it matches with another sample.

Because both physical and behavioral characteristics can change slightly over time (e.g., a finger can be scarred and a signature may change as a person gets older), the biometric system must allow for these subtle changes, so a threshold is set. This can take the form of an accuracy score. In this case, comparison between the template and new sample must exceed the system's threshold before a match is recorded. In other words, if the new biometric sample is sufficiently similar to the previously stored template, the system will determine that the two do in fact match. If not, the system will not record a match and will not identify the end user. This use of a threshold gives biometric technologies a significant advantage over passwords, PINs and ID badges. With biometrics, it doesn't matter if you forget your password or lose your ID. The use of a threshold affords a tremendous degree of flexibility and if the comparison between the new biometric sample and the template exceeds the stated threshold, identity will be confirmed.

All biometric systems use the four-stage process of capture, extraction, comparison, and match, but employ different methods and techniques to deal with the human factor (stress, general health, working and environmental conditions, and time pressures all conspire to make humans inconsistent). At the heart of the biometric system is the biometric engine, a proprietary element that extracts and processes the biometric data. This may apply an algorithm or an artificial neural network. It extracts the data, creates a template, and computes whether the data from the template and the new sample match.

The following four-stage process illustrates the way biometric systems operate:
Capture — a physical or behavioral sample is captured by the system during enrollment.
Extraction — unique data is extracted from the sample and a template is created.
Comparison — the template is then compared with a new sample.
Match/Non-Match — the system then decides if the features extracted from the new sample are a match or a non-match.

Identification vs. Verification

In the biometrics industry, a distinction is made among the terms identification, recognition and verification. In both identification and recognition, essentially synonymous terms, a sample is presented to the biometric system during enrollment. The system then attempts to find out who the sample belongs to, by comparing the sample with a database of samples in the hope of finding a match (this is known as a one-to-many comparison).

Verification is a one-to-one comparison in which the biometric system attempts to verify an individual's identity. In this case, a new biometric sample is captured and compared with the previously stored template. If the two samples match, the biometric system confirms that the applicant is who he/she claims to be.

The same four-stage process — capture, extraction, comparison, and match/non-match — applies equally to identification, recognition and verification. Identification and recognition involve matching a sample against a database of many, whereas verification involves matching a sample against a database of one. The key distinction between these two approaches centers on the questions asked by the biometric system and how these fit within a given application. During identification, the biometric system asks, "Who is this?" and establishes whether a biometric record exists, and, if so, the identity of the enrollee whose sample was matched. During verification, the biometric system asks, "Is this person who he/she claims to be?" and attempts to verify the identity of someone who is using, say, a password or smart card.

Biometricals

Biometric characteristics can be divided in two main classes, as represented in figure on the right:
- physiological are related to the shape of the body. The oldest traits, that have been used for more than 100 years, are fingerprints. Other examples are face recognition, hand geometry and iris recognition.
- behavioral are related to the behavior of a person. The first characteristic to be used, still widely used today, is the signature. More modern approaches are the study of keystroke dynamics and of voice.

Authentication Methods

Fingerprint

In recent years, fingerprints have rallied significant support as the biometric technology that will probably be most widely used in the future. In addition to general security and access control applications, fingerprint verifiers are installed at military facilities, including the Pentagon and government labs. Although machines tend to reject over 3% of authorized users, the false acceptance rate (FAR) is less than one in a million. Today, the largest application of fingerprint technology is in automated fingerprint identification systems (AFIS) used by police forces throughout the U.S. and in over 30 foreign countries.

The fingerprint’s strength is its acceptance, convenience and reliability. It takes little time and effort for somebody using a fingerprint identification device to have his or her fingerprint scanned. Studies have also found that using fingerprints as an identification source is the least intrusive of all biometric techniques.

Verification of fingerprints is also fast and reliable. Users experience fewer errors in matching when they use fingerprints versus many other biometric methods. In addition, a fingerprint identification device can require very little space on a desktop or in a machine. Several companies have produced capture units smaller than a deck of cards.

One of the biggest fears of fingerprint technology is the theft of fingerprints. Skeptics point out that latent or residual prints left on the glass of a fingerprint scanner may be copied. However, a good fingerprint identification device only detects live fingers and will not acknowledge fingerprint copies.

Hand Geometry

Currently, hand geometry is employed at over 8,000 locations, including the Colombian legislature, San Francisco International Airport, day care centers, welfare agencies, hospitals and immigration facilities.

The advantages of a palm print are similar to the benefits of a fingerprint in terms of reliability, although palm print readers take up more space.

The most successful device, the Handkey, looks at both the top and side views of the hand using a built-in video camera and compression algorithms.

Devices that look at other hand features are also under development by several companies, including BioMet Partners, Palmetrics, and BTG.

Iris Patterns

The advantage of iris scanners is that they do not require the user to focus on a target, because the pattern of flecks on the iris are on the eye's surface.

In fact, a video image of the eye can be taken from up to three feet away, which allows for the use of iris scanners at ATM machines.

In visually impaired persons with intact irises, the iris can still be captured and encoded with iris imaging products that have active iris capture (e.g., the ATM application).

Since cataracts are a malady of the lens, which is behind the iris, cataracts do not affect iris scanning in any way.

Retinal Patterns

Retinal scans are performed by directing a low-intensity infrared light through the pupil to the blood vessel pattern on the back of the eye. Most uses of retinal scanners involve high-security access control, since they offer one of the lowest false rejection rates (FRR) and a nearly 0% false acceptance rate (FAR). However, since retinal imaging requires a clear view of the back of the eye, cataracts can negatively impact the retinal image quality.

Voice Patterns

The appeal of voice verification is its acceptability to users. A common concern about this biometric approach is impersonations. However, this is not a serious problem, since the devices focus on different characteristics of speech than people do. Speech patterns are formed by a combination of physiological and behavioral factors. Currently, voice verification is being used to control access to medium-security offices, labs, and computer facilities. Several providers of home confinement systems use voice verification to confirm that early parolees are at home. While voice recognition is convenient, it is not as reliable as other biometric techniques. A person with a cold or laryngitis, for example, may have problems using a voice recognition system.

Facial Features

Facial verification and recognition is one of the fastest growing sectors of the biometrics industry. Its appeal lies in the fact that it most closely resembles the way we as humans identify one another. Most commercial efforts have been stimulated by the fast rise in multimedia video technology that is placing more cameras in the home and workplace. However, most developers have had difficulty achieving high levels of performance. Nevertheless, specific applications, such as screening welfare databases for duplicates and airport lounges for terrorists, are likely to appear in the future.

Keystroke Dynamics

Keystroke dynamics, also called typing rhythms, analyze the way a user types at a terminal by monitoring keyboard input 1,000 times a second.

This is analogous to the early days of the telegraph, when users identified each other by "the fist of the sender."

The advantage in the computer environment is that neither enrollment nor verification detracts from the regular work flow. Despite its appeal, however, efforts at commercial technology have failed.

Signatures

Static signature capture is becoming quite popular as a replacement for pen and paper signing in bank card, PC and delivery-service applications (e.g., Federal Express). Generally, verification devices use wired pens, pressure-sensitive tablets, or a combination of both. Devices using wired pens are less expensive and take up less room but are potentially less durable. To date, the financial community has been slow to adopt automated signature verification methods for credit cards and check applications because signatures are still too easily forged. This keeps signature verification from being integrated into high-level security applications.

DNA Printing

DNA Printing (sometimes known as DNA profiling) is not used in industrial applications as the time taken to verify the person using this method is very slow and laborious requiring specialized laboratories and trained personnel.

However it is perhaps the most accurate way of positively identifying a person.

DNA printing for identification is more commonly associated within the criminal investigation fraternity.

Biometric Applications

The practical applications of biometric technologies are diverse and expanding, as new needs are identified. By and large, biometric applications fall into two main categories: law enforcement and civilian applications.

The law enforcement community is perhaps the largest biometric user group. Police forces throughout the world use AFIS (Automated Fingerprint Identification System) technology to process criminal suspects, match finger images and bring guilty criminals to justice.

Those biometric applications not involving crime detection utilize some form of access control. This will either involve the physical access of people to secure areas, or securing the access to sensitive data. In other words, access control is either physical access or data access. Whether securing benefit systems from fraud, preventing illegal immigrants from entering a country, or prisoners from leaving a prison — controlling access is the underlying principle. Access control ensures that authorized individuals can gain access to a particular area and that unauthorized individuals cannot.

Some examples of biometric applications are listed below.

Banking

Banks have been evaluating a range of biometric technologies for many years. Fraud and general breaches of security must be controlled if banks are to remain competitive in the financial services industry. Automated teller machines (ATMs) and transactions at the point of sale are particularly vulnerable to fraud and can be secured by biometrics. Other emerging markets include telephone banking and Internet banking, both of which demand the utmost security for bankers and customers alike.

Computer Access

Fraudulent access to computer systems affects private computer networks and the Internet in the same way: confidence is lost and the network is unable to perform at full capacity until the breach in security is patched. Biometric technologies are proving to be more than capable of securing computer networks. This market area has phenomenal potential, especially if the biometrics industry can migrate to large-scale Internet applications. As banking data, business intelligence, credit card numbers, medical information and other personal data becomes the target of attack, the opportunities for biometric vendors are rapidly escalating.

Electronic Benefits Transfer (EBT)

Benefits systems are particularly vulnerable to fraud. The battle against fraud has been waged by welfare departments across many U.S. states for years. A variety of technologies are being evaluated, although fingerprint scanning is particularly widespread. AFIS technology and one-to-one verification are used to ensure that the benefit claimant legitimately receives a benefit check. Another development that may revolutionize the payment of benefits is Electronic Benefits Transfer (EBT), which involves loading funds onto a plastic card. The card can then be used to purchase food and other essentials in shops fitted with special point-of-sale smart card readers. Biometrics are well-placed to capitalize on this phenomenal market opportunity and vendors are building on the strong relationship currently enjoyed with the benefits community.

Immigration

Terrorism, drug-running, illegal immigration and an increasing throughput of legitimate travelers is putting a strain on immigration authorities around the world. It is essential for these authorities to quickly and automatically process law-abiding travelers and identify the lawbreakers. Biometrics are being employed in a number of diverse applications to make this possible. The U.S. Immigration and Naturalization Service (INS) is a major user and evaluator of biometric technologies. Systems are currently in place throughout the U.S. to automate the flow of legitimate travelers and deter illegal immigrants. Biometrics are also gaining widespread acceptance in Australia, Bermuda, Germany, Malaysia, and Taiwan.

National Identity

Biometrics are beginning to assist governments as they record population growth, identify citizens, and prevent fraud occurring during local and national elections. Often this involves storing a biometric template on a card which, in turn, acts as a national identity document. Fingerprint scanning is particularly strong in this area and programs are already underway in Jamaica, Lebanon, the Philippines, and South Africa.

Physical Access

More and more organizations are using biometrics to secure the physical movement of people. Schools, nuclear power stations, military facilities, theme parks, hospitals, offices and supermarkets across the globe employ biometrics to minimize security threats. As security becomes more important for parents, employers, governments and other groups, biometrics will be seen as a more acceptable and therefore essential tool. The potential applications are endless. Biometrics could even be employed to protect our cars and homes.

Prisons

Prisons, as opposed to law enforcement, use biometrics not to catch criminals, but to make sure that they are securely detained. A surprising number of prisoners simply walk out of prison gates before they are officially released. A wide range of biometrics are now being employed worldwide to secure prison access, police detention areas, enforce home confinement orders, and regulate the movement of probationers and parolees.

Telecommunications

With the rapid growth of global communications, cellular telephones, dial inward system access (DISA), and a range of telecommunication services are under attack from fraudsters. Cellular companies are vulnerable to cloning (a new phone is created using stolen code numbers) and new subscription fraud (a phone is obtained using a false identity). Meanwhile, DISA — which allows authorized individuals to contact a central exchange and make free calls — is being targeted by telephone hackers. Once again, biometrics are being called upon to defend this onslaught. Speaker ID is well suited to the telephone environment and is making inroads into these markets.

Time & Attendance

Recording and monitoring the movement of employees as they arrive at work, take breaks, and leave for the day was traditionally performed by "clocking-in" machines. However, manual systems can be circumvented by someone "punching in" for someone else, a process known as "buddy punching." This disrupts time management and unit costing exercises and costs companies millions of dollars. Replacing the manual process with biometrics prevents abuses of the system. In addition, biometrics can be incorporated with time management software to produce management accounting and personnel reports.