Biometrics
Biometrics
In the wake of the ongoing battle between security and access, many different forms of user authentication have come about to govern access control. There are generally four different types of authentications, involving something you know, such as your PIN for your debit card, something you are, like a fingerprint, something you have, like an access card with RFID, and where you are, such as whether you are within the internal network or not. There are many pros and cons based on the use or combination of several of these types of authentication. But the purpose of this report is to discuss the second type I listed, what you are. Properly called biometrics, this type of authentication is based off of unique, personal characteristics. These are further distinguished between two different types – behavioral and physical. This report will describe many of the common types of biometrics and their history, their strengths, and their weaknesses.
The first type of biometric I will discuss is handwriting. This has been one of the longest and most accepted styles of biometric in modern society. According to a book by Ross Anderson, special seals used by Chinese nobles were the first recorded use, but seals were often used to fasten messages shut from prying eyes. This has extended to personal use so that everyone uses their signature to create legally binding documents. Signatures are defined as a behavioral biometric. The strength in personal signatures is that they are hard to reproduce by the untrained, and handwriting samples contain many distinguishing characteristics. This type of control usually now requires some extra constraints, such as having publicly registered notaries witness signatures or requiring bank tellers to watch the signature for a bank withdrawal. There are a few weaknesses, though. There are documented cases of forgeries, and probably numerous cases of non-documented forgeries. Everyone from little children to professional thieves has tried to break this, and can often succeed. According to the research discussed by Anderson, untrained people have at least a 38% chance to identify signatures incorrectly (Anderson, 2001). Recent technological advances can photocopy and print signatures, and in many cases, an actual signature isn’t required anymore. ‘Electronic’ signatures are based more on what you know, and are a different subject then this paper. As Anderson continues, the one major use of signature is for check clearing, including the use of signature tablets that capture hand velocity and when the pen leaves the tablet. This is useful for automating the use of the biometric. The accepted issue with all biometrics is the false accept or false reject rate. Machines that test for signatures can mistake a false signature for a positive, and vice versa with a negative result on a true signature.
Another type of behavioral biometrics is voice recognition. This type of biometric takes short data samples and tests it according to a pre-recorded soundtrack. Different aspects like tone, pitch, and tempo, to borrow the music terminology, are all slightly different combinations for people. There are a few examples of this technology, from low grade whistle-activated key finders to controlling safes. There are a few weaknesses, though, such as voice training, which can change the voice to separate toning and pitch, creating new recordings by mixing and matching previous data samples, and even puberty! Also, devices exist, sold as toys in some instances, which change the characteristics of the voice by putting it through a machine and modifying the sound waves. Also, different types of atmospheres like helium can disrupt normal sound waves. This distortion is useful for preventing later identification by the technique known as forensic phonology, or the identification of people by speech patterns.
Another type of biometric is facial recognition. This is one of the physiological characteristics. Common examples of this are the FBI most wanted lists. This ability to identify people by their face is an ability that many would say is instinctive. The technological practice of this biometric is taking a database of facial shots, and checking for recognizable traits, like scars, face sculpture like the nose and eye brow geometric structure. This mentally automated task is hard to reproduce technologically, though. Even humans have a hard time identifying strangers by photo ids, and that’s with decent shot. And this becomes more difficult as it progresses from simple verification to analyzing poor-quality shots to real-time surveillance. This technology has not yet reached a level in which the error rate is acceptable, and will need further advances to become more viable. Another aspect of this technology is whether the use is intruding on an individual’s right to not have their photo taken by an organization. A common example is public school, where a waiver has to be signed in order for the school to make and record likenesses of the student in question. Such a facial recognition system was set up in a public elementary school nearby my house, and the people who set it up claimed that the system bypassed these rights by not recording the images, and that the transmission of the images to an outside network for analysis. Any technologically minded person could see the gaps in this claim, but the system was still put into place.
One of the more famous types of
biometrics is fingerprint scanning, which is another physiological trait. Fingerprints are something that is unique about each individual. Police forces have used fingerprints as a way to identify culprits for a crime. They started coming about at the turn of the last century, though previous uses and theories were out long before. Fingerprints can be distinguished by the whorls, arches, tents, and loops that comprise the little wrinkles in the skin. The two major uses are identification of past events, and real-time access to data or locations. In some rural areas, they work as a replacement to signatures. They are also used to screen jobs, whether as a background history check or a record on file, such as a government fingerprint clearance card. Fingerprint scanners now make up a lot of the biometrics in use today, and are even permanently installed on several laptops, or available as a plug-and-play device that is required to unlock a computer. This type of application can work fast as there aren’t that many matches to go through. Forensics, on the other hand, can take forever because of the sheer amount of fingerprints on record, which must be run one by one through a scanner for analysis. There is a criteria, depending on the local legal system, on how many matching ‘points’ must occur for positive identification. The problem with crime scenes, though, is that prints are often not clean or distorted. On a personal level, though, the question of not having enough data can be remedied by a second swipe. Repeated swipes, though, will discomfort a user, and might even be disabled by the user, thereby invalidating its whole point. The other weakness is the reproduction of fingerprints. The prints could be reproduced by tape or molds for a variety of reasons. Some grisly adventure stories even entail cutting off the hand or finger of an individual to gain access! While this type of case is a bit extreme and unlikely outside of a James Bond film, the possibility remains. As a last weakness, genetic and medical reasons can render the prints useless or difficult to incorporate, such as amputees, extra digits, scars, age, and the rare lack of fingerprints because of gross macro-level damage or genetic mutation. The use of fingerprint scanners is heavily present, though, and in demand. Everything from military monitoring of civilians to search for terrorists and potential threats to Disneyworld verifying that the same person uses the same park hopper pass every day. The degree to which Disney incorporates it has even made them a source of experience and authority for governments that have asked them for advice.
The last individual physiological characteristic used in biometrics that I will talk about is iris or retinal identification. This type of biometric is lauded as one of the least error-prone systems in ideal settings. The eye is something that a person will protect more than a digit, and is less prone to scarring. Also, like fingerprints, they are unique to individuals, even down to individual eyes being completely separate and distinguishable. The technology today can reliably distinguish these unique characteristics, and the Department of Energy’s test found a zero error rate in their test, according to the book by Anderson (Anderson, 2001). This, combined with fingerprints, is the current way that soldiers in Iraq use biometrics to scan individuals. There is a problem with using this system in widespread and real-time formats. First off, the cameras need to get a very clear picture of the iris, which would be hard in a crowd or a public surveillance camera. This would be even more difficult than facial recognition programs on such a scale. Little things like squinting, sunglasses and eyelashes all would disrupt a valid reading. Also, the legal implications for widespread surveillance are a lot murkier. On a small scale form of access control, however, the system promises many attractive benefits such as the low failure rate.
There are many other smaller or less-applicable methods of biometrics available. Everything from measuring gait to analyzing the veins in your hand to analyzing your smell (such as by a guard dog or a drug enforcement dog) has been put into practice. Another type of biometrics that is pretty infallible is DNA typing. This is done by isolating DNA fragments, culturing them, and running them through a special test called electrophoresis, which creates a unique identification of the gene structure of an individual. Such types of biometrics, however, are not in as much use because of failure rates or the invasion of privacy or the simple problem of time.
The true measure of many of these biometrics is whether their use will create a definite way to control access or monitor areas is whether it will make a difference or the effect will simply be deterrence. Many of these applications in real-life are just as effective as any other deterrent, but can be more costly or a waste of time. Also, by the widespread use, the unique biological data can simply become a set of facts that can be fed through to fake out systems. These are the questions that should be asked by any organization wanting such measures. Often, the best way to ensure total security is a mixture of several types of safety measures such as a fingerprint and password, or a PIN and an identifying card. There is never a complete possibility of total prevention, but great strides can certainly be taken. The best case scenario is always usually a unique answer depending on the needs of an organization.
References
Biometrics. Retrieved September 20, 2008, from Wikipedia Web site: http://en.wikipedia.org/wiki/Biometrics Access Control. Retrieved September 20, 2008, from Wikipedia Web site: http://en.wikipedia.org/wiki/Access_control Onley, Dawn (2004, August 16). Biometrics on the front line. Retrieved September 20, 2008, from GCN Web site: http://www.gcn.com/print/23_23/26930-1.html Anderson, Ross (2001). Security Engineering. Wiley. http://www.cl.cam.ac.uk/~rja14/Papers/SE-13.pdf. (Look up this guy - he's a big honcho at the University of Cambridge, and publishes a lot of his work and previous versions of his book online for free access!) Harmel, Karen (2006, September 1). Walt Disney World: The Government's Tomorrowland?. Retrieved September 20, 2008, from Liberty VS Security Web site: http://news21project.org/story/2006/09/01/walt_disney_world_the_governments
clone4 16 years ago
yeah same for me, something fresh, easy to understand but informative. Not Awesome for ocassional 'shallowness' of the content
ghost 16 years ago
Lots of details, references, expanding upon the original topic with classifications… Absolutely fantastic formatting. A few of the areas seemed as if you were "winging" it, but you were covering a range of topics so, ultimately, this is forgivable. It was a great read and, really, articles should follow this format: Pick a single topic, explore the various corners of that one topic with verifiable information, then round out with a discussion. Very much enjoyed reading this one.
ghost 16 years ago
Very good, although I would not expect too many comments, merely because not many would read about biometrics for fun.