1. BIOMETRICS
Kevin Swenson

2. Table of Contents
I. What’s a Biometric? ....................................................................................3
Definition...................................................................................................................................3
Physical/Anatomical ...................................................................................................3
Behavioral.....................................................................................................................3
Criteria for Biometric Identifiers..............................................................................................3
II. How do Biometrics Work?...........................................................................4
III. What is a Biometric System?.......................................................................5
Definition...................................................................................................................................5
Key Elements of a Biometric System......................................................................................5
Enrollment ....................................................................................................................5
Reference Templates ..................................................................................................5
Biometric Matching .....................................................................................................5
Important Distinctions .............................................................................................................6
Biometric Authentication: Verification vs.
Identification ................................................................................................................6
Fundamental Concepts............................................................................................................7
Authentication..............................................................................................................7
Identity & Access Management (IAM) .......................................................................7
Multi-Factor Authentication (MFA).............................................................................7
Multi-Modal Biometrics...............................................................................................7
...................................................................................................................................................8
The Process..............................................................................................................................8
Key Performance Indicators – KPI..........................................................................................8
False Accepts (false matches)...................................................................................8
False Rejects (false non-matches).............................................................................8
Equal Error Rate ...........................................................................................................8
Failure to Enroll ............................................................................................................8
Transaction Times.......................................................................................................8
IV. Types of Biometric Technologies ...............................................................9
The Most Noteworthy ..............................................................................................................9

3. Fingerprint ....................................................................................................................9
Heartbeat ECG .............................................................................................................9
Iris Structure.................................................................................................................9
Vein Structure.............................................................................................................10
The Others ..............................................................................................................................10
V. What Does our CIO Need to Know? ...........................................................10
How are Businesses are using Biometrics?.........................................................................10
Logical Access Control .............................................................................................10
Physical Access Control............................................................................................11
Who’s using it? .......................................................................................................................11
Restaurant & Retail Industries, Point of Sale
(POS)...........................................................................................................................11
Banking, ATMs...........................................................................................................11
Healthcare Candidate Verification ...........................................................................11
Industry Trends.......................................................................................................................11
VI. How About Some Examples? ....................................................................12
Descartes Biometrics.............................................................................................................12
MasterCard Identity Check (“Selfie Pay”).............................................................................12
Nok Nok Labs .........................................................................................................................13
VII. Anything Else? ..........................................................................................13
VIII. Works Cited ..............................................................................................14

4. BIOMETRICS - MARCH 2016 3
What’s a Biometric?
Definition
A Biometric is a characteristic, feature, or behavior that can be measured, is unique to a single,
living individual, and can be recorded, stored, and retrieved.
Biometrics can be categorized into one of two classes;
Physical/Anatomical
Physical characteristics (also referred to as biological,
physiological, or static) are based on a person’s physicality
and include things like fingerprints, hand geometry, facial recognition, etc.
Behavioral
Behavioral biometrics (also referred to as dynamic traits) are related to some pattern of a
person’s behavior and include things like signature, gait, or keystroke pattern. Behavioral
biometrics are prone to change over time making them less reliable then most physical
biometrics.
The difference between the two is in the amount of activity required by the end user. With
physical biometrics, the user isn’t required to play an active part. However, with behavioral
biometrics, the activity is what is being measured. (Das, 2015)
Criteria for Biometric Identifiers
Any physical or behavioral characteristic can be used as a biometric identifier if it has the
following properties;
 Universality: All people must have this characteristic.
 Distinctiveness: This characteristic must be unique to each individual.
 Permanence: The characteristic must not fade or change over time.
 Collectability: The characteristic must be measurable.
WORD COUNT: 2,806
The term “Biometrics” is derived from the
Greek words “Bios” (life) and “Metric” or
“Metry” (to measure). Biometrics, literally
translated, is a way to measure life.

5. BIOMETRICS - MARCH 2016 4
How do Biometrics Work?
On a fundamental level, biometrics is pattern recognition and comparison. It centers around the
idea of capturing a biological measurement and comparing it against a string of numbers
referred to as a template.
Once the template has been created and stored, anytime a request is made to access the
associated account, the incoming sample is processed and converted, then compared against
the reference template. If they match, access is granted. If they do not, access is denied.
Templates and the Public Privacy Concern
Templates are a key concept in biometrics and it is important to
understand exactly what they are and what they are used for.
Most people believe when someone submits a biometric sample, a picture
is taken of their finger, hand, or face, then the picture is kept on file to be
used for comparison at a later date. Unfortunately, this is a common
misconception and is one of the reasons biometrics has not yet been
widely accepted by the public.
There is no image stored in a file somewhere, rather there is a template. A
template is a mathematical representation of the original sample. The
process of converting a sample into a template is strictly one-way. That is
to say, you cannot just pull up the binary file of someone’s facial
recognition scan and then recreate the original image.
To put it further in context, imagine two company databases were
breached. One contained the typical user passwords, credit card
numbers, and social security numbers, the other contained biometric
reference templates. Your personal data was in both systems. Which
breach was more damaging to you?
The biometric templates cannot be reverse engineered and even if they
could, they could not be used to access any of the associated accounts
because they require a living sample. In this case you should be worrying
about your bank accounts, not your finger prints.

6. BIOMETRICS - MARCH 2016 5
What is a Biometric System?
Definition
A biometric system is an automated system that performs the following functions;
 Collects biometric samples via a sensor1
or other capture device.
 Processes samples into a data profiles (templates).
 Stores the template data and is able to retrieve it upon demand.
 Compares incoming sample templates against reference templates.
 Algorithmically generates a difference score2
from which it makes the decision to grant
or deny access.
Key Elements of a Biometric System
The following four elements are universal to all biometric systems.
Enrollment
This is the process of initially collecting a biometric sample from a person and subsequently
generating the reference template that will later be used for decision comparison.
Reference Templates
A Reference Template is a digital representation of the
original biometric sample. It is used during the
authentication process.
Biometric Matching
Refers to the process of checking a sample template against a stored reference template and
determining whether or not the two are a true match. The match decision is output in the form
of a Boolean determination but in fact the system’s decision algorithm calculates out how
1
Hardware found on a biometric device that converts biometric input into a digital or analog signal and
conveys this information to the processing device. (Division, 2013)
2
The Difference Score: A value returned by a biometric algorithm that indicates the degree of difference
between a biometric sample and a reference.
Sample Template

7. BIOMETRICS - MARCH 2016 6
“close”3
the two samples are then outputs a score4
. Based on the predetermined, acceptable
level of error, the system decides whether or not it should evaluate the two as a match.
Important Distinctions
Biometric Authentication: Verification
vs. Identification
Generally speaking, biometric authentication
uses one of the two following methods;
Identification systems are most notably used in law enforcement to identify individuals by
means of a biometric sample left at a crime scene.
Verification systems are more typical of a business case and more relevant in the context of IT.
3
Due to uncontrollable environmental variables, no two templates are ever precisely identical.
4
Refers to the Decision Score.
4a
A return of “many”, refers to several, statistically close matches.
Biometric Identification – “who is this person?”
In an identification system, a sample biometric is tested against an array of reference
templates via a one-to-many comparison. The results of an identification test are zero,
one, or many4a
. The subsequent decision is an implicit one.
Biometric Verification - “is this person who they say they are?”
In a verification system, a user’s identity is explicitly verified via a one-to-one
comparison of the testing sample against the stored reference template.
The system first captures the sample, then directly checks the sample against a
reference template stored with the user’s profile information. Because the system only
has to retrieve one stored template, this type of system is always faster than an
identification system.

8. BIOMETRICS - MARCH 2016 7
Fundamental Concepts
Authentication
Authentication is the automated process of recognizing an individual for security purposes. In
the context of business and IT, authorization is generally handled by Identity and Access
Management (IAM)
Identity & Access Management (IAM)
IAM is a broad administrative/security area that manages authentication within organizations.
In general, there are three approaches to authenticating individuals. They are listed below in
order of least, to most secure.
LEVEL I
The first and lowest level of IAM authentication is defined as “what you have”. This is
something like a key or an ID badge and is generally referred
to as a token.
LEVEL II
The second level of IAM authentication is defined as
“something you know”. This usually takes the form of a
password or a PIN number.
LEVEL III
The third level of IAM authentication is defined as “who you
are”. This is Biometrics.
The use of any one of these methods on its own, is referred to as single factor
authentication.
Multi-Factor Authentication (MFA)
MFA is the combination of two or more of the above methods with the intent of achieving a
much greater level of security. For example, requiring a user to swipe an ID card (a token) and
enter a PIN.
Multi-Modal Biometrics
Multi-modal biometrics is based on the same logic as MFA, the only
difference is multi-modal biometrics uses more than one biometric factor.
A good example is the M2-FuseID, a “smart” finger reader that combines
fingerprint and finger vein pattern identification. Sensors such as this
have become common in the finance and banking sector.
What You Have
What You Know
Who You Are

9. BIOMETRICS - MARCH 2016 8
The Process
Below is a representation of a basic authentication
process within a biometric system. There are three
primary stages within this process;
Key Performance Indicators – KPI
False Accepts (false matches)5
The probability that the system will incorrectly accept an imposter or that a live sample
coincidentally matches a template in the database.
False Rejects (false non-matches)6
The probability that the correct individual will be rejected by the system incorrectly.
Equal Error Rate
The proportion of false rejections that will be approximately equal to the proportion of false
acceptances when the threshold is appropriately set. A synonym for “Crossover Error Rate”
(CER).
Failure to Enroll
A situation where an individual is unable to submit their biometric sample for template creation.
Transaction Times
The time it takes the system to match a live template with the correct template stored in the
database.
5
This is the statistical equivalent of a Type I error.
6
This is the statistical equivalent of a Type II error (Beta).
The Observation/Collection stage which
encompasses the enrollment, verification, and
capture modules.
The Process/Compare stage which encompasses
the process, store, and compare modules.
The Decision/Action stage which encompasses
the decision and action modules.

10. BIOMETRICS - MARCH 2016 9
Types of Biometric Technologies
The Most Noteworthy
Fingerprint
This probably the oldest recognition system. Fingerprints
are incredibly distinct7
and do not change over time.
Fingerprinting technology is easy to use, highly accurate,
and relatively cheap compared to many other options.
Heartbeat ECG
This is the modality with the most immediate potential on
this list. Your hearts electric signals are distinct and
extremely difficult to imitate or replicate. The technology
for reading these signals has been around for years but
until very recently it was impractical to
incorporate the technology into a
biometric authentication system.
It is now being integrated into
wearables similar in size to the
bracelet version of the popular Fitbit. These devices have
the potential to be completely passive, geo-enabled biometric tokens. When combined with
other IoT technologies (in particular, smart homes and autos) there is a lot you could do with
this technology. (Kelly, 2014)
Iris Structure
Iris structure recognition works by mapping the structural patterns
within the iris itself. Like fingerprints, even identical twins have
different iris structures. The only down side to this technology is the
cost, which is comparatively higher than most and not widely
accepted by the public.
7
Even identical twins have different fingerprints
ARCH
TENTED
ARCH
RIGHT
LOOP
LEFT
LOOP
WHORL

11. BIOMETRICS - MARCH 2016 10
Vein Structure
Vein structure recognition has become popular
among business with a need for very high accuracy
and very little error. (e.g. the financial and banking
industries)
The Others
Hand Geometry Keystroke Pattern Recognition
Palm Print Retinal Scan
Skin Spectroscopy Speaker Verification
DNA Ear Shape
Gait Body Odor
Body Salinity Facial Thermography
Finger Geometry Skull Resonance
Fingernail Pattern
Recognition
Dynamic Signature Analysis
Rhythm/Tapping
Sequence
Facial Topography
What Does our CIO Need to Know?
How are Businesses are using Biometrics?
Logical Access Control
Logical access control generally refers to restricting access to an organizations computer
network.
How is it done now?
Primarily passwords. In some industries (banking, finance, defense) that handle highly
sensitive data, some multi-factor and even multi-modal approaches have been taken.
Why go Biometric?
Passwords are only as strong as the user makes them. Although they are a knowledge
based authentication factor (second tier), once they are written down, they fall back to
the first tier.

12. BIOMETRICS - MARCH 2016 11
Physical Access Control
Physical Access Control refers to controlling the access to a physical area.
How is it done now?
Traditionally businesses use tokens, the first level of security, and sometimes PINs
(second level) to manage access to sensitive physical areas.
Who’s using it?
Restaurant & Retail Industries, Point of Sale (POS)
Fingerprint scanners have been around for years in the restaurant industry but up until recently
their use has been limited to servers and bartenders who need frequent, quick access to the
POS system. Restaurants and Retail have recently started to offer their customers biometric
based payment solutions.
Banking, ATMs
In Korea and Japan, many ATM vendors are beginning to swap traditional PINs for physical
biometric alternatives. They are mostly using fingerprint scanners and finger vein structure
analysis.
Healthcare Candidate Verification
Hospitals have begun using biometrics to verify patient identities to combat insurance fraud.
Industry Trends
 There seems to be a shift towards multi-modal biometric systems. They are among the
most secure and because of the inherent redundancy, they future proof your investment,
to an extent. (Waxer, 2015)

13. BIOMETRICS - MARCH 2016 12
How About Some Examples?
Descartes Biometrics
HELIX Ear Recognition Software
Using your phones front facing camera, the software
recognizes the shape of your ear and unlocks the device.
It can be used for specific apps and transactions as well.
The company also offers Enterprise solutions for a wide range of industries and sectors.
(Descartes Biometrics Inc, 2016)
MasterCard Identity Check (“Selfie Pay”)
MasterCard’s Identity Check - Dubbed “Selfie Pay”
Identity Check is a mobile app that acts as the gatekeeper for payments you make using the
credit card information stored on your mobile device. To make the payment you need only snap
a quick selfie. If the app verifies your identity, your credit card information is sent out for
payment.
MasterCard says it’s algorithm has been rigorously test and
cannot be easily fooled. The app can tell the difference between
a live version of you and a photo or video recording. It also
requires you to perform a “liveness” test of blinking your eyes
before you can take the validation photo.
MasterCard ran a pilot program in California in 2015, in which 90% of participants said they
could see themselves using Identity Check or a similar biometric app, on a daily basis. 86% said
they found it easier to use than a password or PIN.
If your mobile device has a finger print scanner, Identity Check will let you use that for validation
in place of “Selfie Pay”.

14. BIOMETRICS - MARCH 2016 13
MasterCard is also working on other forms of Biometric Identification including; iris scanning,
voice recognition, and electrocardiogram(heartbeat) identification. (Wiggers, 2016)
Nok Nok Labs
Nok Nok helps organizations improve their authentication infrastructure. Instead of focusing on
any one biometric solution, they continual develop new solutions taking advantage of the latest
advances in technology.
They were one of the founding member companies of
The FIDO Alliance, which is responsible for the mobile
authentication standard FIDO 2.0.
Anything Else?
 If cost is a driving force, consider bundling several authentication types that have
lower implementation costs.
 Depending on the biometric type, it can actually be cheaper to manage a
biometric system in place of a token-based system. (Waxer, 2015)
 Earlier this year in February, the W3C approved the new mobile authentication
standard FIDO 2.0 and subsequently declared the password dead!

15. BIOMETRICS - MARCH 2016 14
Works Cited
Ahlm, A. A. (Dec 2014). Magic Quadrant for User Authentication. Stamford, CT: Gartner.
Branch, Defense Forensics and Biometrics Agency (DFBA) Architecture. (Apr 2013). The DoD Biometrics
Enterprise Architecture (Integrated) v2.0 (BioEA). Washington DC: Department of Defense.
Das, R. (2015). Biometric Technology: Authentication, Biocryptography, and Cloud-Based Systems. CRC
Press.
Descartes Biometrics Inc. (2016, Apr 05). Retrieved from DescartesBiometrics.com:
http://www.descartesbiometrics.com/helix-sdk/
Division, D. P. (2013). The DoD Biometrics Enterprise Architecture (Integrated) v2.0 (BioEA). Washington
DC: Defense Forensics and Biometrics Agency (DFBA) Architecture Branch.
Ferbrache, D. (Mar 2016, Issue 3). Passwords are broken – the future shape of biometrics. Biometric
Technology Today, 5-7.
John D. Woodward, K. W. (2001). Army Biometric Applications: Identifying and Addressing Sociocultural
Concerns. Rand Corporation.
Kelly, H. (2014, Apr 4). Biometric Alternatives to the Password. CNN.
National Biometric Security Project. (2008). Biometric Technology Application Manual Volume One:
Biometric Basics. Bowie, MD: NBSP.
Perkins, R. W. (Dec 2015). Predicts 2016: Identity and Access Management. Stamford, CT: Gartner.
Tilton, C. J. (Sep 2011). Planet Biometrics – Standards – Getting Started. Reading, UK: Planet Biometrics.
Unknown. (2016). THE DEFENSE FORENSICS & BIOMETRICS AGENCY. Retrieved from
References/Standards: http://www.biometrics.dod.mil/References/Standards.aspx
Waxer, C. (2015). Biometrics moves into the mainstream. Retrieved from I-CIO: http://www.i-
cio.com/management/best-practice/item/biometrics-moves-into-the-mainstream
Wiggers, K. (2016). MasterCard will soon let you pay for stuff by taking a selfie. Digital Trends.