3. Biometrics
Definition:
“Automated measurement of physiological and/or behavioral characteristics to determine or authenticate identity”.
“Automated measurement”
No human involvement.
Comparison takes place in real time.
DNA is not a biometric.
4. Biometrics
“Physiological and/or behavioral characteristics”
Behavioral:
User speaks.
Types on a keyboard.
Signs name.
Physiological:
Fingerprint
Hand
Eyes
Face
5. Biometrics
“determine or authenticate identity”
Identification Systems:
Who am I?
Determine Identity
Verification Systems:
Am I who I claim to be?
Authenticate Identity
6. Biometrics
“determine or authenticate identity”
Verification Systems (cont):
More accurate.
Less expensive.
Faster.
More limited in function.
Requires more effort by user.
13. Biometrics
Facial scan:
Uses off-the-shelf camera to measure the following facial features:
Distance between the eyes.
Distance between the eyes and nose ridge.
Angle of a cheek.
Slope of the nose.
Facial temperatures.
14. Biometrics
Hand scan:
Measures the top and side of the hand, not the palm.
Hand Geometry.
Most widely used technique for physical access.
INS pass system
15. Biometrics
Voice scan:
Measures the sound waves of human speech.
User speaks a passphrase into a microphone.
Voice print is compared to a previous one.
16. Biometrics
Keystroke scan: Measures the time between strokes and duration of key pressed.
Most commonly used in systems where keyboard is already being used.
18. Biometrics
Informational privacy concerns:
Misuse
Addressed by:
System Design
Careful Audit
Personal privacy concerns:
Cultural or religious beliefs
19. Biometrics
Bioprivacy Framework (25 best practices)
Scope & Capabilities
Data Protection
User Control of Personal Data
Disclosure, Auditing and Accountability
20. CONCLUSION
Scope & Capabilities:
Limit system scope.
Limit storage of identifiable biometric data.
Data Protection:
Security Tools:
Encryption
Private networks
Secure facilities
Limited System Access
21. CONCLUSION
User Control of Personal Data:
Allow user un-enrollment (voluntarily)
Allow user to view, correct and update data
Disclosure, Auditing and Accountability:
Explain system purpose
Third party auditing
This is the agenda for this morning.
I will be showing you a quick two-minute video that talks about biometrics in the news.
Then I’ll cover an overview of biometrics, its definition, classifications, etc.
Then I will present all the biometric technologies available, both those being used today and those under research.
Then I will be covering the accuracy metrics by which biometric systems are graded and which determine how secure a biometric system is.
And finally, I will cover bioprivacy: the privacy concerns with the use of biometrics and how to address them.
The definition of biometrics is “an automated measurement of physiological and/or behavioral characteristics, to determine or authenticate identity”.
Let’s break the definition into its three major components, shown in different colors on the screen.
These components will determine what is and what is not a biometric and also its different types and functionalities.
The second component of the definition, “Physiological and/or behavioral characteristics”, determines the two main biometric categories: behavioral and physiological.
The behavioral characteristics measure the movement of a user, when users walk, speak, type on a keyboard or sign their name.
The physiological characteristics would be the physical human traits like fingerprints, hand shape, eyes and face, veins, etc.
And the last component of the definition is “determine or authenticate identity”, which categorizes the two types of biometric functionalities.
The first type is identification systems, the systems that answer the question “Who am I?” and determine the identity of a person.
The second type is verification systems, the systems that answer the question “Am I who I claim to be?” and authenticate a person.
An example of an Identification System using biometrics would be: You approach an ATM with NO card, NO claimed identity, NO PIN.
The ATM scans your iris and determines who you are and gives you access to your money.
An example of a Verification System using biometrics would be: You approach an ATM and swipe a card or enter an account number.
The ATM scans your iris and uses it as a password to authenticate that you are the rightful owner of the card, and therefore gives you access to your money.
Verification systems are more accurate, less expensive and faster than Identification systems.
However, their drawbacks are that they are more limited in function and they require a lot more effort from the user to use the system.
The benefits of biometrics are:
Enable security, because it helps protect data at the PC and/or network level. It may also restrict access to buildings or specific rooms.
Enforce accountability, because it can improve the audit trail and recordkeeping process. For instance, recent HIPAA regulations require careful audit logs of who accesses special data and for what reason.
User convenience, because users no longer have to memorize passwords or carry keys or badges that can get lost, stolen or forgotten.
Improve savings, because biometric implementers no longer need to reset passwords, reissue badges, change locks, etc.
Recent primary drivers for the use of biometrics are:
The size and cost of biometric devices have decreased dramatically, with hardware getting smaller, faster and cheaper.
All types of biometric systems have improved their accuracy and reliability by improving on their metrics, like false acceptance rate, false rejection rate and failure to enroll rate, which I will explain later on.
Today we can find much more mature standards and APIs (like BioAPI and BAPI), which have made it easier and less expensive to develop biometric applications.
And finally, there has recently been more public awareness of biometric uses and their convenience.
There are two major classifications of biometric technologies:
Those that do identification and verification (like Finger scan, Iris scan, Retina scan and Facial scan) and those that do verification only (like Hand Geometry, Voice Print, Keystroke Behavior and Signature).
This classification is driven by the number of distinctive characteristics each technology is able to consistently measure.
Therefore, biometric technologies that do identification and verification have more distinctive characteristics to work with than the ones that only do verification.
There are also other Biometric Technologies in the making, at Universities and Colleges, which I will cover later on.
In the case of finger scan, it measures unique characteristics in a fingerprint.
These characteristics, or minutiae (as they are called), are crossover, core, bifurcations, ridge ending, island, delta and pores.
Fingerprint samples like the one you’re looking at typically don’t have all the minutiae types available.
It is desirable but not always possible.
Today we may find many automated fingerprint identification systems, or AFIS, because of the high quality scanners available.
This technique is used mostly for forensic and background checks and is being used in both logical and physical security.
Logical security costs are approx. $50 - $200 and physical security costs approx. $500 - $1,000 per device.
In the case of iris scan, it measures unique characteristics of the colored part of the eye, also known as the iris.
These characteristics are: ridges or rings, furrows, and striations or freckles.
This technique, just like finger scan, is being used in both logical and physical security.
In the case of retina scan, it measures unique characteristics of the back of the eye, which is called the retina.
These characteristics are blood vessel patterns and vein patterns.
Retina scan requires significantly more effort to use than iris scan, and it is more challenging because the slightest movement causes rejection by the system. It also needs more sophisticated cameras than iris scan.
In the case of facial scan, it measures facial features like the distance between the eyes, the distance between the eyes and nose ridge, the angle of a cheek, the slope of the nose, the thickness of the lips, or facial temperatures.
It is the most common biometric technique used to obtain a personal identification.
Facial scan has many challenges, like changes in lighting, changes in camera angles, etc.
This technique is used at all US embassies worldwide, and at government agencies.
It is also used to guarantee uniqueness against an image database, usually to prevent identity theft.
Many ATMs and casinos around the country use this technique to identify users.
Very recent uses of this technique have been at Super Bowl 35, to compare facial scans against known criminals,
or at Ybor City, Florida, on the west coast (for citizen surveillance in public streets).
In the case of hand scan, it measures the top and side of the hand, not the palm as is commonly thought.
It is typically known as hand geometry (finger lengths, widths, curves, etc.).
It is the most widely used technique for physical access, and its price ranges from $1,200 - $1,500 per door.
Recent uses include the INS pass system, which scans a hand of frequent travelers, so instead of presenting a passport for authentication these frequent travelers swipe a card and do a hand scan. It is both convenient to consumers and frees up human resources to attend to higher-risk passengers.
In the case of voice scan, it measures the sound waves of human speech.
Voice scan can be based on either text-dependent or text-independent speech input.
If it is text-dependent, the user speaks a passphrase into a microphone and repeats the same passphrase whenever they need to be authenticated.
The most common use of voice scan biometric systems is where a telephone is already being used.
For instance, home arrest verification is a very common use. At any time of the day or night a computer calls the home of a person under home arrest, and that person has to answer the phone and speak a passphrase to be authenticated.
Voice scan biometrics is currently restricted to low security applications because of high variability in an individual’s voice (it depends on the user's mood) and the poor accuracy of a typical speech-based authentication system (it is affected by background noise).
In the case of keystroke scan, it measures the time between strokes and the duration of each key press.
It is most commonly used in systems where a keyboard is already being used.
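The two keystroke measurements named above (duration of key pressed, often called dwell time, and time between strokes, often called flight time) can be turned into a simple 1:1 verification check. This is an added example, not part of the original presentation; the key events, the mean-absolute-difference comparison and the 15 ms tolerance are assumptions chosen for illustration.

```python
# Constructed key events for the same four-key passphrase, as
# (key, press_ms, release_ms). All names and values here are hypothetical.
ENROLLMENT = [
    [("p", 0, 90), ("a", 150, 230), ("s", 300, 385), ("s", 450, 540)],
    [("p", 0, 100), ("a", 160, 250), ("s", 310, 405), ("s", 470, 560)],
]
GENUINE_ATTEMPT = [("p", 0, 95), ("a", 158, 240), ("s", 305, 395), ("s", 462, 550)]
IMPOSTOR_ATTEMPT = [("p", 0, 140), ("a", 260, 380), ("s", 520, 640), ("s", 700, 830)]


def features(events):
    """Dwell time per key (how long it is held), then flight time between keys."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Build a template: the per-feature mean over several typing samples."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment samples must contain the same number of keys")
    return [sum(col) / len(col) for col in zip(*vectors)]


def distance(template, events):
    """Mean absolute timing difference (ms) between an attempt and the template."""
    vector = features(events)
    if len(vector) != len(template):
        raise ValueError("attempt length does not match the enrolled passphrase")
    return sum(abs(t - v) for t, v in zip(template, vector)) / len(vector)


def verify(template, events, tolerance_ms=15):
    """1:1 verification: accept only if the typing rhythm is close enough."""
    return distance(template, events) <= tolerance_ms


if __name__ == "__main__":
    template = enroll(ENROLLMENT)
    for name, attempt in (("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)):
        print(name, round(distance(template, attempt), 1), verify(template, attempt))
```

The tolerance plays the role of the system threshold: loosening it lets more impostors in, tightening it rejects more legitimate users.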
False Acceptance Rate (FAR): Measures how often imposters would be let into the system. (Type II Error)
False Rejection Rate (FRR): Measures how often legitimate users will be rejected by the system. (Type I Error)
Now, all biometric systems have threshold levels to minimize the FAR and FRR as necessary, depending on the application.
Failure To Enroll Rate (FTE): Measures the percentage of the population that is unable to enroll in the system: not only handicapped people, but any users who for one reason or another cannot enroll.
Ability To Verify (ATV) is a metric based on FTE and FRR.
This metric usually characterizes user experience, cost of the system and level of security.
The higher the ATV metric, the more users can be processed and the fewer the exceptions, making criminals easier to identify.
Both ATV and FAR are excellent measures of a biometric system’s level of security.
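How the threshold trades FAR against FRR, and how ATV follows from FTE and FRR, shown on constructed data. This is an added example, not part of the original presentation; the scores and enrollment counts are made up, and the formula ATV = (1 - FTE) x (1 - FRR) is an assumption, since the talk only says ATV is based on FTE and FRR.

```python
# Constructed sample data (not from the presentation): similarity scores in
# [0, 1] from a hypothetical matcher; a higher score means a closer match.
GENUINE = [0.91, 0.84, 0.77, 0.69, 0.88, 0.95, 0.58, 0.81, 0.73, 0.90]
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.63, 0.18, 0.52, 0.30, 0.71, 0.27]
ENROLL_ATTEMPTS, ENROLL_FAILURES = 200, 6  # constructed enrollment counts


def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostor attempts that are accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of legitimate attempts that are rejected."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def atv(fte_rate, frr_rate):
    """Ability To Verify. Assumption: ATV = (1 - FTE) * (1 - FRR)."""
    return (1 - fte_rate) * (1 - frr_rate)


def sweep(thresholds):
    """Return (threshold, FAR, FRR) for each candidate threshold, ascending."""
    return [(t, far(IMPOSTOR, t), frr(GENUINE, t)) for t in sorted(thresholds)]


def pick_threshold(rows, max_far):
    """Lowest threshold whose FAR meets the target, which keeps FRR lowest.

    Returns None when no candidate threshold is strict enough.
    """
    for row in rows:
        if row[1] <= max_far:
            return row
    return None


if __name__ == "__main__":
    rows = sweep([0.5, 0.6, 0.7, 0.8])
    for t, fa, fr in rows:
        print(f"threshold={t:.1f}  FAR={fa:.0%}  FRR={fr:.0%}")
    chosen = pick_threshold(rows, max_far=0.10)
    fte_rate = ENROLL_FAILURES / ENROLL_ATTEMPTS
    print("chosen:", chosen, "ATV:", round(atv(fte_rate, chosen[2]), 3))
```

Raising the threshold from 0.5 to 0.8 drives FAR from 30% to 0% while FRR climbs from 0% to 40%, which is why the operating point has to be set per application.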
There are two main categories of biometric privacy concerns: informational privacy concerns and personal privacy concerns.
Just like your name and address, biometric information can be sold, so there are valid concerns about the use of this information.
These concerns can be addressed through careful system design and careful audit.
Personal privacy concerns create inherent discomfort because of cultural or religious beliefs.
These concerns can be addressed by educating the users.
To help mitigate both informational privacy concerns and personal privacy concerns, the bioprivacy framework was created; it lays out the 25 best practices.
These bioprivacy best practices have been broken down into four main categories: Scope & Capabilities, Data Protection, User Control of Personal Data, and Disclosure, Auditing and Accountability.
The first category of bioprivacy best practices is scope and capabilities.
It includes limiting the system scope (a slight expansion may have significant privacy implications)
and limiting storage of identifiable biometric data (actual images and recordings should be discarded whenever possible).
The second category is data protection:
Use security tools to protect biometric information. These tools include encryption, private networks and secure facilities.
System access should be limited to the smallest number of operators to prevent internal compromise.
The third category of bioprivacy best practices is user control of personal data:
Systems should allow a user to un-enroll voluntarily.
Systems should allow the user to view, correct and update information stored in the system.
The last category of bioprivacy best practices is “Disclosure, Auditing and Accountability”:
Explain the purpose of the system to operators and enrollees.
Provisions should be made for third party auditing.
And now I will answer any questions you might have.