The Internet Protocol Journal - Volume 7, Number 1

The Lures of Biometrics

by Edgar Danielyan, Danielyan Consulting LLP

This article introduces biometrics and discusses some of the complex issues associated with use of biometrics for identification and authentication of individuals and its impact on both standalone and networked information systems, as well as on physical security. The agenda is not to show whether biometrics is your best investmentor a useless thing—these two polar viewpoints share the same quality of being over simplifications, to say the least. It also certainly does not purport or try to tell everything there is to tell about biometrics or its applications. Legal and social implications of biometrics are also not discussed in this article because these would differ considerably, depending on the legislation and cultural traditions of countries concerned; we also do not consider the complex performance, design, and implementation questions, because these are of too specialized nature—for more in-depth coverage of these topics a list of biometrics organizations and publications are provided at the end of this article, along with a list of references.

Before we continue, it would be useful to examine the current deployment of biometrics outside testing laboratories and the corporate perimeter. With the U.S. government fingerprinting and taking photographs of some of the visitors coming to the United States beginning January 5, 2004, under the US-VISIT program, biometrics and associated issues such as privacy and personal data protection are bound to get unprecedented levels of publicity [1]. Although it is too early to judge whether this innovation will actually contribute to overall security of the country or rather increase the general confusion surrounding security procedures, it has already resulted in more questions asked than answered. To some of its proponents, biometrics is a magic technology that would contribute to the security of their societies, to others the same technology heralds the coming of a police state and erosion of personal privacy and liberties and discrimination against (potentially not only) foreign citizens. Indeed, that was the opinion of Julier Sebastiao da Silva, a federal judge in Mato Grosso state of Brazil, who ordered similar measures to be taken in the case of U.S. citizens visiting Brazil [2]. Despite the announcement of Brazil's federal police that they may well seek to have this judgment overturned, this is a significant event because it illustrates that the use of biometrics is not only a technical procedure but also has its far-reaching social, legal, and international implications. It is immaterial whether this judgment will be upheld or overruled—it is the fact that introduction of the mandatory use of biometrics at borders resulted in such a response that is important.

Earlier announcement by the U.S. authorities that they expect the visawaiver countries whose citizens currently may enter the U.S. without visas, simply upon presentation of their passports, to provide biometric data in newly issued passports also resulted in different reactions, ranging from support for the measure to outright condemnation [3].

Aside from the huge technological and logistical work that must be done in order to introduce biometrics into passports, these requirements also pose considerable legal and social issues in countries with strong personal privacy and data protection legislation in place. However, one thing is clear—biometrics ceases to be an exotic and little-used technology and is bound to be increasingly used in one way or another.

This article is organized as follows. First biometrics and related concepts are introduced, along with descriptions of the most widely used and understood physiological and behavioral biometrics. We will also see how biometric systems fail when inadequately designed or implemented. Later we describe the system and design issues of biometrics, such as security, accuracy, speed, resilience, privacy, and cost of biometric identification and verification systems, as well as practical applications of biometrics in network authentication and international travel documents.

Definition of Biometrics
A biometric is a physiological or behavioral characteristic of a human being that can distinguish one person from another and that theoretically can be used for identification or verification of identity. For a biometric to be practically useful, ideally it should be unique, universal, permanent, recordable, and acceptable—more on these properties of practical biometrics later.

Authentication in General
Authentication is the second step in the identify-authenticate-authorize process, which is done countless times every day by humans and computers alike. When speaking about human authentication, basically we have three choices: using something we know (such as passwords and passphrases), something we have (such as access tokens, smart cards, and so on) or something we are (biometrics). There is no "best" authentication method; each has its pros and cons, depending on the application, the users, and the environment. Whatever authentication method we use, we can make it stronger by using one or both of the other methods. An example of strong authentication would be a system that requires possession of a smart card, knowledge of a password or Personal Identification Number (PIN), and biometric verification. Obviously to steal or fake all three would be much more difficult than to steal or fake any one of these—however, more expensive and laborious to operate as well. The other two factors—the time of access and the location of subject—may also be used for access control, but usually only as auxiliary factors.

What You Know
Unquestionably the most widely used method of authentication, passwords, passphrases, and PINs share both pros and cons with each other. Moreover, an advantage in one situation easily becomes a problem in another—an example being the ease of password sharing. Passwords are easy to change, but are also easy to intercept. Systems can force the use of strong passwords, but the user may respond by storing or transmitting them in such a way that the added security is effectively reduced to nil.

Unauthorized disclosure of a password is not usually detected until after unauthorized access has already taken place. Passwords are also vulnerable to guessing, dictionary, and brute-force attacks. On the other hand, they require no additional hardware, they are an accepted method of authentication, and they are well-understood—even by the most technologically challenged part of human species.

What You Have
Smart cards, access tokens (both challenge-response and time-based), and other "what you have" authentication methods solve some of the problems associated with "what you know" authentication, but they create a set of different problems. Unlike theft of a password, theft of a smart card or access token can, of course, be easily detected. Unlike passwords, smart cards usually cannot be used simultaneously by two or more parties in different places. However, "what you have" authentication devices may be lost, damaged, and stolen. They may also run out of power (if self-powered) or may be prone to power-, synchronization- and time-based attacks if externally powered. They may also be subjected to reverse engineering and other treatment, which may compromise their security.

What You Are: Biometric Authentication
There are two biometric authentication methods: biometric verification and biometric identification of identity. Biometric identification is also sometimes referred to as pure biometrics because it is based only on biometric data and is more difficult to design and operate—but alas, pure biometrics is not the most secure, useful, or efficient one. Also, both methods can not always be used with all biometrics—some biometrics can only be used in verification mode because of their intrinsic properties.

Verification
Biometric verification uses entity IDs and a biometric—in this case biometric merely serves to prove identity already declared by the entity—which may be done using something you know (a username) or something you have (a smart card). Biometric (something you are) works to actually complete the authentication process. Hence, the biometric database keeps a list of valid entity IDs (which may be said to serve as primary keys to the database) and corresponding biometric templates, and compares ("matches") the stored template with the biometric provided. The result of this comparison is either an accept or reject decision based on a complex algorithm and system settings (refer to the section "Matching").

Identification
Unlike biometric verification of identity, biometric identification is based solely on biometrics. The biometric serves as both the identifier and the authenticator. The biometric database contains the enrolled biometric templates, and they all are compared against the provided biometric to find a match. Biometric identification may be described as "putting all your eggs in one basket," partly because somehow faking or stealing a biometric compromises both the ID and the authenticator.

A biometric identification system may operate in one of the two modes: positive identification or negative identification. In a positive identification biometric system, the provided biometric must be in the database and there must be only one match to positively identify the person. The risks present in a biometric system are false acceptance and false rejection, whereas unauthorized subjects are incorrectly accepted, or authorized ones are denied identification, resulting in a denial of service. A negative identification system, in contrast, works by determining whether the provided biometric is not in the database.

Enrollment
Regardless of the type of a biometric system, enrollment is a mandatory part of the process. Biometric enrollment is the registration of subjects' biometrics in a biometric database. Positive enrollment results in a database of recognized persons' biometric templates that may be later used for positive identification or verification. Negative enrollment results in a database of "excluded" persons, a black list if you wish. Security and reliability of the enrollment process and the biometric database are fundamental to the security of the entire system, but in practice they are difficult to achieve because of the myriad of issues that affect collection, transmission, storage, and usage of biometric data (see "Security" and "Privacy," later in this article for an overview of just some of the risks).

Matching
After an individual is enrolled—that is, the individual's biometrics are scanned and registered in the biometric database—matching is the next step. Biometric matching is essentially the comparison of the enrolled person's known biometric data stored in the biometric database in the form of biometric templates—binary representation of biometric sample—with the biometric provided by the individual at the identification or verification time. However, biometric matching is a pattern-recognition problem and not a simple bit-by-bit comparison—representation of the same biometric taken by two input sensors or taken at two different points in time does not match bit by bit because of numerous factors such as sensor resolution, system noise, and so on. Therefore, a degree of likeness (usually referred to as the matching score) is used to express how like the stored biometric is to the provided biometric. A threshold level is used to decide whether the matching score is high enough to be considered a match—if the score is at or below the threshold level, matching fails. This threshold level is one of the many variables that affect the accuracy—and hence security—of biometric authentication systems.

For biometric identification applications, the provided biometric is compared against all entries in the database and should result in only one successful match to result in positive identification. In biometric verification systems, the provided biometric is compared only with the biometric template or templates corresponding to the specified identity. As a result of biometric matching, the following system errors may occur:
False match or acceptance: This occurs when the system decides that the two biometrics (the one stored in the database and the one provided now) are the same, when in reality they are not. The rate of false matches is known as False Matching Rate (FMR) or False Acceptance Rate (FAR). False acceptance is a confidentiality and integrity risk.
False nonmatch or rejection: This is expressed as False Rejection Rate (FRR), and False Nonmatching Rate (FNMR). False nonmatch is when the system erroneously decides that biometrics are from different identities while in reality they are from the same person. False rejection is an availability risk.

In practice, both FRR and FAR do not equal zero, and in different applications one of them may be more important than the other. In an application that requires higher security (and hence as low FAR as possible), users may be troubled with high false rejection rates; whereas in an application that can accept somewhat higher false acceptance rates (such as public transport), false rejection rate is of more concern because of convenience and manual processing concerns. When FAR and FRR meet, that is the Cross-over Error Rate (CER). The lower the CER, the better—hence it is frequently used to express accuracy of biometric systems (although it is not the infallible measure as some suppose). Additionally, Failure to Acquire (FTA) errors occur when an individual does not have the required biometric or the biometric cannot be read by the sensor; and Failure to Enroll (FTE) is when a part of the targeted population may not be enrolled for whatever reason (such as a FTA). These errors directly affect the practicality of biometrics and must be accounted for with regard to the projected population of users.

Practicality of Biometrics
Writing in the December 1994 issue of Information Technology & People ("Human identification in Information Systems: Management Challenges and Public Policy Issues")[4] ten years ago, Roger Clarke proposed some criteria that should be met in order for a biometric to be practically usable:
Universality: Every relevant person should have an identifier.
Uniqueness: Each relevant person should have only one identifier, and no two people should have the same identifier.
Permanence: The identifier should not change, nor should it be changeable.
Indispensability: The identifier should be one or more natural characteristics, which each person has and retains.
Collectibility: The identifier should be collectible by anyone on any occasion.
Storability: The identifier should be storable in manual and in automated systems.
Exclusivity: No other form of identification should be necessary or used.
Precision: Every identifier should be sufficiently different from every other identifier that mistakes are unlikely.
Simplicity: Recording and transmission should be easy and not errorprone.
Cost: Measuring and storing the identifier should not be unduly costly.
Convenience: Measuring and storing the identifier should not be unduly inconvenient or time-consuming.
Acceptability: Its use should conform to contemporary social standards.

Although some of these criteria may be argued over, this set is nevertheless a useful reference. An interesting point is that no known biometric completely satisfies all of these criteria, perhaps proving that these are not strict "must haves" but instead guidelines to be accounted for.

Types of Biometrics
Two broad categories of biometrics exist: physiological biometrics (such as fingerprints, hand geometry, iris recognition) and behavioral biometrics (such as signature and voice biometrics). Physiological biometrics is based on direct measurements and data derived from measurements of a part of the human body, whereas behavioral biometrics is based on measurements and data derived from human actions, and indirectly measures characteristics of the human body over a period of time.

Physiological Biometrics
Relatively widely understood and used physiological biometrics are fingerprint recognition, face recognition, hand geometry, and iris recognition. These methods are introduced in the following sections.

Fingerprint Recognition
It is believed that no two persons share the same fingerprints—not even identical twins—because the fingerprint patterns are part of a person's phenotype and do not apparently depend on genetics [5]. Fingerprints have been used to identify humans for a long time—there is some evidence that thousands of years ago ancient Chinese were aware of the uniqueness of fingerprints [6], not speaking about their current use in forensic science and law enforcement. The traditional fingerprint acquisition mechanism—finger into ink and then on to paper—obviously is not usable in many—if not most—noncriminal applications.

Currently there are four known inkless fingerprint acquisition mechanisms considered suitable for use in practical biometrics.

Optical Sensing
Optical fingerprint sensing works by acquiring light reflected from the finger surface through a special prism. The result is an image of the finger surface. The downside of this method is that wet, dirty, or dry finger skin may result in a bad image. [7]

Thermal Sensing
With the thermal sensing method, a thermogram of the finger surface is taken and the resulting image is used. [8]

Capacitance Sensing
Because of differing capacitance of the ridges and valleys of fingers, a Complementary Metal-Oxide Semiconductor (CMOS) capacitance sensor can obtain an image of the finger when it is touched. However, like optical sensing, cpacitance sensing may be negatively affected by dry, dirty, or wet skin. [9]

Ultrasound Sensing
Ultrasound sensing works by using an ultrasound beam to scan the skin surface. Ultrasound sensing is not affected much by dry, dirty, or wet skin but takes longer to perform and the ultrasound sensing equipment is usually not compact and consequently not widespread. [10]

In addition to the mentioned issues of wet, dry, or dirty skin, numerous other factors may also affect the quality or the very possibility of taking a fingerprint. For example, although the absolute majority of people have at least one finger, many people may also have damaged skin or skin illnesses that may degrade the quality of fingerprints or render them unusable. Fingerprint matching approaches may be broadly categorized into three classes: feature techniques, imaging techniques, and hybrids of the two. In feature-based fingerprint matching techniques, a symbolic representation of the fingerprint, defined by so-called minutiae, is created from the fingerprint image, and it is this representation that is later stored and used to match fingerprints—not the raw fingerprint image itself [11]. Imaging techniques use the fingerprint images directly—image correlation algorithms are then used to compare the fingerprints [12].

The Mighty Fingers
If the defending technology is expensive and complex, it does not mean the attacking technology will also be complex and expensive—this has been proven by many successful security attacks. Tsutomu Matsumoto of the Yokohama National University successfully fooled numerous fingerprint readers into accepting fake fingers made of gelatin with a 80-percent success rate, sending a shock wave among biometrics proponents [13].

In a paper ambiguously entitled "Impact of Artificial Gummy Fingers on Fingerprint Systems," co-authored with H. Matsumoto, K. Yamada, and S. Hoshino and presented at the Optical Security and Counterfeit Deterrence Techniques IV conferene (Proceedings of the International Society for Optical Engineering, 2002), Matsumoto describes relatively easy ways to create artificial clones of fingers using cheap and freely available materials such as gelatin, free molding plastic, and photosensitive printed circuit boards.

Not only was he able to create a copy of a live finger that was good enough to fool most fingerprint readers used in the experiment, he also created an artificial finger using a latent fingerprint left on a glass, which was also accepted as genuine. In addition, Matsumoto mentions several other attack vectors against fingerprint systems, including instances where the registered finger is presented by an armed criminal, under duress, or on a sleeping drug; a severed fingertip of the registered finger; or a genetic clone of the registered finger.

Even if we disregard the last possibility as too expensive and unlikely, the others are indeed very real and must be disturbing to current users of fingerprint-based identification or verification systems. After this research was published, Bruce Schneier wrote in the May 2002 issue of his monthly newsletter CRYPTO-GRAM [14]:

"There's both a specific and a general moral to take away from this result. Matsumoto is not a professional fake-finger scientist; he's a mathematician. He didn't use expensive equipment or a specialized laboratory. He used $10 of ingredients you could buy, and whipped up his gummy fingers in the equivalent of a home kitchen. And he defeated eleven different commercial fingerprint readers, with both optical and capacitive sensors, and some with "live finger detection" features. (Moistening the gummy finger helps defeat sensors that measure moisture or electrical resistance; it takes some practice to get it right.) If he could do this, then any semi-professional can almost certainly do much much more. More generally, be very careful before believing claims from security companies. All the fingerprint companies have claimed for years that this kind of thing is impossible. When they read Matsumoto's results, they're going to claim that they don't really work, or that they don't apply to them, or that they've fixed the problem. Think twice before believing them."

Face Recognition
One of the most powerful drivers behind the use of face recognition is the fact that we all use face recognition every day to recognize people—so it seems to be one of the most acceptable biometrics we have (unlike, for example, fingerprints, which are often associated with criminal prosecution), not speaking about photographs that have been used for identification for many years [15]. However, despite progress in this area of biometrics, face recognition is still not accurate and dependable enough, and factors such as aging, changing hairstyles, beards, and moustaches only make reliable face recognition more difficult. Bruce Schneier, in his recent book Beyond Fear, had the following to say about the usefulness of face recognition systems [16]:

"I'll start by creating a wildly optimistic example of the system. Assume that some hypothetical face-scanning software is magically effective (much better than is possible today)—99.9% accurate. That is, if someone is a terrorist, there is a 1-in-1000 chance that the software fails to indicate "terrorist" and if someone is not a terrorist, there is a 1-in-1000 chance that the software falsely indicates "terrorist." In other words, the defensive-failure rate and the usage-failure rate are both 0.1%. Assume additionally that 1 in 10 million stadium attendees, on average, is a known terrorist (this system won't catch any unknown terrorists who are not in the photo database). Despite the high (99.9%) level of accuracy, because of the very small percentage of terrorists in the general population of stadium attendees, the hypothetical system will generate 10,000 false alarms for every one real terrorist. This would translate to 75 false alarms per Tampa Bay football game and one real terrorist every 133 or so games."

Of course these issues do not apply exclusively to face recognition systems, but we get the idea—a system that generates so many false alarms and catches so few terrorists is not going to be successful. This was proven on several occasions. First at the Palm Beach International Airport, where a face recognition system failed by providing less than 50-percent recognition rate and generating a large number of false positives, resulting in a decision by the airport not to use the system at all [17]. Almost the same happened in the second case, at a face recognition system trial at the Boston Logan International Airport [18].

Hand Geometry
Features measured and used by hand geometry biometrics typically include length and width of fingers, different aspect ratios of palm and fingers, thickness and width of the palm, and so on [19]. Existing hand geometry systems mostly use images of the hand. Like face recognition, hand geometry is a user-friendly technology that scores higher on the acceptability test than, for example, fingerprints. It is also relatively more easily measurable and recordable than some other biometrics. Several patents have been issued for hand geometry systems, but there is not as much research as on fingerprints [20]. However, because of its biometric properties, hand geometry is not suitable for use in the identification mode.

Iris Recognition
Iris recognition-based biometric systems are believed to be very reliable and accurate [21]. Like fingerprints, the iris image is a part of human phenotype and is believed to be unique in every individual. Perhaps one of the most known cases of deployment of the iris recognition system is the Privium at Amsterdam's Schiphol International Airport. Frequent travelers may enroll in the system to enjoy fast border crossing by simply looking at the iris scanner, which authenticates the person and opens the gate [22]. In February 2004, an iris recognition system will also be piloted at the Frankfurt International Airport, and if the six-months-long trial concludes successfully, the system may be installed and deployed in 18 European countries [33]. Obviously, iris recognition would not work for people who are missing both eyes or who have serious eye illnesses that affect the iris.

Behavioral Biometrics
Two of the most used behavioral biometrics are signature- and voicebased systems. Another behavioral biometric, keystrokes (where the timing between successive key pressings is used), seems to receive increasing attention and use.

Signature
In use for centuries, signatures enjoy a high degree of acceptance, largely because of their everyday use and familiarity, but as a behavioral biometric, signatures lack permanence: they may change at the will of a person, or under influence from such factors as illness, mental state, medicines, emotions, or age. For these and other reasons, signaturebased biometric systems function in the verification and not in the identification mode.

Two subtypes of signature verification systems exist: static signature verification systems, where only the graphical representation (image) of the signature is used, and dynamic signatures, where the dynamics, pressure, and speed of the movement of a special pen are used for verification. Although the first method does not require any special hardware, the dynamic signature verification requires the use of special electronic signature readers or high-quality tablets. It is understood that dynamic signature verification is more secure and reliable than static signatures [23]. However, some people do not have consistent signatures, resulting in increased false rejection rates to unacceptable levels and severely affecting the practical use of signature-based biometric systems.

Voice
Voice recognition systems (not to be confused with speech recognition systems, which are concerned with the actual words said and not the identity of the speaker) depend on numerous characteristics of a human voice to identify the speaker. Voice recognition holds much potential because it is acceptable and it does not require expensive input devices, unlike some other biometrics. Like face recognition, voice recognition is something we humans do many times a day; additionally, voice recognition is ideal for many practical and widespread telephony applications, and in theory voice recognition systems may even function in the background without forcing the users to go through a separate identification and verification process, saving us from another password to remember. But as usual, voice recognition systems also have their fair share of potential problems. As we all know, some people with exceptional vocal abilities may skillfully imitate others' voices, potentially defying such systems. Another issue is the ease of sound recording and replay, so any voice recognition system must be designed to withstand "record and replay" attacks.

Voice recognition also is influenced by the usual suspects—illness, mental state, emotions, age—which may substantially modify an enrolled subject's voice to a degree that it does not match the stored templates anymore. Several voice recognition models varying in accuracy and complexity exist.

The fixed-text model involves a person saying a word or phrase previously recorded and enrolled in the biometric database. The verification process is the simple comparison, possibly accounting for some allowable differences. However, if this word or phrase can be recorded, the entire system fails, because it is fairly easy to reproduce words and phrases.

Another model is text-dependent, meaning the system instructs the person to speak words or phrases—naturally this system is less prone to replay attacks because supposedly the person does not know in advance what words or phrases the system will ask for. A hybrid system, also known as conversational voice verification, combines something you are—your voice—and something you know—such as a password—to provide a higher degree of verification accuracy and reliability, and this system may well be the best choice in practice [24], so multimodal biometrics may hold the key to more accurate and practical biometric authentication. Again, we should keep in mind that some people cannot use this biometric for one reason or another.

System and Design Issues
The following is a quick overview of only some of the most important biometric system design and implementation considerations:

Security
Biometrics is invariably associated with security, hence the biometric system itself should be reasonably secure and trustworthy. Not only should the system provide the required functionality, but we also should have a degree of security assurance. Keeping in mind our track record of creating secure complex systems (almost an oxymoron), we should not really have high expectations this time either. If we have learned a lesson, it is that systems fail and malfunction, so recovery and compensating mechanisms should be in place from the beginning, and even the most sophisticated system should be expected to fail sooner or later, one way or another. Some of the biometrics security issues are discussed in the following section.

Rogue Sensors and Unauthorized Acquisition (theft) of Biometric Samples
One of the risks associated with the use of biometrics for identification or verification is that a biometric cannot be changed by definition—your fingerprint is your fingerprint and there is no easy way to change it—so if it is stolen and used to create a fake finger to impersonate you, there is not much you can do about yours. Therefore, the issue of mutual authentication of the individual and the sensor is of much importance. In practice, however, as illustrated by numerous stories about rogue Automated Teller Machines (ATM) harvesting unsuspecting victims' card and PINs, this would prove to be a difficult task. Unlike, for example, smart cards, which may use cryptographic protocols to establish with whom they are communicating, we humans have no secure way to ascertain whether the biometric reader attached to a computer somewhere is indeed under control of (let's say) a genuine Internet banking application and will not relay or store our biometric template without authorization.

In contrast, bank customers asked to authenticate themselves at a bank counter may have a reasonable expectation that their biometric will be used by the same bank for lawful purposes only—because of their and the sensor's physical location (so called location-based authentication). Still, unauthorized acquisition and use of biometrics remains one of the issues to be considered in any practical implementation.

The fact that not all biometrics require placing your finger on a fingerprint reader (such as face recognition systems) and that some biometric samples may be obtained without any action on part of the subject is further food for thought because one's biometrics may be acquired without knowledge or authorization.

Communications Security Between Sensors, Matchers, & Biometric Database(s)
Although as important as the previous issue, communications security between sensors, matchers, and biometric databases is easier to provide than to solve the problems of mutual authentication of humans and biometric sensors. Well-designed and well-implemented secure cryptographic protocols may provide the required security for sensitive data exchange between parts of a biometric identification or verification system, and they are unlikely to be the weak link in the biometrics chain.

Accuracy
A biometric system must be reasonably accurate—otherwise why would we need it? The widely used FAR and FRR, and their product, CER, are not really exact measures but often estimates made using assumptions—and these assumptions may not be reasonable in all circumstances.

Speed
Although the question of how fast the system works may not be a pressing issue in, say, a nuclear reactor access control system, it will be a crucial factor at installations such as airports or border crossing points where a large number of people needs to be reliably and quickly identified and authenticated.

Scalability
Biometric verification systems are significantly and inherently more scalable than biometric identification systems particularly because only oneto-one matching is required. A distributed, combined system using smart cards that store the owner's biometric template and compare the provided biometric in card is an example of a scalable distributed biometric verification system. However, as the previously described face recognition system experiences at airports show, system properties such as FRR must be considered in context—one false rejection a month may be acceptable, but a hundred false rejections a day clearly would not. Another scalability issue is the nature of biometrics. A scalable biometric—such as the iris—can theoretically be deployed on a large scale (with thousands or millions of enrolled users), but a biometric with weak scalability could provide acceptable error rates and performance only in small installations. Therefore, scalability is directly linked with the particular type of biometric used, and this seems to be accounted for by the International Civil Aviation Organization (see the section "Biometrics and Passports").

Resilience
A biometric system should be able to handle exceptions. An exception in this context might be a person without the required biometric or a person whose biometric may not be usable for some reason. In many cases exception handling means resorting to a manual process, which of course brings all the issues of human intervention (speed and social engineering, to name only two) with it and may mean life or death for a particular system or application.

Cost
Because laws of economics apply to almost every human activity, a biometric system should be reasonable in cost. Of course reasonableness of cost is a very subjective concept and would vary greatly between different environments and different uses.

Privacy
As mentioned in the beginning of this article, biometrics is argued to be one of the threats to privacy and anonymity in the modern age. The Electronic Frontier Foundation (EFF) lists the following as being the most important privacy concerns:
Biometric technology is inherently focused on individuals and interfaces easily to database technology, making privacy violations easier and more damaging.
Biometric systems are useless without a well-considered threat model.
Biometrics are no substitute for quality data about potential risks.
Biometric identification is only as good as the initial ID.
Biometric identification is often overkill for the task at hand.
Some biometric technologies are discriminatory.
Biometric systems accuracy is impossible to assess before deployment.
The cost of failure is high.

Indeed it is very depressing to imagine a society—or even worse, a world order—where everyone is forced into a biometric database and total control over all your actions and whereabouts during your entire life is maintained—and where you can never "change your username" or "log out." One cannot help but remember Benjamin Franklin's immortal statement that those who are willing to trade liberty for security deserve neither. However depressing, this image hopefully will not materialize—and to achieve that, biometric systems should provide reasonable privacy and specific use guarantees to the enrolled subjects; in addition, they must have effective systems of checks and balances to audit and assure conformance with these guarantees.

Standards in Biometrics
As Andrew Tanenbaum once supposedly said, the good thing about standards is that there are so many to choose from—regardless of whether he did or not, this statement perhaps does not yet seem to apply to biometrics standards.

The Common Biometric Exchange File Format (CBEFF) describes a set of data elements necessary to support biometric technologies in a unified way, and provides for the exchange of security, processing, and biometric data in a single file. The U.S. National Institute for Standards and Technology (NIST) describes CBEFF as facilitating interoperability between different systems or system components, forward compatibility for technology improvement, and software/ hardware integration [26].
BioAPI and Human Authentication API. BioAPI and HA-API efforts merged in 1999 under the umbrella of the BioAPI Consortium. The current version of the BioAPI Specification is Version 1.1, which aims to provide a "standardized Application Programming Interface (API) that will be compatible with a wide range of biometric applications and a broad spectrum of biometrics technologies" [27].
The Open Group's Human Recognition Services (HRS) is a module of the Common Data Security Architecture (CDSA), which in particular is used in Apple's Mac OS X. HRS is compatible with the CBEFF and, thanks to the CDSA modular and layered approach, can use services provided by other CDSA modules [28].
Biometrics Management and Security for the Financial Services Industry (ANSI X9.84-2000) specifies minimum security requirements for effective use of biometrics data in the U.S. financial services industry, including collection, distribution, and processing of biometrics data. In particular, it specifies the security of the physical hardware used throughout the biometric life cycle; the management of the biometric data across its life cycle; the use of biometric technology for verification or identification of bank clients and employees; and other aspects. The data objects specified in X9.84 are compatible with CBEFF [29].
The American Association of Motor Vehicle Administrations (AAMVA) Driver's License and Identification (DL/ID) standard provides a uniform way to identify holders of driver license cards within the United States and Canada. This standard specifies identification information on drivers' license and ID card applications, provides for inclusion of fingerprint data, and is compatible with BioAPI and CBEFF [30].
ANSI/NIST Data Format for the Interchange of Fingerprint, Facial, Scar Mark, and Tattoo Information (ANSI/NIST-ITL 1-2000). This standard defines the content, format, and measurement units for the exchange of the specified information that may be used for identification of persons, and it is mainly directed at U.S. law enforcement agencies and government. [31]

Additionally, one of the groups of the International Organization for Standardization (ISO) is working toward inclusion of biometrics specifications in the widely used ISO 7816 standard for smart cards (Part 11: personal verification through biometric methods) [32].

Practical Uses of Biometrics
Because there may be as many practical uses of biometrics as users, we address just two of them: the use of biometrics for network authentication and the use of biometrics in international travel documents.

Biometrics for Network Authentication
As we saw earlier in this article, the accepted and widely used what you know and what you have authentication methods are not always—nor are they necessarily—secure or convenient, and they have their share of weaknesses.

The additional challenge of using biometrics for network authentication is the fact that the subject and the object of access are separated by a (usually uncontrolled, untrusted, and possibly hostile) network, which does not add to the simplicity or security of the system as a whole. As illustrated by the case of gelatin fingers described earlier, the question of whether a live person provided the biometric to a remote biometric sensor is even more important in network authentication applications when there are no preventive or detective controls, such as a watching guard, in place.

Although we have relied mostly on passwords to serve as the only or the main authentication mechanism until today, it has been clear for a while that passwords do not provide strong authentication. Keeping this lesson in mind, a biometric network authentication system should not depend solely on biometrics but should use one of the other authentication methods (what you know or what you have) as well.

The remote biometric sensors required in any biometric network authentication system are one of the most vital parts of the entire system, yet they are most vulnerable ones as well. For our purposes, we define the remote part of a centralized network authentication system as including a human user who needs to be authenticated as being physically present at the site and time of authentication, a general-purpose computer running a general-purpose operating system, and a special purpose biometric sensor device directly connected to the general-purpose computer. This setup, therefore, includes the following high-level potential points of attack:
1. User
2. Path from the user to the sensor
3. Biometric sensor
4. Path from sensor to the general-purpose computer
5. Network
6. The central database

Even if the central authentication database is left out of the picture, the most simple risk assessment would reveal, among others, the following issues:
1. The user should be accurately identified or the declared identity should be verified; the sensor should be able to differentiate between a live human being providing live biometric and a biometric replica, such as an iris photograph or a gelatin finger. This includes, inter alia, reasonable assurance of the physical presence of the whole individual and not just the particular biometric at a particular point in time (hence, in part, the need for multimodal authentication involving not only what you are but also what you know or what you have).
2. The sensor should be sufficiently tamper-proof to withstand a defined set of attacks by a defined class of attackers, which would of course differ from environment to environment.
3. The communication protocol used between the sensor and the general-purpose computer should be simple, well-defined, and verified.
4. The role of the (untrusted) general-purpose computer and its software in such a system should be kept to a minimum. The biometric data acquired by the sensor should be cryptographically protected (encrypted and signed with the device key, for instance) inside the same sensor, without any dependence on action or inaction of the general-purpose computer. Their only role in this play should be to relay the bits from the sensor to the central authentication server for verification. Confidentiality and integrity of the biometric data should not be affected by a malicious, general-purpose computer or its software; the worst that can happen is the nondelivery of such data to the central authentication database.

An example of this approach would be a tamper-resistant fingerprint reader able to accurately recognize live human fingers (and reject fake ones), extract the required information, append a time stamp from an internal independent time source, encrypt and sign the resulting minutiae + time stamp data block using some digital signature algorithm, and send the resulting information through, for example, a Universal Serial Bus (USB) connection to the general-purpose computer. The general-purpose computer may then use the provided token to seek authentication from the central authentication database, provided all other requirements have been met.

Today a variety of network authentication systems that use or can use biometrics are available from numerous vendors. Aside from the objectively subjective information provided by vendors of such systems, little evidence of assurance exists that could enable potential users to evaluate them for their particular environments. The fact that most of these systems run as applications on the most widespread and arguably the least secure of operating systems perhaps speaks for itself.

Biometrics and Passports
For many years now more than 110 nations have issued machine-readable travel documents (mainly passports and visas) that conform to the International Civil Aviation Organization (ICAO) standard 9303. ICAO, a United Nations specialized agency, in addition to being responsible for international civil aviation matters, is also mandated to develop and adopt international standards on customs and immigration documents and procedures under the Chicago Convention. These machine-readable travel documents include a two-line area printed in Optical Character Recognition (OCR) B format, which contains information usually required for international travel (such as a person's name, date of birth, citizenship, document validity dates, and other information). These documents have greatly reduced the time necessary to check passports and visas by border officials, and have contributed to smoother international travel. In May 2003, the ICAO adopted a set of documents on integration of biometrics into machine-readable passports, choosing three most suitable for these purposes [25]. The main biometric chosen was a digitized face image, followed by two optional biometrics: fingerprints and irises. The ICAO also selected high-capacity, contactless smart cards as the storage method for this biometric data and gave other recommendations related to integration and use of biometrics in passports and other documents. It remains to be seen if or how and when 188 member states of the ICAO will integrate biometrics into their passports.

New Biometrics
It would be unreasonable to assume that we are aware of all possible biometrics. It may very well be the case that new biometrics are discovered and possibly, in the fullness of time, considered fit for practical use. An example would be a behavioral biometric proposed by Ross Anderson of Cambridge University, author of the already classic Security Engineering:

"Are there any completely new biometrics that might be useful in some circumstances? One I thought up while writing this chapter, in a conversation with William Clocksin and Alan Blackwell, was instrumenting a car so as to identify a driver by the way in which he or she operated the gears and the clutch."

Summary
Biometrics is a promising and exciting area, where different disciplines meet and provide an opportunity for a more secure and responsible world. However, the same biometrics, if misused or poorly engineered, may instead bring many hassles—if not troubles. Some biometrics are less usable than others, and different environments warrant different biometrics and design considerations. The best advice would be to differentiate between market-ready biometric technologies and technologies that are not yet (if ever) ready for deployment outside testing grounds. However much fervent proponents and keen vendors of biometric solutions market their wares, the guiding factor should be proven reliability and appropriateness of these solutions to specific uses, not marketing hype, which seems at times to dominate this arena.

Organizations and Publications
The following organizations and publications may be useful sources of further information on biometrics and biometric applications:

The International Biometric Society: www.tibs.org

Biometric Consortium: www.biometrics.org

BioAPI Consortium: www.bioapi.org

International Biometrics Industry Association: www.ibia.org

International Association for Identification: www.theiai.org

Journal of the International Biometric Society: http://stat.tamu.edu/Biometrics/

Biometric Digest: www.biodigest.com

Biometric Technology Today: www.biometrics-today.com

Additionally, the following books may serve as good introductions to biometrics:

Guide to Biometrics, by Bolle, Connell, Pankanti, Ratha, Senior, ISBN 0-387-40089-3, Springer Verlag, 2003

Practical Biometrics, Julian Ashbourn, Springer Verlag, 2003

One of the best publicly available works on security engineering is Security Engineering: A Guide to Building Dependable Distributed Systems, by Ross Anderson (Wiley, 2001).

References
[1] http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0333.xml

[2] http://news.bbc.co.uk/2/hi/americas/3358627.stm

[3] http://www.usatoday.com/tech/news/techpolicy/2003-08-24-biometrics-travel_x.htm

[4] http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html

[5] "On the individuality of Fingerprints. Pankanti," Prabhakar, Jain; Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, December 2001.

[6] "The History and Development of Fingerprinting," Lee, Gaensslen; Advances in Fingerprint Technology, CRC Press, 1994.

[7] Guide to Biometrics, Bolle et al., Springer Verlag, 2003.

[8] "Fingerchip: Thermal Imaging and Finger Sweeping in a Silicon Fingerprint Sensor," Mainguet, Pegulu, Harris; Proceedings of AutoID 99, October 1999.

[9] "Low-power and high-performance CMOS Fingerprint Sensing and Encoding Architecture," Jung, Thewes, Scheiter, Gooser, Weber; IEEE Journal of Solid-State Circuits, July 1999.

[10] "Ultrasound Sensor for Fingerprint Recognition," Biez, Gurnienny, Pluta; Proceedings of SPIE—Optoelectronic and Electronic Sensors, June 1995.

[11] "A Tree System Approach for Fingerprint Pattern Recognition. Moayer," Fu; IEEE Transactions on Computers, C-25(3).

[12] Guide to Biometrics, Bolle et al., Springer Verlag, 2003

[13] http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf

[14] http://www.schneier.com/crypto-gram-0205.html#5

[15] "Face Recognition: Features versus Templates," IEEE Transactions on Pattern Analysis and Machine Intelligence, 12(10), October 1993.

[16] Beyond Fear: Thinking Sensibly about Security in an Uncertain World, Bruce Schneier; Copernicus Books, 2003.

[17] http://www.theregister.co.uk/content/archive/25444.html

[18] http://www.theregister.co.uk/content/archive/26298.html

[19] "A Hand Shape Identification System," Biometric Systems Lab, http://bias.csr.unibo.it/research/biolab/hand.html

[20] U.S. Patent 3,576,537; U.S. Patent 3,648,240

[21] "Iris Recognition: An Emerging Biometric Technology," Wildes; Proceedings of the IEEE, 85(9), September 1997.

[22] http://www.schiphol.nl/schiphol/privium/privium_home.jsp

[23] "Automatic On-line Signature Verification," Nalwa; Proceedings of the IEEE, 85(2), February 1997.

[24] "Speaker Recognition," Campbell, in Biometrics: Personal Identification in Networked Society, by Jain, Bolle, Pankanti, ISBN 0-7923-8345-1, Kluwer Academic Publishers, 1999.

[25] http://www.icao.int/mrtd/download/technical.cfm

[26] http://www.itl.nist.gov/div895/isis/bc/cbeff/CBEFF010301web.PDF

[27] http://www.bioapi.org/

[28] http://www.opengroup.org/security/cdsa.htm

[29] http://www.ansi.org

[30] http://www.aamva.org

[31] ftp://sequoyah.nist.gov/pub/nist_internal_reports/sp500-245-a16.pdf

[32] http://www.iso.org

[33] http://news.com.com/2100-7348_3-5158973.html

The author of this article does not work for, is not affiliated with, and has no financial interest or shareholding in any vendor of any biometric technology at the time of submission of this article for publication.

EDGAR DANIELYAN, CISSP, is a self-employed consultant, published author, editor, and instructor specializing in information security, UNIX, and internetworking. He is the principal partner at Danielyan Consulting LLP (www.danielyan.com), an information security assurance consultancy, and a member of ACM, IEEE, ISACA, USENIX, and the British Computer Society's Information Security Specialist Group. E-mail: edd@danielyan.com