Organisations have goals, and they acquire assets to ensure that these goals are met and that continuity is guaranteed. The financial sector, while promoting convenient methods such as online banking and ATMs for customers to access their money, strives to ensure that only the right person has access to an account. Likewise, military and national security services store highly sensitive and critical information that must only be accessed by specific individuals, and they deploy security measures to keep it that way. Achieving these goals largely depends on securing and controlling the assets, which means that only authorised individuals have access to these environments and, eventually, the assets. Given the importance of access control, different security techniques have been deployed to safeguard these assets, ranging from PINs and passwords to ID cards, smart cards, etc. Vulnerabilities in these methods have led to the recent surge in the biometrics industry, as many believe this is the future. The fact that the physical presence of the authorised person is needed at the point of access, and that a biometric is unique and almost impossible to duplicate, emphasises the benefit of biometrics and explains its growing popularity. However, like any other security method, biometrics has limitations and threats which can impact its effectiveness and efficiency. It is not suitable for every application and can be a very wrong choice for certain applications. Therefore, it is essential to manage these limitations and threats properly to enhance the success factor of biometrics. Finally, it is important for any sector deploying biometrics to understand the various issues associated with biometrics, such as privacy, standards and what the law requires of biometrics.
Organizations strive to secure their assets and provide means of controlling access to these assets. This process requires identification and authorization to ensure the right person is accessing the right asset. Over the years, traditional methods of authentication, mainly passwords and personal identification numbers (PINs), have been popularly used. Recently, swipe cards and PINs have been deployed together for more security, since the former is something you have and the latter something you know. However, these methods still have vulnerabilities, as a swipe card can be stolen. Also, bad management of passwords has left people writing them on paper and desks, or simply choosing easy and general words that are quick to remember, which exposes the password to intruders. More recently, stronger identification and authorization technologies that can assure a person is who he claims to be are becoming prominent, and biometrics falls into this category. Biometric technology makes use of a person’s physiological or behavioral characteristics in identification. Every human being is unique in nature and possesses physical parts completely different from any other person. The September 11, 2001 terrorist attack did not help security concerns, and governments and organizations all around the world, especially the border security agencies, have greatly embraced this human recognition technology. As both private and public entities continue to search for more reliable identification and authentication methods, biometrics has been the choice and is considered the future.
WHAT IS BIOMETRICS?
“Biometrics refers to the automatic identifications of a person based on his or her physiological or behavioral characteristics” (Chirillo and Blaul 2003, p. 2). It is an authorization method that verifies or identifies a user based on what they are before authorizing access. The search for a more reliable authorization method to secure assets has led to biometrics, and many organizations have shown interest in the technology. Two main types of biometrics have been used: physical and behavioral. A physical biometric is a part of a person’s body, while a behavioral biometric is something that a person does (Lockie 2002, p. 8). Lockie added that although there are some more unusual biometrics which may be used in the future, including a person’s unique smell, the shape of their ear or even the way they talk, the main biometrics being measured include fingerprints, hand geometry, retina scan, iris scan, facial location or recognition (all physical), and voice recognition, signature, keystroke pattern and gait (all behavioral). However, Liu and Silverman (2001) have argued that different applications require different biometrics, as there is no supreme or best biometric technology.
HISTORY OF BIOMETRICS
According to Chirillo and Blaul (2003, p. 3) “the term biometrics is derived from the Greek words bio (life) and metric (to measure).” China is among the first known to have practised biometrics, back in the fourteenth century, as reported by the Portuguese historian Joao de Barros. The practice was called member-printing: children’s palms and footprints were stamped on paper with ink to identify each baby. Alphonse Bertillon, a Paris-based anthropologist and police desk clerk who was trying to find a way of identifying convicts in the 1890s, decided to research biometrics. He came up with measuring body lengths, and the method remained relevant until it was proved to be prone to error, as many people shared the same measurements. The police then started using fingerprinting, developed by Richard Edward Henry, who was working at Scotland Yard, based on the Chinese methods used centuries before. Raina, Orlans and Woodward (2003, p. 25-26) stated that references to biometrics as a concept could be traced back over a thousand years to East Asia, where potters placed their fingerprints on their wares as an early form of brand identity. They also pointed to Egypt’s Nile Valley, where traders were formally identified based on physical characteristics such as eye color, complexion and height. The information was used by merchants to identify trusted traders with whom they had successfully transacted business in the past. Kapil et al. also made references to the Bible, first pointing to the faith the Gileadites had in their biometric system, as reported in The Book of Judges (12:5-6): the men of Gilead identified enemies in their midst by making suspected Ephraimites say “Shibboleth”, for they could not pronounce it right. The second reference is to The Book of Genesis (27:11-28), where Jacob pretended to be Esau by putting goat skins on his hands and the back of his neck so that his skin would feel hairy to his blind, aged father’s touch. This illustrates a case of biometric spoofing and false acceptance.
They finally wrote “Biometrics as a commercial, modern technology has been around since the early 1970’s when the first commercially available device was brought to market” (p. 26).
HOW BIOMETRICS SYSTEMS WORK
“A biometric system is essentially a pattern-recognition system that makes a personal identification by determining the authenticity of a specific physiological or behavioral characteristics possessed by the user” (Blaul 2003, p.3). Biometrics has so far been developed to work in two ways: verification and identification. Verification systems are designed to answer the question “Am I who I claim to be?” by requiring that a user claim an identity in order for a biometric comparison to be performed. The user provides data, which is then compared to his or her enrolled biometric data. Identification systems answer the question “Who am I?” and do not require a user to claim an identity, as the provided biometric data is compared to data from a number of users to find a match (Nanavati 2002, p. 12).
The following scenario illustrates an identifying biometric system, which answers the question “Who am I?” In October 1998 in the United Kingdom, Newham Council introduced face recognition software to 12 town centre cameras with the sole purpose of decreasing street robbery. Images are compared against a police database of over 100 convicted street robbers known to be active in the previous 12 weeks. In August 2001, 527,000 separate faces were detected and operators confirmed 90 matches against the database. Where a face is not identified with any in the database, the image is deleted; if a match is found, a human operator checks the result. The introduction of face recognition technology to Newham city centre saw a 34% decrease in street robbery. The system has not led directly to any arrests, which suggests that its effect is largely due to the deterrence/displacement of crime. The face recognition system has been widely publicised by the council and 93% of residents support its introduction (Postnote Nov 2001, p. 1).
The case study below illustrates a verifying biometric system, which answers the question “Am I who I claim to be?” The US Immigration and Naturalization Service Passenger Accelerated Service System (INSPASS) has been introduced at eight airports in order to provide quick immigration processing for authorised frequent flyers entering the US and Canada. On arrival at an airport, a traveller inserts a card that carries a record of their hand geometry into the INSPASS kiosk and places their hand on a biometric reader. A computer cross-references the information stored on the card at registration with the live hand geometry scan. The complete process takes less than 30 seconds. If the scans match, the traveller can proceed to customs; if not, travellers are referred to an Immigration Inspector. There are more than 45,000 active INSPASS users with, on average, 20,000 automated immigration inspections conducted each month (Postnote Nov 2001, p. 1).
A verifying system is often referred to as a one-to-one process and generally takes less processing time than an identifying system. This is because in an identifying system a user is compared to all users in the database (one-to-many). Verifying systems are also more accurate, since they only have to match a user’s data against his or her stored data and do not need hundreds, thousands or even millions of comparisons like the identifying systems. However, it is important for an organization to decide which type is appropriate for its applications.
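The one-to-one versus one-to-many distinction described above can be made concrete with a short sketch; this is an added example, not part of the original dissertation. The 16-value feature vectors, the Euclidean distance measure, the 0.25 threshold, the gallery of 100 users and the per-comparison false match rate of 0.001 (with comparisons treated as independent) are all constructed assumptions for illustration.

```python
import math
import random

DIM = 16          # length of a constructed feature vector (assumption)
THRESHOLD = 0.25  # assumed match threshold on Euclidean distance


def distance(a, b):
    """Euclidean distance between two templates."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_gallery(n_users, seed=1):
    """Constructed enrolment database: user id -> stored template."""
    rng = random.Random(seed)
    return {f"user{i:03d}": [rng.random() for _ in range(DIM)]
            for i in range(n_users)}


def live_sample(template, seed=2, noise=0.02):
    """Simulate a fresh capture: the enrolled template plus sensor noise."""
    rng = random.Random(seed)
    return [x + rng.uniform(-noise, noise) for x in template]


def verify(gallery, claimed_id, probe):
    """1:1 verification: compare the probe with the claimed identity only.

    Returns (accepted, number_of_comparisons).
    """
    template = gallery.get(claimed_id)
    if template is None:
        return False, 0
    return distance(template, probe) <= THRESHOLD, 1


def identify(gallery, probe):
    """1:N identification: compare the probe with every enrolled template.

    Returns (best_matching_id_or_None, number_of_comparisons).
    """
    best_id, best_dist, comparisons = None, float("inf"), 0
    for user_id, template in gallery.items():
        comparisons += 1
        d = distance(template, probe)
        if d < best_dist:
            best_id, best_dist = user_id, d
    if best_dist > THRESHOLD:
        best_id = None  # nobody in the database is close enough
    return best_id, comparisons


def false_match_probability(fmr, n):
    """Chance of at least one false match over n comparisons.

    Assumes each comparison falsely matches independently with rate fmr,
    which is a simplification of real matcher behaviour.
    """
    return 1.0 - (1.0 - fmr) ** n


if __name__ == "__main__":
    gallery = build_gallery(100)
    probe = live_sample(gallery["user042"])
    print("verify   :", verify(gallery, "user042", probe))
    print("identify :", identify(gallery, probe))
    for n in (1, 100, 10000):
        print(f"N={n:>5}: P(false match) = "
              f"{false_match_probability(0.001, n):.4f}")
```

With the same matcher, verification costs one comparison while identification costs one per enrolled user, and the chance of a false match rises from the single-comparison rate towards certainty as the database grows.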
The research methodology designed for this dissertation is mainly qualitative. A quantitative approach has not been pursued due to limited time, as designing and distributing surveys takes time and the response time could not be predicted. Therefore, my effort will be concentrated on critically reviewing previous literature in order to acquire an overview of, and insights into, the topic. In more detail, journals, books, publications, documentaries and previous dissertations related to the topic will be reviewed, compared and analyzed. The objectives will be achieved purely by reviewing literature and previous research, and the literature will be critically analyzed by comparing information obtained from different sources. Findings, recommendations and conclusions will be drawn from the analysis.
OBJECTIVES OF THE STUDY
The main aim of this research is a critical analysis of biometric security as an emerging and booming industry, examining the positives and negatives and providing ways of improving the method effectively and, most importantly, efficiently. Since biometrics applies to many applications, access control will be the main focus of this dissertation. Also, issues such as privacy, laws governing biometrics and standards will be examined. The main objectives of this research are:
To review biometric security and issues related to it.
To evaluate the threats, advantages and disadvantages of biometrics.
To propose ways of improving the effectiveness and efficiency of biometrics based on previous research.
This chapter critically reviews and analyses the work of numerous researchers in the area of biometrics, threats to biometrics, its advantages and disadvantages, and ways of improving the efficiency of biometrics in access control. The effect of privacy (human rights) and the need to conform to biometrics standards will also be examined and reviewed.
DEFINITION OF BIOMETRICS
According to Jain, Ross and Pankanti (2006, p. 125), one great concern in our vastly interconnected society is establishing identity. Systems need to know “Is he who he claims he is,” “Is she authorized to use this resource?” or simply “who is this?” Therefore, a wide range of systems require reliable personal recognition schemes to either verify or identify an individual seeking access to their services. The purpose of such a scheme is to ensure that the rendered services are accessed only by the authorized and not by any intruder or impostor (Ross 2004, p. 1). “Biometric recognition, or simply biometrics, refers to the automatic recognition of individuals based on their physiological and, or behavioral characteristics” (Jain, 2004 p. 1). Woodward (2003, p. 27) cited biometric industry guru Ben Miller’s 1987 biometric definition: “Biometric technologies are automated methods of verifying or recognizing the identity of a living person based on a physical or behavioral characteristic.” Shoniregun and Crosier (2008, p. 10) provided several definitions of biometrics, which include:
“Biometrics is the development of statistical and mathematical methods applicable to data analysis problems in the biological science.”
“Biometrics = identification/verification of persons based on the unique physiological or behavioral features of humans.”
“Biometrics is the measurement and matching of biological characteristics such as fingerprint images, hand geometry, facial recognition, etc.”
“Biometrics is strongly linked to a stored identity to the physical person.”
Notwithstanding the various definitions, it can be seen that the science of biometrics is based on the fact that no two people are the same, and this has a significant influence on its reliability and success factor.
THE BIOMETRICS INDUSTRY
According to Lockie (2002, p. 10), the biometric industry did not really get established until the middle of the twentieth century. The researchers at that time were investigating whether various human parts and characteristics, such as the iris or the voice, could be used to identify an individual. Their work was made public through published papers and, as a considerable number of these strands of research began to come together, the biometrics industry as we know it today was established. “As organization search for more secure authentication methods for user access, e-commerce, and other security applications, biometrics is gaining increasing attention” (Liu 2001, p.27). Higgins, Orlans and Woodward (2003, p. xxiii) emphasized that even though biometrics has not become an essential part of all systems requiring controlled access, “the emerging industry has come a long way from its modern founding in 1972 with the installation of a commercial finger measurement device on Wall Street”. They noted that the highly respected MIT Technology Review called biometrics one of the “top ten emerging technologies that will change the world.” The growth in the biometric industry is reflected in the numbers. The trio cited Rick Norton, the executive director of the International Biometric Industry Association (IBIA), who reported at the Biometrics 2002 Conference in London, United Kingdom, that the industry’s trade association has indicated a surge in biometric revenues over recent years. From $20 million in 1996, revenues increased to $200 million in 2001, and Norton believes they will increase significantly in 5 years’ time. Also, a forecast made by the International Biometric Group (IBG), a biometric consulting and integration firm located in New York City, estimates that biometric revenues totaled $399 million in 2000 and will increase to $1.9 billion by 2005.
Both IBIA and IBG believe that the private sector will be responsible for much of the growth. These give evidence of the relevance of biometrics in organizations in modern times.
BIOMETRICS AND ACCESS CONTROL
Over the years, biometrics has evolved rapidly, and many vertical markets such as government, transport, the financial sector, security, public justice and safety, healthcare and many more have adopted it. Due to this wide range of users, biometrics has been deployed in many applications. Biometrics has been of high benefit to organizations as they seek a reliable security method to safeguard assets. Given how biometrics works, it can be said that the ultimate aim of applying biometrics in the vertical markets listed above is to control access to a resource, irrespective of whether the system used is a verifying or an identifying one. S. Nanavati, Thieme and R. Nanavati (2002, p. 14) stated that biometric systems are deployed for two primary purposes, which are physical and logical access.
LOGICAL VERSUS PHYSICAL ACCESS
“Physical access systems monitors, restricts, or grant movement of a person or object into or out of a specific area” (Thieme 2002, p. 14). This could be implemented to control entry into rooms or even the main building. Popular examples are control towers, bank vaults, server rooms and many other sensitive rooms requiring controlled access. In physical access, biometrics replaces the use of keys, PIN codes, access cards and security guards, although any of these could be combined with biometrics as a complement. A common physical access application is time and attendance. Thieme also defined logical access systems as those that monitor, restrict or grant access to data or information, listing examples such as logging into a PC, accessing data stored on a network, accessing an account, or authenticating a transaction. In this case, biometrics replaces, or can be designed to complement, PINs, passwords and tokens. Basic biometric functionality, namely the acquisition and comparison of biometric data, is often identical in both physical and logical systems. For example, the same iris scan data can be used for both doorway and desktop applications. Thieme explained that the only difference between the two is the external system into which the biometric functionality is integrated. The biometric functionality is integrated into a larger system. This applies to both physical and logical access systems, and actions such as access to a desktop application or access to a room via a doorway are effected by a biometric match. However, not every system can be classified as physical or logical access, as the end result may not indicate access to data or a physical location, and the result may therefore be to investigate further. An ATM secured by biometrics allows access to money, a physical entity. This is made possible by allowing the user logical access to his or her data.
In the example above, the application is difficult to classify as either physical or logical. Thieme (2002, p. 15) suggested that the distinction between physical and logical access systems is a valuable tool in understanding biometrics. He noted that key criteria such as accuracy, fallback procedures, privacy requirements, costs, response time and complexity of integration all vary considerably when moving from logical to physical access.
WHAT ARE BIOMETRIC STANDARDS
Stapleton (2003, p. 167) defined a standard in general terms as “a published document, developed by a recognized authority, which defines a set of policies and practices, technical or security requirements, techniques or mechanisms, or describes some other abstract concept or model.” The growth of the biometric industry has been slowed by the absence of industry-wide standards, and this has also impeded various types of biometric deployment. Nanavati (2002, p. 277) stated that the relative youth of the technology in use, coupled with the disunified nature of the industry, has affected the development of standards, resulting in sporadic and frequently redundant standards. Nanavati also noted that live-scan fingerprint imaging is the only segment of the biometric industry with widely accepted and adopted standards. Due to this absence of biometric standards, some institutions have been concerned about being tied into technologies they believe to be immature or still developmental. However, in an effort to actively address the standards issue, the biometric industry has finalized some blueprints, and the process of getting industries to accept these standards is ongoing.
WHY IS STANDARDIZATION NECESSARY?
The high rate of biometric development and the rapid growth in adoption of biometric technologies in recent years have resulted in ever-increasing expectations of accuracy, adaptability and reliability in an ever-wider range of applications. Due to the adoption of biometric technologies in large-scale national and international applications, involving a potentially unlimited range of stakeholders, Farzin Deravi (2008, p. 483) stated that “it has become essential to address these expectations by ensuring agreed common frameworks for implementation and evaluation of biometric technologies through standardization activities.” At this stage in their development, the majority of biometric systems, including both the hardware and software, are made and sold by the owner of the patent. They are proprietary in numerous respects, including the manner in which biometric devices and systems as a whole communicate with applications, the method of extracting features from a biometric sample and, among many more, the method of storing and retrieving biometric data. As a result, companies are in most cases wedded to a particular technology once they agree to implement it. Nanavati (2002, p. 278) stated that in order to incorporate a new technology, companies are required to rebuild their system from scratch, in some cases duplicating much of the deployment effort. Deravi (2008 p. 483) noted that “the need for interoperability of biometric systems across national boundaries has implied a rapid escalation of standardization efforts to the international arena”, stating that the sense of urgency for the need for standardization has been the priority of internal security concerns. The industry-wide or universal adoption of biometric standards will not make biometric technology interoperable, at least not to the point where an old device can be replaced by a new device without rebuilding the system.
However, Nanavati (2002 p. 278) argued that the core algorithms through which vendors locate and extract biometric data are very unlikely to be interoperable or standardized, because these algorithms represent the basis of most vendors’ intellectual property. Numerous reasons motivate standardization. These include the desire to reduce the overall cost of deploying biometric technologies, to optimize the reliability of biometric systems, to reduce the risk of deploying solutions to biometric problems, and to ensure that, in areas such as encryption and file format, the basic building blocks of biometric data management are developed based on best practice by industry professionals. Nanavati (2002 p. 278) concluded that “standards ensure that, in the future, biometric technology will be developed and deployed in accordance with generally accepted principles of information technology.”
EXISTING BIOMETRIC STANDARDS
Shoniregun and Crosier (2008 p. 22) stated that evolving interest and developments have made the development of standards a necessity, with the sole aim of allowing compatibility between different systems. The standards detailed in the Biometrics Resource Centre (2002) report are summarised below:
Common Biometric Exchange File Format (CBEFF):
The Common Biometric Exchange File Format (CBEFF) sets a standard for the data elements essential to supporting biometric technology in a common way, irrespective of the application involved or the domain in use. It makes data interchange between systems and their components easier, while promoting interoperability of applications, programs and systems based on biometrics.
INCITS M1-Biometrics Technical Committee:
The committee was established by the Executive Board of the International Committee for Information Technology Standards (INCITS) with the responsibility to ensure a focused and reasonably comprehensive approach in the United States to the rapid development and approval of previous national and international generic biometric standards (Shoniregun and Crosier 2008, p. 22).
BioAPI Specification (Version 1.1):
“The BioAPI standard defines the architecture for biometric systems integration in a single computer system.” (Deravi 2008, p. 490). The BioAPI specification has been one of the most popular standards efforts since it was formed in April 1998, according to Nanavati (2002, p. 279). Nanavati stated that the standard was formed to develop an API that is both widely accepted and widely available while being compatible with various biometric technologies. Other general standards available are Human Recognition Module (HRS), ANSI/NIST-ITL 1-2000, American Association for Motor Vehicle Administration and American National Standards Institute (ANSI), which specifies the acceptable security requirements necessary for effective management of biometric data, especially for the financial services industry.
BRITISH BIOMETRICS STANDARDS
The British Standards Institution (BSI) commenced work on biometrics standards in June 2004 and has since published, according to Shoniregun and Crosier (2008, p. 24), “a set of four new BS ISO/IEC 19794 STANDARDS,” reported to cover the science of biometrics and the use of biological characteristics in identifying individuals. The objective of publishing these standards is to promote interoperability between the several products in the market.
BS ISO/IEC 19784-2:2007:
This standard defines the interface to an archive Biometric Function Provider (BFP). The interface assumes that the collected biometrics data will be managed as a database, irrespective of its physical realization. Crosier (2008, p. 24) defined the physical realization as “smartcards, token, memory sticks, files on hard drives and any other kind of memory can be handled via an abstraction layer presenting a database interface.)”
BS ISO/IEC 19795-2:2006:
According to Shoniregun (2008, p. 25), this standard provides recommendations and requirements on the collection of data, analysis and reporting specific to two types of evaluation (scenario evaluation and technology evaluation). BS ISO/IEC 19795-2:2006 further specifies the requirements for developing and fully describing protocols for scenario and technology evaluations, and for executing and reporting biometric evaluations.
BS ISO/IEC 24709-1:2007:
“ISO/IEC 24709-1:2007 specifies the concepts, framework, test methods and criteria required to test conformity of biometric products claiming conformance to BioAPI (ISO/IEC 19784-1).” (www.iso.org). Crosier (2008, p. 25) stated that ISO/IEC 24709-1:2007 specifies three conformance testing models which allow conformance testing of each of the BioAPI components, namely a framework, an application and a BSP.
BS ISO/IEC 24709-2:2007:
The standard BS ISO/IEC 247 defines a number of test assertions composed in the assertion language explicitly required in ISO/IEC 24709-1. The assertions allow a user to test the conformance of any biometric server producer (BSP) “that claims to be a conforming implementation of that International Standard” to ISO/IEC 19784-1 (BioAPI 2.0) (www.iso.org).
BIOMETRICS AND PRIVACY
The fact that biometric technologies are based on measuring physiological or behavioral characteristics and archiving these data has raised concerns about privacy risks, and has also raised discussion on the role biometrics plays when it comes to privacy. As stated by Nanavati (2002, p. 237), the increase in the use of biometric technology in the public sector, the workplace and even at home has raised the following questions:
What are the main privacy concerns relating to biometric usage?
What kinds of biometric deployments need stronger protections to avoid invading privacy?
What biometric technologies are more prone to privacy-invasive usage?
What kinds of protections are required to ensure biometrics are used in a non privacy-invasive way?
Woodward (2003, p. 197) cited President Clinton’s speech in his commencement address at Morgan State University in 1997: “The right to privacy is one of our most cherished freedoms…We must develop new protections for privacy in the face of new technological reality.” Recently, biometrics has been increasingly deployed to improve security and has become a very important tool to combat terrorism. The privacy issue is central to biometrics, and many people believe that deploying biometrics poses a considerable level of risk to human rights, even though some are of the opinion that biometrics actually protects privacy. Human factors influence the success of a biometric-based identification system to a great extent. The ease and comfort of interaction with a biometric system contribute to how people accept it. Jain, Ross and Prabhakar (2004 p. 24) gave the example of a biometric system that is able to measure the characteristic of a user without touching, such as those using voice, face or iris, and concluded that it may be perceived by users as a more user-friendly and hygienic system. They added that, on the other hand, biometric characteristics not requiring user participation or interaction can be recorded without the knowledge of the user, and this is perceived as a threat to human privacy by many individuals. According to Sim (2009, p. 81), biometrics, compared to other security technologies, has significant impacts on users’ privacy (civil liberties). It can protect privacy when deployed in an appropriate manner; but when misused, it can result in loss of privacy.
ADVANTAGES OF BIOMETRIC OVER TRADITIONAL METHODS
Passwords and PINs have been the most frequently used authentication methods. Their use includes controlling access to a building or a room, securing access to computers, networks, the applications on personal computers and many more. In some higher security applications, handheld tokens such as key fobs and smart cards have been deployed. Due to some problems related to these methods, the suitability and reliability of these authentication technologies have been questioned, especially in this modern world with modern applications. Biometrics offers some benefits compared to these authentication technologies.
Biometric technology can provide a higher degree of security compared to traditional authentication methods. Chirillo (2003 p. 2) stated that biometrics is preferred over traditional methods for many reasons, which include the fact that the physical presence of the authorized person is required at the point of identification. This means that only the authorized person has access to the resources. Efforts by people to manage several passwords have left many choosing easy or general words, with a considerable number writing them in conspicuous places. This vulnerability leads to passwords being easily guessed and compromised. Also, tokens can be easily stolen, as a token is something you have. By contrast, it is almost impossible for biometric data to be guessed or even stolen in the same manner as tokens or passwords. Nanavati (2002 p. 4) was of the opinion that although some biometric systems can be broken under certain conditions, today’s biometric systems are highly unlikely to be fooled by a picture of a face…” He further added that this is based on the assumption that the impostor has been able to successfully gather these physical characteristics, which he concluded was unlikely in most cases.
One major reason passwords are sometimes kept simple is that they can be easily forgotten. To increase security, many computer users are mandated to manage several passwords, and this increases the tendency to forget them. Cards and tokens can be stolen and forgotten as well, even though attaching them to keyholders or chains can reduce the risk. Because biometric technologies are based on something you are, they are almost impossible to forget or mismanage. This characteristic allows biometrics to offer much more convenience than other systems, which are based on having to keep possession of cards or remembering several passwords. Biometrics can greatly simplify the whole process involved in authentication, which reduces the burden on the user as well as the system administrator (for PC applications where biometrics replaces multiple passwords). Nanavati (2002 p. 5) stated that “Biometric authentication also allows for the association of higher levels of rights and privileges with a successful authentication.” He further explained that information of high sensitivity can be made more readily available on a network which is biometrically protected than on one which is password protected. This can increase convenience, as a user can access otherwise protected data without any need for human intervention.
Traditional authentication methods such as tokens, passwords and PINs can be shared, thereby increasing the possibility of unaccountable access, even though it might be authorized. Many organizations share common passwords among administrators for the purpose of facilitating system administration. Unfortunately, because there is uncertainty as to who is using the shared password or token at a particular point in time, accountability for any action is greatly reduced. Also, the user of a shared password or token may not be authorized, and sharing makes this even harder to verify, so the security (especially confidentiality and integrity) of the system is also reduced. Increased security awareness in organizations, and in the applications being used, has led to the need for strong and reliable auditing and reporting. Deploying biometrics to secure access to computers and other facilities eliminates occurrences such as buddy-punching and therefore provides a great level of certainty as to who accessed what computer at what point in time.
DISADVANTAGES OF BIOMETRICS
PROCESSES OF BIOMETRICS
Biometric technologies can be either physiological or behavioral. Physiological biometrics include fingerprint, facial recognition, hand geometry, iris scan, and retina scan. Voice recognition, signature and keystroke are all examples of behavioral biometrics. The commonly used biometrics are briefly described below.
“Fingerprints are the impressions of the papillary or friction ridges on the surfaces of the hand” (Higgins 2003, p.45). He further stated that fingerprints are the oldest and most widely recognized biometric markers. This statement is backed by Chirillo and Blaul (2003, p. 4), who stated that fingerprint recognition is one of the oldest biometric technologies. Lockie (2002, p. 16) also stated that fingerprints are the most commonly used biometric. Fingerprints have been used by humans for personal identification and access control for centuries. Matching accuracy with this biometric type has been shown to be very high. The fingerprints of even identical twins are different, and so are the prints on each finger of the same person, which increases the rate of accuracy. According to Postnote (2001), at a national level, automated fingerprinting is the only biometric used generally in the United Kingdom. An investigative project, which was to be completed by April 2002, was looking at the concept of using a single biometric identifier, likely to be fingerprints by default, throughout the Criminal Justice System including police, prisons and courts. Prisons already take ink fingerprints from convicted prisoners. These can be compared against the police database as proof that the right person is being held. An automated system would give rapid confirmation of a person’s identity and allow information about individuals to be shared quickly and easily. Below are some strengths and weaknesses of fingerprinting according to Nanavati (2002 p. 45).
Strengths of deploying fingerprint technology include:
It can be used in a range of environments.
It is a mature and proven core technology capable of high level accuracy.
It employs ergonomic and easy-to-use devices.
The ability to enrol multiple fingers can increase system accuracy and flexibility.
Weaknesses of fingerprint technology include:
Most devices are unable to enrol a small percentage of users.
Performance can deteriorate over time.
It is associated with forensic applications.
Facial scan technology employs distinctive features of the human face in order to identify or verify a user. Face appearance is a particularly compelling biometric because of its everyday use by nearly everyone as the primary means of recognizing other humans. It is more acceptable than most biometrics because of its naturalness. Faces have been institutionalized as a guarantor of identity in identity cards and passports since photography became prominent. However, Chirillo & Blaul (2003 p. 55) stated that most face recognition and identification devices do not actually perform a scan but instead capture an image of the face in a video or picture format. They further added that the information is converted to a template or a data representation of the captured information, while the initial information is stored. After this process, subsequent scanned faces can then be compared to the original captured faces. Strengths and weaknesses of face recognition technology are given below according to Nanavati (2002 p. 63).
Strengths of facial recognition include:
It is capable of leveraging existing image acquisition equipment.
It is capable of searching against static images such as passports and driver’s license photographs.
It is the only biometric capable of operating without user cooperation.
Weaknesses of this technology include:
Matching accuracy is reduced by changes in the acquisition environment.
Matching accuracy is also reduced by changes in physiological characteristics.
The potential for privacy abuse is high due to non-cooperative enrollment and identification capabilities.
Bolle et al (2004 p. 43) defined the iris as “the colored part of the eye bounded by the pupil and sclera.” They added that the iris has been purported to be a universal biometric identifier with very good discriminating characteristics. Iris-scan technology uses the distinctive characteristics of the human iris in order to identify or verify the identity of users. Nanavati (2002 p. 77) stated that iris-scan technology has the potential to play a major role in the biometric marketplace if real-world systems and solutions meet the theoretical promise of this technology. He further added that iris-scan technology has been successfully deployed in high-security physical access applications, ATMs and kiosks for banking and travel applications. The technology is also being positioned for desktop usage. Nanavati (2002) stated some strengths and weaknesses of iris-scan technology.
Strengths of Iris-scan technology:
It has the potential for exceptionally high levels of accuracy.
It is capable of reliable verification as well as identification.
It maintains stability of characteristics over a lifetime.
Weaknesses of Iris-scan technology:
It has a propensity for false rejection.
Acquisition of the images requires moderate attentiveness and training.
Some users exhibit a certain degree of discomfort with eye-based technology.
A proprietary acquisition device is required for deployment.
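The enrol-then-compare process described for facial scan above, and the false-rejection weakness listed for iris-scan, can be seen in a short added example (not taken from the cited authors). The feature vectors are constructed, and Euclidean distance is an assumed stand-in for a vendor's matching algorithm; the point is how one decision threshold trades false rejections of the genuine user against false acceptances of impostors.

```python
import math

def enroll(samples):
    """Average several captured feature vectors into one stored template."""
    return [sum(col) / len(samples) for col in zip(*samples)]

def verify(template, probe, threshold):
    """Accept the probe if it lies within `threshold` of the template."""
    return math.dist(template, probe) <= threshold

def error_rates(template, genuine, impostor, threshold):
    """Return (false rejection rate, false acceptance rate) at one threshold."""
    rejected = sum(not verify(template, p, threshold) for p in genuine)
    accepted = sum(verify(template, p, threshold) for p in impostor)
    return rejected / len(genuine), accepted / len(impostor)

# Constructed 4-value feature vectors, not real biometric data.
ENROLMENT = [
    [0.50, 0.30, 0.80, 0.10],
    [0.52, 0.28, 0.82, 0.12],
    [0.48, 0.32, 0.78, 0.08],
]
TEMPLATE = enroll(ENROLMENT)

# Same user: two captures in the enrolment environment, then two captures
# after the acquisition environment changed (e.g. different lighting).
GENUINE = [
    [0.51, 0.31, 0.79, 0.11],
    [0.47, 0.33, 0.82, 0.09],
    [0.62, 0.22, 0.90, 0.18],
    [0.40, 0.41, 0.70, 0.02],
]
# Other people presenting themselves as the enrolled user.
IMPOSTOR = [
    [0.65, 0.20, 0.70, 0.25],
    [0.20, 0.70, 0.40, 0.60],
    [0.58, 0.38, 0.88, 0.02],
    [0.90, 0.10, 0.30, 0.50],
]

def sweep(thresholds=(0.10, 0.20, 0.30)):
    """Map each threshold to its (FRR, FAR) pair on the sample data."""
    return {t: error_rates(TEMPLATE, GENUINE, IMPOSTOR, t) for t in thresholds}

if __name__ == "__main__":
    for t, (frr, far) in sweep().items():
        print(f"threshold={t:.2f}  FRR={frr:.2f}  FAR={far:.2f}")
```

At the strict threshold the two captures taken in the changed environment are rejected; loosening it to admit them also admits the closest impostor.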
VOICE RECOGNITION; VOICE SCAN
According to Chirillo & Blaul (2003, p. 201), voice recognition actually comprises two different types of technology: voice scan and speech recognition. They explained further that voice-scan is deployed to authenticate a user based on his or her voice characteristics, while speech recognition is used for the “technological comprehension” of spoken words. Voice-scan technology makes use of the distinctive aspects of the voice to identify or verify the identity of users. Voice-scan is sometimes mistaken for speech recognition, a technology that works by translating what a user is saying (the process in speech recognition is unrelated to authentication). Nanavati (2002, p. 87) described voice-scan technology as one that verifies the identity of the user who is speaking. Bolle et al (2003, p. 40) stated that, similar to face appearance, voice-scan (also known as voice recognition) is often used due to its prevalence in human communication and its day-to-day use. They further added that voice is a behavioral biometric but it depends on some underlying physical traits, which “govern the type of speech signals we are able and likely to utter.” Examples of these physical traits are the fundamental frequency (which is a function of the vocal tract length), cadence and nasal tone. Nanavati (2002, p. 87) stated the strengths and weaknesses of voice-scan.
Strengths of voice-scan technology:
It is capable of leveraging telephony infrastructure.
It effectively layers with other processes such as speech recognition and verbal passwords.
It generally lacks the negative perceptions associated with other biometrics.
Weaknesses of voice-scan technology:
It is potentially more susceptible to replay attacks than other biometrics.
Its accuracy is challenged by low-quality capture devices, ambient noise, etc.
The success of voice-scan as a PC solution requires users to develop new habits.
The large size of the template limits the number of potential applications.
Hand-scan is one of the most established biometric technologies. It has been in use for years in several applications, especially for verification of individuals. According to Nanavati (2002, p. 99), hand-scan technology makes use of the distinctive parts of the hand, particularly the height and the width of the back of the hand as well as the finger. Hand-scan is more of an application-specific solution than the majority of biometric technologies and is used exclusively for physical access and for time and attendance applications. Although hand-scan geometry biometrics is still a technology that is growing slowly, Chirillo & Blaul (2003, p. 145) stated that estimates forecast revenues to increase to approximately $50 million in 2005, which is approximately 2 to 5 percent of the whole biometric market. They gave the primary reason for the minimal forecast as limited usage and suitability mainly for access control and time and attendance applications. Nanavati (2002, p. 99) stated the strengths and weaknesses of hand-scan technology.
Strengths of hand-scan technology:
It is able to operate in challenging environments.
It is an established, reliable core technology.
It is generally perceived as non-intrusive.
It is based on relatively stable physiological characteristics.
Weaknesses of hand-scan technology:
It has limited accuracy.
The form factor limits the scope of potential applications.
The ergonomic design limits usage by certain populations.
Chirillo & Blaul (2003, p. 146) also cited cost as a weakness, stating that hand-scan readers cost approximately $1,400 to $2,000, placing the devices towards the high end of the physical security spectrum.
WHERE NOT TO USE BIOMETRICS
Biometrics offers a great many benefits in safeguarding systems and is perceived as more reliable than other security techniques (traditional security methods). However, biometric technologies are not the perfect security to be deployed for every application, and in some cases biometric authentication is just not the right solution. “One of the major challenges facing the biometric industry is defining those environments in which biometrics offer the strongest benefits to both individuals and institutions, and then showing that the benefits of deployment outweigh the risk as well as the costs” (Nanavati 2002, p. 7).