Biometric White Paper Continued

By John Dale, Managing Director, KeCrypt Systems Ltd

Continuation of Biometric White Paper.

Comparison of Biometrics for Electronic User Identity

It is useful to look in more detail at some of the more common biometrics being considered for incorporation into the electronic identification processes.

In some cases, for example the UK Identity Card, a combination of biometrics is being considered. Such approaches aim to overcome environmental and usability issues, while maintaining acceptable security levels.

Fingerprints
Fingerprints are often seen as the optimal biometric because their uniqueness is widely accepted. Fingerprints used for law enforcement identification use all fingers and a 'rolled' fingerprint. This provides maximum data input for analysis and comparison.

Commercial fingerprint readers and solutions generally do not use all fingers or a 'rolled image'. Such readers have now been incorporated in a range of devices including keyboards, mice and Personal Digital Assistants (PDAs).

This approach lowers the cost but does decrease the performance in comparison with law enforcement solutions. For example, most commercial solutions suffer from problems with finger orientation. Many devices will suffer from dirty environments and generally deteriorate in performance as users leave dirt on the reader.

Fingerprints also do not provide a clear intention to authorise, because they can be obtained from latent prints left on objects or forced onto readers by unauthorised users. More gruesomely, many readers do not check for a 'live' finger.

Tsutomu Matsumoto, a Japanese cryptographer, along with his students at the Yokohama National University, published a paper in January 2002 showing that they could reliably fool 11 commercially available fingerprint readers, with both optical and capacitive sensors, and some with "live finger detection" features, 80% of the time with artificial fingers made out of gelatine. These are sometimes referred to as "Gummy Fingers". He first of all gained the cooperation of users to mould their fingers. Later his trial lifted latent fingerprints from glasses, etc. (just as police do at a scene of crime) and, using simple enhancement, digital photography, PC photo software and printing, was able to etch the fingerprint onto copper to then create a mould.

Fooling the fingerprint reader
A team of journalists at the European computer magazine C'T tested nine fingerprint readers. The team were able to fool them all with a variety of methods.

  • Breathing on readers can re-activate the last latent.
  • Simply pressing a copy of a latent can fool some readers.
  • Water in a bag being pressed can re-activate the last latent.

None of these approaches were sophisticated attacks from professionals. Although Tsutomu Matsumoto is a cryptographer, he didn't have to use any challenging crypto-analysis to gain access. This work showed that fingerprint readers will often need to be in controlled environments to ensure they are not being fooled, or combined with additional ID methods to form 2 or 3 factor authentication.

Iris
Iris scanners are coming down in price, opening up their consideration, yet the infrastructure costs for associated workflow processes would still be prohibitive. Environmental lighting and user positioning are important factors in performance. Physical characteristics of the population also have an effect.

Dark iris colour intensity can affect the ability to correctly distinguish pattern markings, along with the use of coloured or tinted contact lenses. Long eye lashes can make the iris less visible. Enrolment difficulties together with user acceptance are the important factors in adoption.

The C'T magazine team, while testing fingerprint readers, also checked one iris scanner and was able to fool it using a simple photo with a hole cut for the pupil.

Face
Facial recognition probably has greatest user acceptance because many of us already have photographs in passports, driving licenses, or on employee ID cards. However, facial biometric identification solutions are susceptible to environmental problems such as lighting and positioning of cameras.

They also have great difficulty in handling our everyday changes in appearance, such as cosmetics, hats, earrings, hair, glasses, beards, etc. Performance issues can lead to poor user experience and general distrust.

Facial recognition also deteriorates over time due to the natural process of aging. It is estimated that there is on average a 5% drop in accuracy per year due to aging. This means that regular annual registrations would have to take place.

The team at C'T magazine fooled facial recognition simply by replaying a video clip.

Voice
This would appear an obvious choice of biometric where microphones are already part of the electronic infrastructure (e.g. mobile phones, PDAs, and PCs). However, the quality of data captured by such devices is poor, making exploitation of the voice as a biometric difficult. To overcome this, current voice biometric solutions use additional higher quality sound equipment, raising the infrastructure costs.

The performance of all voice biometric solutions is influenced by environmental background noise, making their deployment restricted. With commercial levels of computer power, voice verification has to be combined with a PIN or pass phrase to provide recognition. This means they are susceptible to misspoken phrases. They are also susceptible to conditions of poor health (colds, laryngitis), breathlessness, stress, etc.

Signature
Signatures are not universally accepted as a biometric because of their individual variability and the thought that they can easily be forged. In the paper world only the static image is ever checked, and such checking has difficulty in distinguishing between an individual's variability in signing and a forger's attempt to impersonate.

A handwriting expert with closer analysis is able to deduce an individual's manner of signing and therefore eliminate attempted forgery. By capturing an individual's signature electronically the manner of an individual signing (the dynamics) can be exploited and signatures used as a true biometric. Signatures are a natural choice that is already used in the paper world and can be exploited electronically to provide the correct level of performance for a significant number of purposes and processes.

This is especially true where the biometric signature is to be used on devices that are themselves built around an electronic inking capability (i.e. PDAs, Tablet PCs, or electronic scribble pads) and the biometric is replacing the wet ink signature. Users see the process remaining the same, yet the digital authentication and electronic capture of associated data provide the organisation with improved efficiencies.

KeCrypt Biometric Signature
KeCrypt Signature verification analyses a handwritten signature produced on a touch screen or pad as a conventional waveform, extracting certain parameters of this waveform and assigning them numeric values in order to build a set of software filters.

These filters then provide the first stage in authenticating any subsequent specimens of the signature.
KeCrypt does not convert the signature itself to any time, frequency, or spatial-normalised template for use in techniques such as DTW (Dynamic Time Warping) or HMM (Hidden Markov Model) analysis.

The filters record data which state how much a given part of a given signature is allowed to vary. The variability of any particular signature heuristic is based upon standard deviation around the mean of the calibration samples.
Thus filters for each signature variable measured are set.

The filter data, therefore, may not be used to reconstitute any part of the signature. Unlike competitive biometric products, KeCrypt does not store a template, and therefore the signature cannot be replicated.
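The filter idea described above, sketched as an added example (this is not KeCrypt's code). The feature names, the multiplier k, the 5% tolerance floor and the rule that every feature must pass are all assumptions made for illustration; the sample values are constructed.

```python
from statistics import mean, stdev

# Hypothetical dynamic features measured from one signing (names are assumptions).
FEATURES = ("duration_s", "pen_lifts", "mean_speed", "path_length")

# Constructed calibration samples from one enrolling user.
CALIBRATION = [
    {"duration_s": 2.10, "pen_lifts": 2, "mean_speed": 41.0, "path_length": 86.0},
    {"duration_s": 2.25, "pen_lifts": 2, "mean_speed": 39.5, "path_length": 88.5},
    {"duration_s": 1.98, "pen_lifts": 2, "mean_speed": 42.8, "path_length": 85.0},
    {"duration_s": 2.18, "pen_lifts": 2, "mean_speed": 40.2, "path_length": 87.5},
    {"duration_s": 2.05, "pen_lifts": 2, "mean_speed": 41.6, "path_length": 85.5},
]
# Constructed specimens: a genuine signing, and a slow tracing whose shape
# (path length) matches but whose dynamics do not.
GENUINE = {"duration_s": 2.15, "pen_lifts": 2, "mean_speed": 40.7, "path_length": 87.0}
TRACED = {"duration_s": 4.60, "pen_lifts": 5, "mean_speed": 18.9, "path_length": 87.2}

def build_filters(calibration, k=2.5):
    """Store only a tolerance band per feature: mean +/- k * standard deviation."""
    if len(calibration) < 3:
        raise ValueError("need at least 3 calibration samples")
    filters = {}
    for name in FEATURES:
        values = [sample[name] for sample in calibration]
        mu, sigma = mean(values), stdev(values)
        # Floor (assumption): a feature that never varied during calibration
        # must not become an exact-match test.
        tol = max(k * sigma, 0.05 * abs(mu))
        filters[name] = (mu - tol, mu + tol)
    return filters

def verify(filters, specimen):
    """Return (accepted, failed_features); every feature must be inside its band."""
    failed = [name for name, (lo, hi) in filters.items()
              if not lo <= specimen[name] <= hi]
    return not failed, failed

if __name__ == "__main__":
    bands = build_filters(CALIBRATION)
    for label, specimen in (("genuine", GENUINE), ("traced", TRACED)):
        print(label, verify(bands, specimen))
```

The traced specimen passes the shape-like feature and is rejected on timing, pen lifts and speed, which is the distinction between static-image checking and signing dynamics drawn in the Signature section.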

The KeCrypt biometric signature solution provides significant advantages:

  • Nothing is stored that can reveal a user's signature.
  • The authentication process cannot be reversed.
  • It is not dependent on the user's written language.
  • Registration of signatures is automatically optimised to obtain the best balance between security and usability.

KeCrypt User Trial in the NHS
To assess the viability of the KeCrypt signature verification in a working environment a trial was carried out in the pharmacy departments of a number of London hospitals. Within a pharmacy and prescribing environment a signature is used to authorise a wide range of activities.

The trial confirmed that the KeCrypt biometric signature has a high level of user acceptance. The trial also showed that KeCrypt signature verification was as successful as fingerprint recognition when compared with results from the Government's recent National ID trial. More importantly, all attempted forgeries were rejected by the KeCrypt system.

Biometric            Success Rate   Comment
KeCrypt Signature    81.7%          No forgeries accepted
Fingerprints         82.3%          -
Iris Scans           98.8%          12% failed to register
Facial Scans         69.2%          -

 


Author Information - John Dale

Managing Director

John Dale founded KeCrypt in 2001 having been running information security businesses as part of Marconi. John has over 25 years business and IT experience in the commercial and public sectors. He has had international operational and marketing responsibilities. He has extensive experience in developing business strategies to achieve substantial business growth, and understands the need of organisations to develop secure efficient processes.
