Biometric Security Roles & Resources, Part 1: Biometric Systems
Skip Linehan, Biometrics Systems Architect, Raytheon Intelligence and Information Systems
Outline
- Biometrics overview
- Biometric architectures (non-centralized and centralized)
- BIAS: the connection between the capture front end and the storage and matching back end
Biometrics
What are biometrics? Measurements of certain physical or behavioral characteristics of an individual, used to create a unique identifier which can be electronically stored, retrieved, and compared for positive identification purposes.
Examples of biometric types:
- Fingerprint
- Facial features
- Voice
- Signature
- Iris
- Retina
- Hand geometry
- Facial thermography
- Keystroke dynamics
- Palm print
- Vein patterns
- DNA (?)
How do biometrics work? www.oasis-open.org
Three basic processes
- Enrollment: adding a biometric identifier to the database
- Verification (1:1): matching against a single record; answers "Am I whom I claim to be?"
- Identification (1:N): matching against all records in the database; answers "Who am I?"
Primitive process steps
- Capture: measuring/sampling the raw biometric data using a sensing device. Raw data may be a bitmapped image, audio stream, etc. A series of samples may be captured. Sometimes includes a quality value.
- Processing: converting the raw data into a numeric identifier (generally a binary record). Generally involves feature extraction, but can also include other manipulations (sample averaging/weighting, statistics calculations, cohort lists, etc.)
Example: finger imaging
[Figure: physical characteristics of the fingerprint (ridge endings and bifurcations, located as minutiae on X/Y axes) are converted by the minutia algorithm into a numerical result.]
Primitive process steps (cont'd)
- Matching: comparing a processed biometric sample to a previously enrolled biometric template (or templates) to determine the level of similarity. A correlation process, not the same as a string or binary compare. Many methods (types of algorithms) are used. The output of the match process is a score, analogous to the probability of a match (i.e., of belonging to the same subject).
- Decision: determination of match results. Can be a simple match/no-match, or complex weighting, logic, lists, etc.
Scoring & Thresholding
[Figure: a sample is matched against the stored templates (ID 0001 through ID 0005, ID 9998, ID 9999). The 1:1 path compares a single match score against the threshold; the 1:N path produces a candidate list ordered by score (ID 0004, ID 9998, ID 0002, ID 9999, ID 0003).]
- Output of the match process is a score analogous to the probability of a match
- Match/no match is declared based on comparison of the match score to a threshold
- For 1:1, the result is boolean (match or no match)
- For 1:N, more than one score can exceed the threshold
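The three basic processes and the scoring/thresholding behaviour described above, worked through as an added example (not code from the presentation): a toy repository with enroll, 1:1 verify and 1:N identify. The templates are constructed three-element feature vectors standing in for real minutia records, and cosine similarity is an assumed stand-in for a real matching algorithm, chosen only because it yields a score in [0, 1].

```python
"""Toy enroll / verify (1:1) / identify (1:N) matcher with a score threshold.

Added illustration, not code from the original presentation. Templates are
constructed feature vectors (stand-ins for real minutia records) and the
matching "algorithm" is cosine similarity, an assumption chosen so the
match score lands in [0, 1] like the probability-of-match scores on the slide.
"""
from math import sqrt


def similarity(sample, template):
    """Correlation-style match score in [0, 1]: cosine similarity of two vectors."""
    dot = sum(x * y for x, y in zip(sample, template))
    norm_s = sqrt(sum(x * x for x in sample))
    norm_t = sqrt(sum(x * x for x in template))
    if norm_s == 0 or norm_t == 0:
        return 0.0
    return dot / (norm_s * norm_t)


class Repository:
    """Holds enrolled templates and applies the match/no-match threshold."""

    def __init__(self, threshold=0.9):
        self.threshold = threshold
        self.templates = {}

    def enroll(self, subject_id, template):
        """Enrollment: add one biometric identifier record to the database."""
        if subject_id in self.templates:
            raise ValueError(f"{subject_id} already enrolled")
        self.templates[subject_id] = tuple(template)

    def verify(self, claimed_id, sample):
        """1:1 verification: 'Am I whom I claim to be?' Returns (decision, score)."""
        template = self.templates.get(claimed_id)
        if template is None:
            return False, 0.0          # unknown claim: reject without a score
        score = similarity(sample, template)
        return score >= self.threshold, score

    def identify(self, sample, max_candidates=None):
        """1:N identification: 'Who am I?' Returns every record whose score
        reaches the threshold, best score first; may be empty or longer than one."""
        scored = [(sid, similarity(sample, t)) for sid, t in self.templates.items()]
        candidates = [(sid, s) for sid, s in scored if s >= self.threshold]
        candidates.sort(key=lambda c: c[1], reverse=True)
        if max_candidates is not None:
            candidates = candidates[:max_candidates]
        return candidates


# Constructed enrollment set: the IDs echo the slide, the vectors are made up.
ENROLLED = {
    "ID 0001": (1.0, 0.0, 0.0),
    "ID 0002": (0.0, 1.0, 0.0),
    "ID 0003": (0.0, 0.0, 1.0),
    "ID 0004": (1.0, 1.0, 0.0),
    "ID 0005": (1.0, 0.5, 0.0),
}
# Constructed probe sample: closest to ID 0001, but also near ID 0005.
SAMPLE = (1.0, 0.1, 0.0)


def build_demo_repository(threshold=0.9):
    repo = Repository(threshold)
    for sid, template in ENROLLED.items():
        repo.enroll(sid, template)
    return repo


if __name__ == "__main__":
    repo = build_demo_repository()
    print("verify ID 0001:", repo.verify("ID 0001", SAMPLE))   # genuine claim: match
    print("verify ID 0004:", repo.verify("ID 0004", SAMPLE))   # wrong claim: no match
    print("identify:", repo.identify(SAMPLE))                  # two candidates over threshold
```

With the 0.9 threshold the 1:N call returns two candidates (ID 0001 and ID 0005), which is exactly the case the slide notes: the decision step then has to rank or adjudicate rather than simply say match/no-match. The same threshold also lets a 1:1 claim of ID 0005 pass for this sample, a false acceptance that the FAR figure on the accuracy slide counts.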
Accuracy
Generally defined in terms of two parameters:
1) False Rejection Rate (FRR): probability that a submitted sample will not match the corresponding enrollment template. Measures how often an authorized user, who should be recognized by the system (granted access), is not recognized.
   FRR = (number of false rejections / number of legitimate recognition attempts) x 100%
   Also called False Non-Match Rate (FNMR) or Type I error. Said to measure robustness.
2) False Acceptance Rate (FAR): probability that a submitted sample will match the enrollment template of another subject. Measures how often a non-authorized user, who should not be recognized by the system, is falsely recognized (and granted access).
   FAR = (number of false acceptances / number of imposter recognition attempts) x 100%
   Also called False Match Rate (FMR) or Type II error. Said to measure distinctiveness.
ROC Curves
- FAR and FRR are inversely related
- The operating point is a compromise
- Accuracy is frequently defined in terms of the FRR achieved for a set operating-point FAR. Example: 0.02 FRR at FAR = 0.0001 (98% accuracy for a FAR of 1 in 10,000)
[Figure: plot of error rate versus threshold, showing the FRR (FNMR) and FAR (FMR) curves.]
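The FRR and FAR definitions on the accuracy slide and the operating-point idea above, worked through as an added example (not code from the presentation): constructed genuine and impostor score lists, the two error rates as functions of the threshold, the threshold sweep that traces the ROC curve, and the operating point chosen for a target FAR together with the "accuracy" figure (1 minus FRR) the slide derives from it.

```python
"""FRR, FAR and the ROC trade-off for a threshold-based matcher.

Added illustration, not from the original presentation. The score lists are
constructed: GENUINE holds scores from legitimate recognition attempts (a
sample against its own subject's template), IMPOSTOR holds scores from
impostor attempts (a sample against some other subject's template).
"""

GENUINE = [0.97, 0.95, 0.93, 0.91, 0.90, 0.88, 0.85, 0.82, 0.78, 0.60]
IMPOSTOR = [0.12, 0.20, 0.31, 0.35, 0.42, 0.50, 0.55, 0.61, 0.70, 0.83,
            0.15, 0.22, 0.28, 0.40, 0.45, 0.48, 0.52, 0.58, 0.66, 0.75]


def frr(genuine, threshold):
    """False Rejection Rate (FNMR, Type I): false rejections / legitimate attempts."""
    false_rejections = sum(1 for s in genuine if s < threshold)
    return false_rejections / len(genuine)


def far(impostor, threshold):
    """False Acceptance Rate (FMR, Type II): false acceptances / impostor attempts."""
    false_acceptances = sum(1 for s in impostor if s >= threshold)
    return false_acceptances / len(impostor)


def roc_points(genuine, impostor):
    """Sweep every observed score as a threshold; returns (threshold, FAR, FRR)
    triples in increasing threshold order. FAR falls and FRR rises along the
    sweep, which is the inverse relationship the ROC curve plots."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def operating_point(genuine, impostor, max_far):
    """Pick the lowest threshold whose FAR does not exceed max_far: that is the
    operating point, and its FRR is the quantity the slide reports as accuracy."""
    for t, fa, fr in roc_points(genuine, impostor):
        if fa <= max_far:
            return t, fa, fr
    return None


def accuracy_at(genuine, impostor, max_far):
    """Accuracy as the slide defines it: 1 - FRR at the threshold meeting max_far."""
    point = operating_point(genuine, impostor, max_far)
    return None if point is None else 1.0 - point[2]


if __name__ == "__main__":
    for t, fa, fr in roc_points(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FAR {fa:.2f}  FRR {fr:.2f}")
    print("operating point at FAR <= 0.10:", operating_point(GENUINE, IMPOSTOR, 0.10))
    print("operating point at FAR == 0:", operating_point(GENUINE, IMPOSTOR, 0.0))
```

On this constructed data, demanding FAR = 0 forces the threshold up to 0.85 and costs an FRR of 0.30 (three legitimate attempts rejected), while allowing FAR = 0.10 brings the threshold down to 0.75 where FAR and FRR are both 0.10: the compromise the slide describes. Real deployments estimate these rates from many thousands of comparisons, so the curve is smooth rather than the handful of steps shown here.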
Additional quality measurement
- Failure to Enroll (FTE) Rate: measures how often users are unable to enroll a biometric record
  - A physical characteristic of the user prevents creation of a template
  - The user is not capable of, or willing to, present the biometric properly
  - Sensitive to the demographics of the user population
Biometric system components
What do I need to make it work?
- Capture device (sensor): finger scanner, microphone, video camera
- Algorithms: processing (feature extraction); matching (1:1 or 1:N comparisons)
- Repository: database to store enrolled biometric identifier records (for later comparison). Should be protected (secure area, signed/encrypted)
- Interconnections and communications: networks, protocols
Biometric Architectures
Centralized or non-centralized?
- Where are the reference templates stored?
- Where is the matching done?
Physical architectural components:
- Server
- Workstation (client)
- Sensor
- Token (smart card)
Architectural Variations
- 16 possible variations; 6 most likely
- Refer to INCITS M1/07-0185, Study Report on Biometrics in E-Authentication
Architecture F: Store on Token / Match on Token
[Figure: numbered data flow (steps 1 to 11) among Data Capture, Signal Processing, Matching, Decision and Storage, the Physical Token, the Client/Device and the Verifier.]
- Used for 1:1 matching-based credentialing systems
- No back-end communications
- Biometric data can be stored encrypted on-card
- Capture and sample processing can be incorporated on the token
- Match confirmation can be used to enable an authentication message to allow system access
Architecture A: Store on Server / Match on Server
[Figure: numbered data flow (steps 1 to 11) among Data Capture, Signal Processing, Matching, Decision and Storage, the Client/Device, the Server and the Verifier.]
- Used for large-scale, centralized systems
- Back-end can scale
- Accommodates a variety of network-connected clients
- Supports services models (such as BIAS): standard ENROLL, VERIFY, IDENTIFY; other low-level services such as identity create & delete, metadata maintenance