Recently I have been asked about our response to several articles appearing in the global press announcing the "defeat of biometrics". Following is our response to these articles; hopefully we will spark much-needed debate within this industry regarding the marketing of biometric products and services while improving the security of our homes, workplaces and country.
For those of you not "in the know", let me start with a primer.
Biometrics is the method of utilizing a physical identifier such as fingerprints, facial geometry, iris scanning or another unique physiological feature to identify and authenticate an individual's credentials for access to a facility, network or computer.
True biometric authentication is the "holy grail" of credential management. Uniquely identifying an individual and authenticating access based upon criteria that cannot be duplicated virtually guarantees network and facility security.
There are many different types of biometric authentication methods, with more being implemented every day. Of the currently available biometric authentication methods, fingerprint technology has been and continues to be the easiest to implement, among the least invasive and among the most reliable technologies available. For the purposes of this article we will concentrate on fingerprint identification.
Scientific studies have proven that fingerprints are unique at the rate of 1 in 1,000,000,000 individuals. What makes fingerprints unique is the multiple characteristics that define them. These "minutiae points" are the intersections of ridges, loops, swirls and whorls, and the position of these features within the fingerprint.
Fingerprint Biometrics
Fingerprint biometric devices take a picture of these minutiae points and electronically convert them, using a mathematical algorithm, into a string of characters uniquely identifying each finger enrolled. This "template" is then usually stored in an encrypted area of the local hard drive or of the network's user credential management area. This is known as the enrollment phase of biometric authentication.
During the authentication phase, a new template is made based upon the available minutiae points presented and is compared with the stored template. If the templates match, the user is authenticated and access is granted. If the templates do not match, the user is denied access. Current technology allows for authentication of an individual's identity within a margin of error of .01 to .00001%, depending on the algorithm and biometric identifier used.
Most devices today use between 16 and 40 minutiae points to create a template. It should be noted here that the fingerprint itself is not stored anywhere on the PC or network, and creating a fingerprint model from 16-40 minutiae points is virtually impossible. It is virtually impossible for someone to "steal your fingerprint" even if they had full access to your template on the network or device.
While a margin of error of 1 in 10,000 to 1 in 1,000,000 may not seem "secure", it is important to understand that there are different types of errors, and that the way each transaction is processed, and how errors affect that processing, can result in near-impenetrable security.
Types of Errors and "false acceptance"
FRR - False Rejection Rate - This is the rate at which a device will deny access because it misreads or misidentifies genuine biometric credentials as "false".
An example of this type of error: Mary is authorized to access her facility by authenticating her fingerprint on a fingerprint reader at the door. Today, while trying to enter the facility, Mary didn't have her finger properly centered on the device, so the minutiae points captured and compared during this attempt are notably different from what is on the stored template. She is denied access even though she has a valid biometric credential (her finger). This is the most common type of error, and most devices will default to a false rejection rather than a false acceptance if the templates are noticeably different.
FAR - False Acceptance Rate - This is the rate at which a device will accept non-matching biometric credentials as valid. This type of error is extremely rare, and usually falls within the 1 in 1,000,000 or better range.
An example of this type of error: Ben is not authorized to access his corporate network via biometric authentication. The fingerprint on his right index finger is close enough to Mary's that he is able to authenticate by using her identity. He is granted access even though he doesn't possess valid biometric credentials. The odds of this happening in reality with 16 minutiae points captured are one in 16! (16 × 1 × 2 × 3 × 4 × 5 ... × 16), or one in 334,764,638,208,000.
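To make the FRR/FAR trade-off concrete, here is an added example (not code from this article or from any biometric product): a constructed, deliberately simplified minutiae matcher in Python. The template layout, the tolerances and the noise model for a mis-centered finger are all assumptions; the point it shows is that a single decision threshold moves the two error rates in opposite directions, which is why devices are tuned to fail toward false rejection.

```python
import math
import random

# Constructed, simplified model (added example, not a real product's algorithm):
# a template is a list of minutiae (x, y, angle_deg); a match counts the stored
# minutiae that have a counterpart in the probe within positional/angular slack.
MINUTIAE_PER_TEMPLATE = 16   # the page's low end of "16 to 40 minutiae points"
POS_TOL = 6.0                # assumed positional tolerance (sensor pixels)
ANGLE_TOL = 15.0             # assumed angular tolerance (degrees)

def random_template(rng, n=MINUTIAE_PER_TEMPLATE):
    """Constructed template: n minutiae scattered over a 200x200 sensor area."""
    return [(rng.uniform(0, 200), rng.uniform(0, 200), rng.uniform(0, 360)) for _ in range(n)]

def genuine_presentation(rng, template, shift=3.0, jitter=2.0):
    """Same finger presented again: slightly shifted and noisy (Mary's off-center press)."""
    dx, dy = rng.uniform(-shift, shift), rng.uniform(-shift, shift)
    return [(x + dx + rng.gauss(0, jitter), y + dy + rng.gauss(0, jitter),
             (a + rng.gauss(0, 4)) % 360) for x, y, a in template]

def match_score(stored, probe):
    """Fraction of stored minutiae that have a counterpart in the probe (0.0 to 1.0)."""
    matched = 0
    for sx, sy, sa in stored:
        for px, py, pa in probe:
            d_ang = abs((sa - pa + 180) % 360 - 180)       # shortest angular difference
            if math.hypot(sx - px, sy - py) <= POS_TOL and d_ang <= ANGLE_TOL:
                matched += 1
                break
    return matched / len(stored)

def accepts(stored, probe, threshold):
    """Decision: grant access when the score reaches the threshold."""
    return match_score(stored, probe) >= threshold

def estimate_rates(threshold, trials=300, seed=1):
    """Return (FRR, FAR) for one threshold over constructed genuine and impostor attempts."""
    rng = random.Random(seed)
    false_rejects = false_accepts = 0
    for _ in range(trials):
        enrolled = random_template(rng)
        if not accepts(enrolled, genuine_presentation(rng, enrolled), threshold):
            false_rejects += 1        # Mary turned away: a false rejection
        if accepts(enrolled, random_template(rng), threshold):
            false_accepts += 1        # a stranger let in on Mary's template: a false acceptance
    return false_rejects / trials, false_accepts / trials

if __name__ == "__main__":
    for thr in (0.5, 0.7, 0.9):
        frr, far = estimate_rates(thr)
        print(f"threshold {thr:.1f}: FRR={frr:.3f} FAR={far:.3f}")
```

Raising the threshold drives the simulated FAR to zero at the cost of a visibly higher FRR; vendors pick the operating point, which is why the "1 in 1,000,000" FAR figure says nothing by itself about how often legitimate users are turned away.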
Spoofing - This is a method of using a copy of valid biometric credentials to gain access.
An example of this type of false acceptance: David does not have access to the payroll computer in human resources. David knows that Mary's right index finger is the one she uses to authenticate herself on the network. He sneaks into her office after hours, captures a high-quality imprint of her right index fingerprint, goes home and makes a perfect copy of this fingerprint in gelatin using information he found on the Internet, returns to Mary's office during off hours and authenticates as Mary on her PC to change his payroll information. Voilà, he now has a VP's salary.
Much press recently has been devoted to the so-called "defeat" of biometric authentication based upon the example described above. In a much-touted demonstration, the German Federal Institute for Information Technology Security, in collaboration with the Fraunhofer Research Institute headquartered in the German city of Darmstadt, announced the "Defeat of Biometrics". For more information on this demonstration, which would make James Bond proud, see:
http://www.extremetech.com/print_article/0,3428,a=27687,00.asp
Another "test", performed by the Japanese cryptographer Tsutomu Matsumoto, can be seen here:
http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf
Biometric Credential Theft - This is a method in which an unauthorized individual uses a valid biometric credential to gain access to a network or facility.
An example of this type of false acceptance: as shown in the movie "The 6th Day" with Arnold Schwarzenegger, the unauthorized individual cuts off the finger that is used to biometrically authenticate onto the network or facility and uses that biometric credential to gain illegal access.
I have only one comment here... In a standard day-to-day corporate or medical environment, if you are really anticipating this as a viable attack upon your network, I would recommend seeking competent psychological counsel. You've got bigger problems than network or facility security.
Integrating Biometrics in the Real World
Each of the above examples is based upon an "identification" method of biometric credential management. The two types of biometric credential management are:
Identification - Also known as 1:n or 1:Many.
This type of biometric credential management relies solely upon the biometric credential as the statement of user identity. As an example, when I place my finger upon the biometric reader, the program looks at the presented template, goes to the template warehouse and attempts to identify my fingerprint from the entire database. The program asks: Who is this person? Then it asks: Does this person have access? Then the program grants or denies access based upon the business rules previously assigned. This is the slowest form of authentication and is also the most open to the types of errors detailed above.
Authentication - Also known as 1:1.
This type of biometric credential management system utilizes a secondary "statement of user identity". In other words, you must also authenticate yourself by something you possess or know, and not just by something you are. An example here is when I walk up to my PC: I insert my smart card (something I have) into a smart card reader attached to my fingerprint scanner, or input my PIN or password (something I know), and then authenticate biometrically using my finger on the scanner. This type of credential management system is the fastest template matching method and is the most secure authentication method available today.
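The 1:n versus 1:1 distinction, as an added example in Python (not the article's or any vendor's code): identification searches the whole template store with nothing but the finger, while authentication first takes an identity from the card or PIN and compares against that one template only. The store, the toy exact-match score, the threshold and the "Ben" probe that shares 6 of Mary's 8 minutiae are all constructed; the last function gives the standard reason a 1:n search is more exposed to false acceptance: the per-comparison FAR compounds across every enrolled template.

```python
# Added example, not from the original article. Templates are constructed
# frozensets of quantized minutiae (x, y, angle); the score is the fraction of
# a stored template's minutiae that appear in the probe (a toy exact matcher).
THRESHOLD = 0.75   # assumed decision threshold

def score(stored, probe):
    """Fraction of the stored minutiae found in the probe."""
    return len(stored & probe) / len(stored)

def identify(probe, store):
    """1:n - 'Who is this person?': compare against every enrolled template."""
    best_user, best = None, 0.0
    for user, template in store.items():      # one comparison per enrolled user
        s = score(template, probe)
        if s > best:
            best_user, best = user, s
    return best_user if best >= THRESHOLD else None

def authenticate(claimed_user, probe, store):
    """1:1 - the smart card or PIN states the identity; only that template is compared."""
    template = store.get(claimed_user)
    if template is None:                      # no valid second factor, no comparison
        return False
    return score(template, probe) >= THRESHOLD

def system_false_accept_rate(far_per_comparison, enrolled_count):
    """Chance an impostor matches at least one of n templates in a 1:n search."""
    return 1 - (1 - far_per_comparison) ** enrolled_count

# Constructed template store: Mary and David are enrolled, Ben is not.
STORE = {
    "mary": frozenset({(10, 12, 90), (34, 50, 45), (60, 20, 180), (75, 80, 270),
                       (90, 15, 0), (120, 44, 135), (140, 100, 315), (160, 60, 225)}),
    "david": frozenset({(5, 5, 0), (50, 50, 90), (100, 100, 180), (150, 150, 270),
                        (25, 175, 45), (175, 25, 225), (60, 140, 315), (140, 60, 135)}),
}
# Constructed probe from Ben's finger: 6 of Mary's 8 minutiae coincide.
BEN_PROBE = frozenset({(34, 50, 45), (60, 20, 180), (75, 80, 270), (90, 15, 0),
                       (120, 44, 135), (140, 100, 315), (20, 120, 10), (180, 180, 60)})

if __name__ == "__main__":
    print("1:n identifies Ben as:", identify(BEN_PROBE, STORE))          # mary
    print("1:1 with Ben's own card:", authenticate("ben", BEN_PROBE, STORE))  # False
    print("1:n exposure, FAR 1e-6, 10,000 enrolled:",
          round(system_false_accept_rate(1e-6, 10_000), 5))            # about 0.00995
```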
Instituting a Biometric Credential Management System utilizing the Authentication method outlined above is the most secure method of end-user authentication. It is exponentially better than existing password, PIN, token and other knowledge- or possession-based authentication methods, and when implemented properly it represents a dramatic improvement in data and facility security.
So why all the noise about the "defeat of biometrics"?
There are certain elements within our society that misunderstand what biometrics is and what its capabilities are. These elements need to be educated in the science and technology of biometrics, and in how, and how not, to use it in their security methods.
Other individuals need to have their egos stroked by touting the fact that they have defeated an "impenetrable" system. These individuals need to find something more fulfilling to occupy their lives: a career, a significant relationship, religion, a hobby... pick one and stick with it.
Still, there are others who are truly trying to improve the quality of security by pointing out that one system alone is not sufficient for all needs. These are the true pioneers of the security industry.
I count myself and other "champions" I know within this industry in the last category.
Security is more than just creating and implementing an impenetrable system... It is a mind-set that every system is penetrable, all solutions are fallible, and the only secure system is one that is diligent in its methods, rooted in the fundamentals of secure credential management and uses multiple methods of authentication.
Please feel free to contact me should you have any questions about this article or biometrics in general.
James Childers
CEO - Artemis Solutions Group, a Division of iQBio, Inc.
james@iqbio.net