Printer Friendly

The nuts and bolts of biometrics.

BIOMETRICS HAVE A PROBLEM. MANY people think they should have become a raging success long ago . . . but they haven't. Nevertheless, biometrics have begun to nudge their way into the impressive array of security applications throughout the world, from airport control towers to computer rooms, government facilities to college meal plans, prison lockups to sperm banks.

Some of the perceived difficulties with biometrics are a direct result of the inherent attractiveness of machines that can identify a person through physical or behavioral characteristics.

Market researchers have repeatedly overvalued the appeal of the technology and underestimated the challenges associated with designing and marketing the devices. As a result, today's $10 million biometric industry looks tiny compared to some researchers' overeager $100 million forecasts.

Fortunately, a handful of biometric vendors have now succeeded in producing machines that perform well, are easily integrated into existing systems, and can help organizations meet objectives such as raising security levels, eliminating the need for security officers, and making the ID process more convenient for users in all types of environments.

BIOMETRIC TECHNOLOGY CONSISTS OF SIX primary techniques: fingerprint, hand geometry, retinal scan, signature dynamics, voice verification, and key stroke dynamics. The first three techniques deal with people's physiological characteristics; the last three deal with their behavior.

The difference among these techniques is important because each group has common attributes that may help you decide which type of machine to use in a certain situation, depending on your needs.

Specifically, physiological biometrics deals with static, generally unchanging characteristics. As a result the devices in this category do not have to contend with intrapersonal variations each time a user steps up to the machine. In other words, barring a traumatic injury, your finger, eye, or hand is the same every time you use the machine.

In contrast, behavior-based biometrics must incorporate algorithms that discern differences in the way an individual presents himself or herself each time the device is used. This subtle difference between the two types of devices manifests itself in a variety of operational attributes.

For instance, physiological biometric devices tend to have lower false acceptance rates (FARs) and false rejection rates (FRRs) than behavior-based devices. In fact, fingerprint and retinal scanners are the only devices to date to score 0.0 percent false acceptances in independent tests.

Generally these devices also have lower FRRs when set at high-security levels. Keeping FARs low, however, generally results in more expensive devices. In fact, no field-proven physiological biometric devices on the market today cost less than $1,800, and some still cost more than $4,000 per unit.

The major advantage of behavioral biometric devices is that they are perceived as less threatening. The techniques focus on behaviors that people already associate with identification, such as signing a check, typing a password at a computer, or speaking on a phone.

Also, the hardware needed to capture the behavioral biometric pattern is generally less costly. As a result behavioral biometric systems currently on the market cost between $600 and $1,500 per access point protected. These prices will be further reduced in a new generation of machines in development, but for the next year prices for commercially available devices in both categories are expected to fall only slightly.

Other performance attributes of biometric devices to keep in mind include the following:

* the size of the reference template, which ranges from 9 bytes for hand geometry to 1,000 bytes for some fingerprint and voice verification devices

* how and where the template is stored - on a mag stripe or smart card, in the biometric device, or in a host computer

* the throughput speed, which varies from a few seconds to nearly 20 seconds and is primarily influenced by the activities required by the user - such as presenting a card or entering a personal identification number, and presenting the characteristic - more than the actual processing time of the machine

* ease of integration, which is primarily a function of the device's support system, such as what interfaces are provided to emulate popular access cards and host hookups

* training and ease of use Perhaps the biggest determinant of the performance of a biometric device is how well trained the user is in its operation. The most successful implementations allow users some practice with the machine before going live. This is especially important in reducing FRRs.

APPROXIMATELY 500 ORGANIZATIONS currently use biometric verifiers. While this number is growing slowly this year, the number of 20 unit-plus orders is increasing.

The industry has been is a state of flux for the past year or so. A few companies, such as fingerprint-reader supplier Identix and hand geometry manufacturer Recognition Systems, have established regular production cycles. Voice Control Systems has also succeeded by initially marketing only in small geographic regions to facilitate working closely with users.

Retinal scan manufacturer Eyedentify underwent a complete management change in late 1990 and emerged with a strategic focus on custom-integrated systems for the government and other large users. The first success for the new Eyedentify is a contract with the Department of Energy (DoE) and the Department of Defense (DoD) valued at $1 million plus.

The Eyedentify Models 7.5 and 8.5 have long been among the best performers in the industry. IBM, which introduced a signature dynamics pen for computer access control in banking systems, has had limited success in the United States, but has placed some orders abroad.

Several biometric products found new homes during the past year. The Sign/On signature product, the first biometric device to break the $1,000 price barrier in 1986, was sold to Digital Signatures Inc., a subsidiary of Capital Security Systems Inc. (formerly D/A Capitol).

The company has placed a number of the signature dynamics devices for computer and physical access and in April announced that a version integrated with IBM point-of-sale terminals would soon be tested for credit card authorization.

Another major change occurred when Ecco Industries, whose VoiceKey verification device generated revenue of about $1.5 million in 1989, was acquired by International Electronics Inc. (IEI). Sales of VoiceKey dropped precipitously in 1990 because of performance problems.

IEI, a supplier of sensors and detectors used in industrial and residential security systems, is currently working on a new lower cost version of the technology scheduled for introduction this year.

A few of the long-time names in biometrics retreated from the access control market last year. Fingermatrix now focuses almost exclusively on law enforcement fingerprint systems, and Thumbscan dropped its fingerprint product in favor of more profitable computer security products.

Several other companies have undergone major cutbacks, including Alpha Microsystems, which has stopped marketing its voice verification system, and PIDEAC, which has had difficulties finding a niche for its hand geometry product.

The mixed results of the past year have not, however, dampened the flow of new development efforts. PIN (Personal Identification Newsletter) is currently tracking two dozen firms with products at various stages of development. A partial list includes the following:

* Alpha or beta testing: Xenetek (signature dynamics), Cross Electronics (fingerprint), Nippon Denso (fingerprint), Toshiba (full-finger patterns), Voice Sciences (voice), Electronic Warfare Associates (voice), and Technologia Systems (voice)

* Early development: The Bear Group (signature dynamics), Hand Scan Technologies (hand geometry), and about a dozen others not yet ready to release information

* Licensing made available: BellCore (voice), PrintScan (fingerprint), and British Technology Group (veins on the back of the hand)

THE MOST RECENT INDEPENDENT TEST of biometrics was conducted more than a year ago by DoE's Sandia National Laboratories. The evaluation concluded that "the present generation of biometric identification devices can provide reliable and cost-effective protection of assets." The tests included machines from six vendors.

Overall, the test results showed improvement over tests conducted by Sandia in 1987. However, several vendors, including Alpha MicroSystems and IEI, were hard-pressed to explain their disappointing performances to potential government customers who rely on the labs' results to justify purchases.

As in 1987, the ID-3D hand geometry device from Recognition Systems was the outstanding performer in the group. At a threshold of 75, the machine rejected only one authorized person out of 1,000 after three tries and accepted only one impostor in 1,000 after a single attempt.

Two of the machines in the test, the Eyedentify Model 8.5 and Identix TouchLock, allowed no false acceptances despite several thousand impostor attempts. The Eyedentify Model 8.5 also improved its false rejection performance significantly compared to the Model 7.5, which was tested in 1987.

After three access attempts, only four in 1,000 users were falsely rejected by the machine. The Sandia staff was also impressed with the Model 8.5 when operating in the recognize mode, which does not require the user to enter a personal identification number or present a card.

The Sign/On signature dynamics device from Digital Signatures also performed well, although nearly one in 10 users was falsely rejected on the first attempt at gaining access. The FRR improved drastically on the second try.

This phenomenon is considered a quirk of human psychology and indicates that when users think about what they are doing, which is often not the case on the first attempt, they can usually be accepted. The FAR for Sign/On was an impressive 0.7 percent based on three tries by the forgers.

In addition to the performance tests, Sandia also measured how long it took to use each machine and conducted surveys with users on how they liked the various machines.

The subjective test results found that users liked the ID-3D hand device best across a broad range of categories. The Eyedentify 8.5 and Identix TouchLock were the next most favored devices. Keep in mind that the survey respondents work in a secure national lab and their opinions may differ from those in other populations.

BEFORE DISCUSSING SEVERAL UNIQUE applications of biometrics, it is important to note that there is nothing fancy about most current installations of the technology. The best devices on the market are easily integrated into existing access control systems via standard interfaces and can emulate Wiegand, mag stripe, and other card formats when communicating with host systems.

Most can also operate in a stand-alone mode. Many biometric access control applications are at government installations, but it's not as high a proportion as one would think. In fact, during the past year more biometric systems were installed in corporations than in the military. Among the standard uses are protection of research facilities, computer installations, pharmacies, offices, and secure areas at airports.

Most major access control companies now carry at least one biometric device in their product line. They do this to project a high-tech image or to meet the specifications of a particular job.

Still, biometrics manufacturers report that local dealers are usually the best source of their sales because dealers are more likely to market aggressively to users in a particular industry sector. A few of the larger organizations that have recently added biometrics for access control are San Francisco International Airport, Washington-Dulles International Airport, the Automobile Club of America, Michigan National Bank, and the Drug Enforcement Administration (DEA).

The DEA application is probably the largest installation of biometrics outside of DoE, which is a longtime user of biometrics. DEA is installing 70 hand geometry machines at its New York City Task Force office.

The multifloor facility needs the additional positive identification because officers from a variety of police agencies are present, making it difficult for people to know whether someone belongs there or not.

The following are several other interesting applications of biometric technology:

College meal plan. The University of Georgia (U. of GA) uses biometrics to control its open meal plan, meaning that students can eat as many meals in a day as they want. About 50 colleges around the country offer similar programs. The program is a recruiting tool for selling students and parents on the school.

A card-only system, whether the "decrementing value" type or the on-line type, cannot prevent fraud in such a system. Therefore, positive identification via biometrics is required.

U. of GA holds the longevity record for the use of biometric systems, purchasing its first IdentiMat hand geometry machines in the early 1970s and adding more in the early 1980s.

Earlier this year, the school recorded a historic first in the annals of biometric technology by replacing its equipment because the original machines were worn out. While the school has not kept records, PIN estimates that the machines executed over 45 million transactions.

The new system uses modern ID-3D-U hand geometry units from Recognition Systems. The machines employ video imaging technology and contain no moving parts that could wear out. Each student's 9-byte hand reference template, ID number, and meal plan designation are stored on a magnetic stripe card.

Twenty machines were purchased, of which 10 are used at turnstiles at the front of lines at four campus cafeterias. Six more units are used for enrollment only, and four more are kept in reserve to replace temporarily out-of-service machines.

Welfare system. Ambitious, innovative, and controversial - three adjectives that describe the Automated Fingerprint Image Report and Match (AFIRM) system being installed by the Los Angeles County Department of Public Social Services to identify recipients of General Relief (GR) program payments. Electronic Data Systems (EDS) was awarded the five-year, $9.6 million contract to install the system.

The first of its kind, the system is used to control benefit issuance to more than 40,000 individuals in the county's GR program. That program provides $170 million of aid annually to indigents who are not eligible for any other federal or state assistance programs.

What differentiates the project from any other in the world is that recipients are recognized by the system after presenting only their fingerprints. No cards, personal identification numbers, or account numbers are used to help identify clients.

AFIRM has a specified response time of under five minutes to deliver its authorization or denial decision. To accommodate the many unique requirements of the project, EDS has established a network of six Hewlett-Packard central processors networked to workstations at 14 county district offices.

Each CPU maintains approximately 10,000 primary client records as well as a file of another 10,000 redundant records to back up any CPUs in the system that may be down. Two prints, the left and right index fingers, are stored for each recipient in case one finger is damaged.

When a recipient enters the district office, he or she presents his or her fingerprint on a live-scan image capture unit supplied by Digital Biometrics. The print is displayed on a workstation for review by a clerk, and a quality control score of 0, 1, 2, or 3 is assigned by local software.

If the print is not considered good enough to extract the necessary minutiae for comparison at the data base, another print is requested. Once a satisfactory print is obtained, the minutiae data is sent to all six CPUs, which search for the appropriate record in their files.

Alberta hospitals. Identity Systems International Inc. (ISI) has installed a number of fingerprint and smart card terminals at the University of Alberta Hospitals.

The company is the only firm in North America currently marketing security products that merge fingerprint and smart card technology, although several other integrators have demonstrated prototypes. The ISI system uses Toshiba smart cards and Identix fingerprint readers.

The initial units are located on computer room doors, but the hospital plans to expand the system to computer terminal security.

In the mid-1980s, several companies offered fingerprint units with built-in smart card readers, but all have abandoned the products at least temporarily. Some users have been frustrated by the lack of a product that combines the two technologies, but there has recently been some indication that such products will become more widely available from integrators. Most notably, Identix, Bull, and ASCOM are working on a joint venture to produce a new ID terminal using both technologies.

Maryland Department of Corrections (DoC). The Maryland DoC has procured more than 20 fingerprint verifiers from Identix to be used at facilities across the state. The machines will be used to confirm the identity of prisoners being transferred or released as well as for access control with prison personnel.

Northern California Sperm Bank. The most amusing application of biometrics to date is also one of the most logical. Sperm banks undertake a comprehensive background check of donors who are then paid for their contributions.

People paying for withdrawals need to feel assured that the sperm came from the proper donor. The hand geometry biometric system used for this application guarantees that someone did not send a friend to make the donation.

Department of the Environment. The Department of the Environment in Baltimore is using Sign/On signature dynamic devices from Digital Signatures Inc. to control access to office space and a computer room but with an interesting twist. Inkless pens are used for access attempts.

Employees sign their names directly on the metallic platen of the wired-pen device. This reduces the mess associated with the paper stock usually used in the system and improves security by eliminating a paper trail of users' signatures.

Another application of the technology is in computer-aided design and computer-aided manufacturing (CAD/CAM) systems, where anyone making changes to an engineering drawing must sign his or her name. The signature is recorded in a file associated with the specific drawing.

These are but a few of the many applications biometric technology is capable of performing. Though acceptance has been slow in the past, biometrics are sure to enhance and speed the path to security in the future.

About the Author . . . Ben Miller is editor and publisher of Personal Identification Newsletter (PIN) in Bethesda, MD. He also authors annual directories covering the biometric and smart card industries and is conference chairman of the CardTech/SecurTech conference in Washington, DC. He is a member of ASIS.

PHOTO : To date, retinal scanners have scored 0.0 percent false acceptances in independent tests.

PHOTO : Behavioral biometric devices, such as the signature dynamics device pictured here, are perceived by users as less threatening than physiological devices.

PHOTO : Hand geometry devices proved to be an outstanding performer in the test.
COPYRIGHT 1991 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1991 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Special Seminar Issue; usage of biometrics in enhancing security systms
Author:Miller, Ben
Publication:Security Management
Article Type:Cover Story
Date:Sep 1, 1991
Previous Article:Federal budget cuts jar DISP.
Next Article:Is business embracing biometrics?

Related Articles
The right look can open doors.
Pentagon Endorses Biometrics To Enhance Computer Security.
Smart Cards and Biometrics studied. (Tech Talk).
Biometrics: separating myth from reality. (Technology Update).
Biometrics in corrections: current and future deployment.
Passports and visas with embedded biometrics and the October deadline.
BIO-key awarded patents for biometric identification technology.

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters