Authentication - Biometrics
Biometrics used for authentication are currently in fashion in the
authentication industry. The UK and US governments are rapidly
deploying them in their visas, passports and personal identification
cards. This has caused other governments to begin adopting similar
technology. Many other industries are adopting biometrics as
authentication mechanisms for accessing bank machines, doorway
access control, time card reporting and general computer desktop
access. However, as this site will show, biometrics is not a panacea
for authentication.
Authentication is the process of determining if a user or identity is
who they claim to be. The authentication process is based on
risk. Higher risk situations require more identity verification
certainty. Biometrics can play a useful role in verifying the identity
along with other factors.
What is biometric authentication?
Biometric authentication is the process of verifying if a user or
identity is who they claim to be using digitized biological pieces of
the user. This can include finger scans, finger prints, iris
scans, face scans, voice recognition and signature scans. Other
biometrics in research for authentication include vein scans and DNA.
Are all biometrics equal?
No. The type of biometric used and the way it is used produce
different authentication results.
The table below lists current estimates for common biometric
authentication systems:
| | Finger | Voice | Iris | Face |
|---|---|---|---|---|
| Type | Physical | Behavioral | Physical | Physical |
| Method | Active | Active | Active | Passive |
| Equal Error Rate | 2-3.3% | <1% | 4.1-4.6% | 4.1% |
| Failure to Enroll | 4% | 2% | 7% | 1% |
| Nominal False Accept Rate | 2.5% | <1% | 6% | 4% |
| Nominal False Reject Rate | 0.1% | <1% | 0.001% | 10% |
| Liveness Aware | No | Yes | No | Possible |
| System Cost | High | Low | Very High | High |
(Source: Biometric Technology Today and Opus Research, University of
Canberra, European Commission Joint Research Centre, An Efficient
One-Dimensional Fractal Analysis for Iris Recognition, FVC2004: Third
Fingerprint Competition, Preliminary Report on Development and
Evaluation of Multi-Biometric Fusion using the NIST BSSR 517-Subject
Dataset)
Equal error rate: The error rate occurring when the decision threshold
of a system is set so that the proportion of false rejections will be
approximately equal to the proportion of false acceptances.
Failure to Enroll: Failure of the biometric system to form a proper
enrolment template for an end-user. The failure may be due to failure
to capture the biometric sample or failure to extract template data (of
sufficient quality).
Nominal False Accept Rate: The probability that a biometric system will
incorrectly identify an individual or will fail to reject an impostor.
The rate given normally assumes passive impostor attempts.
Nominal False Reject Rate: The probability that a biometric system will
fail to identify an enrollee, or verify the legitimate claimed identity
of an enrollee.
Liveness Aware: Does the user have to be alive to present the biometric?
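
The definitions above, worked through on match scores, as an added example that is not part of the original page: it computes the false accept and false reject rates at a decision threshold, finds the threshold where the two are equal, and shows what a stricter false accept target costs in rejections. The scores, the 0-to-1 score scale and the function names are constructed for illustration.

```python
# Added illustration: FAR, FRR and equal error rate from match scores.
# All scores are constructed; a higher score means a closer match.
GENUINE = [0.91, 0.85, 0.78, 0.88, 0.69, 0.95, 0.58, 0.82, 0.74, 0.90]   # enrolled user
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.62, 0.19, 0.71, 0.33, 0.25, 0.47]  # other people


def far(threshold, impostor=IMPOSTOR):
    """False accept rate: share of impostor attempts scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False reject rate: share of genuine attempts scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a threshold and return
    (threshold, FAR, FRR) where FAR and FRR are closest to equal."""
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates, key=lambda t: abs(far(t, impostor) - frr(t, genuine)))
    return best, far(best, impostor), frr(best, genuine)


def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR stays within max_far, and the FRR it costs.
    Models a higher-risk use demanding more certainty than the EER point."""
    for t in sorted(set(genuine) | set(impostor)):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return None  # no observed threshold meets the target


if __name__ == "__main__":
    print("EER point (threshold, FAR, FRR):", equal_error_rate())
    print("FAR <= 20% (threshold, FRR):", threshold_for_far(0.2))
    print("FAR  =  0% (threshold, FRR):", threshold_for_far(0.0))
```

On this sample, pushing the false accept rate from the equal-error point down to zero doubles the share of legitimate users who are rejected.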
Why Biometrics Will Not Solve Identity Theft
Biometrics are very useful, in certain situations, as an authentication
device. They are useful when someone is watching the user use a
biometric authentication device. This way the enterprise can be
relatively certain that there is no malfeasance taking place between the
user, the biometric hardware reader and the enterprise security system.
However, when biometrics are used remotely, with the enterprise not
able to see and control the authentication hardware, the chances
increase that the identity presenting their biometric may not be the
person who is registered with the biometric. Therefore, multi-factor
authentication mechanisms are used.
The use of biometrics as a deterrent against identity theft is being
much touted at the moment. However, the use of biometrics alone
is not likely to deter criminals from finding ways around them.
Remember that what is being presented is a set of computer bits that
represents the biometric to the authentication server. Therefore, it is
extremely likely that criminals will adjust their attack vectors and try
to capture the biometric from the person, and then replay it against the
enterprise.
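
An added example, not part of the original page, of why a biometric that reaches the server as plain bits is accepted again when resent, and how a server can detect the resend. The reader-held key, the one-time challenge and all names are assumptions of this example, and exact byte comparison stands in for real template matching.

```python
import hashlib
import hmac
import secrets

# Assumptions: a key provisioned in a trusted reader, and a constructed
# byte string standing in for the enrolled biometric template.
READER_KEY = secrets.token_bytes(32)
ENROLLED = hashlib.sha256(b"constructed-template-alice").digest()


class Server:
    def __init__(self):
        self.pending = set()  # challenges issued and not yet used

    def static_verify(self, sample_bits):
        """Bits-only check: accepts anyone who presents the right bits."""
        return hmac.compare_digest(sample_bits, ENROLLED)

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def bound_verify(self, nonce, sample_bits, tag):
        """Accept only a fresh, single-use nonce with a reader MAC over nonce + sample."""
        if nonce not in self.pending:
            return False  # unknown or already used challenge: a resend
        self.pending.discard(nonce)
        expected = hmac.new(READER_KEY, nonce + sample_bits, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected) and hmac.compare_digest(sample_bits, ENROLLED)


def reader_capture(nonce, sample_bits):
    """What the trusted reader sends: the sample and a MAC tied to this challenge."""
    return sample_bits, hmac.new(READER_KEY, nonce + sample_bits, hashlib.sha256).digest()


def demo():
    server = Server()
    n1 = server.challenge()
    sample, tag = reader_capture(n1, ENROLLED)
    live_ok = server.bound_verify(n1, sample, tag)
    # The recorded message (n1, sample, tag) is presented a second time.
    resend_same_nonce = server.bound_verify(n1, sample, tag)
    resend_new_nonce = server.bound_verify(server.challenge(), sample, tag)
    static_resend = server.static_verify(sample)  # bits alone are accepted again
    return live_ok, resend_same_nonce, resend_new_nonce, static_resend
```

The binding only shows that a given message is fresh and came from the keyed reader; it does not make the stolen biometric itself changeable.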
End User Risk Is High
The risk to the end user from having a password stolen is that they
must create another password and also notify all sorts of government
and commercial agencies if their identity is stolen. HOWEVER,
when using biometrics the risk to the end user is much greater.
If the user's biometric is stolen, there is no way to change their
fingerprint, fingerscan, voice or iris. The implications for the
end user of having their biometric stolen are much greater. How
can the individual effectively stop fraudulent people from using their
stolen biometric?!
CAVEAT EMPTOR.