A. Biometrics technological overview
Although the topic of “biometrics” can be addressed in a number of ways, there are two fundamental points – the types or “what” information can be used, and the method or “how” that information is captured. Far beyond merely capturing an ink impression of an index finger or a partial of a thumb, today’s biomarkers cover a wide range of the human condition and are captured and stored in a myriad of ways that provide both great benefits and significant challenges. These are discussed below.
Biometric characteristics, the “whats,” are separated into two modalities, physiological and behavioral.1 Physiological characteristics include those identified from the fingers and hands, veins, face, eyes, ears, odor, and DNA. In contrast to physiological traits, behavioral characteristics (or a combination of both physiological and behavioral traits) also are increasingly utilized by biometric systems. Behavioral characteristics are generally dynamic and can be affected by various factors, including age, illness, or emotional state.
Fingerprints – Fingerprint recognition is one of the most well-known applications of biometrics. It is a commonly used physiological biometric for US Customs and Border Protection to control international border entry points.2 It is also an integrated authentication feature in most cellphones on the market today. Fingerprint recognition involves recognizing the unique differences in patterns of certain characteristics of fingerprints, such as whorls, ridge patterns, and minutiae points (the points plotted to ridge endings and ridge discontinuities) which differentiate the fingerprints of different individuals.
Fingerprints are first acquired and imaged by either off-line or online techniques. Off-line techniques first require that the fingerprint be captured on a substrate, such as inked fingerprint on paper, and then digitized. Online acquisition, such as a live scan of the fingerprint with optical or capacitive digital imaging technologies, would directly create a digital image.
Most scanners, however, do not scan the entire finger at once and also do not create a full image from all the partial images.3 Using software algorithms, the features of the fingerprint (e.g. ridge orientation and frequency, ridges, and minutiae) are extracted and a biometric template is created. This template is a sequence of binary data that can be used to compare another sequence acquired from a subject for identity or authentication purposes. These templates may be either proprietary templates that are coded to distinct fingerprint recognition systems or standard templates that are interoperable between vendors. In order to achieve interoperability between competing fingerprint recognition systems, an initiative led by the US Department of Commerce’s National Institute of Standards and Technology (NIST) created standards for fingerprint recognition.4 Depending on the purpose for which the fingerprints are acquired, the biometric data may be stored locally on the device or on a secure portable smart card (e.g. for mobile banking) or on a server (e.g. for government identification purposes).
Palm & hand – Palm recognition also utilizes physiological measurements similar to those used in fingerprint recognition (e.g. matching minutiae points and ridge patterns).5Some law enforcement agencies, including those in Connecticut, Rhode Island, and California, have established palm print databases to identify potential criminal offenders.6Interestingly, at a recent security conference, researchers from NYU were able to create artificial fingerprints that contained some features of
fingerprints that were more common than others.7 The artificial fingerprints were able to fool the fingerprint sensor more than one in five times. These manufactured fingerprints were designed to target fingerprint scanners like those in cellphones.
Another related physiological biometric is hand geometry. Hand geometry recognition is the longest implemented biometric type. Commercially available systems for measuring hand geometry have been available since the early 1970s.8 Hand scanners were used in the 1996 Olympic Games to control access to the Olympic Village.9 It can involve the measurement of the length, width, thickness, and surface area of the hand, as well as the distance between knuckles, and the height or thickness of fingers. However, unlike fingerprints, hand geometry is not as unique and an individual’s hand geometry may change over time.
Both palm prints and hand geometry can be captured as high or low resolution images from charge-coupled cameras, digital scanners, webcams, contactless systems, and thermal, among others. As with fingerprint technology, the palm has certain identifying features, including ridges, valleys, and minutiae, that can be used to generate a biometric template. One advantage palm prints have over fingerprints is that the palm is larger, and thus has more information to use to create the biometric template. The captured images are preprocessed to smooth the image and enhance contrast. Depending on the system, a variety of algorithms can be used to extract features from an identified region of interest on the palm and create a biometric template. For hand geometry, the image of the hand is processed by an algorithm and converted to a numerical representation, which is then stored as the user’s biometric template. These biometric templates are stored in a database that can reside on the device’s memory, an identification smart card, or on a server.
Veins & face/hand temperature – Vein patterns in the hands or fingers are another biometric characteristic that can be used to authenticate identity. Financial institutions have utilized vein pattern biometrics in ATMs and for customers accessing safe deposit boxes.10 Vascular patterns are captured through the use of near-infrared light, which is readily absorbed by the deoxygenated blood carried by veins and renders the vein patterns visible. An additional benefit to vein pattern biometrics is that the vein pattern is stable over an individual’s lifetime and, unlike fingerprint or hand geometry recognition, can only be used to authenticate a living individual. Another related biometric technology uses infrared thermograms that recognize the pattern of heat radiation from the face or hand. Thermograms are unique to an individual since the thermal patterns are derived from the vascular structure of the individual. Thermograms can serve to not only identify or authenticate identity but to also verify that the biometric measurements are from that of a living individual.
Infrared and near infrared imaging is used to capture the unique patterns of heat that the individual radiates from their blood vessels in their face, hands, and the veins of his or her hands. This is a non-intrusive and non-invasive technology. This imaging of heat is then converted into a temperature, and the patterns are encrypted and stored in a similar manner as with templates previously discussed above.
Face & ear – Biometric facial recognition is another technology widely used for authentication and identification purposes. Facial recognition technology is used worldwide by law enforcement agencies, including at least two separate FBI programs11 and with social media platforms like Facebook. Facial attributes are captured by photometric or geometric sensors. The geometric method analyzes the shape and position of facial features (e.g. the distance between the eyes, cheekbones, chin, and nose) and relies upon distinguishing facial features. The photometric method converts the facial features into numerical values, creating a template based on the values, and then compares that template to the values for facial features from another image for identification or authentication purposes. Similarly, ear recognition is used in biometric technology because the shape of the ear is stable over time and its growth is almost linear with aging. As with facial recognition, ear recognition can be assessed based on matching distances between structural points in the ear or by matching based on the appearance of the ear.
Sensors are used to capture facial or ear features. These distinguishing facial features are analyzed with respect to their size or relative position to other facial features. The shape of the face is also an important feature. The spectral band of the sensor can be visible, infrared or thermal, and the image may be rendered as a 2D photograph, 3D image, or video. Different algorithms create a biometric template based on these distinctive features for later authentication use. In order to facilitate interoperability, NIST has also propagated voluntary consensus standards for the interchange of facial biometric data.12 Similarly, ear recognition utilizes algorithms which extract distinctive features based on the shape of the ear and converts the images to a numerical format, which is incorporated into the individual’s biometric template.
Eye – The eye is also the source of multiple traits used in biometric systems. Iris recognition systems have been used in universities for access to on-campus dining halls and, recently, plans have been announced for facial and iris recognition for check-in and boarding purposes at the Dubai International Airport.13 The iris of the eye, the colored ring around the pupil, is considered the most accurate of biometric traits. The iris is also unique, even between the left and right eyes of the same individual, and there are many distinguishing features present in the iris (e.g. striations, rings, furrows, freckles; but generally not color) that can be utilized in an iris recognition system. The retina is another reliable and accurate trait of the eye that is used in biometric systems. The US military utilizes laptop computers and handheld identity detection equipment with retinal scanners in Iraq and Afghanistan to identify local suspects.14 The retinal vasculature is also considered a distinctive feature between individuals that is difficult to replicate. Similar to vein recognition, the eye is scanned with infrared light and the unique retinal vasculature is compiled into a template for the biometric system. However, due to the difficulties in image acquisition, the use of eye traits in biometric systems is not as well-adopted as fingerprint or facial recognition has been.
Although both the iris and the retina are essential parts of the eye, biometric data is gathered differently for the two. The iris is scanned with near infrared cameras to identify the distinctive textural details present in the iris. An algorithm converts the complex pattern in the iris into digital data that is stored in a database as a biometric template or used to compare against a stored template. In contrast to the iris, it is the vasculature of the retina that is of interest. In order to image the retina’s vasculature, visible light is beamed into the eye, where the retinal blood vessels absorb it. The amount of light reflected back changes as a result of the vasculature in the retina. These changes in the light pattern during the scan are then converted into code and stored in a database.
(iii) Intrinsic factors
Body odor – As with bloodhounds, body odor recognition relies upon identifying the unique chemical patterns of an individual’s scent.15 Every individual exudes an odor that is characteristic of its own chemical composition. These patterns of chemical composition are thought to be unaffected by the use of deodorant, diet or disease, and the detection methods are less intrusive than with biometric recognition systems involving the eye or fingerprints.
The characterization of an individual’s body odor is done by analyzing the air in the environment around the individual. A sensor reacts with the organic substances in the air and a chromatogram identifies the odor’s composition. The composition is then converted to digital format and stored in a database.
DNA – DNA patterns are distinct between individuals and, as such, DNA is a useful biometric modality for identification and authentication systems. However, the utility of DNA recognition in biometric systems outside of forensics is limited due to the lack of real-time recognition capabilities and the ease of sample contamination.
DNA identification involves measuring the lengths of short tandem repeat (STR) sequences present in the nuclear or mitochondrial DNA. The number of repeated DNA sequences in these STRs differs greatly between individuals. DNA is also inherently digital, and thus does not require an additional step to convert its data into another a template. However, the time required to complete a DNA analysis is prohibitively long for use in mass identification or authentication (e.g. border crossings). Care must be taken to not cross-contaminate the samples with another individual’s DNA.
Gait – The pattern of human locomotion, or gait, can be used for biometric systems based on behavioral characteristics. Algorithms are used to extract an individual’s gait features, both dynamic and static (such as body shape). Although gait recognition can be obtained non-intrusively, an individual’s gait can be altered by many outside factors (e.g. walking surface, footwear, clothing) or can change with age or weight variations.
Gait analysis can be performed with low-quality video footage of a person walking. In some instances, many cameras are placed all around the individual to capture all angles of a person’s gait. Sensors can also be placed on the floor to measure unique footstep patterns. The video footage can then be used to generate a blurred silhouette, which can also be used as the biometric template. Gait analysis involves not only dynamic gait motion but also static body appearance. Given that a person’s gait can be affected by a myriad of external issues (e.g. footwear, walking surface, etc.), there is a question as to how unique an individual’s gait actually is.
Signature – Another behavioral biometric is the way an individual signs their name. Signature recognition involves the measurement of the dynamic movements that an individual demonstrates as they sign their name. Such dynamic characteristics are difficult to mimic and include the direction of movement, the pressure exerted, stroke order and direction, speed and shape of the signature. However, an individual may have large variabilities in these dynamic movements between signatures, and signature recognition may be difficult.
The dynamic act of signing a signature can be measured and analyzed to isolate the unique dynamic movements used during the signing. Alternatively, the individual could provide a static sample signature, which is then turned into a digital image and analyzed by a software algorithm. Dynamic signature recognition is extremely difficult to replicate because the forger would have to physically copy the signer’s dynamic characteristics (e.g. acceleration, timing, pressure, etc.).
Keystroke – The behavioral biometric of keystroke rhythms is considered sufficiently distinct between individuals to use for identity verification purposes. Keystroke dynamics involve the manner and rhythm of an individual’s typing on a keyboard. An individual’s keyboard dynamic measurements may not be unique, but keystroke software can capture data based on the typing pattern, rhythm, strength and speed. Additional biometric parameters include the duration that a key is pressed, the dwell time, and the duration between releasing a key and pressing on the next key, flight time. These parameters are all utilized to generate a biometric template. Keystroke dynamics can, however, be affected by physical issues affecting the hands or muscles, emotional state, and the keyboard used. Monitoring of keystroke dynamics over the course of a session also allows for continuous verification of the individual’s identity. The Bank of Utah also incorporated keystroke dynamics software to enhance the security of its online banking platform.16 While keystroke dynamics are non-invasive and require no additional hardware, typing patterns are not as consistent as some believe. MIT found that keystroke patterns were affected by a change in the keyboard used, the keyboard layout, and physical discomfort in the hands.17
Gesture – More recently, gesture-based recognition systems have also been considered for biometric identification or authentication. Gesture recognition has been called “the mathematical interpretation of a human motion by a computing device.”18 Generally, gesture recognition tracks the movements of the hand or the face, but can also include tracking the head and/or body movements. Gesture parameters measured include acceleration, pressure, size, and time. Gesture recognition has been embraced in home game consoles, such as the Wii, Xbox, and Playstation, which have controllers with accelerometers and gyroscopes and readily respond to gestures. These same gaming companies also make their own gesture recognition software. Yamaha also introduced a gesture recognition feature on a motorcycle; it turned the engine on and off with a gesture.19 Algorithms used in gesture recognition software are 3D-based or appearance-based models. 3D-based models rely upon information gathered from the rest of the body.
Voice – Voice recognition is a combination of both physiological and behavioral characteristics. An individual’s voice results from the static physical aspects of the body that are responsible for generating sound, such as the mouth, jaw, larynx, throat, nasal cavity, or weight. The behavioral aspects may reflect factors including language, age, or physical or emotional state. Voice recognition technology is used by many financial services companies to authenticate their clients.20
Unlike speech recognition, which only attempts to recognize sound waves based on samples of words spoken from a large variety of people of different characteristics and backgrounds (e.g. sex, age, race, geographic, etc.), voice recognition is used to authenticate an individual and requires a match between the voice of the individual and a unique digital template of that individual’s voice. For example, the US previously used a 24-hour voice-activated US-Canada border crossing for registered local residents of Scobey, Montana.21 These residents would pick up a telephone at the border gate, enter a preselected four-digit personal identification number (PIN), and utter a secret pass phrase, which had previously been recorded at the border post. Once authenticated by the voice recognition system, the driver could proceed across the border.
This digital template is a master voice print generated by voice recognition software that often requires the individual to repeat a phrase or series of numbers or words several times before the software will have enough data points to accept the voice print as a template. These spoken words are reduced to segments of tones (dominant frequencies) that are captured by the software, converted into a digital equivalent, and stored as a template. These tones digitally represent the individual’s unique voice template. Other voice recognition software utilizes the voice patterns of the individual, instead of repetitive phrases, to create the master voice print. This generation of the master voice print can be affected by outside influences, such as unnatural speech, background noise, and poor microphones. Voice recognition can also be affected by an individual’s condition (e.g. have a cold, be affected by medications, or mood). Another challenge with voice recognition is that software recognition may be fooled by a voice recording, but most systems have either incorporated some form of liveness detection or use a secondary input, such as a unique PIN.