# Biometrics 101

Companies looking for a higher level of security may find it in new verification methods.
Author:
Publish date:
Updated on

# Biometrics 101

Oct 1, 2005 12:00 PM, By Steve Filippini

Companies looking for a higher level of security may find it in new verification methods.

Earlier in my career, when I was a field technician for a local security company, it wasn't uncommon for me to find the arm/disarm code of the alarm system posted prominently above the user interface keypad. When I tried to persuade the owner of the system to remove the number sequence, I was informed the posting was needed for the employees with memories resembling strainers. At the time, I scoffed at the practice and exhibited little sympathy for the users of the system. Today, my workstation is littered with yellow post-its boldly displaying the various passcodes I need to do my job. Being reduced to a collection of number sequences doesn't bother me as much as struggling with the fact that I need nametags on the photos of my family members to get it right.

With the advent of biometric verification such as fingerprinting, companies have options to supplement keypad-entered security passcodes.

We live in a world of character sequences. ATM codes, Internet passwords — and, the worst, telephone numbers — can reduce us to fits of rage and despair when someone informs us the sequence we committed to memory needs to be changed for security purposes and various other reasons.

Thankfully, the world of biometrics is creeping into our society to relieve us from some of the pressure to remain safe and discreet. Webster's New World Dictionary defines biometrics as that branch of biology that deals with its data statistically and by mathematical analysis. Simply stated, our individual existence and lifestyles can be reduced to a series of mathematical values and equations stored as an algorithm in a remote, unseen database. An algorithm, by the way, is a sequence of instructions that tells a system how to solve a problem.

The use of DNA, for example, pops up almost daily in the media. In the field of law enforcement, somewhere, someone is being identified or linked to an event through the science of DNA verification. There's been enough media coverage regarding DNA over the last few years to make experts out of the interested public, but there are other methods of individual identification and verification out there. These methods are being used to create a safer and more secure home and work environment for all of us.

In the world of security systems and access control, the most common methods of verifying and granting someone valid entry rely on data-embedded cards (or tokens) and keypad-entered passcodes. The limitation with these types of identification verification is that anyone can walk up and present a valid card or enter a valid sequence of numbers without the system really knowing who is being granted access. In high-security environments, this is not acceptable.

Before we continue, it's important to clarify a few terms used in the field of biometrics. Identification is when a collected biometric trait is compared to all of the biometric information saved in a database. Verification is when the individual identifies themselves through conventional means (passcodes and identification cards) and is then matched to a specific biometric feature or trait. Verification tends to be the faster way to go when the biometric database has a great many recorded traits in it.

Since we as individuals possess characteristics that differentiate us from everyone else in varying degrees, the following methods of isolating our personal traits are quickly gaining ground in research labs and consumer markets. Keep in mind that each of the following has its own list of advantages and disadvantages, and it's up to the product provider to determine what is best for users.

Sony’s Puppy Fingerprint Identity Token

## FINGERPRINTS

We have all watched enough television to know how important fingerprints are in the field of law enforcement, but few know the details surrounding the important smudges our fingers leave behind.

The tips of your fingers are covered with tiny swirls of ridges that provide friction and grip when we pick something up. These ridges randomly meet and separate across the surface of your fingers. The points where two ridges meet are called bifurcations and have the appearance of branch points between two lines. The ridge endings are known as minutiae and, along with the bifurcations, vary from finger to finger. When a fingerprint is collected from an individual, the number of minutiae is recorded for each finger. The specific locations for each of these minutiae are also determined and converted to numerical coordinates. These coordinates are then entered into a database for future comparison and verification purposes. Once the fingerprint is recorded, it's up to the collection process to come up with a valid match. So the next time the detective on television superimposes two prints on an overhead screen to confirm a match, you'll know there's more to it than that.

There are two types of collection processes for fingerprints: optical and capacitance. Optical scanners use a charged coupled device (CCD) similar to those used in digital cameras and camcorders. The scanner's array of light-sensitive diodes generates an electrical signal in response to light-reflected images. The image is then inverted causing the ridges (the area of light most reflected) of the print to be represented in a dark color and the space between the ridges (the area of light least reflected) to be represented in a light color. Sounds nifty, but because this method uses a photo-based process, the scanner can't always determine the difference between a real fingertip and a picture of one.

The capacitance scanner also generates an image of the fingertip's ridges and valleys, but it uses electrical current instead of light. Without getting into too much detail, the distance from the scanner and fingertip alters capacitance. The capacitance between the scanner and the fingertip's ridges and valleys are measured and recorded with the varying capacitance values, creating an image that replicates the fingerprint pattern. The capacitance scanner is the most reliable way to go since it requires an actual fingertip to generate an image. A concern for this type of setup, though, is the risk of electro-static discharge (ESD) damaging the capacitance-sensing plate since there is usually only a thin sheet of plastic separating the finger from the capacitors. This means the environment in which this device is to be used needs to be confirmed before installation and proper protection methods need to be included.

The use of fingerprint scanning isn't just for high-end customers or facilities either. Sony and ACP have both released USB mini flash drives that require a fingerprint scan before the contents of the drive can be accessed. They are a bit pricier than the earlier family of flash drives, but security-conscious and gadget-interested customers are buying them.

One final note about fingerprints before we move on. There are other factors to keep in mind before selecting this as a primary method of verification. It takes less than a minute of exposure to household chemicals to temporarily alter the appearance of your print, and many people have chronically dry hands (a winter in Minnesota will do that to you), which will reduce the clarity of the image. Caution and taking the surrounding environment into consideration are important when making a product-based decision.

## FACIAL STRUCTURE

This form of identification relies on the computer to capture and distinguish one face dimension from another. The detection unit will capture the facial characteristics and then compare specific geometric features against a database. The process of facial comparison begins with selecting a reference point, say the distance between one's eyes. From there, the different distance and angles of other facial features are measured and recorded. This is known as facial geometry analysis. Another method used is called Eigenface Comparison, and it uses a variety of around 120 to 150 facial abstractions to compare captured facial images. Now, there are critics who question the effectiveness of this technology and challenge its use during our day-to-day activities. They will remind you that identical twins can be hard to tell apart visually and electronically. There are others who support this technology and claim it's even effective against people who attempt to disguise themselves with different hairstyles and facial hair. Regardless of who believes what, it's interesting to note that gambling casinos have been using this technology since the late 1990s to identify banned players.

## HAND DIMENSIONS

Identification through hand recognition is based on the geometric shape of the hand. This would include the length and thickness of the digits and the width and radius of the palm. Unfortunately, the hand does not possess enough unique characteristics to be the primary form of verification. Add to that the fact that geometry of the hand may change over time due to injury, aging, or weight gain. Some systems, though, combine the scanning of a finger or palm print to supplement the process. Other systems rely on the entering of a unique passcode at a user keypad (attached to the scanning device) along with the hand comparison to complete the verification. This combination isn't so much used to positively identify a person requesting access as it is to clock them in and out of work. The intended use by these companies is to deter people from clocking in their friends who happen to be running late. Hand-geometry-based systems have been implemented at airports, prisons, and other large-scale locations where the presenting of the hand along with access card/tokens or passcodes will result in a valid entry/exit of a facility.

## VOICE PATTERNS

When I was in high school, I had an opportunity to view my voice pattern using an oscilloscope and microphone. My instructor lined up several of my peers and had us each recite a series words into the machine. The intent was to show us how the same word could look very different depending on who said it. The same principle is used in voice recognition technology and focuses on the physical characteristics of your voice.

Currently, a few companies use this technology as a secondary line of identification. The customer, or user, enters a valid personal identification number (PIN) before they are prompted to repeat a few predetermined words for voice pattern comparisons. These words are then matched with a stored collection of words, numbers, or phrases previously recorded by the customer and stored in the system's database. Recorded voiceprints do not take up a lot of hard drive room, but it does take the computer some time to compare the presented voiceprint against a large database of stored prints.

Initial tests of this method are encouraging, but there are a few hurdles to overcome before you see this type of security measure used daily. For one, there is an issue with the use of inexpensive microphones in telephones and intercoms. Poor communication lines, as well as background noises, can also adversely affect the quality of the voice. Another issue to keep in mind is that people's voices are affected by colds, allergies, aging, and severe emotional changes. Still, this technology is used to some degree in home PC processes, network accessing, and banking, and promises to grow as the technology improves.

One final comment on this one method. Despite what you've seen on old Mission Impossible episodes, it is very difficult for someone to imitate someone else's voice patterns without electronic means (taping or other methods of recording). People like legendary impressionist Rich Little may be able to imitate the sound and inflections of their target person, but they are unable to accurately reproduce the frequency and vocal timing of their speech. Incidentally, people who imitate celebrity voices have to exaggerate the voice tone and pattern to help us recognize them, so creating a match is practically impossible.

## IRIS SCAN

The iris, or colored portion of the eye, is as unique from one person to another as fingerprints. The iris patterns are formed six months after birth and stabilize at about a year. After that, the patterns remain the same for life. Scanning the iris requires a high-resolution infrared imaging camera, usually positioned no more than 3ft. away from the eye. A low-powered infrared source is used to illuminate the iris before the image is taken. This is an easier method of data collection when compared to a retina scan, but when compared to fingerprint verification, this method is considered expensive and not very practical for the average consumer.

## RETINA SCAN

The retina is the thin layer of nerve endings inside the eyeball that captures light and relays it back to the brain for image processing. The retina area includes a pattern of veins (or capillaries) located at the back of the eye. This pattern is unique to an individual. The retina scanning process, like the iris scan, also uses a low-intensity light source, but in this case it's used to illuminate the blood vessels enough for an image to be captured. The issue that arises during the scan is that people are required to remove their glasses, look into the scanning unit, and stare at a specific point or object during the image capture. This scan can take up to 15 seconds depending on the product and may prove to be too intrusive for some. Despite the discomfort, the possibility of faking out a retina scan is almost impossible. There is no known method of duplicating a human retina, and despite some of the more graphic action movies on TV, the retina of a deceased person decays much too quickly to be used for false verification.

## HANDWRITING

Handwriting comparison and verification is another interesting method of individual distinction. It's no longer just a matter of forging onto an excuse note your mother's pattern of loops and lines to get out of school for a few hours; now you need to know how she writes. There are two types of signature verification methods offered to the consumer: static and dynamic.

Static signature verification looks at the image of the presented product and compares it to the stored signature. Dynamic signature verification takes into account the speed, pressure of the pen, type of strokes, and duration during the act of signing.

This type of identification is widely used in a simpler form on the back of credit cards, but it relies on the store merchant to compare the signature on the credit card against the signature on your driver's license or purchase receipt. I know from personal experience that hardly anyone looks at my signature because I have not signed the back of any of my credit cards and no one calls me on it. Still, signature verification has always been a quick form of identification that started way back in the olden days when a man's mark was his word.

Of course, there are some drawbacks to this type of verification. The digitized tablet on which the signature needs to be written can be expensive and may prove difficult to locate. Another thing to keep in mind is that there are always inconsistencies to how someone writes their name. These inconsistencies can be blamed on things such as mood swings and lack of patience.

The above methods of biometric verification are the most common I have come across in my field. Others, such as odor, ear structure/dimension, and recording the vein structure of the back of the hand, are being used by some research companies on a limited basis. When you get right down to it, if there is a way to record, convert, and store a mathematical equation of any part of your body for the purpose of biometric verification, someone is looking into it.

Contrary to conspiracy theorists, it is very difficult for someone to have a complete database of our biometric characteristics without our knowledge. The collecting of an individual's biometric information is an involved process and for the most part needs our cooperation. Companies that use various forms of biometric data to verify our identity still have to collect, store, and provide a means to authenticate the presented person's data. Fingerprints can be lifted from almost anything we touch. Voiceprints can be recorded without our knowledge. Our facial structure can be photographed without our knowledge and stored for future reference. This was proven at the 2001 Super Bowl when Tampa, Fla., police scanned the faces of the fans without their knowledge. Their intent was to locate known terrorists in the crowd but the public at large denounced the practice, citing identity theft and intrusion. Of course, the New Orleans police did the same thing at the 2002 Super Bowl, but there were little complaints, the country having just witnessed the horrors of Sept. 11.

## CHOOSING A VERIFICATION SYSTEM

Okay, so now you know a little bit more about the various biometric traits we as individuals possess, but which ones are most suitable for your verification needs? The first thing you need to do is identify the criteria in making a good decision by asking yourself a few questions. What comfort level will your customer or employee need to have for you to collect and record their personal traits? Which process will produce the highest level of accuracy? What will it cost you to implement these methods in the home or workplace? Fingerprints, for example, rank high for accuracy and low cost. Iris and retina scanning rate very high for accuracy but are also very costly. Facial and hand geometry rank high on the comfort level but low on the accuracy chart. It all comes down to what level of verification and authentication you and your customer are willing to invest in.

And speaking of investments, it's interesting to note what the biometric markets are doing these days. Fingerprint verification takes up about 48 percent of the market, with hand and facial verification coming in at 11 percent and 12 percent respectively. According to the 2004 Biometric Group, the biometric revenue was projected to be at \$1.2 billion by the end of 2004 and will grow to \$4.64 billion by 2008. This is good news for the victims of identity theft, which numbered more than 86,000 in 2001 according to the Federal Trade Commission. The Aberdeen Group estimated there were more than \$8.75 billion in related losses in 2002. Of the 6.5 million reported identity theft victims in 2004, 67 percent reported that their credit card accounts were misused. Nineteen percent reported that their checking and savings account were tampered with. Biometric verification can help reduce the number of identity theft victims, but nothing as of yet is foolproof. Since the problem of identity theft won't be going away anytime soon, it's comforting to know there is a growing market just waiting to become part of the mainstream in the field of security, personal protection, and access control.

Steve Filippiniis a senior technician with more than 26 years of experience in the security and installation industry.