Circumventing the limitations of Biometric Systems

Biometrics offers multiple usability advantages over traditional authentication techniques, but raises privacy and security concerns. When traditional authentication credentials are compromised they can be replaced, whereas a biometric is permanently associated with a user and cannot be replaced. Many research groups worldwide have conducted advanced biometrics research to circumvent these limitations. The aim of the research is to retain the positive characteristics of traditional authentication methods by using advanced mathematical models to produce a biometric template that can be cancelled and revoked like a password and that is unique to every application. Instead of storing the original biometric, advanced mathematical models are applied to transform the original biometric into a unique domain. The transformed biometric and the transforming mathematical model are stored either on a smart card or centrally in a database. The model preserves privacy because it is impossible, or computationally very hard, to recover the original biometric template. In the unfortunate situation where a user’s biometric has been compromised, the following steps can be taken:

  • Simply re-enrol the user using another advanced mathematical model, thus providing revocability.
  • The model prevents cross-matching between databases, as each application using the same biometric applies a different advanced transformation model.
  • The biometric feature representation is not changed by the advanced mathematical models. This allows the use of standard biometric discriminating feature extraction and matching algorithms.

In summary, a cancellable biometric scheme offers the following:

  • Diversity: Different applications must use different advanced models to transform the original biometric, so a large number of protected templates from the same biometric feature is required.
  • Revocability: Cancellable biometrics simplifies the process for revocation and reissue in the event of compromise.
  • Non-invertible: Cancellable biometrics prevents the original biometric from being recovered from the template.
  • Performance: The performance of the biometric system is not impacted by the advanced models and hence does not deteriorate.
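
The four properties above, shown with an added example that is not BRL's model or code from the book: a BioHashing-style random projection, one published family of cancellable transforms, stands in for the unnamed "advanced mathematical model". The application keys, dimensions, threshold and feature vectors are assumptions constructed for the illustration.

```python
import hashlib
import random

BITS = 256  # length of the protected template (assumed)

def projection(app_key: bytes, in_dim: int):
    # Per-application pseudo-random matrix derived from the key (assumed
    # secret, kept on the smart card or with the database record).
    # random.Random is not a CSPRNG; a deployment would use a keyed DRBG.
    rng = random.Random(int.from_bytes(hashlib.sha256(app_key).digest(), "big"))
    return [[rng.gauss(0, 1) for _ in range(in_dim)] for _ in range(BITS)]

def protect(features, app_key: bytes):
    # Project, then keep only the sign of each projection: many-to-one,
    # so the stored bits do not determine the original feature vector.
    return [int(sum(w * x for w, x in zip(row, features)) >= 0)
            for row in projection(app_key, len(features))]

def distance(a, b):
    # Normalised Hamming distance between two protected templates.
    return sum(x != y for x, y in zip(a, b)) / len(a)

def verify(stored, probe_features, app_key, threshold=0.25):
    return distance(stored, protect(probe_features, app_key)) <= threshold

def demo():
    rng = random.Random(2024)  # constructed sample data, not real biometrics
    enrolled = [rng.gauss(0, 1) for _ in range(128)]
    same_user = [x + rng.gauss(0, 0.1) for x in enrolled]  # noisy re-capture
    impostor = [rng.gauss(0, 1) for _ in range(128)]
    bank = protect(enrolled, b"bank-app-key-v1")
    clinic = protect(enrolled, b"clinic-app-key-v1")
    reissued = protect(enrolled, b"bank-app-key-v2")  # after compromise
    return {
        "genuine_accepted": verify(bank, same_user, b"bank-app-key-v1"),
        "impostor_accepted": verify(bank, impostor, b"bank-app-key-v1"),
        "cross_db_distance": distance(bank, clinic),
        "old_template_vs_new_key": verify(bank, same_user, b"bank-app-key-v2"),
        "reissued_accepted": verify(reissued, same_user, b"bank-app-key-v2"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Sign-thresholded projections are lossy, but published analyses of this family show that an approximate feature vector can be recovered when the key is disclosed together with the template, so the key needs the same protection as the template itself.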

For more information on the solution from the Biometric Research Laboratory (BRL), we refer all readers to the book published by our senior researcher, titled “Secure Biometric Face Recognition: A Case Study for Non-Reversible and Cancellable Biometric Transforms”.

More information on the implementation of biometrics based solutions can be requested from info@namibiabiometricsystems.com.

What you didn’t know about Biometrics: System Limitations

Securing biometric information and ensuring the privacy of personal identities is a growing concern in today’s society. Our previous articles have highlighted the limitations of traditional authentication schemes. Traditional authentication schemes mainly utilize tokens or depend on some secret knowledge possessed by the user to verify his or her identity. These traditional techniques have been very popular but have several limitations. Token-based and knowledge-based approaches cannot differentiate between an authorized user and a person who has access to the tokens or passwords. Knowledge-based authentication systems require users to remember and manage multiple passwords and PINs, which is inconvenient. The limitations of traditional authentication methods can easily be overcome by biometrics-based authentication schemes using fingerprints, face recognition, etc., which also offer usability advantages, since the user does not have to remember multiple passwords and their associated cards. It is likely that most people who hold more than one bank card have mixed up their PINs. However, despite its obvious advantages, the use of biometrics raises several security and privacy concerns as outlined below:

Biometrics is authentic but not secret: Unlike passwords and cryptographic keys that are known only to the user, biometrics such as voice, face, signature, and even fingerprints can be easily recorded and potentially misused without the user’s consent. There have been several instances where artificial fingerprints [14] have been used to circumvent biometric security

Biometrics is taking the Military by storm, both as a tool to fight war on the battlefield and as a means to more efficient business practices. Biometrics is now becoming an integral part of a soldier’s mission, allowing troops to identify potential threats and confirm the link between name and face.

Biometrics can enable the Military to achieve the following:

  • To identify an individual and associate that individual with certain actions.
  • To identify individuals’ associates and their activities or what they have been involved in.
  • To link events, such as an improvised explosive device at one place with one at another, and to help build a picture of what has happened.

Modern warfare takes place in urban environments, unlike conventional warfare, where the two sides face each other on the battlefield using weapons against each other. The Military needs to re-think how to approach warfare.

In the event that improvised explosive devices are discovered by the Military at various locations, the Military could take the following actions:

  • Enrol the fingerprints found on the improvised explosive devices into the database. Record vital information such as location, number of prints, etc.
  • Search for a match against the available criminal database. If a match is found, then they know the perpetrators.
  • If a match is not found, the Military can set up operations within the area where live biometric samples are obtained from individuals and compared against the stored fingerprints found on the improvised explosive devices.

Biometrics can be used in an effort to combat insurgent forces interspersed within an indigenous population. Biometric identification and tracking of individuals therefore becomes a core mission in such a war.

In addition to the above, the Military can use biometrics in its own facilities as a type of universal access: every member of the Military, their families and civilian employees have a common access identification card that is embedded with their fingerprints.

For example:

  • Use biometric technology to clear veterans who are receiving treatment at the veteran’s clinic for access to the base hospital.
  • Use biometric technology to provide keyless entry to sensitive areas.
  • Use biometric technology to confirm identities as they board foreign ships.

 


Biometric System Limitations

Securing biometric information and ensuring the privacy of personal identities is a growing concern in today’s society. Our previous articles have highlighted the limitations of traditional authentication schemes. Traditional authentication schemes mainly utilize tokens or depend on some secret knowledge possessed by the user to verify his or her identity. These traditional techniques have been very popular but have several limitations. Token-based and knowledge-based approaches cannot differentiate between an authorized user and a person who has access to the tokens or passwords. Knowledge-based authentication systems require users to remember and manage multiple passwords and PINs, which is inconvenient. The limitations of traditional authentication methods can easily be overcome by biometrics-based authentication schemes using fingerprints, face recognition, etc., which also offer usability advantages, since the user does not have to remember multiple passwords and their associated cards. It is likely that most people who have more than one bank card have mixed up their PINs. However, despite all the obvious advantages, researchers at the Biometric Research Laboratory (BRL) within Namibia Biometric Systems are keen to raise several security and privacy concerns as outlined below:

Biometrics is not a secret: Unlike passwords and cryptographic keys that are known only to the user, biometrics such as face and fingerprints can easily be recorded and potentially misused by biometrics experts without the user’s consent. Our researchers at BRL are keen to point out that there have been several instances where artificial fingerprints have been used to circumvent biometric security systems. Face and voice biometrics are similarly vulnerable to being captured without the user’s explicit knowledge. In contrast, tokens and knowledge have to be willingly shared by the user to be compromised.

Biometrics cannot be cancelled: Passwords, PINs, etc., can be reset if compromised. What about your biometrics? It is clear that tokens such as credit cards can be replaced if stolen. However, biometrics are permanently associated with the user and cannot be replaced if compromised.

Compromised biometrics: Biometrics provides usability advantages since it obviates the need to remember and manage multiple passwords. However, this also means that if a biometric is compromised in one application, essentially all applications where the particular biometric is used are compromised.

Tracking: Because the same biometric is likely to be used for various applications and locations, the user can potentially be tracked if organizations collude and share their respective biometric databases, whereas traditional authentication schemes require the user to maintain different identities, which prevents tracking. The fact that a biometric remains the same presents a privacy concern.

To circumvent the limitations of biometrics, researchers at BRL published a book titled “Secure Biometric Face Recognition: A Case Study for Non-Reversible and Cancellable Biometric Transforms”, which is available on Amazon. The next article will provide a high-level solution to the limitations of biometrics.


Accuracy in Biometric Systems

Although biometric technology is characterised by providing strong user authentication, there is very little informative discussion of accuracy in the biometric industry. There is also very little understanding of what accuracy means in a real-world environment as opposed to a laboratory environment. Most vendor statements on accuracy bear little relevance to the real-world performance of biometric systems. That is, most commercial and government organisations generally employ biometric systems without any knowledge or understanding of the real-world accuracy of the systems.

The lack of discussion and understanding of the real-world performance of biometric technology is due to the fact that biometric companies primarily concern themselves with performance in highly controlled environments. That is, biometric companies often assess their technology’s accuracy by using static or artificially generated templates, images and data, not by processing live data. When biometric companies perform tests using actual users, the test environments do not generally replicate operation with untrained or poorly motivated subjects, as are often found in real-world deployments. The sample population used during the testing phase tends to be very general and has very little similarity to the target population and environment.

Basic algorithm testing is a necessary step in the development of any technology, and most biometric technologies have proven their theoretical capabilities in a closed, controlled environment. However, it is necessary to evaluate and assess the capabilities of biometrics as a solution to problems in individual and institutional authentication, not just as a developmental technology. In order for companies to be comfortable in deploying biometric technology, statements on biometric accuracy must reflect operation in real-world environments. The key performance metrics in biometrics, such as false match rate, false non-match rate, and failure-to-enroll rate, must be well understood and explained. No single metric indicates how well a biometric system or device performs; the analysis of all three metrics is necessary to assess the performance of a specific technology. In addition, biometric system performance is affected by a variety of external factors. These performance metrics must be assessed in the context of their usage and deployment environment. Assessing accuracy without understanding the reasons behind a company’s biometric deployment or the rationale for an individual’s biometric usage is largely fruitless.
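
How the three metrics interact, as an added example that is not from BRL or any vendor: the score lists, enrolment counts and thresholds are constructed sample data, and the "turned_away" figure is a derived quantity introduced here to show why no one metric is sufficient on its own.

```python
def metrics(genuine, impostor, enrol_attempts, enrol_failures, threshold):
    """FMR, FNMR and FTE for similarity scores (higher = closer match)."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    fte = enrol_failures / enrol_attempts
    # Users who failed to enrol never produce a genuine score, so the share
    # of legitimate users turned away combines FTE and FNMR.
    turned_away = fte + (1 - fte) * fnmr
    return {"FMR": fmr, "FNMR": fnmr, "FTE": fte, "turned_away": turned_away}

# Constructed sample data, not measurements from any real system.
LAB = dict(  # trained, cooperative test subjects
    genuine=[0.91, 0.88, 0.93, 0.85, 0.90, 0.87, 0.95, 0.89, 0.92, 0.86],
    impostor=[0.20, 0.35, 0.15, 0.40, 0.25, 0.30, 0.10, 0.45, 0.22, 0.33],
    enrol_attempts=50, enrol_failures=0)
FIELD = dict(  # untrained users in the deployment environment
    genuine=[0.91, 0.62, 0.78, 0.55, 0.83, 0.49, 0.88, 0.71, 0.66, 0.58],
    impostor=[0.20, 0.52, 0.35, 0.61, 0.44, 0.30, 0.57, 0.48, 0.25, 0.66],
    enrol_attempts=50, enrol_failures=4)

def operating_table(dataset, thresholds=(0.50, 0.60, 0.70)):
    """Metrics at several thresholds: raising it trades FMR for FNMR."""
    return {t: metrics(threshold=t, **dataset) for t in thresholds}

if __name__ == "__main__":
    for name, data in (("lab", LAB), ("field", FIELD)):
        for t, m in operating_table(data).items():
            print(name, t, {k: round(v, 3) for k, v in m.items()})
```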

Researchers at the Biometric Research Laboratory (BRL) within Namibia Biometric Systems (NBS) made the astonishing discovery that the majority of institutions employing biometric technologies in third world countries have limited knowledge of, or do not know, how accurate the biometric technology they are deploying is. Most technology companies employ highly skilled individuals to market their products. However, most commercial and governmental organisations have limited skills and knowledge with which to make an accurate, independent assessment of the technology in relation to their needs.


Importance of Biometrics

The main aim of biometrics is to overcome the limitations of the old traditional access controls for people. The extent to which biometrics overcomes these limitations can be affected by how biometrics is implemented, the biometric algorithms, and the algorithm implementer. These are important factors which must not be overlooked. More traditional means of access control include token-based identification systems, such as a driver’s license or passport, and knowledge-based identification systems, such as a password or personal identification number. In particular, traditional methods have the following limitations:

Weak passwords are easy to guess (by a non-legitimate user) and difficult passwords may be hard to remember (by a legitimate user). This could lead to a security breach where personal or business secrets are stolen by an outsider.

Sharing credentials with colleagues is common: a computer user shares his or her password with a colleague who requires access, even though, in most organizations (and in many security-related laws and regulations), this is forbidden by policy.

User convenience may not be possible using traditional security techniques. For example, users maintaining different passwords for different applications may find it challenging to recollect the password associated with a specific application.

Lost key cards can easily be obtained by non-legitimate users. Often they have the name of the organization on them, so it’s like finding a key with an address on it, permitting the person who found it a free after-hours tour of the organisation.

Sophisticated criminals have acquired great expertise in circumventing the old identification systems. This has resulted in a global rise of identity fraud and theft and the use of sophisticated means to evade detection.

It is vital to realise that the above limitations may also apply to a biometric solution if it is not implemented with strict guidelines and if it does not adhere to international standards.

By using biometrics it is possible to establish an identity based on ‘who you are’, rather than on ‘what you possess’ (e.g., an ID card) or ‘what you remember’ (e.g., a password). Biometrics is based on physiological and behavioural characteristics. Physiological characteristics include fingerprints, hand geometry, facial image, retina and iris. Behavioural characteristics are actions carried out by a person in a characteristic way and include signature, voice pattern, keystroke sequences and gait (the body movement while walking).

Researchers at Biometric Research Laboratory (BRL) within Namibia Biometric Systems (NBS) recommend that it is vital to understand biometrics implementation guidelines and international standards prior to implementation. Biometrics should not be treated like a black box. This ensures that the limitations of traditional security methods are eliminated.
