Common Mistakes when Implementing Biometrics Based Systems

Biometric identification is now integral to security and information management in both private and government applications, where it is used to reduce risk and improve business efficiency.

The first step in implementing a biometrics solution is being able to select a suitable biometric system that meets predefined criteria. It is important to understand not just the differences between the biometric systems, but also which factors matter most for a particular environment and target population. There are a large number of biometric technologies and applications available. For example, usability may be more important than uniqueness for clocking into an engineering plant, whereas uniqueness is likely to be the main consideration in a corrections facility. The factors to consider are:

Universality – How common is the biometric characteristic? Every individual accessing the application should possess the trait. For example, signature biometrics might not be suitable for illiterate users who may not be able to sign. Similarly, a biometric system may not be able to acquire meaningful biometric data from a subset of individuals, resulting in a failure to enroll (FTE) error. For example, a fingerprint system may fail to operate on some individuals because of the poor quality of their fingerprints.

Uniqueness – It is desirable that the given trait is sufficiently different across the individuals comprising the population. It is critical to understand how similar a biometric characteristic is to that of others, and therefore how likely it is to be mistaken for another. One of the most common biometric questions is that of uniqueness: how unique is a human face, a human fingerprint or DNA? Such a measure is important when assessing biometric system vulnerabilities, especially as a measure of the strength of biometric cryptosystems and of privacy protections.

Permanence – It is desirable that the biometric trait of an individual is sufficiently invariant over a period of time with respect to the matching algorithm. It is therefore vital to understand the extent to which the trait remains unchanged over a lifetime. For example, signature biometrics have low permanence, because a handwritten signature tends to vary over time, and it is also vulnerable to direct attacks using forgeries.

Collectability – It is desirable that the biometric trait can easily be captured using suitable devices that do not cause undue inconvenience to the individual. For example, face recognition might be convenient for the authorities to recognise a suspected criminal from a distance, while a retina scan would be inconvenient for the police. It is also important to understand whether the biometric technology will operate indoors, where lighting, temperature and other variables are controlled, or outdoors, where conditions are more variable.

Performance – It is desirable that the associated technology is robust in terms of speed. Different biometric technologies can perform human verification at different speeds. In addition, a biometric system operating in verification mode (one-to-one comparison) is significantly faster than a similar system operating in identification mode (one-to-many search). See the previous articles for reference.

Acceptability – Individuals in the target population who will use the application should be willing to present their biometric trait to the system. It is important to be familiar with the target population that will be using the biometric solution. For example, are they members of the general public with a mix of ethnic backgrounds and education levels and a variety of attitudes?

Circumvention – How likely is it that a person could find a way around the technology and thereby gain unauthorised access? Assessing this requires a good understanding of the false acceptance rate and false rejection rate, which were introduced in the previous articles.

More information on the implementation of biometrics based solutions can be requested from

An Introduction to Statistical Measures of Biometrics

The main aspect used to measure or evaluate the performance of a biometric system is its accuracy. From the user’s point of view, an accuracy error occurs when the system fails to authenticate the identity of a registered person, or when the system erroneously authenticates the identity of an intruder. Just as we can measure the fuel consumption of a car, biometric systems have their own performance measures, which traditional authentication methods based on Something You Know or Something You Have do not have.

To know whether a car has good fuel economy, we look at how much fuel it consumes per kilometre on average and compare that with our expectations or some other accepted measure. Knowing what a performance measurement means is therefore very important. The statistical performance measures employed for biometrics are:

  • FAR (False Acceptance Rate)
  • FRR (False Rejection Rate)
  • FTE (Failure to Enroll)
  • EER (Equal Error Rate)

False acceptance rate, or FAR, is the measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user. For example, if Mr. A goes to a biometrics system and claims to be Mr. B, Mr. A has just made a false claim that he is Mr. B. The biometrics system then measures Mr. A’s biometric for verification. If the biometric system agrees that Mr. A is Mr. B or matches Mr. A to Mr. B, then there is a false acceptance. The reason why this can occur will be discussed in later articles.

False rejection rate, or FRR, is the measure of the likelihood that the biometric security system will incorrectly reject an access attempt by an authorized user. For example, if Mr. B goes to a biometrics system and claims to be Mr. B, then Mr. B has just made a true claim. If the biometric system does not match Mr. B to Mr. B, then there is a false rejection. The reason why this can occur will be discussed in later articles.

Failure to Enroll Rate, or FTE, is the measure of the likelihood that the biometric security system will fail to enroll a user. For example, Mr. A attempts to have his biometric trait enrolled, but the system is unable to enroll him. The reason why this can occur will be discussed in later articles.

Equal Error Rate, or EER, is the error rate at the decision threshold where the FAR equals the FRR. Because it summarises the FAR/FRR trade-off in a single figure, it is a very important measure for comparing biometric systems. The reason why this trade-off occurs will be discussed in later articles.

Why Use Biometric Authentication

The primary aim of biometrics is to overcome the limitations of traditional access controls for humans. Traditional means of access control include token-based identification systems, such as a driver’s license or passport, and knowledge-based identification systems, such as a password or personal identification number. In particular, traditional methods have the following limitations:

Weak passwords are easy to guess (by a non-legitimate user) and difficult passwords may be hard to remember (by a legitimate user). This could lead to a security breach in which personal or business secrets are stolen by an outsider.

Sharing credentials with colleagues is common even though policy forbids it: a computer user shares his or her password with a colleague who requires access, although in most organizations (and under many security-related laws and regulations) this is prohibited.

User convenience may not be achievable using traditional security techniques. For example, users maintaining different passwords for different applications may find it challenging to recall the password associated with a specific application.

Lost key cards can easily be obtained by non-legitimate users. Often they have the name of the organisation on them, so it is like finding a key with an address on it, permitting the person who found it a free after-hours tour of the organisation.

Sophisticated criminals have acquired great expertise in circumventing the old identification systems. This has resulted in a global rise in identity fraud and theft, and in the use of sophisticated means to evade detection.

By using biometrics it is possible to establish an identity based on ‘who you are’, rather than on ‘what you possess’ (e.g., an ID card) or ‘what you remember’ (e.g., a password). Biometrics is based on physiological and behavioural characteristics. Physiological characteristics include fingerprints, hand geometry, facial image, retina and iris. Behavioural characteristics are actions carried out by a person in a characteristic way and include signature, voice pattern, keystroke sequences and gait (the body movement while walking).

How Biometric Authentication Works

In general, biometric systems collect a sample of a physiological or behavioural characteristic and then, using an algorithm, translate the sample into a unique template. A template is the digital representation of a biometric characteristic. In many cases, characteristics are recorded as images, but for speaker recognition a waveform is recorded and for signature recognition, time series data. This phase is called enrollment, and the resulting template (the reference) may be stored in a central database or on a card (or both), depending on the needs of the application. The enrollment phase is similar to a user registering a password to protect access to valuable data such as an online banking account.

Once an individual has been enrolled, a matching algorithm compares the enrolled template with a new template, called the live template, created at the moment an identity is to be verified. When a stored template and a live template are compared, the system calculates how closely they match. If the match is close enough, the person is verified. If the match is not close enough, the person is rejected. Physiological or behavioural characteristics of non-legitimate users who are rejected could be stored and shared with local or international authorities. This is similar to a user claiming ownership of protected information and using their password for verification.

There are two modes of biometric recognition: verification and identification. In verification, an identity is claimed and the comparison process is limited to checking the reference corresponding to that identity (a one-to-one comparison). In identification, no claim of identity is necessary and the system searches its whole reference database to find whether any stored reference matches the biometric characteristics recorded (a one-to-many search).
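The two modes described above, as an added example that is not part of the original article. Templates are modelled here as 64-bit integers compared by the fraction of agreeing bits (a simplification of iris-code style matching); the gallery and live samples are constructed, and the function names are this example's own.

```python
# Added example (not from the original article): verification (1:1) versus
# identification (1:N) over a constructed gallery of enrolled templates.
# A template is a 64-bit integer; similarity is the fraction of equal bits.

BITS = 64

def similarity(a, b):
    """Hamming similarity of two templates: 1.0 means identical bit patterns."""
    differing = bin((a ^ b) & ((1 << BITS) - 1)).count("1")
    return 1 - differing / BITS

def verify(gallery, claimed_id, live, threshold):
    """Verification mode: only the claimed identity's reference is compared."""
    reference = gallery.get(claimed_id)
    if reference is None:          # unknown claim: nothing to compare against
        return False
    return similarity(reference, live) >= threshold

def identify(gallery, live, threshold):
    """Identification mode: every reference is compared; the best-scoring
    identity is returned only if it clears the threshold, else None."""
    best_id, best_score = None, -1.0
    for uid, reference in gallery.items():
        score = similarity(reference, live)
        if score > best_score:
            best_id, best_score = uid, score
    return best_id if best_score >= threshold else None

def identification_far(far_1to1, gallery_size):
    """Chance that at least one of N independent impostor comparisons is a
    false match, given the per-comparison FAR. This is why identification
    needs a stricter threshold than verification at the same FAR."""
    return 1 - (1 - far_1to1) ** gallery_size

# Constructed gallery of enrolled references (not real biometric data).
GALLERY = {
    "alice": 0xA5A5A5A5A5A5A5A5,
    "bob":   0x3C3C3C3C3C3C3C3C,
    "carol": 0xFFFF0000FFFF0000,
}
LIVE_ALICE = GALLERY["alice"] ^ 0x7        # alice again, 3 bits of sensor noise
LIVE_UNKNOWN = 0x0F0F0F0F0F0F0F0F          # someone who was never enrolled

if __name__ == "__main__":
    print(verify(GALLERY, "alice", LIVE_ALICE, 0.9))   # True
    print(identify(GALLERY, LIVE_ALICE, 0.9))          # alice
    print(identify(GALLERY, LIVE_UNKNOWN, 0.9))        # None
    print(identification_far(0.001, 1000))             # about 0.63
```

Note the last line: a per-comparison FAR of 0.1% becomes a roughly 63% chance of some false match when a live sample is searched against 1000 enrolled references.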

Planning for Biometrics Scenarios – Part 4

This article focuses on malicious software (malware) on a server that contains sensitive biometric information. This scenario happens hundreds or thousands of times each day around the world, and the impact of malware on a biometric server can be devastating. It is therefore critical to plan for this scenario. Planning must consider at least the following:

  • A clear definition of what constitutes malware.
  • Clear guidelines on the use of biometric systems.
  • A clear action plan to follow in an emergency situation.

The problem in this scenario is what you don’t know. Suppose you discover that a program with some sort of ill intent has been installed on a system containing your biometric database, and you don’t know for sure what that program may have done or had access to. In the worst case, it granted attackers direct access to that server (and possibly the rest of your network) and they downloaded all the information to see what they could do with it. All the information on that system may be in the hands of someone who intends to do you harm, and the biometric data in the database could have been compromised. The action plan to follow will depend on what the malware did to the database. If the biometric information was not compromised, all you need to do is eliminate the malware. On the other hand, if the biometric data was compromised, a strict action plan is required to ensure that the impact on the system and its users is minimal.

Any action on the biometric database must address the following:

  • What are the security requirements for the installation?
  • What is the legal, regulatory and public relations environment for the organization?
  • If the malware is well known to the antivirus/antispyware community, do you also know what it really does?

The other biometric scenarios to plan for are:

  • High security hosting, which focuses on a high volume of people requiring access to a highly secure facility, where access is granted if you are on a master list of authorized individuals.
  • Other entry access, which focuses on securing all the entry points to the facility, including side entrances.
  • Port of entry, which focuses on a high volume of people requiring access to a highly secure facility without the advantage of a master list of authorised individuals.
  • Biometrics limitation scenarios, which focus on situations where the chosen biometric technology may not be suitable.

Researchers at Biometric Research Laboratory (BRL) within Namibia Biometric Systems (NBS) will continue to further highlight the most common use scenarios and some possible pitfall scenarios for biometrics in the next few articles.