SWE577 2010F 1

Biometric Techniques for Personal Identification Ozan Can Çalı

Abstract - In the modern-day Information Era, various methods are used to recognize

and verify a person for performing actions such as access management and access

control in working places, in houses and on the internet. Formerly, these methods relied

on processes such as username- and password verification. Today, this kind of methods

that solely use non-intrinsic personality traits are not regarded as safe enough. Every

single person is differentiated from one another by means of their distinct physiological

and behavioral characteristics. Today, it is regarded as the optimum way to include

these distinct personality traits into personal identification processes.

I. INTRODUCTION

It is obvious that the constantly developing technology affects our world and everyday tasks

significantly. With the help of technology, we have become a more interactive society,

especially by the use of the Internet. This also brought some security issues regarding the

protection of the identity and data of individuals, since securing information on virtual

platforms is not always as safe and doubtless as keeping valuable papers in a safe as in old

times. Hence, security and protection of identity and valuable data should be of great concern

and should not be ignored.

Since improvements in technological fields let us share information and perform tasks more

easily, they also make it more difficult to maintain and manage access while protecting the

identity and data of the user.

II. IDENTITY THEFT

The most encountered crime causing the misuse of personal data is the so-called “identity

theft”, which covers a broad range of identification-based crimes that can be grouped into the

following categories:

Financial Identity Theft: By this kind of theft, usually your name and social security

number is stolen and used for buying telephone/internet service, personal loan, or for

car renting and application for credit cards etc.

Criminal Identity Theft: Upon coming across lawmakers, the thief provides the stolen

information instead of his/her own. Hence, the legal arrangements are issued in the

name of the innocent person whose information is stolen but not the imposter.

Business or Commercial Identity Theft: In this method, the imposter uses the name of

a business / the name of the business he/she is working for to get credit cards or loans.

Identity Cloning: The thief lives like the person whose identity information he/she has

stolen. This method is mostly preferred by the illegal aliens in a country.

Researches on identity theft show that in the USA between 2003 and 2006, the total number

of victims has decreased but the “quality” of the thefts has increased over time, meaning that

less people are affected by identity theft, but the lost value has increased1. This can prove that

1 cf. Bochkov, Y./Chiem J./Ying Sai, L. - Marymount University-LA, 2006. Use Biometric Techniques in

Combating Identity Theft

SWE577 2010F 2

the society has become more conscious about identity theft, but still the optimal required

precautions must be taken since the imposters tend towards thefts wherein more money is

involved.

Consequently, the most essential type of security that should be established in order to protect

personal data is the identification authentication, which is the verification process of the user

who he/she claims to be. The following sentence reveals an important distinction:

“Identification says who you are and authentication specifies what you can do with that

identity.”2

III. SOLUTIONS FOR IDENTITY THEFT

We can group the methods/tools used for identity authentication in three categories:

Something you know: This kind of information comprises passwords and PIN-codes,

which are required to be known by only one person. Its insecurity arises from the fact

that this kind of information can be easily stolen by imposters since it is not part of

personal characteristics. It is usually easy to guess as users tend to use passwords/PIN-

codes that are not complicated and easy to remember. A common issue is that people

usually create passwords similar to their birthdate or license plate numbers. Besides,

because of the increasing number of different passwords used by individuals for every

other platform, their management gets more difficult over time.

Something you have: These include smart cards, pass-cards, smart cards or ID-grid

cards that are owned by only one individual. This has the similar problem as above;

they can be easily stolen or get lost.

Something you are: This kind of identity authentication techniques composes

“biometrics”. The information involved in these techniques is a part of the user and

thus cannot be forgotten or easily replaced, preventing thefts. Hence, biometrics can

also test whether the rightful owner is trying to access to the data.

In most security systems, two or more of these methods, as well as more than one biometric

method are combined for enhanced security.

In this paper, biometric techniques for identity authentication are detailed.

A. Biometric Techniques

Today, techniques for personal identification increasingly base on biometric techniques or on

their combination with other techniques mentioned above. Biometric features of people are

very diverse and each of them is unique to that person, which makes it more secure than other

techniques. Biometric characteristics are studied in two groups:

Physiological biometrics

Behavioral biometrics

Physiological biometrics is rather tangible; they relate to the shape of users body. Most

common examples of physiological biometrics are fingerprint, palm-print, hand geometry,

face recognition, ear recognition, retina- and iris recognition, odor/scent and DNA.

2 http://www.itrportal.com/absolutenm/templates/article-storage.aspx?articleid=1613&zoneid=21 – access on

19.11.2010

SWE577 2010F 3

On the other hand, behavioral biometrics relate to the behaviors of the user in certain fields

such as typing rhythm and gait of the user.

Theoretically, voice of a person is also a physiological feature since everyone has a unique

vocal tract, but voice recognition is mainly based on the way a person speaks, therefore is

considered as behavioral biometrics.

Biometric systems have two operation modes: In the first mode, the collected samples are

enrolled by the user and the templates created therefrom are stored in the database. In the

other mode, the user presents his/her characteristics and a match with the pre-enrolled

templates is searched in the database.

1) Physiological Biometrics The most widely used biometrics technology for personal identification is the fingerprints. Its

individualization rate is amongst the highest. In this technique, the distinct protrusions and

recesses on the outermost skin of an individual’s finger, portioned between the fingertip and

the first knuckle, are captured and distinguished. Fingerprints are grouped in two types: flat or

rolled. Flat fingerprints capture only the area at the center of the finger, while rolled

fingerprints additionally capture the details on sides of the finger.

Hand geometry is another extensively used biometrics technique, wherein approximately 90

dimensional traits of the hand of a person are captured. These include the width, height and

length of the fingers, shapes of the knuckles and the distances therebetween are measured.

The measurement devices are optical cameras and light-emitting diodes that create templates

out of two-dimensional images of the hand.

Facial recognition captures the facial traits of one’s face wherein the traits include the

position of the eye socket and the distances of the main bones and features of a face. The main

disadvantage of facial recognition is that the images of a face can vary greatly under any other

condition such as the facial expression, the angle or the ambient light. Another problem is that

faces of people change a lot in the course of time. It is reported that even the best facial

recognition algorithms have error rates of nearly 50 percent when inspecting images of the

same face taken one year apart; the rates excluding the above-mentioned disadvantages3.

Besides, facial recognition is not as distinctive as the other physiological biometrics since

different faces can share similar characteristics (as in the identical twins).

Retinal scanning is performed by electronically scanning the retina of the eye. It analyzes the

characteristics of the blood vessels at the back of the eye. Retina is scanned by low-intensity

light and an optical reader records the provided data, which is highly accurate. During the

retinal scanning process, the user removes glasses and holds still for 15 seconds for the device

to perform the scan. Retinal scan is the most accurate and one of the most secure biometrics

technique since every retina is unique and it is almost impossible to replicate a retina. The

main disadvantages of retinal scanning are the high costs of the required devices and the

hardness of its implementation. Therefore, retinal scanning is mostly used in high-security

facilities instead of public areas such as universities and hospitals.

3 Sandy Pentland of the Massachusetts Institute of Technology and Jonathon Phillips of the National Institute of

Standards and Technology

SWE577 2010F 4

Iris scanning is the process of taking a high definition picture of the colored portion of the eye

that surrounds the pupil. Iris of an individual can comprise up to 200 distinctive

characteristics, as opposed to 13 to 60 for other biometric technologies. Iris is so distinctive

that even the same person can have different iris patterns in each eye. These characteristics of

iris makes iris scanning extremely accurate that "the entire planet could be enrolled in an iris

database with only a small chance of false acceptance or false rejection."4 On the other hand,

the high costs of iris scanning process and the lack of ease-of-use for the user make it

undesirable.

2) Behavioral Biometrics Behavioral biometrics are usually utilized as complementary to “something you know” or

“something you have”. Dynamic signature verification is one type of behavioral biometrics. It

is used to recognize the changes in speed and timing of the user while signing on a special pad

or signing with a special pen. Although it is an important advantage that it is hard to imitate

the way someone signs, the frequently faced variations in how people put signature under

different conditions such as elderliness, stress or sickness makes this technology impractical.

Keystroke dynamics is a type of behavioral biometrics similar to the dynamic signature

verification. This time, it accompanies the password the user enters through an input device

such as keyboard by measuring the typing speed of the user and the interval between two

keystrokes. Since the speed of the user most probably changes over time or the user does not

enter his/her password with the same speed and tempo every time, the system periodically

calculates the average speed and tempo of the user after it collects sufficient data and this

provides the false rejection rates to be reduced. The main advantage of keystroke dynamics is

that it does not try to replace any existing technology; it just tries to enhance the level of

security in facilities that utilize password protection, which is the most common security

method in today’s technology era. It is also a cheap technology since no additional hardware

is required and the technology is implemented only by means of a software.

Voice recognition is another extensively used biometrics technique. A predetermined phrase

spoken by the user is matched with the one in the database and when the adequate matching is

provided, the user is identified. It is widely used because it is a relatively inexpensive

technology and is easy-to-use. On the other hand; although it cannot be easily imitated, it is

easier to steal the required “pass phrase” from the user by i.e. secretly recording it without the

user realizing and afterwards, the system can be faked without even requiring the user to be

present in the identification process. The voice recognition technique can also be unreliable

especially in noisy environments.

4 cf. Bochkov, Y./Chiem J./Ying Sai, L. - Marymount University-LA, 2006. Use Biometric Techniques in

Combating Identity Theft

SWE577 2010F 5

B. Error Probabilities

In an identity authentication process, there are mainly three cases that are tried to be reduced:

False Acceptance Rate (FAR) refers to the probability that the identification system

unintentionally authorizes the entrance attempts that should have been rejected.

False Rejection Rate (FRR) refers to the probability that the identification system does

not authorize the appropriate entrance attempts.

Failure to enroll (FTE): Depending on the used biometrics technology, the enrollment

process can sometimes be troublesome substantially depending on the poor quality of

the input. For instance, in an iris recognition system, recognizing the iris of a user

wearing sunglasses can end up with erroneous and deficient results. This consequently

causes FRR.

As might be expected, FAR and FRR contrast with each other and the optimal way to solve

the contradiction therebetween is to elaborately adjust the determination threshold that

regulates the similarity between the template stored in the system and the input (which base

on the so called Receiver Operating Characteristic (ROC)). Namely, if the detection threshold

of the system is too low, the number of false non-matches between the template and the input

will be reduced, but the false accepts will be increased. In contrast, when the threshold is set

too high, the system will hardly accept any entrance attempts. Of course, in systems that need

higher security and thus have no tolerance for any false acceptance, the threshold should be

set very high, which may result in a lot more false rejection rates but make the system more

secure by not allowing any unauthorized user.

The optimal threshold value for a system is equalized to the equal error rate – EER (also

called crossover error rate – CER), which is obtained from FAR-FRR Diagram, the visual

presentation of the FAR-FRR figures calculated at different threshold values. The EER is the

value of the intersection point between the FAR and FRR curves (Figure 1).

SWE577 2010F 6

Figure 1 - Error-Sensitivity Diagram of FAR and FRR. The point indicates EER

5

The efforts for minimizing the conflicts between FAR-FRR are mainly achieved by using

combined biometrics. For example, in a research conducted in Alexandria, the combined

application of face and ear biometrics resulted in an overall performance rate of 96.67% when

using a 0.995 threshold, which makes it more accurate than most of the biometric techniques.

In this research, there are a total of 300 entrance attempts, 200 of which are fraud attempts

and only 100 of which are authorized attempts. In Figure 2, we see that at low threshold

values, the number of FAR cases is high (59) and gets lower as the threshold value increases.

On the other hand, at high threshold values, there are no FAR cases but the number of FRR

cases is gradually increased.

Figure 2 - System Classification at Different Thresholds [5]

C. Comparison of Biometric Technologies

Biometric techniques are measured and compared by four main characteristics: their

permanence, performance, uniqueness and acceptability. Facilities employ these systems

according to their needs and the comparison of biometric technologies gives them a good

clue: If the security is not required to be extremely high and the identification process is

performed many times in a day, which is usual in libraries and cafeterias, the facility tend to

prefer the biometric technique which is faster and more accepted by the users but not as

5 http://www.biometricsdirect.com/Biometrics/biometricsterms.htm - - access on 02.01.2010

SWE577 2010F 7

highly secure as the other biometric techniques. Figure 3 shows the level of various features

of different biometric techniques. As it is seen, acceptance of the users and the overall quality

of the biometrics in terms of security often contradict with each other.

Biometrics Permanence Performance Uniqueness Acceptability Fingerprint H H H M

Hand Geometry M M M M

Retinal Scanning M H H L

Iris Scanning H H H L

Facial Recognition M L L H

Dynamic Signature L L L H

Keystroke Dynamics L L L M

Voice Recognition L L L H

H= High, M= Medium, L= Low Figure 3 - Comparison of Various Biometric Techniques [4]

For example, fingerprinting process is considered highly secured whereas users are not very

fond of it because of hygiene reasons. On the other hand, voice recognition is usually not that

effective but is widely accepted by the users since it is a rather easy process just to say a

word. But in the end, the security concerns overcome the comfort of users: Fingerprint, hand

geometry, iris scanning and retinal scanning are widely used in biometric security systems

(Figure 4).

Figure 4 - Usability-Security Comparison of Various Biometric Techniques

6

6 URL: http://www.hitachi-ics.co.jp/product/english/about_fv.htm - access on 01.01.2010

SWE577 2010F 8

The disadvantages of biometric techniques for personal identification are not much security

related; they are rather ethics- or cost related or caused by the lack of ease-of-use. In most of

the biometric technologies, most notably in fingerprinting and hand geometry, people

sometimes feel uncomfortable since they feel like being treated as criminals when their

fingerprints/hand geometry/iris/retina characteristics are captured for security purposes. The

discomfort caused by the fact that collecting personal data of people is also a major problem

about biometrics. Another concern is that the devices to collect fingerprint/hand images are

extensively used every day and that may cause sanitary problems. Problems with the iris- and

retinal scanning arise from the fact that the user should stand very still during the scanning

and should not wear glasses or contact lenses, which make these techniques impractical.

Another example for the difficulty of enrollment for the biometric techniques is that elderly

people often have worn-out fingers which make the fingerprint and hand geometry techniques

useless for them. Apart from these, some biometrics are disliked by forensic medicine as they

left no trace; for instance iris is not (and naturally cannot be) left as evidence by criminals on

the crime scene when an incident breaks out with an iris recognition-biometrics system.

IV. CONCLUSION

Technology is the emerging tool for any other field in our daily lives and the security of

important data as well as identification/authorization of individuals is done by means of

technology. Usernames and passwords as well as keys/cards – in other words, “something we

know” and “something we have”- are intensively used for these purposes. However,

management of these passwords/cards are hard; people often get frustrated when trying to

keep in mind a lot of different passwords or keeping the entrance card with them all the time.

Besides, these techniques are often vulnerable to theft; they can be easily stolen or cloned.

On the other hand, “something we are” is always more advantageous since it cannot be stolen

or forgotten. Besides, its uniqueness makes it more secure than any other personal

identification technique and thus, the system cannot be easily tricked when biometric

techniques are utilized. Nowadays, multimodal biometric systems are utilized wherein more

than one biometric technology is combined, enhancing the security.

SWE577 2010F 9

V. REFERENCES

[1] Wikimedia Foundation, Inc. - Biometrics [16 November 2010]. Available from Internet:

<URL: http://en.wikipedia.org/wiki/Biometrics>

[2] Wikimedia Foundation, Inc. - Identity Access Management [16 November 2010].

Available from Internet:

<URL: http://en.wikipedia.org/wiki/Identity_access_management>

[3] IT Reseller Magazine - Biometrics: how do they work and what should we be asking [14

November 2010]. Available from Internet:

<URL: http://www.itrportal.com/absolutenm/templates/article-

storage.aspx?articleid=1613&zoneid=21>

[4] Bochkov, Y./Chiem J./Ying Sai, L. - Marymount University-LA, 2006 - Use Biometric

Techniques in Combating Identity Theft. Available from Internet:

<URL: http://www.academic-papers.org/ocs2/session/Papers/D7/843.doc>

[5] Hamdy, N./Ibrahim, H./El-Habrouk - M. Electronics & Communication Department,

Arab Academy of Science & Technology, Alexandria, Egypt, 2009 - Personal

Identification Using Combined Biometrics Techniques

[6] Iris Recognition PowerPoint Presentation – Natalia Schmid and John Daugman

<URL: www1.cs.columbia.edu/~belhumeur/courses/biometrics/.../IRIS_long.ppt>

[7] Masek, Libor – The University of Western Australia, 2003, Recognition of Human Iris

Patterns for Biometric Identification, page 1, 2, 27