biometrics 101 · in general, modern fingerprint scanners have a far of 0.001% and a frr of 0.1%,...
TRANSCRIPT
Biometrics 101 -
Getting started with biometrics can be a daunting task. There are
so many aspects to consider when choosing a biometric modality.
Our goal with this ebook is to make that process easier by giving
you a 101 crash course into biometrics.
Below, we will walk you through what to consider when choosing
a biometric modality and explain pros and cons of palm-vein, face
recognition, fingerprint, iris and voice. Finally we end with some
thoughts around privacy and sanitation. Hope you enjoy thing
quick guide. If you have any thoughts or question let us know.
K E Y O . C O 2
What Makes a Good Biometric? Broadly speaking, a biometric is any measurable biological factor.
Images, hair length, shoe size, voice pitch. However, any biometric
that is useful for precise identification must have the following
four qualities:
K E Y O . C O 3
Easy to collect -
The biometric data should be easily captured
from users without extensive training needed or
highly specific conditions.
Distinctively -
The trait must be highly unique within
significant populations of people. Non-distinctive
traits lower key efficacy around identification
speed and accuracy.
Permanent -
The constant nature of a trait is important. The
more a trait changes over time, the less accurate
it will be as a long-term identifier.
Universal -
Any person should possess the trait.
K E Y O . C O 4
Choosing the optimal biometric - Fingerprints, iris patterns, face patterns, heart beat, voice,
vein patterns, behavior - these are some of the more popular
biometrics on the market today. They are utilized for a diverse
range of purposes including identity verification, customer
convenience, security, anti-fraud, anti-theft, humanitarian
response, and surveillance.
Any biometric solution on the market that fulfills the four
qualities listed above should then be compared using the
following secondary qualities:
K E Y O . C O 5
Cost -
The cost associated with implementing a given
technology, related to production and shipping
costs as well as competition in the market.
Acceptability -
How likely people are to use and trust a
biometric technology or the user experience tied
to it.
Resilience -
Quality of light, temperature, weather, or other
environmental concerns such as the presence of
oil or dirt should not significantly affect the
reliability of a biometric technology.
Safety -
Use of a biometric technology should be safe,
non-invasive, and hygenic. Any technology
should provide safeguards respecting physical
K E Y O . C O 6
safety as well as personal information security.
Legality -
The biometric technology should comply with all
legal restrictions and standards in the relevant
areas of operation.
Speed -
The biometric technology should function
quickly to reduce unnecessary friction at the
point of interaction.
You’ll find a helpful matrix with both sets of qualities at the end of
this document. We hope it helps you categorize the solutions you
are exploring. Of course these comparisons depend heavily on the
intended use case for the technology. Palm-vein technology
requires close proximity and so couldn’t be used for surveillance,
for example. Similarly, facial recognition is less acceptable in
cultures where covering the face is common practice.
Now let’s dive deeper some of the biometrics modalities:
K E Y O . C O 7
Palm-Vein -
Palm-vein technology is a relative newcomer to the
biometric scene. Developed in 2011, palm-vein uses near infrared
light to create a unique image of the blood flowing through the
vein structure of a user’s palm.
Palm-vein is nowhere close to as established as fingerprint or iris
scans. Palm-vein has been used for years throughout Japan on the
basis of its security, primarily by banks and at ATMs (though also
occasionally by public libraries). The technology also expedites
security in airports.
Keyo is the only company currently building a consumer-focused
network around palm-vein technology. We're replacing keys,
cards, tokens, fobs, and tickets with a simple palm scan, as well as
offering software that makes it easy to integrate palm-vein into
existing systems.
How does it work?
K E Y O . C O 8
Palm-vein technology utilizes near-infrared light and the
hemoglobin in blood to map the internal vein structure of the
palm. Hemoglobin bonds with oxygen molecules as blood flows
through the lungs, distributing that oxygen to the tissues of the
body as it continues to circulate. Deoxygenated hemoglobin,
which is on its way back to the lungs, absorbs light in the near
infrared range at roughly 760nm. Palm-vein technology measures
those deoxygenated blood flow patterns, registering
approximately 5 million distinct points of reference.
Vein structure is unique to each individual and remains
highly stable throughout the lifespan. Like with fingerprint whorls,
patterns are determined by environmental factors in-utero and so
are unique between twins. Since it is internal, palm-vein
signatures are less susceptible to surface injury or contamination
than are other biometrics such as fingerprint or palmprint. It is
also virtually impossible to spoof using a flat image or a 3D model,
unlike facial recognition, iris, or print, which are frequently
“tricked” with copied biometrics.
Upsides -
Use of the Keyo terminal is very fast, it involves a .2 second,
contactless scan of a palm, a motion that is both easy and
K E Y O . C O 9
acceptable in diverse cultures and contexts. The technology is
relatively more accurate than other similar biometric technologies.
The following table compares several biometric on their False
Acceptance Rate (FAR) and False Rejection Rate (FRR). These
indicators define the security level of a biometric system (FAR) and
the usability of a biometric system (FRR).
K E Y O . C O 10
FAR = false acceptance rate: The probability that
the system incorrectly matches the input pattern
to a non-matching template in the database. It
measures the percentage of invalid inputs which
are incorrectly accepted.
FRR = false rejection rate: The probability that the
system fails to detect a match between the input
pattern and a matching template in the
database. It measures the percentage of valid
inputs which are incorrectly rejected.
In the case of Keyo, the probability of an
unauthorized person falsely gaining access (FAR
case) is about 0.00001%. And the probability of an
authorized person being incorrectly denied
access is about 0.01% (valid for 1:1 verification)
K E Y O . C O 11
Downsides -
As indicated above, palm-vein technology is limited by
proximity. The angle of the scan must also fall within a certain
range, and the scanner must capture the entire palm. Therefore,
the user must be near the terminal, presenting her palm forward.
When applied to a user-focused, consent-driven network,
however, these technological limitations should make palm-vein
significantly more acceptable than competing biometrics. The
motion provides a moment of friction commensurate with what
users would wish during a transaction, and it also requires a
measure of consent. A user must choose to scan, versus passive
identification that is possible with biometrics external to the body.
K E Y O . C O 12
Facial Recognition -
There’s something inherently appealing about Facial
Recognition as a biometric. It’s the one humans typically use to
identify each other, so there’s a strong convenience factor. There’s
a long-standing tradition of registering the face as a biometric
(think drivers licences and mugshots). Faces are also tied more
closely to identity than say a hand or an eye. A retinal pattern may
be unique, but it doesn’t speak to who we are and how we see
ourselves in the same way a face can.
How does it work?
Newer facial recognition technology uses 3D scanners to
register an image, making it viable under diverse lighting
conditions and from various angles. Images work best if registered
under ideal conditions initially. For secure systems a liveness test
might also require subtle movements in the face like blinking.
Though the technology is advancing quickly, facial recognition is
still significantly behind the competition in terms of accuracy. It
has the highest false acceptance rate (FAR) of any of the options
we’ll be covering here, at 1.3%, and also the highest false rejection
rate (FRR) at 2.3%. Liveness tests typically increase the FRR beyond
that baseline.
K E Y O . C O 13
Upsides -
Facial recognition is familiar, acceptable, even broadly
appealing on its surface. With a large enough scanner and good
lighting conditions during registration, the high-end options
provide significant security, especially in conjunction with other
forms of verification.
Downsides -
By far the most damning critiques of facial recognition
technology center not around security but possible infringements
on privacy and consent.
Certain information can be inferred from facial scans which
people may be less than fully comfortable sharing without explicit
consent. A recent Stanford University study found that a deep
neural network could learn to accurately detect sexual orientation
from 2D facial images. The computer program was 91% accurate
for men and 83% accurate for women, given five images. The
authors of the study saw a “threat to the privacy and safety of gay
men and women” exposed by their findings. A 2016 study found
that a deep neural network could learn to identify individuals with
criminal records with 89.5% accuracy given only facial images. The
K E Y O . C O 14
face can also potentially reveal certain medical information we
may not be comfortable casually associating with identity, such as
certain neurological or chromosomal diseases. With so much
camera technology already in place around the world, critics fear
facial information could be too easily accessible without an
individual’s consent.
In the near future we can expect facial recognition
technology to make significant strides and probably to stay
popular, but concerns about privacy and consent should only
continue to increase as well.
K E Y O . C O 15
Fingerprint -
Of all the biometric modalities, fingerprint has the longest history
and the most established infrastructure. Fingerprints are universal,
unique, widely acceptable, fairly permanent (they wear and scar),
familiar, and convenient. The biometric is usually registered as
part of an authentication system, including in most smartphones,
as well as part of an official identity in large government-funded
databases such as the FBI database and India’s Aadhaar program.
In general, modern fingerprint scanners have a FAR of 0.001% and
a FRR of 0.1%,
How does it work -
There are a handful of different types of fingerprint scanner.
I’m only going to touch briefly on three: capacitive, which can be
found in 99% of smartphones, optical, and ultrasonic. Low-tech ink
rolled images are also still widely collected, for example by local
police departments; and I mention that here only to dismiss it as
almost uselessly inaccurate, despite the best efforts of TV police
dramas. While none of these types have proven immune to
spoofing, they are often good enough for their purposes.
K E Y O . C O 16
Capacitive -
The system works by using electrical charge to measure the
ridges and valleys of the fingerprint to form a 3D model. Because
of the proximity required between fingertip and sensor, capacitive
scanners won’t work through glass or plastic. They also have
trouble with surface grime and oil. They are relatively inexpensive.
As previously mentioned, capacitive systems dominate the current
market.
A study by New York University and Michigan University
recently found that generic “masterprints” could be created which
would unlock 65% of smartphones. Still, in the absence of a
fingerprint reader, many smartphone users might not lock their
phones at all, for convenience.
Optical -
The system registers a high definition 2D image of the
fingerprint. Unlike capacitive scanners, these can be spoofed with
2D images, though spoofers would likely also need to circumvent
a liveness test. Optical sensors work through glass and plastic and
despite dirt, grime, and oil on the surface of the fingertip.
Currently optical sensors control a negligible percentage of the
market for consumer products like laptops and smartphones.
K E Y O . C O 17
Ultrasonic -
The system uses soundwaves to form a 3D image of both the
surface and subsurface of the fingertip, using technology similar
to an ultrasound during a pregnancy. It registers the most raw
data of the three types, making it theoretically the most accurate
but also greatly increasing the cost.
Upsides -
Cheap, familiar, broadly-acceptable, and well-established.
Downsides -
Fingerprints are strongly associated with criminal
background, and not all fingerprinting technologies are equally
accurate. Older methods often require rolling and pressing to get
a complete image, which produces unpredictable distortions and
noise.
A 2005 study found that even fingerprint experts employed
by the US criminal justice system had only a 44% success rate in
K E Y O . C O 18
matching a set of fingerprints to an individual, despite having all
ten fingers and thumbs for comparison. And because of the
widespread use of fingerprinting by governments, providing this
biometric can be a requirement for exercising important political
and economic rights, for example in certain Indian states, or for
traveling to certain countries.
Fingerprint verification is not accurate enough by itself for
security purposes.
K E Y O . C O 19
Iris -
Iris recognition is an automated method of biometric
identification that uses mathematical pattern-recognition
techniques on video images of one or both of the irises of an
individual's eyes, whose complex patterns are unique, stable, and
can be seen from some distance.
How it Works -
Iris scanners use near infrared light to photograph the ridge
pattern of the iris, a pattern both unique and complex enough to
be quite secure. The technology is well-established. Iris scans can
be spoofed by high-definition images and models, and so require
an additional liveness test. The FAR and FRR values come in at a
respectable 0.0001% and 0.01%
Upsides -
Iris patterns are unique and remain stable throughout life
(with the exception of severe eye damage, intraocular lens
implants, glaucoma, or cataracts). Once registered, verifying iris
information is quick and easy. Iris scans can conveniently identify
people wearing the naqab (burka) or other face veils. Production
K E Y O . C O 20
and supply chains are already established. The technology makes
up for many of the defects of fingerprint scanning, so the two are
often used in conjunction to increase accuracy and security.
Downsides -
Initial registration typically requires multiple scans, which can
be uncomfortable or annoying. In practice, the machines can be
annoying to adjust for different heights. Cheaper commercial
versions can be fooled with a high-definition image.
Controversy surrounding iris scanning revolves mainly
around privacy and consent, for two main reasons. First, providing
iris information is essentially compulsory for many people. In parts
of India, for example, exercising voting rights or collecting a
pension requires registration in the Aadhaar program. Law
enforcement agencies in many countries regularly register iris
information as a matter of protocol, without soliciting consent.
Second, several institutions claim to have developed long-range
iris scanners. While some laud its usefulness for law enforcement,
with the potential to find missing persons or prevent human
trafficking, others point to its potential for covert identification and
police-state repression.
K E Y O . C O 21
K E Y O . C O 22
Voice -
Voice biometrics are used in a number of different ways, for
convenient authentication, at call centers, for help desk
automation, as part of security system, and as a police
investigative tool. At Keyo we use it for customer support. We
verify the identity of callers during support requests to further
ensure we are only divulging any sensitive information to those
who should have it. For that service we use Fujitsu’s
Biometrics-as-a-Service (BIOaaS).
How it works -
It registers basic information related to a person’s physical
vocal tract - the shape of the larynx, mouth, and nose. This
information is conveyed by the waveforms of a person’s voice. It is
difficult, though not impossible, to disguise, and remains constant
regardless of language or content. Voice biometrics are used
primarily for authentication. They are roughly as accurate as
fingerprint technology, and even more so if the user is saying a
preassigned phrase.
K E Y O . C O 23
Upsides -
Identity can be conveniently verified over the phone.
Emergency services such as 911 can identify voices during
emergency situations. The addition of voice print technology can
improve security systems.
Downsides -
Voice biometrics are incredibly easy to give without consent.
Anyone who has ever given a recorded speak or posted a public
video could theoretically be identified without her knowledge
using her voice biometric. Agnitio’s VoiceID only needs 7 seconds
of speech for identification. As with fingerprint, iris scan, and
especially facial recognition technology, there is a need for greater
restrictions and guidelines to protect privacy and guarantee
consensual identification.
K E Y O . C O 24
Privacy and Consent - When dealing with biometrics privacy, consent and accuracy
are a big consideration. When biometric data is compromised by
overbearing governments or malicious actors, it can be easily used
in conjunction with existing camera networks for dangerous levels
of citizen surveillance and invasion of privacy.
External biometric identificators, such as iris, face, fingerprint
and voice often can often be captured and collected without a
person’s knowledge or consent. This poses serious areas of
concern, both from a security perspective as well as privacy. Under
Europe’s GDPR and similar legislations in the US, capturing
biometric data from users without “informed consent” is fineable
at tens of thousands of dollars per infraction. Unfortunately, there
is no way to guarantee with external biometric that this will not
happen.
A truly secure and private biometric identity system should
require explicit interaction in order for identification to take place.
This is why after reviewing all biometric modalities Keyo chose
palm-vein.
K E Y O . C O 25
Built on trust - Keyo Inc, offers a broad, user-centered, and consent-driven
biometric identity network, grounded in the safety and security of
palm-vein biometric technology. We are building a company that
reflects the world in which we want to live - one that brings the
convenience and security of biometrics without compromising
privacy, data security, and personal freedom.
Learn what we can do for you
Schedule a demo -
keyo.co/schedule-demo
Visit us at - www.keyo.co
Find us in Twitter / Linkedin /
Instagram / Facebook - @onlykeyo
K E Y O . C O 26
The Perfect Biometric
Solution Matrix -
Keyo #2 #3 #4 #5 #6 #7 #8
Easy to collect
Distinctive
Permanent
Universal
Cost
Acceptability
Legality
Resilience
Safety
Speed
K E Y O . C O 27