
http://www.ecommerce-guide.com/news/news/article.php/929651


Biometrics in the Digital Realm
By Don Sussis
November 27, 2001

How do biometrics work?
A series of measurements is taken from an individual's relevant characteristics (e.g., a finger, palm, or facial scan). These measurements are then converted into a digital template by an algorithm. The template is stored in one of several ways:

  1. Within the biometric device itself, such as a single thumb print scanner with memory and small database capacity. (Think of a PDA address book.)
  2. In a central location that is accessible from several locations in a closed loop architecture. (Think of multiple desktops connected to a server.)
  3. Externally, on portable media such as a smart card or other token retained by the user and submitted at the time of transaction. (Think of your ATM or phone card.)
  4. On a central database and downloaded to the biometric device from a distributed architecture. (Think of a wireless computer in a police car that can check an out-of-state license with an actual physical driver.)

After a template is stored, it is retrieved for comparison when someone wants to gain access to a system or a location. To do so, they interact with a scanning device, which takes a new sample of the relevant physical characteristic and compares it with the one stored during enrollment. If the two samples match, they are granted access. If not, access is denied. The process can be expedited by using a "hash function" and then checking back to the full template if there is a discrepancy.

There are also two main types of biometric scanning devices: 1) optical and 2) semi-conductive. Optical scanners are less expensive but less reliable. Smudges, for example, may interfere with results. In rare instances, oil from a fingerprint may be left on a scanner, thus enabling someone to re-use or reproduce the print at a later time. James Bond made use of this weakness by "lifting prints" and using them to access the computers of various villains.

Semi-conductive scanning eliminates this possibility because it detects biometric markers (such as the ridges and valleys of a fingerprint) by reading the differences in capacitance caused by electrical variations arising from the distance between them. An additional benefit of this technology is that it is heat sensitive (on a fine scale) and, therefore, knows the difference between a finger attached to a living person and one that is attached to a corpse or severed from one. This rules out some intriguing schemes found in Bond films, such as the fake eye used to gain access to nuclear warheads in "Never Say Never."

The use of templates means that it is not necessary to compare complete biometric measurements against one another. A simpler and more efficient method is to generate a number for each subject's measurements and then compare the numbers (which are expressed digitally). Using algorithmically generated numbers reduces storage, increases efficiency and makes for faster routing and searching. In cases of police or military surveillance, the authorities, rather than the individual, may handle "enrollment." This, for example, might be the case with facial templates made from photographs of suspected felons or terrorists.

One of the recurrent problems with non-biometric security solutions, such as passwords or magnetic strip cards (with or without PIN numbers), is that they control access but do not authenticate identity. Therefore, an unauthorized person or an impostor can gain access if they know the code or have the pass card.

At many airline terminals, for example, metal doors leading to the runway are controlled by a numbered keypad. Unless the combination is rotated regularly (which means re-distributing the combination and having personnel memorize it again and again), it is easy to determine the combination by looking for the most worn-out keys! So, too, is it possible, if you know the PIN number, to use someone's credit card without authorization. Obviously, anyone can use someone else's Metro-card with near impunity. The level of security can change dramatically with a biometric identifier because it can provide both verification and identification.

Verifying vs. Identifying
Verifying access is the simpler process. It is achieved by matching a stored template against a submitted template. The user usually calls up a template in machine memory by using a card, a password or a PIN. The system retrieves the template. The user then submits a "fresh sample." Template and sample are automatically compared according to criteria set up in the system. With a good algorithm, good quality templates, and a robust system, the comparison will be made quickly and a decision (yes or no) will be given. In some systems, access will permanently be denied after several unsuccessful attempts. In some cases, the "mismatch" may alert guards or the police.

This provides access but does not establish the identity of the user. It is more reliable than a simple PIN, password, or card in that it doesn't require memorization, is a greater deterrent to theft, and can limit the routine replacement of lost portable media.

A system operating in identification mode is quite different. In this case the user does not call up a stored template. Instead, the user submits biometric information through a scan and then asks the system to "identify them." This is much more complicated because the system must go back and search through its database to find a match. In effect the challenge is: "here is a template (created by the scan); go and find a match and tell me who it is!" Thus, the larger the database, the more difficult the task. Finding a match for members of an office staff of 3,000 is one thing; finding a match for a driver's license in a batch of 500,000 is another. Also, the more critical the mission, the more complex the algorithm should be (i.e., the more variables it should express) and, consequently, the more time and computing power will be needed to return a reliable and efficient decision.
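The difference between the two modes can be seen in a small sketch, added here as an illustration and not taken from the article. Templates are modelled as random 256-bit vectors compared by Hamming distance against a threshold; the template size, the threshold, the synthetic database and the per-comparison false match rate used afterwards are all assumptions.

```python
import random

BITS = 256       # template length in bits (assumed for this sketch)
THRESHOLD = 64   # largest Hamming distance still accepted as a match (assumed)

def hamming(a, b):
    return bin(a ^ b).count("1")

def noisy(template, flips, rng):
    """Simulate a fresh scan of the same person: a few bits differ."""
    for pos in rng.sample(range(BITS), flips):
        template ^= 1 << pos
    return template

def enroll(n, rng):
    """Constructed database: user id -> random template."""
    return {f"user{i}": rng.getrandbits(BITS) for i in range(n)}

def verify(db, claimed_id, sample):
    """1:1 mode: the card or PIN selects one template; one comparison."""
    stored = db.get(claimed_id)
    return stored is not None and hamming(stored, sample) <= THRESHOLD

def identify(db, sample):
    """1:N mode: no claim is made; returns (best id or None, comparisons)."""
    best_id, best_d = None, BITS + 1
    for uid, stored in db.items():
        d = hamming(stored, sample)
        if d < best_d:
            best_id, best_d = uid, d
    return (best_id if best_d <= THRESHOLD else None), len(db)

def false_match_chance(per_comparison_fmr, n):
    """Chance that at least one of n independent comparisons falsely matches."""
    return 1 - (1 - per_comparison_fmr) ** n

def demo():
    rng = random.Random(2001)            # fixed seed: repeatable run
    db = enroll(3000, rng)               # the office staff of 3,000
    sample = noisy(db["user42"], 20, rng)
    stranger = rng.getrandbits(BITS)     # someone who never enrolled
    return {
        "verify_genuine": verify(db, "user42", sample),
        "verify_wrong_claim": verify(db, "user7", sample),
        "identify_genuine": identify(db, sample),
        "identify_stranger": identify(db, stranger)[0],
    }
```

With an assumed false match rate of one in a million per comparison, `false_match_chance` gives roughly 0.3% for a search across 3,000 templates and roughly 39% across 500,000, which is why identification needs a stricter matcher than verification.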

In the next few articles, we'll take a look at some of the companies providing biometric-based security solutions, the issues of privacy vs. security, and the factors driving growth in this industry.

