Introduction and definition:
This blog entry is meant to provide a brief introduction to the field and go through some of the types and metrics. In addition, a brief discussion is included regarding the perceived primary advantage of biometrics and the cyberattacks that can be used to bypass its security protocols. Biometric security implementation is often referred to as the next stage of human authentication and while it might have been considered as part of a dystopian future of a highly surveyed society in the previous decades it is steadily gaining significant support.
Below follows a brief definition of this astonishing field of research. The discipline of Biometrics can be defined as the study and measurement of human characteristics, both physical and behavioral; which can be collected, stored, and utilized as part of an authentication process. It is a multidisciplinary research including in its midst the disciplines of biology, computer science, psychology, and advanced statistics.
Types of Biometrics:
Fingerprint scanners are by far the most popular biometric scanners ranging from the lower-end market scanners which simply scan the actual print (up to a certain degree of confidence) going up to the higher-end scanners with liveness detection, blood and vein processing, and multiple imaging. Currently, there is a plethora of biometric measurements intended both for companies, governments, and law enforcement agencies.
The Defense Forensics & Biometrics Agency (established in 2012) mentions the following physiological and behavioral types of biometrics used as an authentication process.
- Physiological Biometrics: Iris, Fingerprint (including nail), Hand Geometry (including knuckle, palm, vascular), Face, Voice, Retina, DNA.
- Behavioral Biometrics: Signature, Keystroke, Voice, Gait (movement and weight placement).
It is also mentioned that there are even some secondary physiological biometrics including: odor, earlobe, sweat pore, and lip scanning. However, I highly doubt that the latter physiological traits will be used in a commercial way in the near future. Although it would be fun to see how Apple or Samsung try to incorporate in innovative, futuristic commercials the earlobe, lip, or sweat biometrics for their flagship iPhone or Galaxy devices.
There are a number of metrics that measure the degree performance of biometric devices and algorithms. Biometric vendors, however, usually advertise two metrics: False Acceptance Rate (FAR) and False Reject Rate (FRR) - what in statistical science are often called Type I and Type II errors, and False Positive and False Negative in medical testing.
Other performance metrics used are the following:
- Receiver Operating Characteristic (ROC) which involves a cost/benefit analysis;
- Equal Error Rate (EER) which is a comparison analysis of the previous ROC metric;
- Failure To Enroll rate (FTE) and Failure To Capture rate (FTC); and the
- Template Capacity, which refers to the data storage.
As personal authentication defences increase through technological innovation, so do the cybercriminals’ adaptability to the emerging technology. Cybercriminals may utilize different kinds of attacks to breach biometric security measures, such as:
- Spoof attacks can be utilized to bypass the security in the data collection point.
- Artificially created biometric samples can be forged in order to “fool” the verification algorithm software.
- Cyberattacks on the database itself and the encryption algorithm can be used to ‘confuse’ the system.
The primary advantage of biometrics in an authentication procedure is uniqueness. Individual measurements are virtually unique to every person and, if used correctly, they can indeed provide an unparalleled degree of security. It is advertised that biometric measurements cannot be shared, lost, or copied. However, in the past years there have been reports that not only biometric security measures can be breached but also that the effects of the compromised security of this magnitude reaches far beyond a simple username and password hack. A compromised biometric fingerprint or iris scan will have personal and legal ramifications that far exceed a simple transaction or point-of-entry authentication.
When biometric data is transformed into digital data then it becomes apparent that no amount of encryption will be of much use if that data is compromised or stolen. Imagine how a customer or citizen will react if their information of such a highly personal nature was compromised. Given the fact that large corporations might have already granted a certain degree access to some governmental agencies regarding their customer’s personal information then biometrics by themselves reveal a brand new data privacy chapter. Should a password or credit card information be compromised one can easily replace it with a new one. Replacing fingerprints or a retina is, however, impossible to copy. Should that happens, then the compromised biometric measurements can be used by cybercriminals or even cyberterrorists to plant false data, frame, and conduct criminal activities under the guise of a law-abiding citizen.
However, research has shown that there are indeed ways to combat these occurrences from happening and even react to stolen or compromised biometrics. Scientists have developed an effective way of optimizing the authentication process by combining multiple measurements from a particular individual. These multi-modal biometric systems (or multi-level biometrics) utilize two or more biometric measurements in order to increase significantly the security level and accuracy of the procedure. Looking at the statistical analysis and correlation curve of the successful authentication rate one can see that a variable which includes combined measurements far exceeds variables of individual measurements. In other words, the sum of using at the same time both e.g. a fingerprint scanner and an iris or a vein recognition scanner is far superior that those individual measurements.
ABI Research will deliver more updates, insights, and products regarding Biometrics research in the following months in the Digital Security Practice. Insights will be dedicated to a plethora of issues ranging from specific cybersecurity threats, to product analyses, and even consumer reaction to biometric protocols.