Authenticated access to a system or facility has always been about determining the probability that the person attempting to gain access is who they claim to be. Traditionally – and this goes back long before computer systems were even dreamed of – authentication was proven on the strength of a shared secret or password. Sentries or custodians would issue a challenge in the form of “what’s the password?” Even today, it is the most popular and widely accepted form of authenticating a user on computer systems. Today, however, security technology wants to know more: it wants to know who you are, rather than just whether you can produce a password.
Passwords by their very nature are a problem when positively authenticating a person, because a password is a shared secret between the user and the system. This relies on the fact that it is actually a secret to start with, and that it is something that only you are likely to know. This is where passwords are flawed. Passwords must be remembered, which means users create passwords that are easily recalled. For everyday use on a family computer, this is sufficient. However, it is not the strongest method on a company’s secure server. System administrators enforce a strong password policy, but that does not address the major weakness, which is that a password is simply something that the person knows.
High security systems and facilities do not rely on “something you know” alone. They combine this question with a card or token that the access control system uses in conjunction with a password or PIN to provide another layer of security. This is termed two-part (or two-factor) authentication, as the security is now based on “something you know” and “something you have.” This authentication method is preferred by banks when a customer uses a bank’s ATM service. The customer presents an ATM card (“something you have”) and then the system challenges the customer’s identity with a PIN, or “something you know.” Of course, for this to be true two-part authentication, the PIN must never be stored on the card, whether encrypted or not. There must be no possibility that one part can be derived from the other.
Two-part authentication is a big step forward in securing a computer system or facility, as it requires someone who is fraudulently attempting to gain access to have both a physical item and a secret. It has worked well for banks for decades with measurable success. Customers have accepted the system and embraced ATM services and on-line banking, even though the bank has actually transferred its responsibility for security onto the customer. The bank unambiguously states that it is the customer’s responsibility to keep an ATM card safe and the PIN secret. This is because, as secure as two-part authentication is, it is not actually secure enough. This is where biometrics comes into the picture.
In the era before ATMs became commonplace, most people did personal banking through a local high street branch of the bank, which issued and held the customer’s account. The bank relied then on a signature and an item of picture identification such as a passport or driver’s license. If it was the customer’s local branch, then cash withdrawals could still take place even if the customer had no identification. This was possible through natural biometrics — the staff recognized the customer. This trumped the requirement for further identification, because personal recognition convinced the bank teller that the customer was who they claimed to be. This is the purpose of biometric systems — to recognize the person present and to determine with high probability that they are who they claim to be.
For any biometric security system to be fit for purpose, it has to have certain characteristics:
- Accuracy – a system must be able to tell an authentic person from an impostor. This is measured by the rate of false rejects (the system rejects an authentic person) and the rate of false accepts (the system accepts an impostor). The cross-over error rate is the point at which the two rates are equal, and it is the usual single-number measure of a system’s accuracy
- Speed and throughput rate – this is related to the speed of the processing equipment. It is measured either as the time for a single task (one person in 5 seconds) or as how many people the system handles in a period, where 6/10 equates to 6 persons in 10 minutes
- Acceptability to users – the method must be non-intrusive
- Uniqueness of the biometric organ and action – only three characteristics of human organs used in biometrics are unique — fingerprints, the iris of the eye, and the retina of the eye. Unique characteristics provide positive identification; other biometrics such as voice or face scans provide only a high probability of identity
- Resistance to counterfeiting – the ability to reject attempts to fool the system using photographs, rubber fingerprints or recorded voice
- Reliability & availability – must have 99.999% availability
- Data storage requirements – biometric files and templates must be stored securely
- Enrolment time – needs to be quick and efficient
- Intrusiveness of data collection – should be non-intrusive and not cause the user any distress, such as shining lasers into the eyes
- Subject and system contact requirements – hygienic touch points
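The accuracy item above talks about false accepts, false rejects and the cross-over error rate, but it is easier to see the trade-off by computing them. The following is an added example, not part of the original article: it takes constructed matcher scores for genuine users and impostors (on an assumed 0 to 100 similarity scale), sweeps the decision threshold, and reports the false accept rate (FAR), false reject rate (FRR) and the threshold at which they cross. It also shows what happens to FRR when a threshold is tuned for a strict FAR target, which is the usual choice for a high-security facility.

```python
"""FAR, FRR and cross-over error rate of a biometric matcher.

Added example; the score lists below are constructed for the demonstration
and are not measured data from any real matcher.
"""

# Constructed similarity scores (0..100) a matcher might return when comparing
# a live sample against the enrolled template.
GENUINE_SCORES = [62, 70, 74, 78, 81, 84, 85, 88, 90, 93, 95, 97]
IMPOSTOR_SCORES = [12, 20, 25, 31, 38, 44, 50, 55, 61, 66, 72, 80]


def false_reject_rate(genuine, threshold):
    """Fraction of genuine attempts rejected (score below the threshold)."""
    rejected = sum(1 for s in genuine if s < threshold)
    return rejected / len(genuine)


def false_accept_rate(impostor, threshold):
    """Fraction of impostor attempts accepted (score at or above the threshold)."""
    accepted = sum(1 for s in impostor if s >= threshold)
    return accepted / len(impostor)


def error_curve(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds):
    """Threshold and error rate where FAR and FRR are closest to equal.

    Returns the first threshold with the smallest |FAR - FRR| gap and the
    average of the two rates at that point (the cross-over error rate).
    """
    best = None
    for t, far, frr in error_curve(genuine, impostor, thresholds):
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, rate = best
    return threshold, rate


def threshold_for_max_far(impostor, max_far, thresholds):
    """Lowest threshold whose FAR does not exceed max_far (strict security tuning)."""
    for t in thresholds:
        if false_accept_rate(impostor, t) <= max_far:
            return t
    return None


if __name__ == "__main__":
    thresholds = range(0, 101)
    t_cer, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds)
    print(f"cross-over at threshold {t_cer}: CER = {cer:.3f}")
    t_strict = threshold_for_max_far(IMPOSTOR_SCORES, 0.0, thresholds)
    print(f"zero-FAR threshold {t_strict}: "
          f"FRR = {false_reject_rate(GENUINE_SCORES, t_strict):.3f}")
```

With these constructed scores the two rates meet at a threshold of 71 (CER of one in six), while forcing FAR to zero pushes the threshold to 81 and rejects a third of genuine users. Real deployments measure these rates on thousands of attempts, but the shape of the trade-off is the same: tightening one rate loosens the other, and the cross-over point is what lets two systems be compared on a single number.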
Types of Biometric Systems
- Signature recognition – the oldest system, now optimized to recognize a person’s handwriting, including pen pressure and writing speed
- Typing patterns – can be used with a password to measure typing speed and the time between characters
- Eye scans – unique identification of the iris and the retina; provides positive identification
- Fingerprint scans – unique identification, as above
- Hand or palm scans – like fingerprints, but less acceptable due to hygiene concerns
- Voice recognition – compares the speaker to stored voice patterns
- Facial recognition – uses distinctive facial features including the distance between the eyes, the depth of the eye sockets, the cheekbones and the length of the jawline. A non-intrusive system used in passports and surveillance systems
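The typing-patterns entry is the one biometric in the list that can be layered onto an ordinary password login without any extra hardware, so it is worth seeing how such a check is built. The following is an added example and not code from the original article: it enrols a user from several constructed typing sessions of a fixed password (recorded as millisecond gaps between key presses), builds a template of the mean and spread per key gap, and then scores a login attempt by how many of its gaps fall inside the enrolled range. The tolerance, the minimum spread and the acceptance cut-off are assumptions chosen for the demonstration.

```python
"""Keystroke-dynamics check layered on a password login.

Added example, not from the original article. All timings are constructed
millisecond intervals for a six-character password typed by one user.
"""
from statistics import mean, pstdev

# Constructed enrollment data: five sessions, each giving the five gaps
# between the six key presses of the password.
ENROLLMENT_SAMPLES = [
    [120, 95, 210, 88, 130],
    [118, 101, 198, 92, 126],
    [125, 97, 215, 85, 134],
    [115, 99, 205, 90, 128],
    [122, 93, 202, 87, 131],
]

MIN_SPREAD_MS = 5.0   # assumed floor so a very consistent typist is not locked out
TOLERANCE = 2.0       # assumed: accept a gap within 2 spreads of the enrolled mean
ACCEPT_AT = 0.8       # assumed: at least 80% of gaps must match


def latencies(timestamps_ms):
    """Inter-key gaps from absolute key-press timestamps."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def build_template(samples):
    """Per-position (mean, spread) of the enrolled gaps; spread is floored."""
    template = []
    for position in zip(*samples):
        template.append((mean(position), max(pstdev(position), MIN_SPREAD_MS)))
    return template


def match_score(template, gaps_ms, tolerance=TOLERANCE):
    """Fraction of observed gaps within tolerance * spread of the enrolled mean."""
    if len(gaps_ms) != len(template):
        return 0.0
    within = sum(1 for (mu, sigma), observed in zip(template, gaps_ms)
                 if abs(observed - mu) <= tolerance * sigma)
    return within / len(template)


def verify(template, timestamps_ms, accept_at=ACCEPT_AT):
    """True when the typing rhythm of this attempt matches the enrolled user."""
    return match_score(template, latencies(timestamps_ms)) >= accept_at


if __name__ == "__main__":
    tpl = build_template(ENROLLMENT_SAMPLES)
    # Constructed attempts: same correct password, different rhythms.
    same_user = [0, 121, 217, 425, 514, 644]
    other_user = [0, 180, 330, 490, 630, 800]
    print("same user accepted:", verify(tpl, same_user))
    print("other user accepted:", verify(tpl, other_user))
```

Because the template is only a statistical profile of rhythm, this check can never positively identify a person in the way the article reserves for fingerprints, iris and retina; it raises the probability that the password was typed by its owner, and a login that fails the rhythm check is better treated as a reason to ask for a second factor than as proof of fraud.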
Fingerprint and facial recognition are the most commonly used and accepted forms of biometrics in use today. This is because they are non-intrusive and satisfy all the categories of biometric characteristics listed above.