The Biometrics Consortium, a leading industry group, defines biometrics as “automated methods of recognizing a person based on a physiological or behavioral characteristic. Among the features measured are; face, fingerprints, hand geometry, handwriting, iris, retinal, vein, and voice. Biometric technologies are becoming the foundation of an extensive array of highly secure identification and personal verification solutions.”

Dissecting the definition:

“automated methods”
Biometrics, as the term is used today, require machine readability.

“of recognizing a person”
Obviously, the intent of biometrics is to define human beings.

Now this is where it gets interesting …

“based on a physiological or behavioral characteristic.”
Biometrics can measure physiological traits (things that we are) or behavioral traits (things that we do). In the list of biometrics presented in the definition, the physiological traits include face, fingerprints, hand geometry, iris, retinal, and vein. Each of these is a trait that we are, in essence, born with rather than a trait that we learn. The list also includes two behavioral traits of handwriting (e.g. signature) and voice. Other common behavioral traits include our gate (our unique walk) and keystrokes patterns.

“identification and personal verification solutions.”
Too often, the concepts of identification and verification are used interchangeably. They are, in fact, very different processes-and they form one of the most fundamental concepts in biometric technology. Actually, the concepts extend across the range of what we consider ID technologies.

Identification involves knowing or isolating an individual from a group. It is an act of knowing one from many. Verification, also commonly called authentication, involves ensuring that an individual is who he or she claims to be-or who the identifying entity believes he or she to be. This process is an act of ensuring one to one.

Eric Bowman, biometric industry representative and standards body member, describes it this way:

” Identification occurs when an individual’s characteristics are being selected from a group of stored images. Called a “one-to-many” search, the question put to the machine is “Do I know you?” The search algorithm will search a database and return a likely list of candidates.”

“Authentication occurs when an individual makes a claim of identity by presenting a code or a card. Called a “one-to-one” search, the question put to the machine is “Are you who you claim to be?” In this sense, the individual’s characteristics are being measured against an enrolled image that is stored on a token or in a local database with the image presented.”

Biometric systems are great at authentication. Think of it this way, the system is told what record from the database to use for comparison. It need only check the biometric from the reader with the one stored in the database.

Systems have a much harder time with identification using biometrics. These one-to-many searches require that the system compare the biometric from the reader to the world of biometrics stored in the database.

To illustrate this concept, imagine a system in which all individuals were required to provide a fingerprint when they applied for a driver license. If that system were to be used for authentication, a law enforcement officer would take the license number and a finger scan of an offender and transmit it for comparison against the stored biometric that matches that license number. If it matches, the individual could safely be assumed to be the person on the license and the license could reasonably be considered valid. This is biometric authentication.

If the offender refused to provide a drivers license, the officer might take a finger scan and transmit it for comparison against all existing records. If a match was found that person’s identity could then be known. This is biometric identification.

According to Cathy Tilton, representative of biometric vendor Saflink and chair of the INCITS biometric technical committee (M1), “most biometric deployments are done using one-to-one matching so they need a claimed identity (e.g. card, token, number). If it is a personal workstation then you don’t need the claimed identity cause it can be assumed to be the user of the PC.”

The concept of templates

Creating and entering a biometric indicator into a system is known as enrollment. During the enrollment process a digital representation of the individual’s characteristic (either physiological or behavioral) is created. For the purpose of this discussion, we will continue to use the example of a fingerprint biometric.

The process begins by scanning the finger. Though there are different methodologies and techniques used to create the templates, a common means involves mapping the minutia of the finger. Think of minutia as the key points on the print (e.g. the core, bifurcation points where the ridges branch apart). By mapping these points and then applying a mathematical algorithm to this map, a number representation of finger is created and enrolled into the system.

When a biometric identification of authentication procedure is conducted at a later point, the same process occurs. The finger is scanned, minutia is mapped, the algorithm applied, and the number or template is created. This newly created template can then be compared to other templates in the database for identification or compared directly to the individual’s record for authentication.

The margin for error

Because biometric systems rely on numeric templates, there is a margin of error inherent in a system. This is a necessary trade-off, because if a system was to check actual fingerprint images against other images, the processing power, transaction times and cost would be unacceptable. There are two categories of errors that occur in biometric systems: False Rejection Rates (FRR) also known as Type I Errors and False Acceptance Rates (FAR) also known as Type II Errors.

FRR describes frequency that an authorized person is deemed unauthorized (i.e. a match for the biometric is not found) by the system. FAR is the frequency with which an unauthorized person is deemed a match by the system. Obviously, in most situations it is more dangerous to falsely accept a person (e.g. grant an intruder access) than falsely reject a person (e.g. deny an employee access).

FRR and FAR are inversely proportional to each other. When one is lowered, the other will typically rise. Thus, biometric systems are a balancing act between false acceptance and false rejection.

Today many systems enable the thresholds for FAR and FRR to be adjusted based on time, level of threat, or other criteria. As an example, during the day or during times of normal threat levels a military installation might choose to lower the FRR to ensure that few if any authorized personnel are denied access. After hours or during times of heightened security threats, the FRR might be raised to make it virtually impossible for unauthorized persons to gain entry.

In the next issue, we will continue the investigation of biometric concepts exploring key issues including the location of the stored biometric (e.g. in a database, on a card or token) and the location for conducting the comparison (e.g. match on card, in the reader, at the system level).

This article originally appeared in a 2004 issue of SecureIDNews.