
Biometric Applications

This is an overview of existing and possible future applications of biometrics.

Access control
Obtaining access to a secured area or system is mostly a two-step process:

Identification, the process by which the user professes an identity by providing a username, a pin code or some other form of ID.
Authentication, the process of verification or testing to make sure that the user is who he claims to be.

Mobile hard disk with fingerprint reader

Biometrics can be used for both steps: identification requires a one-to-many search in the templates database, and authentication a one-to-one comparison of the measured biometric with the template that is associated with the claimed identity. There exist three types of authentication factors: something you know (e.g. password), something you have (e.g. token device, badge) and something you are. Biometrics fall in the third category, which is by definition the most secure, because most companies still struggle to implement good password practices, and when token devices or badge readers are used they get lost or are shared among colleagues. A lot of commercial biometric access control solutions are available, and many more are in development.

Access control to computer systems (workstations): USB fingerprint readers, voice and face recognition software using standard camera and microphone hardware, etc.
Door security: doors with biometric locks using iris recognition, fingerprint readers, etc.
Portable media such as USB sticks and mobile hard drives with integrated biometric access control, mostly encrypting your data using a built-in algorithm.
Safes with biometric locks.

Time and attendance management


The problems with time registration and attendance management are very similar to those encountered with access control. Nowadays most systems identify employees with a pin code or a badge. In practice employees lose their badge or forget their pin code; even worse, some employees let colleagues who arrive early apply their badge or pin code to the system. Using biometric time registration or attendance management prevents employees from fooling the system in this way and also reduces overhead for security personnel when badges are lost or pin codes forgotten. A number of commercial solutions already exist.

Surveillance
Screening large crowds for fugitive criminals or missing children, or border control at, for example, airports, can be largely automated using biometrics. The cost of such implementations of biometrics is very high, and for existing surveillance systems the success rates vary.

Fingerprint reader used for border control by the US department of Homeland Security

US-Visit program

The US Department of Homeland Security applies fingerprint recognition for border control. Non-US citizens between 14 and 79 years old entering the United States have all 10 fingerprints taken by electronic means. This is part of the US-Visit program. Fingerprints of tourists and immigrants are cross-checked with different databases to identify terrorists, criminals and illegal immigrants.

a total of 46,298,869 entries were recorded at air and sea ports; 236,857 were identified as possible overstays; 11,685 biometric watch-list hits occurred at the port of entries, these included individuals with criminal histories for crimes such as murder and drug trafficking as well as immigration violations.

Japan implemented a similar system under the name J-VIS, scanning both index fingers of foreign visitors. Also the United Arab Emirates implemented a border control system using iris recognition.

This type of immigration and border control system is the cause of much controversy. Most of the debate is actually about how the databases, or so-called watch-lists, containing the biometrics of criminals were compiled. It is also a common belief that criminals or terrorists will find a way to pass the biometric controls unhindered.

Face recognition for surveillance

It is said that some casinos are using face recognition to automatically search the crowd for card counters and cheaters; it is unknown whether they are successful with this or not. Face recognition was trialed in the UK: in the London Borough of Newham 250 surveillance cameras were installed to scan faces within their view. Images were compared against a database of criminals; if a match was found an alert was sent to the police. It is said, however, that not one criminal was arrested thanks to the system. We must add to this that the system was installed already in 1998 and that, given the technological difficulties of scanning and recognizing faces in a crowd, it is clear that face recognition was not yet up to that challenge 10 years ago.

A more interesting way to use face recognition for surveillance is with so-called face traps. The difficulty with using surveillance camera footage is that subjects are only seldom looking directly into the camera; the resulting images are therefore difficult to process for face recognition algorithms. A face trap is a location where a camera can be set up in such a way that the subject, without even realizing it, automatically looks directly into the camera. Examples of such locations are counters, elevators, clocks or television screens at which visitors look.

Keystroke Dynamics
Keystroke dynamics or typing dynamics refers to the automated method of identifying or confirming the identity of an individual based on the manner and the rhythm of typing on a keyboard. Keystroke dynamics is a behavioral biometric; this means that the biometric factor is 'something you do'. Already during the Second World War a technique known as The Fist of the Sender was used by military intelligence to distinguish, based on the rhythm, whether a Morse code message was sent by ally or enemy. These days each household has at least one computer keyboard, making keystroke dynamics the easiest biometric solution to implement in terms of hardware.

How it works
With keystroke dynamics the biometric template used to identify an individual is based on the typing pattern, the rhythm and the speed of typing on a keyboard. The raw measurements used for keystroke dynamics are dwell time and flight time.

Dwell time is the time duration that a key is pressed.
Flight time is the time duration in between releasing a key and pressing the next key.

When typing a series of characters, the time the subject needs to find the right key (flight time) and the time he holds down a key (dwell time) is specific to that subject, and can be calculated in such a way that it is independent of overall typing speed. The rhythm with which some sequences of characters are typed can be very person dependent. For example someone used to typing in English will be quicker at typing certain character sequences such as 'the' than a person with French roots. There exists software which combines keystroke dynamics with other interactions the user has with the computer, such as mouse movements (acceleration time, click frequency).
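The dwell and flight times described above, worked through in Python as an added example (not code from the original page or from any product it names). The key-event timings, the divide-by-mean normalisation used to remove overall typing speed, the distance measure and the 0.15 threshold are all assumptions chosen for illustration.

```python
from statistics import mean

# Constructed samples: (key, press_ms, release_ms) for the word "the".
OWNER_1 = [("t", 0, 90), ("h", 150, 230), ("e", 300, 400)]
OWNER_2 = [("t", 0, 94), ("h", 152, 236), ("e", 304, 402)]
OWNER_SLOW = [("t", 0, 135), ("h", 225, 345), ("e", 450, 600)]  # OWNER_1 typed 1.5x slower
OTHER = [("t", 0, 60), ("h", 200, 250), ("e", 330, 400)]        # short dwell, long pauses


def features(events):
    """Return (dwell, flight) lists in milliseconds."""
    dwell = [up - down for _, down, up in events]
    # Flight = next key press minus current key release.
    # It is negative when the next key goes down before the current one is released.
    flight = [nxt[1] - cur[2] for cur, nxt in zip(events, events[1:])]
    return dwell, flight


def normalise(events):
    """Scale all timings by their mean magnitude so only the rhythm remains."""
    dwell, flight = features(events)
    vec = dwell + flight
    scale = mean(abs(v) for v in vec)
    return [v / scale for v in vec]


def enrol(samples):
    """Template = element-wise mean of the normalised enrolment samples."""
    return [mean(col) for col in zip(*(normalise(s) for s in samples))]


def distance(template, events):
    """Mean absolute difference between template and a normalised attempt."""
    attempt = normalise(events)
    return sum(abs(t - a) for t, a in zip(template, attempt)) / len(template)


def verify(template, events, threshold=0.15):
    """One-to-one comparison against the template of the claimed identity."""
    return distance(template, events) <= threshold


TEMPLATE = enrol([OWNER_1, OWNER_2])

if __name__ == "__main__":
    for name, attempt in [("owner, slow day", OWNER_SLOW), ("other typist", OTHER)]:
        print(f"{name}: distance={distance(TEMPLATE, attempt):.3f} "
              f"accepted={verify(TEMPLATE, attempt)}")
```

The slower owner sample normalises to the same vector as the original, which is the speed independence the text refers to; the other typist produces the same three characters but a different rhythm.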

Application of keystroke dynamics


Keystroke dynamics can be used for authentication, in which case it is mostly used together with user ID / password credentials as a form of multifactor authentication. Another use is as a very specific form of surveillance. There exist software solutions which, often without end-users being aware of it, track keystroke dynamics for each user account. This tracked history of keystroke dynamics is then used to analyse whether accounts are being shared or, in general, are used by people different from the genuine account owner. Reasons for such an implementation could be to verify that users follow security procedures (no password sharing) or to verify that no software licenses are being shared (especially for SaaS applications). Companies which develop software products applying keystroke dynamics are:

ID Control is a Dutch company developing strong but affordable authentication solutions, some of which use keystroke dynamics. Their software integrates with MS Windows logon, Citrix, VPN and many others.

Psylock is a German company developing IT security solutions based on keystroke dynamics, providing software products for implementations on different scales from MS Windows login, to web login, to Citrix and VPN integration. The Psylock website offers an online demo.

BehavioSec is a Swedish company specialized in continuous authentication systems; this is software which monitors activity on a computer to make sure that it is the genuine account owner who is using the computer. BehavioSec uses not only keystroke dynamics but also mouse dynamics and the general way in which the user interacts with the computer.

Suitability of keystroke dynamics


In general behavioral biometrics such as keystroke dynamics are less reliable than physiological biometrics. We use the following 7 criteria to evaluate the suitability of keystroke dynamics:
Universality. This biometric solution can be used by all individuals that are able to use a keyboard.

Uniqueness. Unlike physiological biometric factors, there can be no such thing as an absolute match with behavioral biometrics. Therefore it is difficult to discuss uniqueness of a typing pattern. It must be clear that with keystroke dynamics it is not possible to have FAR and FRR as low as for the better physiological biometric factors; therefore it cannot be the sole factor to identify or authenticate a subject.

Permanence. A major problem with keystroke dynamics is that a subject's typing rhythm varies considerably between days and even within the same day. There are numerous reasons for this: tiredness, switching computers / keyboards, mood, influence of alcohol and medications, etc.

Collectability. An important advantage of keystroke dynamics is that there is no special hardware needed as with other biometrics; a standard computer keyboard is sufficient. It is also possible to capture the keyboard dynamics in the background, during longer periods, without causing any additional overhead for the subject. This might allow triggering an alarm when another subject takes over the session on a logged-in workstation.

Acceptability. Depending on the country or state you are in, using key logging software might be a direct violation of local laws. Even if the actual typed text is not analyzed or retained, applicable legislation is sufficiently unclear to be to your disadvantage when you intend to actually use keystroke dynamics. Request legal advice before implementing or experimenting without written consent from people on the keyboard.

Circumvention. It is certainly difficult, if not impossible, to mimic another person's typing rhythm. Electronically capturing it using key logging software is possible, thus implementing this biometric solution requires that data security is guaranteed from the input (keyboard) to the matching algorithm.

Performance. Behavioral biometrics have higher variations because they depend on a lot of (external) factors such as ergonomics, fatigue, mood, etc. This causes higher FAR and FRR when compared to solutions based on a physiological biometric factor such as fingerprint recognition.

Key biometric terms and processes


Biometrics. 'Biometrics' as a term refers to the measurement of a physical feature or repeatable action of an individual. There are many forms of biometric measurements taken. For example: fingerprints, retinal/iris scans, facial recognition, hand geometry, signatures, DNA, and of course voiceprints. Voice biometrics is simply a reference to the study and measurement of how individuals speak.

Classification. Classification means that a voice sample is going to be categorized or classified according to some previously defined rules -- for instance, male or female, young or old, or perhaps according to language or dialect. Classification systems can be used within verification and identification systems to help pare down comparative samples and provide further confidence in scoring. VBG offers gender classification as a custom option.

Enrollment. This is the initial process of collecting data. In the case of voice biometrics, enrollment is the capture of voice samples from an individual with the intent of creating a voiceprint from the unique characteristics (or features) of their speech patterns. Enrollment can be active and voluntary or passive and involuntary.

Equal Error Rate (EER). This is the most common term used to judge the accuracy of biometric and other security systems. The equal error rate (or EER) of any security tool is simply the operating point where the percentage of false acceptances is equal to the percentage of false rejections. The lower the EER value, the better, as it is desirable to be both very good at recognizing valid system users as well as very good at screening out imposters and fraudsters.

False-Acceptance Rate (FAR). In biometric and other security systems, the false acceptance rate (or FAR) is the percentage of times when the system will incorrectly let an imposter or fraudster in as a valid user. This scenario is sometimes also referred to as a 'Type II' error. Giving unauthorized users access to any system can have profound implications, so it is very important to tune biometric systems to low FAR levels.

False-Rejection Rate (FRR). In biometric and other security systems, the false rejection rate (or FRR) is the percentage of times when the system will incorrectly reject a valid user. This scenario is sometimes also referred to as a 'Type I' error. Rejecting a valid user is an inconvenience and this can have implications for long-term user acceptance. To help manage these types of errors, tuning is recommended, along with offering retries for users that 'pass' other security factors.
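How FAR, FRR and the EER fall out of a set of match scores, as an added Python example (not part of the original glossary or of any vendor's product). The score lists are constructed, and the convention that a higher score means a closer match, accepted at or above the threshold, is an assumption.

```python
# Constructed similarity scores in [0, 1]; higher means a closer match.
GENUINE = [0.91, 0.85, 0.78, 0.88, 0.62, 0.95, 0.81, 0.73, 0.58, 0.90]   # valid users
IMPOSTOR = [0.20, 0.35, 0.41, 0.66, 0.30, 0.52, 0.75, 0.15, 0.48, 0.60]  # imposters


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when attempts scoring >= threshold are accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # imposters let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # valid users rejected
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold and return
    (threshold, FAR, FRR) at the point where FAR and FRR are closest."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1:]


def tuning_table(genuine, impostor, thresholds):
    """FAR/FRR at each candidate threshold, for choosing an operating point."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    t, far, frr = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER operating point: threshold={t:.2f} FAR={far:.0%} FRR={frr:.0%}")
    for t, far, frr in tuning_table(GENUINE, IMPOSTOR, [0.50, 0.66, 0.80]):
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
```

Raising the threshold from the EER point to 0.80 drives FAR to zero on this sample but doubles FRR, which is the trade-off that tuning for low FAR and offering retries is meant to manage.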

Feature Extraction. When audio samples are submitted to a voice biometric engine during enrollment, verification, or identification, unique vocal characteristics are identified, analyzed, and captured from the audio source(s) using sophisticated audio signal processing software. The process that performs these tasks is commonly referred to as 'feature extraction'.

Identification. During identification a user submits speech samples to the voice biometric engine without first making any claim of identity. The engine then extracts vocal features from the temporary sample and performs comparisons to a set of previously stored voiceprints, identifying the best/closest match. Because databases can contain literally millions of voice prints, identification systems are not yet practical for real-time commercial use. However, identification systems are quite useful for offline forensic analysis.

Interactive Voice Response (IVR). Interactive voice response, or IVR, refers to telephony technology in which someone uses a telephone to interact with an application or database system. IVR technology does not require that a live person answer the phone; in fact, IVR systems allow for callers to answer questions or navigate menus using either a touch-tone phone, their voices, or a combination of both. IVR systems are very common -- they are prevalent in almost every industry. Voice biometric authentication within IVR systems is a growing topic of interest, as fraud committed in IVR systems is on the rise in many industries.

Multi-Factor Authentication (MFA). An authentication factor refers to a piece of information and/or a technique used to authenticate someone's identity. Factors are something you have (like a picture ID or token), something you know (like a password, PIN, or answer to a shared secret), or something you are (such as a biometric -- fingerprint, voiceprint, etc). Multi-Factor Authentication, or MFA, is a system where multiple factors are obtained during a single session to authenticate an individual, yielding a greater match confidence.

Speech Recognition (ASR). Speech recognition is also referred to as voice recognition or automatic speech recognition (ASR). ASR is a technology where spoken words are recognized for specific content. This technology is typically used in call centers and IVR systems. Essentially, a caller speaks when prompted, then his or her response is captured and converted to an electronic format. The electronic content is processed and transformed into patterns that are identified by a computer system as specific words. Based on the content identified, the computer system typically takes some kind of action. As an example ... please say 'sales' to speak with a sales agent or 'tech support' to get technical support, etc.

Text-Dependent System. A text-dependent voice biometric system prompts users to speak specific words, phrases, or numbers -- placing known limits on what can be said. These same limits are then imposed during all enrollment, verification, and identification processes. Text-dependent systems tend to be easy to understand and use due to these constraints. Also, they are often less expensive to build, operate, and maintain.

Text-Independent System. A text-independent voice biometric system does not require users to say specific words, phrases, or numbers -- almost any speech can be used. However, the enrollment process for text-independent systems typically needs to be longer than for text-dependent systems, as more speech is needed to create a more "complete" voiceprint for users. And although setup, operating, and maintenance costs can be higher for these systems, developers appreciate the high levels of design flexibility.

Text-to-Speech (TTS). The term 'text-to-speech' (or TTS) refers to speech synthesis or a process where a computer converts written text into spoken voice output. Early TTS systems were developed to aid the visually impaired by offering them computer-generated speech that would 'read' text passages to them. Today, TTS technology is widely used within IVRs and call centers to dynamically generate and speak information to callers.

Voice Verification. Voice verification, or voice authentication, or speaker verification refers to the process of verifying someone's identity by evaluating their unique vocal characteristics. In a voice verification application, users make an initial claim of identity (perhaps by entering a user id and password to a web-based system, or by keying in a partial account number with their telephone keypad). The application then prompts users for a speech sample and sends it to a voice authentication system. The voice authentication system extracts unique vocal features from the sample, compares them to the stored voiceprint for that user, and then returns the result to the application. The application can then decide whether to "pass" the user and let them continue or "fail" them and perform some alternate process.

Voiceprint. A voiceprint is a mathematical representation of the unique physiological and behavioral features of a person's voice stored in electronic format (frequently proprietary). A voiceprint is not a recording or file that can be played back or otherwise listened to. Rather, a voiceprint is derived from audio analysis and statistical modeling of vocal features. Voiceprints cannot be reverse-engineered back into original speech, so this gives voiceprints very high innate security levels relative to information storage concerns.

VoiceXML. VoiceXML is a voice-based Extensible Markup Language that has fast become the de-facto standard within call centers and IVR systems. Specifically, VoiceXML is a standard used for specifying interactive voice dialogs between people and computing systems. It does not require specific hardware to run, nor does it require proprietary extensions for any of the major telephone systems providers. Many client applications leverage the simplicity and power of VoiceXML within their IVR systems to gather speech samples from their users and send them to the VBG system.
