What method is the basis of biometric scales? Comparison of biometric methods for resistance to data falsification. Where is biometric security used?

ZlodeiBaal August 11, 2011 at 9:54 pm

Modern biometric identification methods

  • Information Security

Recently, many articles devoted to Google’s facial identification systems have appeared on Habr. To be honest, many of them reek of journalism and, to put it mildly, incompetence. So I wanted to write a good article on biometrics, and it’s not my first! There are a couple of good articles on biometrics on Habr, but they are quite short and incomplete. Here I will try to briefly outline the general principles of biometric identification and the modern achievements of mankind in this matter, including identification by face.

The article has, which, in essence, is its prequel.

A joint publication with a colleague in a journal (BDI, 2009), revised to suit modern realities, will be used as the basis for the article. My colleague is not on Habr yet, but he supported the publication of the revised article here. At the time of publication, the article was a brief overview of the modern market of biometric technologies, which we conducted for ourselves before launching our product. The applicability judgments put forward in the second part of the article are based on the opinions of people who have used and implemented the products, as well as on the opinions of people involved in the production of biometric systems in Russia and Europe.

General information

Let's start with the basics. In 95% of cases, biometrics is essentially mathematical statistics. And mathematical statistics is an exact science whose algorithms are used everywhere: in radars and in Bayesian systems. Errors of the first and second types can be taken as the two main characteristics of any biometric system. In radar theory they are usually called “false alarm” and “target miss”, and in biometrics the most established terms are FAR (False Acceptance Rate) and FRR (False Rejection Rate). The first number characterizes the probability of a false match between the biometric characteristics of two people. The second is the probability of denying access to a person with clearance. The lower the FRR value for the same FAR values, the better the system. Sometimes the comparative characteristic EER is used, which is the point at which the FRR and FAR graphs intersect. But it is not always representative. You can see more details, for example.
The following can be noted: if the characteristics of the system do not include FAR and FRR for open biometric databases, then no matter what the manufacturers declare about its characteristics, this system is most likely ineffective or much weaker than its competitors.
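Added example, not part of the original article: how FAR, FRR and EER are obtained from a matcher's similarity scores. The scores are constructed (two Gaussian samples standing in for an open database), and all function names are this example's own.

```python
"""FAR, FRR and EER computed from matcher scores (constructed sample data)."""
import random
from bisect import bisect_left


def far_frr(genuine_sorted, impostor_sorted, threshold):
    """(FAR, FRR) when a comparison is accepted if score >= threshold."""
    accepted_impostors = len(impostor_sorted) - bisect_left(impostor_sorted, threshold)
    rejected_genuine = bisect_left(genuine_sorted, threshold)
    return (accepted_impostors / len(impostor_sorted),
            rejected_genuine / len(genuine_sorted))


def error_curve(genuine, impostor):
    """List of (threshold, FAR, FRR): one entry per distinct score, plus +inf."""
    g, i = sorted(genuine), sorted(impostor)
    thresholds = sorted(set(g) | set(i)) + [float("inf")]
    return [(t, *far_frr(g, i, t)) for t in thresholds]


def equal_error_rate(curve):
    """Operating point where FAR and FRR are closest; returns (threshold, EER)."""
    t, far, frr = min(curve, key=lambda p: abs(p[1] - p[2]))
    return t, (far + frr) / 2


def frr_at_far(curve, max_far):
    """Lowest FRR among operating points whose FAR does not exceed max_far."""
    frr, t = min((frr, t) for t, far, frr in curve if far <= max_far)
    return t, frr


def constructed_scores(seed=7, n_genuine=2000, n_impostor=20000):
    """Constructed similarity scores used in place of a real open database."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.75, 0.10) for _ in range(n_genuine)]    # same person
    impostor = [rng.gauss(0.40, 0.10) for _ in range(n_impostor)]  # different people
    return genuine, impostor


if __name__ == "__main__":
    curve = error_curve(*constructed_scores())
    t_eer, eer = equal_error_rate(curve)
    print(f"EER = {eer:.2%} at threshold {t_eer:.3f}")
    # The same matcher at stricter operating points: FRR rises as FAR is pushed down.
    for max_far in (0.01, 0.001, 0.0001):
        t, frr = frr_at_far(curve, max_far)
        print(f"FAR <= {max_far:.2%}: threshold {t:.3f}, FRR = {frr:.2%}")
```

The EER summarizes the matcher in one number, while the loop shows why a single number is not always representative: the FRR at the FAR an access system actually needs can be far above the EER.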
But not only FAR and FRR determine the quality of a biometric system. If this were the only way, then the leading technology would be DNA recognition, for which FAR and FRR tend to zero. But it is obvious that this technology is not applicable at the current stage of human development! We have developed several empirical characteristics that allow us to assess the quality of the system. “Forgery resistance” is an empirical characteristic that summarizes how easy it is for a biometric identifier to be fooled. “Environmental stability” is a characteristic that empirically evaluates the stability of the system under various external conditions, such as changes in lighting or room temperature. “Ease of use” shows how difficult it is to use a biometric scanner, and whether identification is possible “on the go.” Other important characteristics are “Speed of operation” and “Cost of the system”. We should not forget that a person’s biometric characteristic can change over time, so if it is unstable, this is a significant disadvantage.
The abundance of biometric methods is amazing. The main methods using static biometric characteristics of a person are identification by papillary pattern on the fingers, iris, facial geometry, retina, pattern of hand veins, hand geometry. There is also a family of methods that use dynamic characteristics: identification by voice, handwriting dynamics, heart rate, and gait. Below is the breakdown of the biometric market a couple of years ago. The figures vary by 15-20 percent from source to source, so this is just an estimate. Also, two different methods are hidden here under the concept of “hand geometry”; they will be discussed below.


In this article we will consider only those characteristics that are applicable in access control and management systems (ACS) or in tasks similar to them. Because of their superiority, these are primarily static characteristics. Of the dynamic characteristics at the moment, only voice recognition has at least some statistical significance (comparable to the worst static algorithms, FAR~0.1%, FRR~6%), but only under ideal conditions.
To get a feel for the probabilities of FAR and FRR, you can estimate how often false matches will occur if you install an identification system at the entrance of an organization with N employees. The probability of a false match of a fingerprint scanner for a database of N fingerprints is FAR∙N. And every day about N people also pass through the access control point. Then the probability of error per working day is FAR∙(N∙N). Of course, depending on the goals of the identification system, the probability of an error per unit of time can vary greatly, but if we accept one error per working day as acceptable, then:
(1)
Then we find that stable operation of the identification system at FAR=0.1% =0.001 is possible with a staff size of N≈30.
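Added example (not from the original article): the estimate above in Python, assuming the condition behind formula (1) is FAR∙N∙N ≈ 1, that is, one expected false match per working day. It also computes the exact probability of at least one false match per day, which the linear estimate only approximates; the function names are this example's own, and the FAR values are those quoted on this page.

```python
"""Daily false-match load of a 1:N access point, from the estimate FAR * N * N."""
import math

# Characteristic FAR values quoted on this page, in percent.
PAGE_FAR_PERCENT = {
    "2-D face": 0.1,
    "3-D face": 0.0047,
    "fingerprint": 0.001,
    "retina": 0.001,
    "palm vein": 0.0008,
    "iris": 0.00001,
}


def expected_false_matches(far, staff, passes=None):
    """Expected false matches per day; every pass is compared with `staff` templates."""
    passes = staff if passes is None else passes  # the page assumes about N passes a day
    return far * staff * passes


def prob_any_false_match(far, staff, passes=None):
    """Probability of at least one false match per day (independent comparisons)."""
    passes = staff if passes is None else passes
    # log1p/expm1 keep precision when FAR is as small as 1e-7.
    return -math.expm1(staff * passes * math.log1p(-far))


def max_staff(far, errors_per_day=1.0):
    """Largest N for which FAR * N * N stays within the daily error budget."""
    return math.floor(math.sqrt(errors_per_day / far))


def sizing_table(errors_per_day=1.0):
    """Map each method on the page to its maximum staff size."""
    return {name: max_staff(pct / 100.0, errors_per_day)
            for name, pct in PAGE_FAR_PERCENT.items()}


if __name__ == "__main__":
    for name, n in sizing_table().items():
        far = PAGE_FAR_PERCENT[name] / 100.0
        print(f"{name:12s} FAR={far:.1e}  N<={n:5d}  "
              f"P(at least one false match per day)={prob_any_false_match(far, n):.0%}")
    # A stricter budget: one false match per 20 working days.
    print(sizing_table(errors_per_day=1 / 20))
```

At the staff size where the expected count reaches one per day, the chance that a given day has at least one false match is already above 60%, so a tighter budget (the last line) shrinks N by the square root of the budget.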

Biometric scanners

Today, the concepts of “biometric algorithm” and “biometric scanner” are not necessarily interrelated. A company can produce these elements individually or together. The greatest differentiation between scanner manufacturers and software manufacturers has been achieved in the market for finger papillary pattern biometrics, the smallest in the market for 3D face scanners. In fact, the level of differentiation largely reflects the development and saturation of the market. The more choice there is, the more thoroughly the subject has been worked out and brought to perfection. Different scanners have different sets of capabilities. Basically, this is a set of tests to check whether the biometric object is fake or not. For finger scanners this could be a surface relief check or a temperature check, for eye scanners it could be a pupil accommodation test, for face scanners it could be facial movement.
Scanners greatly influence the resulting FAR and FRR statistics. In some cases, these numbers can change tens of times, especially in real conditions. Typically, the characteristics of the algorithm are given for a certain “ideal” database, or simply for a well-suited one, from which out-of-focus and blurred frames have been discarded. Only a few algorithms honestly indicate both the database and the full FAR/FRR results for it.

And now in more detail about each of the technologies

Fingerprints


Dactyloscopy (fingerprint recognition) is the most developed biometric method of personal identification to date. The catalyst for the development of the method was its widespread use in forensic science of the 20th century.
Each person has a unique papillary fingerprint pattern, which makes identification possible. Typically, algorithms use characteristic points on fingerprints: the end of a pattern line, the branching of a line, single points. Additionally, information is used about the morphological structure of the fingerprint: the relative position of the closed lines of the papillary pattern, “arched” and spiral lines. The features of the papillary pattern are converted into a unique code that preserves the information content of the fingerprint image. And it is the “fingerprint codes” that are stored in the database used for searching and comparison. The time to convert a fingerprint image into a code and identify it usually does not exceed 1s, depending on the size of the database. The time spent raising your hand is not taken into account.
VeriFinger SDK statistics obtained using the DP U.are.U fingerprint scanner were used as a source of FAR and FRR data. Over the past 5-10 years, the characteristics of finger recognition have not made much progress, so the above figures show the average value of modern algorithms quite well. The VeriFinger algorithm itself won the International Fingerprint Verification Competition for several years, where finger recognition algorithms competed.

The characteristic FAR value for the fingerprint recognition method is 0.001%.
From formula (1) we find that stable operation of the identification system at FAR=0.001% is possible with a staff size of N≈300.
Advantages of the method. High reliability - the statistical indicators of the method are better than the indicators of identification methods by face, voice, and signature. Low cost of the devices that scan a fingerprint image. A fairly simple fingerprint scanning procedure.
Disadvantages: the fingerprint papillary pattern is very easily damaged by small scratches and cuts. People who have used scanners in enterprises with several hundred employees report a high rate of scanning failures. Many of the scanners do not handle dry skin properly and do not let older people through. At the last MIPS exhibition, the head of the security service of a large chemical enterprise said that their attempt to introduce finger scanners at the enterprise (scanners of various systems were tried) failed: minimal exposure of employees' fingers to chemical reagents caused the scanners' security systems to fail, and the scanners declared the fingers fake. There is also insufficient security against fingerprint image forgery, partly caused by the widespread use of the method. Of course, not all scanners can be fooled by methods from MythBusters, but still. For some people with “inappropriate” fingers (body temperature, humidity), the probability of being denied access can reach 100%. The number of such people varies from a fraction of a percent for expensive scanners to ten percent for inexpensive ones.
Of course, it is worth noting that a large number of shortcomings are caused by the widespread use of the system, but these shortcomings do exist and they appear very often.
Market situation
Currently, fingerprint recognition systems occupy more than half of the biometric market. Many Russian and foreign companies are engaged in the production of access control systems based on the fingerprint identification method. Because this direction is one of the oldest, it has become the most widespread and is by far the most developed. Fingerprint scanners have come a really long way. Modern systems are equipped with various sensors (temperature, pressing force, etc.), which increase the degree of protection against counterfeiting. Every day systems become more convenient and compact. In fact, the developers have already reached a certain limit in this area, and there is nowhere to develop the method further. In addition, most companies produce ready-made systems that are equipped with everything necessary, including software. Integrators in this area simply do not need to assemble the system themselves, since this is unprofitable and will take more time and effort than buying a ready-made and already inexpensive system, especially since the choice will be really wide.
Among the foreign companies involved in fingerprint recognition systems, one can note SecuGen (USB scanners for PCs, scanners that can be installed in enterprises or built into locks, SDK and software for connecting the system with a computer); Bayometric Inc. (fingerprint scanners, TAA/Access control systems, fingerprint SDKs, embedded fingerprint modules); DigitalPersona, Inc. (USB scanners, SDK). In Russia, the following companies operate in this area: BioLink (fingerprint scanners, biometric access control devices, software); Sonda (fingerprint scanners, biometric access control devices, SDK); SmartLock (fingerprint scanners and modules), etc.

Iris



The iris of the eye is a unique characteristic of a person. The pattern of the iris is formed in the eighth month of intrauterine development, finally stabilizes at the age of about two years and practically does not change throughout life, except as a result of severe injuries or severe pathologies. The method is one of the most accurate among biometric methods.
The iris identification system is logically divided into two parts: a device for capturing an image, its primary processing and transmission to a computer, and a computer that compares the image with images in the database and transmits the admission command to the executive device.
The time for primary image processing in modern systems is approximately 300-500ms, the speed of comparing the resulting image with the database is 50,000-150,000 comparisons per second on a regular PC. This speed of comparison does not impose restrictions on the use of the method in large organizations when used in access systems. When using specialized computers and search optimization algorithms, it even becomes possible to identify a person among the residents of an entire country.
I should say right away that I am somewhat biased and have a positive attitude towards this method, since it was in this field that we launched our startup. A paragraph at the end will be devoted to a little self-PR.
Statistical characteristics of the method
The FAR and FRR characteristics for the iris are the best in the class of modern biometric systems (with the possible exception of the retinal recognition method). The article presents the characteristics of the iris recognition library of our algorithm - EyeR SDK, which correspond to the VeriEye algorithm tested using the same databases. We used CASIA databases obtained by their scanner.

The characteristic FAR value is 0.00001%.
According to formula (1) N≈3000 is the number of personnel of the organization, at which employee identification is quite stable.
Here it is worth noting an important feature that distinguishes the iris recognition system from other systems. When using a camera with a resolution of 1.3 MP or more, you can capture two eyes in one frame. Since the FAR and FRR probabilities for the two eyes are statistically independent, when recognizing using two eyes, the FAR value will be approximately equal to the square of the FAR value for one eye. For example, for a FAR of 0.001% using two eyes, the false admission rate would be 10⁻⁸%, with an FRR only twice as high as the corresponding FRR value for one eye at FAR=0.001%.
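Added example, not from the original article: the two-eye rule described above is the AND rule of decision fusion (access only if both eyes match), shown here next to the OR rule for contrast and checked by simulation at inflated error rates. The single-eye FRR of 1% is a constructed value, since the page quotes only the FAR; function names are this example's own.

```python
"""Two-eye decision fusion under the independence assumption."""
import random


def fuse_and(far, frr, eyes=2):
    """Accept only if every eye matches: FAR shrinks, FRR grows."""
    return far ** eyes, 1.0 - (1.0 - frr) ** eyes


def fuse_or(far, frr, eyes=2):
    """Accept if any eye matches: FRR shrinks, FAR grows."""
    return 1.0 - (1.0 - far) ** eyes, frr ** eyes


def simulate_and(far, frr, trials=200_000, seed=1):
    """Monte Carlo check of fuse_and for two eyes with independent errors."""
    rng = random.Random(seed)
    # Impostor attempt: a false accept needs a false match on both eyes.
    false_accepts = sum(all(rng.random() < far for _ in range(2))
                        for _ in range(trials))
    # Genuine attempt: a false reject happens if either eye fails to match.
    false_rejects = sum(any(rng.random() < frr for _ in range(2))
                        for _ in range(trials))
    return false_accepts / trials, false_rejects / trials


if __name__ == "__main__":
    far_one_eye = 0.001 / 100   # FAR = 0.001%, the value used in the text
    frr_one_eye = 0.01          # constructed value, not from the page
    for name, rule in (("AND", fuse_and), ("OR", fuse_or)):
        far, frr = rule(far_one_eye, frr_one_eye)
        print(f"{name:3s} rule: FAR = {far * 100:.1e}%  FRR = {frr * 100:.4f}%")
    # Error rates inflated so that a simulation of this size can observe them.
    print("formula   :", fuse_and(0.05, 0.10))
    print("simulation:", simulate_and(0.05, 0.10))
```

The squared FAR holds only while the two comparisons really are independent; anything that affects both eyes at once, such as a bad frame, breaks the assumption.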
Advantages and disadvantages of the method
Advantages of the method. Statistical reliability of the algorithm. Capturing an image of the iris can be done at a distance of several centimeters to several meters, without physical contact between a person and the device. The iris is protected from damage - which means it will not change over time. It is also possible to use a high number of methods that protect against counterfeiting.
Disadvantages of the method. The price of a system based on the iris is higher than the price of a system based on finger recognition or facial recognition. Low availability of ready-made solutions. Any integrator who comes to the Russian market today and says “give me a ready-made system” will most likely fail. What is mostly sold are expensive turnkey systems installed by large companies such as Iridian or LG.
Market situation
At the moment, the share of iris identification technologies in the global biometric market is, according to various estimates, from 6 to 9 percent (while fingerprint recognition technologies occupy over half of the market). It should be noted that from the very beginning of the development of this method, its strengthening in the market was slowed down by the high cost of equipment and components necessary to assemble an identification system. However, as digital technologies developed, the cost of a single system began to decrease.
The leader in software development in this area is Iridian Technologies.
The entry of a large number of manufacturers into the market was limited by the technical complexity of the scanners and, as a consequence, their high cost, as well as the high price of the software due to Iridian’s monopoly position in the market. These factors left development in the field of iris recognition open only to large companies, most likely already engaged in the production of some components suitable for the identification system (high-resolution optics, miniature cameras with infrared illumination, etc.). Examples of such companies include LG Electronics, Panasonic, OKI. They entered into an agreement with Iridian Technologies, and as a result of joint work, the following identification systems appeared: Iris Access 2200, BM-ET500, OKI IrisPass. Subsequently, improved models of systems emerged, thanks to the technical capabilities of these companies to independently develop in this area. It should be said that the above companies also developed their own software, but in the end they prefer Iridian Technologies software in the finished system.
The Russian market is dominated by products of foreign companies, although even those can be purchased only with difficulty. For a long time, the Papillon company assured everyone that they had iris recognition. But even representatives of RosAtom, their direct buyer, for whom they made the system, say that this is not true. At some point, another Russian company appeared that made iris scanners. I don’t remember the name now. They purchased the algorithm from someone, perhaps from the same VeriEye. The scanner itself was a 10-15 year old system, by no means contactless.
In the last year, a couple of new manufacturers have entered the global market due to the expiration of the primary patent for human eye recognition. The most trustworthy of them, in my opinion, is AOptix. At least their previews and documentation do not raise suspicions. The second company is SRI International. Even at first glance, to a person who has worked on iris recognition systems, their videos seem very deceitful. Although I wouldn’t be surprised if in reality they can do something. Both systems do not show data on FAR and FRR, and also, apparently, are not protected from counterfeiting.

Face recognition

There are many recognition methods based on facial geometry. All of them are based on the fact that the facial features and shape of the skull of each person are individual. This area of biometrics seems attractive to many because we recognize each other primarily by our faces. This area is divided into two directions: 2-D recognition and 3-D recognition. Each of them has advantages and disadvantages, but much also depends on the scope of application and the requirements for a particular algorithm.
I’ll briefly tell you about 2-d and move on to one of the most interesting methods today - 3-d.
2-D facial recognition

2-D facial recognition is one of the most statistically ineffective biometric methods. It appeared quite a long time ago and was used mainly in forensic science, which contributed to its development. Subsequently, computer implementations of the method appeared, as a result of which it became more reliable, but, of course, it was inferior, and with every year is increasingly inferior, to other biometric methods of personal identification. Currently, due to poor statistical indicators, it is used in multimodal or, as it is also called, cross biometrics, or in social networks.
Statistical characteristics of the method
For FAR and FRR, data for the VeriLook algorithms were used. Again, for modern algorithms it has very ordinary characteristics. Sometimes algorithms with an FRR of 0.1% at a similar FAR turn up, but the databases on which they were obtained are very questionable (cut-out background, identical facial expression, identical hairstyle, lighting).

The characteristic FAR value is 0.1%.
From formula (1) we obtain N≈30 - the number of personnel of the organization, at which employee identification occurs quite stably.
As you can see, the statistical indicators of the method are quite modest: this eliminates the advantage of the method that it is possible to covertly photograph faces in crowded places. It’s funny to see how a couple of times a year another project is funded to detect criminals through video cameras installed in crowded places. Over the past ten years, the statistical characteristics of the algorithm have not improved, but the number of such projects has increased. Although, it is worth noting that the algorithm is quite suitable for tracking a person in a crowd through many cameras.
Advantages and disadvantages of the method
Advantages of the method. With 2-D recognition, unlike most biometric methods, expensive equipment is not required. With appropriate equipment, recognition is possible at significant distances from the camera.
Disadvantages of the method. Low statistical significance. There are lighting requirements (for example, it is not possible to register the faces of people entering from the street on a sunny day). For many algorithms, any external interference is unacceptable, such as glasses, a beard, or some elements of a hairstyle. A frontal image of the face is required, with very slight deviations. Many algorithms do not take into account possible changes in facial expressions, that is, the expression must be neutral.
3-D facial recognition

The implementation of this method is a rather complex task. Despite this, there are currently many methods for 3-D facial recognition. The methods cannot be compared with each other, since they use different scanners and databases. Not all of them issue FAR and FRR; completely different approaches are used.
The transitional method from 2-D to 3-D is a method that accumulates information about a person. This method has better characteristics than the 2-D method, but it also uses only one camera. When a subject is entered into the database, the subject turns his head and the algorithm stitches the images together, creating a 3D template. During recognition, several frames of the video stream are used. This method is rather experimental and I have never seen an implementation for access control systems.
The most classic method is the template projection method. It consists of projecting a grid onto an object (face). Next, the camera takes pictures at a speed of tens of frames per second, and the resulting images are processed by a special program. A beam incident on a curved surface is bent - the greater the curvature of the surface, the stronger the bend of the beam. Initially, a source of visible light was used, supplied through “blinds”. Then visible light was replaced by infrared, which has several advantages. Typically, at the first stage of processing, images in which the face is not visible at all or in which there are foreign objects that interfere with identification are discarded. Based on the resulting images, a 3-D model of the face is reconstructed, on which unnecessary noise (hairstyle, beard, mustache and glasses) is highlighted and removed. Then the model is analyzed - anthropometric features are identified, which are ultimately recorded in a unique code entered into the database. Image capture and processing time is 1-2 seconds for the best models.
The method of 3-D recognition based on images obtained from several cameras is also gaining popularity. An example of this is the Vocord company with its 3D scanner. This method gives positioning accuracy, according to the developers, higher than the template projection method. But until I see FAR and FRR at least in their own database, I won’t believe it!!! But it has been in development for 3 years now, and progress at exhibitions is not yet visible.
Statistical indicators of the method
Complete data on FRR and FAR for algorithms of this class are not publicly available on manufacturers’ websites. But for the best models from Bioscrypt (3D EnrolCam, 3D FastPass), working using the template projection method with FAR = 0.0047%, the FRR is 0.103%.
It is believed that the statistical reliability of the method is comparable to the reliability of the fingerprint identification method.
Advantages and disadvantages of the method
Advantages of the method. No need to contact the scanning device. Low sensitivity to external factors, both on the person himself (the appearance of glasses, a beard, a change in hairstyle) and in his environment (lighting, turning the head). High level of reliability comparable to fingerprint identification.
Disadvantages of the method. High cost of equipment. Commercially available systems were even more expensive than iris scanners. Changes in facial expressions and facial noise impair the statistical reliability of the method. The method is not yet well developed, especially in comparison with the long-used fingerprinting, which makes its widespread use difficult.
Market situation
Recognition by facial geometry is considered one of the “three big biometrics”, along with recognition by fingerprints and iris. It must be said that this method is quite common, and it is still preferred over recognition by the iris of the eye. The share of facial geometry recognition technologies in the total volume of the global biometric market can be estimated at 13-18 percent. In Russia, there is also greater interest in this technology than, for example, in iris identification. As mentioned earlier, there are many 3-D recognition algorithms. For the most part, companies prefer to develop ready-made systems, including scanners, servers and software. However, there are also those who only offer the SDK to the consumer. Today, the following companies are involved in the development of this technology: Geometrix, Inc. (3D face scanners, software), Genex Technologies (3D face scanners, software) in the USA, Cognitec Systems GmbH (SDK, special computers, 2D cameras) in Germany, Bioscrypt (3D face scanners, software) - a subsidiary of the American company L-1 Identity Solutions.
In Russia, the Artec Group company (3D facial scanners and software) is working in this direction - a company whose head office is located in California, while development and production are carried out in Moscow. Several Russian companies also own 2D facial recognition technology – Vocord, ITV, etc.
In the field of 2D face recognition, the main subject of development is software, because regular cameras do a great job of capturing facial images. The solution to the problem of recognition from a face image has to some extent reached a dead end - for several years now there has been virtually no improvement in the statistical indicators of algorithms. In this area, a systematic “work on mistakes” is taking place.
3D facial recognition is now a much more attractive area for developers. Many teams work there and we regularly hear about new discoveries. Many works are in the “about to be released” state. But so far there are only old offers on the market; the choice has not changed in recent years.
One interesting point that I sometimes think about, and that Habr can perhaps answer: is the accuracy of Kinect enough to create such a system? There are quite a few projects that extract a 3D model of a person with it.

Recognition by veins of the arm


This is a new technology in the field of biometrics; its widespread use began only 5-10 years ago. An infrared camera takes pictures of the outside or inside of the hand. The pattern of veins is formed due to the fact that hemoglobin in the blood absorbs infrared radiation. As a result, the degree of reflection is reduced and the veins are visible on the camera as black lines. A special program builds a digital template from the received data. No human contact with the scanning device is required.
The technology is comparable in reliability to iris recognition, being superior in some ways and inferior in others.
The FRR and FAR values are given for the Palm Vein scanner. According to the developer, with a FAR of 0.0008%, the FRR is 0.01%. No company provides a more accurate graph for several values.
Advantages and disadvantages of the method
Advantages of the method. No need to contact the scanning device. High reliability - the statistical indicators of the method are comparable to those of the iris. Hiddenness of the characteristic: unlike all the above, this characteristic is very difficult to obtain from a person “on the street,” for example, by photographing him with a camera.
Disadvantages of the method. The scanner should not be exposed to sunlight or halogen lamps. Some age-related diseases, such as arthritis, greatly worsen FAR and FRR. The method is less studied in comparison with other static biometric methods.
Market situation
Recognition of hand vein patterns is a fairly new technology, and therefore its share in the world market is small and amounts to about 3%. However, there is increasing interest in this method. The fact is that, being quite accurate, this method does not require such expensive equipment as, for example, recognition methods based on facial geometry or iris. Now many companies are developing in this area. For example, by order of the English company TDSi, software was developed for the biometric palm vein reader PalmVein, presented by Fujitsu. The scanner itself was developed by Fujitsu primarily to combat financial fraud in Japan.
The following companies also operate in the field of vein pattern identification: Veid Pte. Ltd. (scanner, software), Hitachi VeinID (scanners)
I don’t know of any companies in Russia working on this technology.

Retina


Until recently, it was believed that the most reliable method of biometric identification and personal authentication was a method based on scanning the retina. It combines the best features of iris and arm vein identification. The scanner reads the pattern of capillaries on the surface of the retina. The retina has a fixed structure, unchanged over time except as a result of disease, such as cataracts.
A retinal scan uses low-intensity infrared light directed through the pupil to the blood vessels at the back of the eye. Retinal scanners have become widespread in access control systems for highly sensitive facilities, since they have one of the lowest percentages of denied access to registered users and there is virtually no erroneous access permission.
Unfortunately, a number of difficulties arise when using this biometric method. The scanner here is a very complex optical system, and the person must not move for a significant amount of time while the system is aimed, which causes unpleasant sensations.
According to EyeDentify, for the ICAM2001 scanner with FAR=0.001%, the FRR value is 0.4%.
Advantages and disadvantages of the method
Advantages. High level of statistical reliability. Due to the low prevalence of systems, the likelihood of developing a way to “deceive” them is low.
Disadvantages. The system is difficult to use and has a long processing time. High cost of the system. Lack of a wide market supply and, as a consequence, insufficient intensity of development of the method.

Hand geometry


This method, which was quite common 10 years ago and originated from criminology, has been on the decline in recent years. It is based on obtaining the geometric characteristics of the hands: finger lengths, palm width, etc. This method, like the retina of the eye, is dying, and since it has much lower characteristics, we will not even introduce a more complete description of it.
It is sometimes believed that vein recognition systems use geometric recognition methods. But we have never seen anything like this explicitly stated on sale. And besides, often when recognizing by veins, a picture of only the palm is taken, while when recognizing by geometry, a picture of the fingers is taken.

A little self-PR

At one time, we developed a good eye recognition algorithm. But at that time, such a high-tech thing was not needed in this country, and we didn’t want to go to bourgeoistan (where we were invited after the first article). But suddenly, after a year and a half, there were investors who wanted to build themselves a “biometric portal” - a system that would feed 2 eyes and use the color component of the iris (for which the investor had a worldwide patent). Actually, this is what we are doing now. But this is not an article about self-PR, this is a short lyrical digression. If anyone is interested, there is some information, and sometime in the future, when we enter the market (or don’t), I will write a few words here about the ups and downs of the biometric project in Russia.

Conclusions

Even in the class of static biometric systems, there is a large selection of systems. Which one should you choose? It all depends on the requirements for the security system. The most statistically reliable and forgery-resistant access systems are the iris and hand vein access systems. For the first of them there is a wider market of offers. But this is not the limit. Biometric identification systems can be combined to achieve astronomical precision. The cheapest and easiest to use, but with good statistics, are fingerprint access systems. 2D face access is convenient and cheap, but has a limited range of applications due to poor statistical performance.
Let's consider the characteristics that each of the systems will have: resistance to counterfeiting, environmental resistance, ease of use, cost, speed, stability of the biometric feature over time. Let's put ratings from 1 to 10 in each column. The closer the score is to 10, the better the system in this regard. The principles for selecting assessments were described at the very beginning of the article.


We will also consider the relationship between FAR and FRR for these systems. This ratio determines the efficiency of the system and the breadth of its use.


It is worth remembering that for the iris, you can increase the accuracy of the system almost quadratically, without loss of time, if you complicate the system by making it for two eyes. For the fingerprint method - by combining several fingers, and recognition by veins, by combining two hands, but such an improvement is only possible with an increase in the time spent working with a person.
Summarizing the results for the methods, we can say that for medium and large objects, as well as for objects with the highest security requirements, the iris should be used as a biometric access and, possibly, recognition by hand veins. For facilities with up to several hundred personnel, access using fingerprints will be optimal. Recognition systems based on 2D facial images are very specific. They may be required in cases where recognition requires the absence of physical contact, but it is impossible to install an iris control system. For example, if it is necessary to identify a person without his participation, using a hidden camera, or an external detection camera, but this is only possible if there is a small number of subjects in the database and a small flow of people filmed by the camera.
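The arithmetic behind the two preceding paragraphs (combining samples, and why a large database hurts identification), as an added example that is not part of the original article. It assumes every comparison is statistically independent and uses the EyeDentify figures quoted earlier (FAR = 0.001%, FRR = 0.4%) purely as sample input; the function names are illustrative.

```python
import math

# Sample input: the only FAR/FRR pair quoted in this section
# (EyeDentify ICAM2001: FAR = 0.001 %, FRR = 0.4 %).
FAR = 0.001 / 100
FRR = 0.4 / 100


def identification_far(far: float, n: int) -> float:
    """Probability of at least one false match when one probe is searched
    against n enrolled templates (1:N), assuming independent comparisons."""
    # 1 - (1 - far)^n, written with log1p/expm1 so tiny rates do not round to 0.
    return -math.expm1(n * math.log1p(-far))


def max_database_size(far: float, target: float) -> int:
    """Largest n for which identification_far(far, n) stays at or below target."""
    return math.floor(math.log1p(-target) / math.log1p(-far))


def fuse_and(far: float, frr: float, k: int = 2) -> tuple[float, float]:
    """Accept only if all k independent samples match (e.g. both eyes).
    FAR becomes far^k; FRR grows to 1 - (1 - frr)^k, roughly k * frr."""
    return far ** k, -math.expm1(k * math.log1p(-frr))


def fuse_or(far: float, frr: float, k: int = 2) -> tuple[float, float]:
    """Accept if any one of k independent samples matches.
    FRR becomes frr^k; FAR grows to 1 - (1 - far)^k, roughly k * far."""
    return -math.expm1(k * math.log1p(-far)), frr ** k


def report() -> list[str]:
    """Build a small table for one sample and for the two-sample AND rule."""
    far2, frr2 = fuse_and(FAR, FRR, 2)
    lines = [
        f"single sample : FAR={FAR:.1e}  FRR={FRR:.4f}",
        f"two, AND rule : FAR={far2:.1e}  FRR={frr2:.4f}",
    ]
    for n in (100, 1_000, 100_000):
        lines.append(
            f"1:N search, N={n:>7}: "
            f"P(false match) single={identification_far(FAR, n):.4f}  "
            f"fused={identification_far(far2, n):.2e}"
        )
    lines.append(
        "max N for <=1% false matches: "
        f"single={max_database_size(FAR, 0.01)}  "
        f"fused={max_database_size(far2, 0.01)}"
    )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Under the AND rule the false acceptance rate is squared while the false rejection rate roughly doubles, so the gain in one rate is paid for in the other.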

A note for young technicians

Some manufacturers, for example Neurotechnology, have demo versions of the biometric methods they produce available on their website, so you can easily connect them and play around. For those who decide to delve into the problem more seriously, I can recommend the only book that I have seen in Russian - “Guide to Biometrics” by R.M. Ball, J.H. Connell, S. Pankanti. There are many algorithms and their mathematical models. Not everything is complete and not everything corresponds to modern times, but the base is good and comprehensive.

P.S.

In this opus I did not go into the problem of authentication, but only touched upon identification. In principle, from the characteristics of FAR/FRR and the possibility of forgery, all conclusions on the issue of authentication suggest themselves.


Modern science does not stand still. More and more often, high-quality protection for devices is required so that someone who accidentally takes possession of them cannot take full advantage of the information. In addition, methods of protecting information from are used not only in everyday life.

In addition to entering passwords digitally, more individualized biometric security systems are also used.

What is it?

Previously, such a system was used only in limited cases, to protect the most important strategic objects.

Then, after September 11, 2011, they came to the conclusion that such access could be applied not only in these areas, but also in other areas.

Thus, human identification techniques have become indispensable in a number of methods of combating fraud and terrorism, as well as in such areas as:

  • Biometric access systems to communication technologies, network and computer databases;
  • Database;
  • Access control to information storage facilities, etc.

Each person has a set of characteristics that do not change over time, or that can be modified but still belong only to a specific person. In this regard, it is possible to highlight the following parameters of biometric systems that are used in these technologies:

Static - fingerprints, ear photography, retinal scanning and others.

Biometric technologies will in the future replace conventional methods of authenticating a person using a passport, as built-in chips, cards and similar innovations of scientific technology will be implemented not only in this document, but also in others.

A small digression about personality recognition methods:

- Identification - one to many; the sample is compared with all available ones according to certain parameters.

- Authentication - one to one; the sample is compared with previously obtained material. In this case, the person may be known, and the obtained data of the person is compared with the sample parameter of this person available in the database.

How biometric security systems work

In order to create a base for a specific person, it is necessary to read his individual biological parameters with a special device.

The system remembers the received biometric characteristic sample (recording process). In this case, it may be necessary to make several samples to create a more accurate reference value for the parameter. The information received by the system is converted into a mathematical code.

In addition to creating the sample, the system may require additional steps to combine the personal identifier (PIN or smart card) and the biometric sample. Subsequently, when scanning for compliance occurs, the system compares the received data, comparing the mathematical code with those already recorded. If they match, that means the authentication was successful.

Possible mistakes

The system may produce errors, unlike recognition using passwords or electronic keys. In this case, the following types of issuing incorrect information are distinguished:

Type 1 error: false acceptance rate (FAR) - one person may be mistaken for another;

Type 2 error: false rejection rate (FRR) - the person is not recognized in the system.

In order to eliminate errors of this kind, for example, the FAR and FRR indicators need to intersect. However, this is not possible, since this would require DNA identification of the person.

Fingerprints

At the moment, this is the best-known biometric method. When receiving a passport, modern Russian citizens are required to undergo the procedure of taking fingerprints in order to add them to their personal card.

This method is based on the uniqueness of fingers and has been used for quite a long time, starting with forensics (fingerprinting). By scanning fingers, the system translates the sample into a unique code, which is then compared with an existing identifier.

As a rule, information processing algorithms use the individual location of certain points that contain fingerprints - branches, the end of a pattern line, etc. The time it takes to convert the image into code and produce the result is usually about 1 second.

The equipment, including the software for it, is currently supplied as a complete package and is relatively inexpensive.

Errors when scanning fingers (or both hands) occur quite often if:

  • there is unusual wetness or dryness of the fingers;
  • the hands have been treated with chemicals that make identification difficult;
  • there are microcracks or scratches;
  • there is a large and continuous flow of information. For example, this is possible in an enterprise where access to the workplace is carried out using a fingerprint scanner. Since the flow of people is significant, the system may fail.

The most famous companies that deal with fingerprint recognition systems: Bayometric Inc., SecuGen. In Russia, Sonda, BioLink, SmartLok, etc. are working on this.

Eye iris

The pattern of the iris is formed at the 36th week of intrauterine development, is established by two months and does not change throughout life. Biometric iris identification systems are not only the most accurate among others in this range, but also among the most expensive.

The advantage of the method is that scanning, that is, image capture, can occur both at a distance of 10 cm and at a distance of 10 meters.

When an image is captured, data about the location of certain points on the iris of the eye is transmitted to the computer, which then provides information about the possibility of admission. The speed of processing information about the human iris is about 500 ms.

For now, this recognition method accounts for no more than 9% of the total number of such identification methods on the biometric market. At the same time, the market share occupied by fingerprint technologies is more than 50%.

Scanners that allow you to capture and process the iris of the eye have a rather complex design and software, and therefore such devices have a high price. In addition, Iridian was initially a monopolist in the production of human recognition systems. Then other large companies began to enter the market, which were already engaged in the production of components for various devices.

Thus, at the moment in Russia there are the following companies that create human iris recognition systems: AOptix, SRI International. However, these companies do not provide indicators on the number of errors of types 1 and 2, so it is not a fact that the system is not protected from counterfeiting.

Facial geometry

There are biometric security systems associated with facial recognition in 2D and 3D modes. In general, it is believed that the facial features of each person are unique and do not change throughout life. Such characteristics as distances between certain points, shape, etc. remain unchanged.

2D mode is a static identification method. When capturing an image, it is necessary that the person does not move. The background, the presence of a mustache, beard, bright light and other factors that prevent the system from recognizing a face also matter. This means that if there are any inaccuracies, the result given will be incorrect.

At the moment, this method is not particularly popular due to its low accuracy and is used only in multimodal (cross) biometrics, which is a set of methods for recognizing a person by face and voice simultaneously. Biometric security systems may include other modules - DNA, fingerprints and others. In addition, the cross method does not require contact with the person who needs to be identified, which makes it possible to recognize people from photographs and voices recorded on technical devices.

The 3D method has completely different input parameters, so it cannot be compared with 2D technology. When recording an image, a face in dynamics is used. The system, capturing each image, creates a 3D model, with which the received data is then compared.

In this case, a special grid is used, which is projected onto the person’s face. Biometric security systems, taking several frames per second, process the incoming images in software. At the first stage of image creation, the software discards unsuitable images where the face is difficult to see or secondary objects are present.

Then the program identifies and ignores unnecessary objects (glasses, hairstyle, etc.). Anthropometric facial features are highlighted and remembered, generating a unique code that is entered into a special data warehouse. The image capture time is about 2 seconds.

However, despite the advantage of the 3D method over the 2D method, any significant interference on the face or changes in facial expressions degrade the statistical reliability of this technology.

Today, biometric facial recognition technologies are used along with the most well-known methods described above, accounting for approximately 20% of the total biometric technology market.

Companies that develop and implement facial identification technology: Geometrix, Inc., Bioscrypt, Cognitec Systems GmbH. In Russia, the following companies are working on this issue: Artec Group, Vocord (2D method) and other, smaller manufacturers.

Veins of the palm

About 10-15 years ago, a new biometric identification technology arrived - recognition by the veins of the hand. This became possible due to the fact that hemoglobin in the blood intensively absorbs infrared radiation.

A special IR camera photographs the palm, resulting in a network of veins appearing in the image. This image is processed by the software and the result is displayed.

The location of the veins on the arm is comparable to the features of the iris of the eye - their lines and structure do not change over time. The reliability of this method can also be correlated with the results obtained from identification using the iris.

There is no need to make contact with a reader to capture an image, but this method requires that certain conditions be met for the result to be as accurate as possible: it cannot be obtained by, for example, photographing a hand on the street. Also, do not expose the camera to light during scanning. The final result will be inaccurate if there are age-related diseases.

The distribution of the method on the market is only about 5%, but there is great interest in it from large companies that have already developed biometric technologies: TDSi, Veid Pte. Ltd., Hitachi VeinID.

Retina

Scanning the pattern of capillaries on the surface of the retina is considered the most reliable identification method. It combines the best characteristics of the biometric technologies for recognizing a person by the iris of the eye and by the veins of the hand.

The only time when the method can give inaccurate results is cataracts. Basically, the retina has an unchanged structure throughout life.

The disadvantage of this system is that the retina is scanned when the person does not move. The technology, which is complex in its application, requires a long processing time for results.

Due to its high cost, the biometric system is not widely used, but it provides the most accurate results of all methods for scanning human features on the market.

Hands

The previously popular method of identification by hand geometry is becoming less used, as it gives the lowest results compared to other methods. When scanning, fingers are photographed, their length, the relationship between the nodes and other individual parameters are determined.

Ear shape

Experts say that all existing identification methods are not as accurate as recognizing a person by However, there is a way to determine identity by DNA, but in this case there is close contact with people, so it is considered unethical.

Researcher Mark Nixon from the UK states that methods at this level are new generation biometric systems; they provide the most accurate results. Unlike the retina, iris or fingers, on which extraneous parameters may most likely appear that make identification difficult, this does not happen on the ears. Formed in childhood, the ear only grows without changing its main points.

The inventor called the method of identifying a person by the organ of hearing “beam image transformation.” This technology involves capturing an image with rays of different colors, which is then translated into a mathematical code.

However, according to the scientist, his method also has negative sides. For example, hair that covers the ears, an incorrectly chosen angle, and other inaccuracies can interfere with obtaining a clear image.

Ear scanning technology will not replace such a well-known and familiar identification method as fingerprints, but can be used along with it.

It is believed that this will increase the reliability of recognizing people. The combination of various methods (multimodal) is particularly important in catching criminals, the scientist believes. As a result of experiments and research, they hope to create software that will be used in court to uniquely identify guilty parties from images.

Human voice

Personal identification can be carried out both locally and remotely using voice recognition technology.

When talking, for example, on the phone, the system compares this parameter with those available in the database and finds similar samples in percentage terms. A complete match means that the identity has been established, that is, identification by voice has occurred.

In order to access something the traditional way, you must answer certain security questions. This is a digital code, mother's maiden name and other text passwords.

Modern research in this area shows that this information is quite easy to acquire, so identification methods such as voice biometrics can be used. In this case, it is not the knowledge of the codes that is subject to verification, but the person’s personality.

To do this, the client needs to say a code phrase or start talking. The system recognizes the caller's voice and checks whether it belongs to this person - whether he is who he claims to be.

Biometric information security systems of this type do not require expensive equipment, this is their advantage. In addition, to carry out voice scanning by the system, you do not need to have special knowledge, since the device independently produces a “true-false” result.

By handwriting

Identification of a person by the way they write letters takes place in almost any area of life where it is necessary to sign. This happens, for example, in a bank, when a specialist compares the sample generated when opening an account with the signatures affixed during the next visit.

The accuracy of this method is low, since identification does not occur using a mathematical code, as in the previous ones, but by simple comparison. There is a high level of subjective perception here. In addition, handwriting changes greatly with age, which often makes recognition difficult.

It is better in this case to use automatic systems that will allow you to determine not only visible matches, but also other distinctive features of the spelling of words, such as slope, distance between points and other characteristic features.

Biometric authentication systems are systems designed to verify a user's identity based on his biometric data. Such systems cope most effectively with providing access to specially protected areas where it is not possible to deploy personal security for one reason or another. They can be combined with automatic notification systems, alarms and security systems.

Methods of biometric identification (authentication)

Today, many biometric authentication (identification) methods exist and are in use. They are divided into two types.

  1. Static methods. They are based on unique (physiological) characteristics that do not change throughout human life and cannot be lost in any way. Copying by fraudsters is also excluded.
  2. Dynamic methods. Based on the characteristics of the everyday behavior of a particular person. Less common than static ones and practically not used.

Static

  • A fingerprint is a method of recognizing the uniqueness of papillary lines (patterns) on a person’s finger. Using a scanner, the system receives a print, then digitizes it and then compares it with previously entered templates (sets of drawings).
  • Retinal imaging is a method of scanning and recognizing the unique pattern of blood vessels in the fundus of a person. This procedure uses low-intensity radiation. Radiation through the pupil is directed to the blood vessels that are located on the back wall of the eye. Special points are identified from the received signal, information about which is stored in the system template.
  • Using the iris of the eye is a method that identifies a person by the unique features of the iris. This technology is designed to minimize the use of retinal scanning, since the latter uses infrared rays and bright light, which negatively affect the health of the eye.
  • The geometry of the hand is the shape of the hand. This method uses multiple characteristics because individual parameters are not unique. The following are scanned: the back of the hand, fingers (thickness, length, bends) as well as the structure of bones and joints.
  • Facial geometry is a scanning method that identifies the contours of eyebrows and eyes, lips and nose, as well as other elements of the face. After this, the distance between these elements is calculated and a three-dimensional model of the face is built. It takes from twelve to forty specific elements, characteristic of a particular person, to create and recreate a unique template.
  • Facial thermogram - a method based on the unique distribution of temperature fields on the face. Used with infrared cameras. Due to their frankly low quality, such systems are not widely used.

Dynamic

  • By voice - an easy-to-use method using only an audio card and a microphone. Today, there are many ways to build templates for such a system. Widely used in business centers.
  • By handwriting - based on the specific movement of the hand when writing a signature (signing documents, etc.). Special pressure-sensitive pens are used to create templates and save them.

Combined (multimodal)

Such methods are used in strict and complex security systems. In such cases, several types of biometric characteristics of a person (user) are used, which are combined in one system.

Biometric security systems

The essence of biometric security systems is to prove that you are you. These systems eliminate the possibility that the system itself may mistake you for someone else. Due to the uniqueness of human characteristics, biometric systems are used to prevent various types of fraud, hacking and unwanted access.

Biometric security systems can operate in two modes, depending on what the user intends to provide to the system.

  1. Verification - comparison of the user with a ready-made biometric template.
  2. Identification is a comparison of a user with many others. After receiving biometric data, the system searches the database for information to determine the user's identity.

Biometric access control systems are used:

  • at large enterprises;
  • at certain facilities requiring increased security;
  • for recording working hours;
  • to register attendance;
  • to restrict access to special premises.

Biometric access control systems

Fingerprint terminals

They are used to restrict access to premises. Often such devices are used to track working time. Depending on the type and model, they may have housings of different appearance, different degrees of protection, many options for scanners (fingerprint readers) and additional functions.

Possibilities:

  • storing in a database from 100 to 3,000 fingerprint templates;
  • saving thousands of attendance records.

Basic operating principles:

  • User programming occurs using a special card or when connected to a computer;
  • USB is used to transfer attendance files to a computer;
  • it is possible to build network access distribution systems via the Ethernet interface.

Image recognition terminals (facial geometry)

Such biometric access control allows contactless identification of the user. They are successfully used in enterprises where the quality of fingerprints is unsatisfactory for recognition, due to the workflow. Depending on the type and model, the case may have a different appearance, different degrees of protection, design features and a set of additional functions.

Possibilities:

  • infrared optical systems allow you to recognize the user in dark or poor lighting;
  • built-in wireless communications (GPRS, Wi-Fi) for operational control;
  • electronic locks, alarm sensors, door sensors, backup batteries to expand functionality;
  • up to 100,000 face templates.

Terminals with built-in iris recognition system

Allows for user identification (authentication) in real time. Scan both statically and in motion. Capacity is up to twenty people per minute. These terminals are used for time tracking, access control and often in financial payment systems to confirm transactions.

Basic characteristics (vary depending on the device model):

  • POE+ power supply (via Ethernet);
  • registration and verification takes place in the terminal itself;
  • scanning occurs with built-in cameras;
  • event memory up to 70,000 entries;
  • Various additional interfaces are available (eg Wiegand).

Readers with finger vein recognition

Since veins are located inside the human body, their image cannot be faked. Recognition is possible even in the presence of scratches and cuts. Therefore, such biometric security and access control systems are practically the most reliable way to identify a user. The use of systems of this class is recommended at particularly critical facilities.

Possibilities:

  • the terminal can be used as a direct electronic lock controller;
  • can act as a reader with connection to third-party controllers;
  • various access control modes, in addition to finger vein pattern recognition: contactless card, code or a combination of both.

Palm vein pattern recognition systems

Such devices provide high recognition accuracy and eliminate the possibility of forging an identifier.

Principle of operation:

  • the palm is illuminated with light that is close to infrared;
  • this light is absorbed by deoxygenated hemoglobin inside the veins, revealing the pattern;
  • to authorize the user, unique samples of vein patterns are checked against existing (previously registered) patterns (samples) in the database.

Biometric terminals based on hand geometry

Unique three-dimensional characteristics of the geometry of their palms are used to identify users. The identification process consists of one action - you need to place your hand on a special surface of the terminal.

Features (varies by model):

  • identification speed is less than one second;
  • ease of registration of templates;
  • outputting information to a printer (via various built-in interfaces);
  • Autonomous memory for more than 5,000 events;
  • possibility of forced entry.

Benefits of using biometric security systems

  • high reliability;
  • simple scanning procedures;
  • large selection of models available for sale;
  • affordable prices for popular devices.

Biometric access control systems not only allow you to control access to local areas, but also allow you to control and maintain time sheets, provide feedback to staff about tardiness and delays, which encourages them to increase responsibility for the work process.

Biometric identification is the presentation by the user of his unique biometric parameter and the process of comparing it with the entire database of available data. To extract this kind of personal data, .

Biometric access control systems are convenient for users because the storage media is always with them and cannot be lost or stolen. is considered more reliable, because cannot be transferred to third parties or copied.

Biometric identification technologies

Biometric identification methods:

1. Static, based on the physiological characteristics of a person that are present with him throughout his life:

  • Identification;
  • Identification;
  • Identification;
  • Identification by hand geometry;
  • Identification by facial thermogram;
  • Identification by DNA.
  • Identification
  • Identification

Dynamic ones take as a basis the behavioral characteristics of people, namely subconscious movements in the process of repeating any ordinary action: handwriting, voice, gait.

  • Identification;
  • Identification by handwriting;
  • Identification by keyboard handwriting
  • and others.

One of the priority types of behavioral biometrics is typing style on the keyboard. When determining it, the typing speed, the pressure on the keys, the duration of pressing a key, and the time intervals between keystrokes are recorded.

A separate biometric factor can be the manner in which you use the mouse. In addition, behavioral biometrics covers a large number of factors not related to the computer - gait, features of how a person climbs stairs.

There are also combined identification systems that use several biometric characteristics, which makes it possible to satisfy the most stringent requirements for the reliability and security of access control systems.

Biometric identification criteria

To determine the effectiveness of ACS based on biometric identification, the following indicators are used:

  • - false miss rate;
  • FMR is the probability that the system incorrectly compares an input pattern with an unmatched pattern in the database;
  • - false refusal rate;
  • FNMR is the probability that the system will make a mistake in determining matches between the input sample and the corresponding template from the database;
  • ROC graph - visualization of the trade-off between FAR and FRR characteristics;
  • Failure to enroll rate (FTE or FER) - the rate of unsuccessful attempts to create a template from input data (if the quality of the latter is low);
  • Failure to capture rate (FTC) - the probability that an automated system is unable to detect biometric input when it is submitted correctly;
  • Template capacity is the maximum number of data sets that can be stored in the system.

In Russia, the use of biometric data is regulated by Article 11 of the Federal Law “On Personal Data” dated July 27, 2006.

Comparative analysis of the main methods of biometric identification

Comparison of biometric authentication methods using mathematical statistics (FAR and FRR)

The main parameters for evaluating any biometric system are two parameters:

FAR (False Acceptance Rate) - the false acceptance rate, i.e. the percentage of situations where the system allows access to a user who is not registered in the system.

FRR (False Rejection Rate) - the false rejection rate, i.e. denial of access to a real user of the system.

Both characteristics are obtained by calculation based on the methods of mathematical statistics. The lower these indicators, the more accurate the object recognition.
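How the two rates are computed from comparison scores, and how the decision threshold trades one against the other, as an added example that is not part of the original article. The similarity scores are constructed for illustration, and the rule "accept when score >= threshold" is an assumption about the matcher.

```python
# Constructed similarity scores (higher = more alike); not measurements
# from any real device.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.62, 0.93, 0.70, 0.89, 0.97]
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.66, 0.19, 0.52, 0.33, 0.08, 0.45,
            0.71, 0.25, 0.38, 0.15, 0.30, 0.48, 0.22, 0.57, 0.10, 0.44]


def far_frr(genuine, impostor, threshold):
    """FAR = share of impostor comparisons accepted,
    FRR = share of genuine comparisons rejected, at one threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor):
    """(threshold, FAR, FRR) for every distinct score, in ascending order.
    The final threshold of +inf rejects everyone (FAR = 0, FRR = 1)."""
    candidates = sorted(set(genuine) | set(impostor)) + [float("inf")]
    return [(t, *far_frr(genuine, impostor, t)) for t in candidates]


def equal_error_rate(genuine, impostor):
    """Threshold where FAR and FRR are closest, and the EER estimate there."""
    t, far, frr = min(sweep(genuine, impostor), key=lambda p: abs(p[1] - p[2]))
    return t, (far + frr) / 2


def threshold_for_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR
    that users then have to live with."""
    for t, far, frr in sweep(genuine, impostor):
        if far <= max_far:
            return t, far, frr


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR):
        print(f"threshold={t:<5} FAR={far:.2f} FRR={frr:.2f}")
    print("EER:", equal_error_rate(GENUINE, IMPOSTOR))
    print("operating point for FAR = 0:", threshold_for_far(GENUINE, IMPOSTOR, 0.0))
```

On this data, pushing FAR from 10% down to zero doubles FRR from 10% to 20%, which is why a single rate quoted without the other says little about a system.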

For the most popular biometric identification methods today, the average FAR and FRR values are as follows:

But to build an effective access control system, excellent FAR and FRR indicators are not enough. For example, it is difficult to imagine an access control system based on DNA analysis, although with this authentication method the indicated coefficients tend to zero. But the identification time increases, the influence of the human factor increases, and the cost of the system increases unjustifiably.

Thus, for a qualitative analysis of a biometric access control system, it is necessary to use other data, which, sometimes, can only be obtained experimentally.

First of all, such data should include the possibility of falsifying biometric data for identification in the system and ways to increase the level of security.

Secondly, the stability of biometric factors: their immutability over time and independence from environmental conditions.

As a logical consequence, the speed of authentication and the possibility of quick contactless capture of biometric data for identification.

And, of course, the cost of implementing a biometric access control system based on the authentication method under consideration and the availability of components.

Comparison of biometric methods for resistance to data falsification

Falsification of biometric data is in any case a rather complex process, often requiring special training and technical support. But while a fingerprint can be faked at home, no successful falsification of the iris is yet known. And for retinal biometric authentication systems, it is simply impossible to create a fake.

Comparison of biometric methods for strong authentication capabilities

Improving the security level of a biometric access control system is usually achieved using hardware and software methods. For example, “living finger” technologies for fingerprints, or analysis of involuntary twitches for the eyes. To increase the level of security, a biometric method can be one of the components of a multifactor authentication system.

The inclusion of additional security features in a hardware and software system usually significantly increases its cost. However, for some methods, strong authentication based on standard components is possible: using several templates to identify the user (for example, multiple fingerprints).

Comparison of authentication methods based on the immutability of biometric characteristics

The constancy of biometric characteristics over time is also a conditional concept: all biometric parameters can change as a result of a medical operation or injury. But while an ordinary household cut, which can complicate the user’s fingerprint verification, is a common situation, an operation that changes the pattern of the iris of the eye is rare.

Comparison of sensitivity to external factors

The influence of environmental parameters on the efficiency of ACS depends on the algorithms and operating technologies implemented by the equipment manufacturer, and can differ significantly even within the same biometric method. A striking example of such differences is fingerprint readers, which are generally quite sensitive to the influence of external factors.

If we compare other methods of biometric identification, 2D facial recognition will be the most sensitive: the presence of glasses, a hat, a new hairstyle or a grown beard can be critical here.

Systems using the retinal authentication method require a fairly rigid position of the eye relative to the scanner, immobility of the user and focusing of the eye itself.

Methods for identifying a user by the pattern of veins and the iris of the eye are relatively stable in operation, unless you try to use them in extreme operating conditions (for example, contactless authentication over a long distance during “mushroom” rain).

Three-dimensional facial identification is the least sensitive to the influence of external factors. The only parameter that can affect the operation of such an access control system is excessive illumination.

Authentication speed comparison

Authentication speed depends on the time of data capture, the size of the template and the amount of resources allocated for its processing, and the main software algorithms used to implement a specific biometric method.

Comparison of contactless authentication capabilities

Contactless authentication gives biometric methods many advantages in physical security systems at facilities with high sanitary and hygienic requirements (medicine, food industry, research institutes and laboratories). In addition, the ability to identify a remote object speeds up the verification procedure, which is important for large access control systems with high throughput. Contactless identification can also be used by law enforcement agencies for official purposes. That is why, but have not yet achieved sustainable results. Particularly effective are methods that allow you to capture the biometric characteristics of an object at a great distance and during movement. With the spread of video surveillance, the implementation of this operating principle is becoming increasingly easy.

Comparison of biometric methods for the psychological comfort of the user

The psychological comfort of users is also a fairly relevant indicator when choosing a security system. Two-dimensional facial recognition or iris recognition happens unnoticed, whereas scanning the retina is a rather unpleasant process. And identification by fingerprint, although it does not bring unpleasant sensations, can cause negative associations with forensic methods.

Comparison of the cost of implementing biometric methods in access control systems

The cost of access control and accounting systems varies greatly depending on the biometric identification methods used. However, the difference can also be noticeable within one method, depending on the purpose of the system (functionality), production technologies, methods that increase protection against unauthorized access, etc.

Comparison of the availability of biometric identification methods in Russia

Identification-as-a-service

Identification as a Service is a fairly new concept in the biometric technology market, but it promises a lot of obvious advantages: ease of use, time saving, security, convenience, versatility and scalability, like other systems based on cloud storage and data processing.

First of all, Identification-as-a-service is of interest for large projects with a wide range of security tasks, in particular for state and local law enforcement agencies, allowing the creation of innovative automated biometric identification systems that provide real-time identification of suspects and criminals.

Cloud identification as the technology of the future

The development of biometric identification runs parallel to the development of cloud services. Modern technological solutions are aimed at integrating various segments into comprehensive solutions that satisfy all client needs, and not only in ensuring physical security. So the combination of cloud services and biometrics as part of access control systems is a step that fully meets the spirit of the times and looks into the future.

What are the prospects for combining biometric technologies with cloud services?

The editors of the site addressed this question to the largest Russian system integrator, the Technoserv company:

"Let's start with the fact that the intelligent integrated security systems that we are demonstrating are, in fact, one of the cloud options. And the option from the movie: a person walked past the camera once and he was already logged into the system... This will happen. Over time, with increasing computing power, but it will be.

Now for one identification in a stream, with guaranteed quality, you need at least eight computer cores: this is to digitize the image and quickly compare it with the database. Today this is technically possible, but commercially impossible - such a high cost is simply not reasonable. However, with increasing capacity, we will come to the point that a single bioidentification base will still be created," answers Alexander Abramov, director of the department of multimedia and situation centers at Technoserv.

Identity as a Morpho Cloud Service

The first deployment of an automated biometric identification system for government law enforcement in a commercial cloud environment, completed in September 2016, indicates the acceptance of cloud services as a convenient and secure solution: MorphoTrak, a subsidiary of Safran Identity & Security, and the Albuquerque Police Department successfully deployed MorphoBIS on the MorphoCloud. Police have already noted a significant increase in processing speed, as well as the ability to recognize prints of significantly lower quality.

The service developed by MorphoTrak is based on Microsoft Azure Government and includes several biometric identification mechanisms: fingerprint biometrics, facial and iris biometrics. In addition, tattoo recognition, voice recognition, services (VSaaS) are possible.

The system's cybersecurity is guaranteed in part by its hosting of the government's criminal justice server, Criminal Justice Information Services (CJIS), and in part by the combined security expertise of Morpho and Microsoft.

"We designed our solution to help law enforcement agencies achieve time savings and increased efficiency. Security is, of course, a key element. We wanted a cloud-based solution that would meet the government's stringent CJIS security policies and found Microsoft the ideal partner to ensure tight controls on criminal cases and national security data, within a distributed data center environment," says Frank Barrett, Director of Cloud Services at MorphoTrak, LLC.

As a result, Morpho Cloud is an outstanding example of outsourced identity management, which can provide effective and cost-effective improvements to law enforcement security systems. Identity as a service provides benefits not available to most institutions. For example, geo-distributed disaster recovery is generally not feasible from a high project cost perspective, and improving security in this way is only possible due to the scale of Microsoft Azure and Morpho Cloud.

Biometric authentication on mobile devices

Fingerprint authentication on mobile devices

A study by Biometrics Research Group, Inc. is devoted to the analysis and forecast of the development of the market for biometric authentication in mobile devices. The study was sponsored by leading biometrics market manufacturers Cognitec, VoicePIN and Applied Recognition.

Mobile biometrics market in numbers

According to the study, the volume of the mobile biometrics segment is estimated at $9 billion by 2018 and $45 billion by 2020 worldwide. At the same time, biometric characteristics will be used for authentication not only to unlock mobile devices, but also to organize multi-factor authentication and instantly confirm electronic payments.

The development of the mobile biometrics market segment is associated with the active use of smartphones with pre-installed sensors. It is noted that by the end of 2015, at least 650 million people will use biometrics on mobile devices. The number of users of mobile phones with biometric sensors is projected to grow by 20.1% per year and by 2020 will be at least 2 billion people.

Material from the special project "Without a Key"

The special project “Without a Key” is an accumulator of information about access control systems, convergent access and card personalization

Identity theft is a growing public concern—millions become victims of identity theft every year, according to the Federal Trade Commission, and “identity theft” has become the most common consumer complaint. In the digital age, traditional authentication methods - passwords and IDs - are no longer sufficient to combat identity theft and ensure security. “Surrogate representations” of personality are easy to forget somewhere, lose, guess, steal or transfer.

Biometric systems recognize people based on their anatomical features (fingerprints, facial image, palm line pattern, iris, voice) or behavioral traits (signature, gait). Because these traits are physically associated with the user, biometric recognition is reliable as a mechanism to ensure that only those with the necessary credentials can enter a building, access a computer system or cross a state border. Biometric systems also have unique advantages: they do not allow a user to repudiate a completed transaction, and they make it possible to determine when an individual uses several documents (for example, passports) under different names. Thus, when properly implemented in appropriate applications, biometric systems provide a high level of security.

Law enforcement agencies have relied on biometric fingerprint authentication in their investigations for over a century, and recent decades have seen rapid growth in the adoption of biometric recognition systems in government and commercial organizations around the world. Fig. 1 shows some examples. While many of these implementations have been highly successful, there are concerns about the insecurity of biometric systems and potential privacy violations due to the unauthorized publication of users' stored biometric data. Like any other authentication mechanism, a biometric system can be bypassed by an experienced fraudster with sufficient time and resources. It is important to allay these concerns to gain public trust in biometric technologies.

Operating principle of the biometric system

At the registration stage, the biometric system records a sample of the user's biometric trait using a sensor, for example by capturing the face with a camera. Individual features, such as minutiae (fine details of the lines of a finger), are then extracted from the biometric sample using a feature extractor software algorithm. The system stores the extracted traits as a template in a database along with other identifiers such as name or ID number. For authentication, the user presents another biometric sample to the sensor. The traits extracted from it constitute a query that the system compares to the template of the claimed identity using a matching algorithm. It returns a match score that reflects the degree of similarity between the template and the query. The system accepts the claim only if the match score exceeds a predefined threshold.

Vulnerabilities of biometric systems

The biometric system is vulnerable to two types of errors (Fig. 2). When the system does not recognize a legitimate user, a denial of service occurs, and when an impostor is incorrectly identified as an authorized user, an intrusion is said to occur. There are many possible reasons for such failures; they can be divided into natural restrictions and malicious attacks.

Natural restrictions

Unlike password authentication systems, which require an exact match of two alphanumeric strings, a biometric authentication system relies on the degree of similarity of two biometric samples. Since individual biometric samples obtained during registration and authentication are rarely identical, as shown in Fig. 3, the biometric system can make two kinds of authentication errors. A false non-match occurs when two samples from the same individual have low similarity and the system cannot match them. A false match occurs when two samples from different individuals have high similarity and the system incorrectly declares them a match. A false non-match leads to denial of service to a legitimate user, while a false match can lead to an impostor intrusion. Since the impostor does not need to use any special measures to deceive the system, such an intrusion is called a zero-effort attack. Much of the research in biometrics over the past fifty years has focused on improving authentication accuracy, that is, minimizing false non-matches and false matches.
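The trade-off between the two error types described here (and the FAR and FRR figures defined earlier on this page) can be measured by sweeping the decision threshold over a set of match scores. The following is an added example, not part of the original article; the score distributions are constructed for illustration and the function names are hypothetical.

```python
import random


def make_scores(seed=7, n_genuine=500, n_impostor=5000):
    """Constructed match scores in [0, 1]; not measurements from any real system."""
    rng = random.Random(seed)

    def clip(x):
        return min(1.0, max(0.0, x))

    # Same-person comparisons score high, different-person comparisons score low,
    # but the two distributions overlap, which is what produces both error types.
    genuine = [clip(rng.gauss(0.75, 0.10)) for _ in range(n_genuine)]
    impostor = [clip(rng.gauss(0.35, 0.12)) for _ in range(n_impostor)]
    return genuine, impostor


def far_frr(genuine, impostor, threshold):
    """The system accepts a claim when score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # false matches
    frr = sum(s < threshold for s in genuine) / len(genuine)     # false non-matches
    return far, frr


def sweep(genuine, impostor, steps=1000):
    """(threshold, FAR, FRR) for thresholds 0.000, 0.001, ..., 1.000."""
    return [(t / steps, *far_frr(genuine, impostor, t / steps))
            for t in range(steps + 1)]


def equal_error_rate(curve):
    """Threshold where the FAR and FRR curves cross, and the error rate there."""
    t, far, frr = min(curve, key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


def threshold_for_far(curve, target_far):
    """Lowest threshold whose FAR does not exceed target_far."""
    for t, far, frr in curve:
        if far <= target_far:
            return t, far, frr
    return curve[-1]


if __name__ == "__main__":
    genuine, impostor = make_scores()
    curve = sweep(genuine, impostor)
    t_eer, eer = equal_error_rate(curve)
    print(f"EER = {eer:.3%} at threshold {t_eer:.3f}")
    for target in (0.01, 0.001):
        t, far, frr = threshold_for_far(curve, target)
        print(f"FAR <= {target:.1%}: threshold {t:.3f}, FAR {far:.3%}, FRR {frr:.3%}")
```

Tightening the threshold to push FAR down raises FRR sharply, which is why a single EER figure says little about how a system behaves at the operating point an access control deployment actually needs.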

Malicious attacks

The biometric system can also fail as a result of malicious manipulation, which can be carried out through insiders, such as system administrators, or through a direct attack on the system infrastructure. An attacker can bypass the biometric system by colluding with (or coercing) insiders, or taking advantage of their negligence (for example, not logging out after completing a transaction), or by fraudulently manipulating the registration and exception handling procedures that were originally designed to help authorized users. External attackers can also cause a biometric system to fail through direct attacks on the user interface (sensor), feature extraction or matching modules, or connections between modules or the template database.

Examples of attacks targeting system modules and their interconnections include Trojan horses, man-in-the-middle attacks, and replay attacks. Since most of these attacks also apply to password authentication systems, there are a number of countermeasures such as cryptography, timestamping, and mutual authentication that can prevent or minimize the effect of such attacks.

Two serious vulnerabilities that deserve special attention in the context of biometric authentication are UI spoofing attacks and template database leaks. These two attacks have a serious negative impact on the security of the biometric system.

A spoofing attack consists of providing a fake biometric trait that is not derived from a living person: a plasticine finger, a snapshot or mask of a face, a real severed finger of a legitimate user.

The fundamental principle of biometric authentication is that although the biometric features themselves are not secret (a photo of a person's face or a fingerprint can be secretly obtained from an object or surface), the system is nonetheless secure because the feature is physically tied to a living user. Successful spoofing attacks violate this basic assumption, thereby seriously compromising the security of the system.

Researchers have proposed many methods for determining the living state. For example, by verifying the physiological characteristics of the fingers or observing involuntary factors such as blinking, it is possible to ensure that the biometric feature recorded by the sensor actually belongs to a living person.

A template database leak is a situation when information about a legitimate user's template becomes available to an attacker. This increases the risk of forgery, since it becomes easier for an attacker to restore the biometric pattern by simply reverse engineering the template (Fig. 4). Unlike passwords and physical IDs, a stolen template cannot simply be replaced with a new one, since biometric features exist in a single copy. Stolen biometric templates can also be used for unrelated purposes - for example, to secretly spy on a person in various systems or to obtain private information about his health.

Biometric template security

The most important factor in minimizing the security and privacy risks associated with biometric systems is protecting the biometric templates stored in the system's database. While these risks can be mitigated to some extent by decentralized template storage, such as on a smart card carried by the user, such solutions are not practical in systems like US-VISIT and Aadhaar, which require deduplication capabilities.

Today, there are many methods for protecting passwords (including encryption, hashing and key generation), but they are based on the assumption that the passwords that the user enters during registration and authentication are identical.

Template security requirements

The main difficulty in developing biometric template security schemes is to achieve an acceptable compromise between the three requirements.

Irreversibility. It must be computationally difficult for an attacker to recover biometric traits from a stored template or to create physical forgeries of a biometric trait.

Distinguishability. The template protection scheme must not degrade the authentication accuracy of the biometric system.

Cancellability. It should be possible to create multiple secure templates from the same biometric data that cannot be linked to that data. This property not only allows the biometric system to revoke and issue new biometric templates if the database is compromised, but also prevents cross-matching between databases, thereby maintaining the privacy of user data.

Template protection methods

There are two general principles for protecting biometric templates: biometric trait transformation and biometric cryptosystems.

With biometric trait transformation (Fig. 5, a), the protected template is obtained by applying an irreversible transformation function to the original template. This transformation is usually based on the individual characteristics of the user. During the authentication process, the system applies the same transformation function to the request, and the comparison occurs for the transformed sample.
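One way to realise such a transformation, shown as an added example that is not part of the original article: a user-specific seed generates a random projection, and only the sign of each projected value is stored. The projection-and-sign construction, the seed strings, the feature vectors and the 0.25 distance threshold are all assumptions made for illustration; the sketch demonstrates matching in the transformed domain and re-issuing a template, and is not a security-evaluated scheme.

```python
import random


def projection(seed, n_bits, dim):
    """User-specific transform parameters: a seeded random Gaussian matrix."""
    rng = random.Random(seed)
    return [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(n_bits)]


def protect(features, seed, n_bits=128):
    """Project the feature vector and keep only the sign of each projection.

    Many different feature vectors map to the same bit string, so the stored
    template does not contain the original features.
    """
    rows = projection(seed, n_bits, len(features))
    return [1 if sum(w * x for w, x in zip(row, features)) >= 0 else 0
            for row in rows]


def hamming_fraction(a, b):
    """Fraction of differing bits between two protected templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(stored, query_features, seed, max_distance=0.25):
    """Transform the query with the same seed and compare in the transformed domain."""
    return hamming_fraction(stored, protect(query_features, seed)) <= max_distance


def noisy(features, rng, sigma=0.1):
    """A second capture of the same trait: same features plus sensor noise."""
    return [x + rng.gauss(0, sigma) for x in features]


def demo():
    rng = random.Random(1)
    alice = [rng.gauss(0, 1) for _ in range(128)]  # constructed feature vector
    bob = [rng.gauss(0, 1) for _ in range(128)]    # constructed feature vector
    enrolled = protect(alice, "alice-token-v1")
    # Same person, same seed: templates stay close despite sensor noise.
    genuine = hamming_fraction(enrolled, protect(noisy(alice, rng), "alice-token-v1"))
    # Different person, same seed: about half of the bits differ.
    impostor = hamming_fraction(enrolled, protect(bob, "alice-token-v1"))
    # Same person, new seed (re-issued after a leak): the old and new templates
    # look unrelated, so the leaked one no longer matches.
    reissued = hamming_fraction(enrolled, protect(alice, "alice-token-v2"))
    return genuine, impostor, reissued


if __name__ == "__main__":
    print("genuine %.3f  impostor %.3f  reissued %.3f" % demo())
```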

Biometric cryptosystems (Fig. 5, b) store only part of the information obtained from the biometric template - this part is called a secure sketch. Although it is not sufficient by itself to restore the original template, it still contains the necessary amount of data to restore the template if there is another biometric sample similar to the one obtained during registration.

A secure sketch is typically obtained by associating a biometric template with a cryptographic key; however, a secure sketch is not the same as a biometric template encrypted with standard methods. In conventional cryptography, the encrypted template and the decryption key are two different units, and the template is secure only if the key is also secure. In a secure sketch, both the biometric template and the cryptographic key are encapsulated. Neither the key nor the template can be recovered with only a protected sketch. When the system is presented with a biometric request that is sufficiently similar to the template, it can recover both the original template and the cryptokey using standard error detection techniques.

Researchers have proposed two main methods for generating a secure sketch: fuzzy commitment and fuzzy vault. The first can be used to protect biometric templates represented as fixed-length binary strings. The second is useful for protecting patterns represented as sets of points.
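The fuzzy commitment idea for fixed-length binary templates, as an added example that is not part of the original article: the key is expanded with an error-correcting code, XORed with the template to form the stored helper data, and checked against a hash on recovery. The 7-fold repetition code and the unsalted SHA-256 check are simplifying assumptions chosen to keep the example short, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

R = 7  # repetition factor: majority vote corrects up to 3 flipped bits per block


def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    return bytes(sum(b << i for i, b in enumerate(bits[j:j + 8]))
                 for j in range(0, len(bits), 8))


def encode(key_bits):
    """Repetition code: every key bit is written R times."""
    return [b for b in key_bits for _ in range(R)]


def decode(code_bits):
    """Majority vote over each block of R bits."""
    return [1 if sum(code_bits[i:i + R]) > R // 2 else 0
            for i in range(0, len(code_bits), R)]


def commit(template_bits, key):
    """Enrollment: store helper = template XOR codeword, plus a hash of the key."""
    codeword = encode(to_bits(key))
    if len(codeword) != len(template_bits):
        raise ValueError("template must be len(key) * 8 * R bits long")
    helper = [t ^ c for t, c in zip(template_bits, codeword)]
    return helper, hashlib.sha256(key).digest()


def open_commitment(query_bits, helper, digest):
    """Authentication: query XOR helper is the codeword plus the bit errors
    between query and template; decoding removes them if they are few enough."""
    candidate = from_bits(decode([q ^ h for q, h in zip(query_bits, helper)]))
    ok = hmac.compare_digest(hashlib.sha256(candidate).digest(), digest)
    return candidate if ok else None


def flip(bits, positions):
    """Constructed capture noise: invert the bits at the given positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    template = to_bits(secrets.token_bytes(16 * R))   # constructed binary template
    helper, digest = commit(template, key)
    close = flip(template, [0, 1, 2, 50, 300, 895])   # at most 3 errors per block
    far = [b ^ 1 for b in template]                   # every bit differs
    print("close query recovers key:", open_commitment(close, helper, digest) == key)
    print("far query recovers key:  ", open_commitment(far, helper, digest) is not None)
```

The database holds only `helper` and `digest`; a query that differs from the enrolled template by more than the code can correct yields a wrong key candidate, which the hash check rejects.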

Pros and cons

Biometric trait transformation and biometric cryptosystems have their pros and cons.

In a feature transformation scheme, the mapping often occurs directly, and it is even possible to develop transformation functions that do not change the characteristics of the original feature space. However, it can be difficult to create a successful transformation function that is irreversible and tolerant of the inevitable change in a user's biometric traits over time.

Although there are techniques for generating a secure sketch based on information theory principles for biometric systems, the challenge is to represent these biometric features in standardized data formats such as binary strings and point sets. Therefore, one of the current research topics is the development of algorithms that convert the original biometric template into such formats without loss of meaningful information.

The fuzzy commitment and fuzzy vault methods have other limitations, including the inability to generate many unrelated patterns from the same set of biometric data. One possible way to overcome this problem is to apply the trait transformation function to the biometric template before it is protected by the biometric cryptosystem. Biometric cryptosystems that combine transformation with the generation of a secure sketch are called hybrid.

Privacy puzzle

The inextricable connection between users and their biometric traits gives rise to legitimate concerns about the possibility of disclosure of personal data. In particular, knowledge of information about biometric templates stored in the database can be used to compromise private information about the user. Template protection schemes can mitigate this threat to some extent, but many complex privacy issues lie beyond the scope of biometric technologies. Who owns the data - the individual or the service providers? Is the use of biometrics consistent with the security needs of each specific case? For example, should a fingerprint be required when purchasing a hamburger at a fast food restaurant or when accessing a commercial Web site? What is the optimal tradeoff between application security and privacy? For example, should governments, businesses, and others be allowed to use surveillance cameras in public places to secretly monitor users' legitimate activities?

Today there are no successful practical solutions for such issues.

Biometric recognition provides stronger user authentication than passwords and identification documents, and is the only way to detect impostors. Although biometric systems are not completely secure, researchers have made significant strides towards identifying vulnerabilities and developing countermeasures. New algorithms to protect biometric templates address some of the concerns about system security and user privacy, but more improvements will be needed before such methods are ready for use in real conditions.

Anil Jain is a professor of the faculty of Computer Science and Engineering Design at the University of Michigan; Karthik Nandakumar is a research fellow at the Singapore Institute of Infocommunications Research.

Anil K. Jain, Karthik Nandakumar, Biometric Authentication: System Security and User Privacy. IEEE Computer, November 2012, IEEE Computer Society. All rights reserved. Reprinted with permission.