|
Forgotten your
password again? Read on to find out how you’ll be logging on, checking in,
and signing off in the very near future.
The
technologies have been available for some time, and the ideas even longer,
but interest in biometrics has picked up a great deal during the last six
months.
According to Andrew
Lysikatos, VP of operations and marketing at managed security services
provider Zento, the greatest interest in Australia comes from Government
and the 50 largest companies. They are past the initial scepticism and
accept biometrics as something that should be considered. There are “some
excellent people in government and defence who know this stuff really
well,” he says. Although there have been some small deployments of
biometrics in Australia, they have not been publicly visible or publicised,
Lysikatos says. Instead, they have involved access to specific buildings or
systems, and are mainly about seeing how biometrics fits in with other
technologies.
The technologies
Biometric identification
requires stable body measurements that are—in combination—essentially
unique for each individual. Another requirement is that the measurements
can be made quickly and as non-intrusively as possible. It is also
important that these measurements or patterns can be reduced to a small
amount of data—a template—to allow either storage in simple devices such as
smart cards or rapid transmission where the measurements are matched with a
remotely stored template that was created at the time of enrolment.
Regardless of the
sensing technology used, a key part of the process is the conversion of the
raw data into a template in a way that maintains the person’s uniqueness
(to prevent false matching) yet which is not sensitive to minor changes
such as a cut on a fingertip, a new hairstyle or spectacles, or a sore
throat.
Biometrics can be used
in two ways: identification and verification. Identification involves a
database search to find the individual among all those who have been
enrolled; verification checks the template against the one created at
enrolment. In the latter case, the template can be embedded in a physical
credential (eg, a smart card) carried by the person, reducing privacy
concerns.
Four main technologies
are in use: iris, fingerprint/handprint, face, and voice.
1.
Iris
Current interest in biometrics around the world appears to mainly centre on
the use of iris recognition, according to Zaid Alsaji, associate director
at CMG (Canberra), one of only three companies licensed by the Commonwealth
Government perform security evaluations of products and technologies as
part of the Australasian Information Security Evaluation Program. (Alsaji
is also business manager of CMG’s Australasian Information Security
Evaluation Facility, which provides security evaluation services to
companies wishing to sell their products to Government).
Based on test results from the UK, iris has the lowest rate of false
match and false non-match errors, he claims.
Retina scanning, though beloved by moviemakers, has fallen out of
favour in the local marketplace. This seems to result from iris
recognition’s good performance, use of commodity hardware and end-user
acceptance. That latter point is important, as anecdotal reports suggest it
is important to explain to users the difference between iris
recognition—which is based on a digital photograph of the eye’s surface—and
retina scanning, which uses laser light to obtain an image of the blood
vessels at the back of the eye.
Traditionally, retina recognition has involved putting the eye up
against a scanner. A relatively new entrant called Retinal Technologies has
developed an inexpensive device that can do the job from around 30cm away.
When this goes into production it may draw renewed attention to the
technology, especially as retina templates can be one-tenth the size of
those for the iris.
According to scientists at the former British Telecom Laboratories
(now BTexact Technologies), “The textural variation, coloured tissue, and
complex pattern of striations, freckles and fibrous structure which make up
the iris, is unique to each individual and remains constant throughout
life, and makes it perfect for recognition purposes.” This structure can be
reduced to a numeric representation with the equivalent of approximately
260 independent variables, “much greater than had ever been claimed for
other biometrics, such as fingerprint systems or facial or speech
recognition systems.”
Iris recognition has a good reputation for avoiding false
recognitions: Iridian Technologies’ system has generated no false
acceptances in over two billion attempts, according to Greg McAweeney,
ebusiness services management consultant at Siemens Business Services.
Off-the-shelf digital cameras now offer sufficiently high resolution
to get a good capture of iris patterns, according to Tim Cranny, senior
consulting engineer with managed security services provider 90East, and
iris recognition can piggyback on such advances.
CMG’s Alsaji pointed to the Privium system installed at Amsterdam’s
Schiphol Airport as a flagship example of iris recognition. The system was
originally conceived as part of a loyalty program to ease the use of
facilities by frequent flyers while retaining the ability to track that
usage. Now the Dutch border police use it to provide faster and more reliable
identification of those frequent flyers. “It’s difficult to forge someone’s
iris pattern,” says Alsaji.
Much of the work on Privium was performed by GMG’s Dutch operation,
Alsaji says.
Privacy is a critical consideration in Holland, he adds. According
to Dutch law, only the individual concerned is allowed to hold biometric
data, so the templates are stored on smart cards.
The operator of Schiphol Airport is now offering the system to other
airports and airlines.
Iris recognition is inherently non-contact, which gives it an
advantage in some markets where there is a cultural objection to touching a
device that has already been touched by many people. It is also suitable
for use in operating theatres and clean manufacturing environments (eg,
semiconductor fabrication, satellite assembly).
2.
Fingerprint/handprint
Despite the high level of current interest in iris recognition, a report by
the International Biometric Group estimated that finger scanning accounted
for almost half the revenue of the biometrics sector in 2001, with hand
scanning adding another 10 percent.
Scandinavian airline SAS is testing a fingerprint biometric system
for passenger identification. As in Schiphol Airport, the airline is using
smart cards to store the template. “Using this ‘local’ matching of the
customer’s fingerprint and a smart card, the process becomes simpler, safer
and quicker for the traveller,” says Peter Söderlund, who is responsible
for product development on ground at SAS. “We don’t think our customers
want to leave their fingerprints, so the information is not saved after
matching is completed.”
Various relatively inexpensive fingerprint readers are available,
typically packaged in a PC Card or as a USB peripheral (or even built into
a mouse or trackball). While they provide some defence against casual
inspection of data stored on a notebook computer, “if we’re talking about
targeted industrial espionage . . . these things just don’t cut the
mustard,” says 90East’s Cranny.
Marek Rejman-Green, a biometrics advisor to the European Commission,
has warned that research has shown plastic dummy fingers with stamped
fingerprint patterns can be enrolled on many commercial units. Tsutomu
Matsumoto, a graduate student of environment and information science at
Yokohama National University has developed a technique for lifting latent
fingerprints and creating a gelatine replica that fooled 11 different
commercial sensors between 80 and 100 percent of the time—reminiscent of
that nifty gadget used by the heroine of the TV series Alias, though that
fictitious device did a much faster job.
Other issues with fingerprint recognition include sensitivity to
dirt, or to especially dry skin. Some people are uncomfortable with the use
of fingerprints in this way because of the association with police
investigations.
Hand recognition systems can either work on palm prints (using
similar technology to fingerprint systems), or by analysing the geometry of
the hand or a portion of it. Around 100 measurements of hand geometry are
taken and reduced to a template as small as nine bytes.
3.
Face
Although face recognition has been around for several years, it entered the
limelight in early 2001 when US authorities used it in an attempt to
identify known criminals entering a stadium for a major sporting event.
Some critics question the reliability of face recognition. The
American Civil Liberties Union claims “Facial recognition software is
easily tripped up by changes in hairstyle or facial hair, by aging, weight
gain or loss, and by simple disguises. A study by the [US] Department of
Defense found very high error rates even under ideal conditions, where the
subject is staring directly into the camera under bright lights.”
Zento’s Lysikatos is less scathing, but characterises face
recognition as “not what I’d call fully robust” for identifying
individuals.
Apart from any ethical concerns, we need to distinguish between the
use of face recognition by law enforcement authorities in public or
semi-public areas where people may be trying to conceal their identity, and
IT security where people want to be recognised. It is generally easier to
disguise yourself than to make your face closely resemble that of another
person.
Face recognition systems typically reduce a face to around 100 bytes
of data. There’s even an off-the-shelf biometric network appliance from
face recognition vendor Visionics that performs this encoding at up to 100
faces per minute, with a companion appliance to perform the matching.
Basically, face recognition works by mapping the relative positions
of key features, providing (at least theoretical) robustness against
changes such as growing a beard. To improve the quality of recognition, a
similar process can be applied within individual features such as eyes and
mouth.
4.
Voice
Voice identification has a certain appeal to the Star Trek generation.
Although voice recognition for the purposes of identification is not as
arduous a task as continuous speech recognition, it doesn’t seem to work
very well for some people (including this author, who experienced such poor
results with one voice-controlled login system that it was unusable).
Conversely, a quality recording of an enrolled person’s voice may fool some
systems.
Noisy environments can affect voice recognition, and speech may be
unpopular in quiet workplaces even when used only for recognition rather
than dictation or control of applications.
Voice recognition has relatively poor performance when it comes to
metrics such as failure to enrol (being able to obtain consistently repeatable
measurements during enrolment) and failure to acquire (getting a usable
voiceprint), suggests Alsaji, but “no system is ever perfect”, so you
shouldn’t rely on technology alone. Security requires cost-effective
technology, coupled with appropriate physical, personnel, and business
processes, he says.
Which technology?
Whichever technology is
used, “biometrics should always be seen as part of an overall [security]
solution,” says Lysikatos. “Most clients have a specific requirement . . .
but it should be seen in the broader context,” he added.
Phil Dodd, director of
e-Government programs at Unisys Australia says each technology does a
particular job well, and different tasks call for different technologies.
Furthermore, a single
biometric is not acceptable for high security, so attention is turning to
multimode systems that use two or three traits in parallel. One example is
the BioID system that combines face and voice recognition with an analysis
of lip movements.
It is not essential to
create your own infrastructure for biometric authentication, as this can be
outsourced. Siemens Business Services offers biometric authentication using
iris recognition as part of its portfolio of managed e-security services.
The service costs around AU$260 per user per year for access control to IT
systems (including a small camera for each desktop or notebook machine),
and it can also be used in conjunction with access control systems.
|
