Biometry
Biometry is the statistical analysis of biological observations and phenomena ([1]). Biometry is coupled with the measurement of biometrics: measurable physical characteristics or personal behavioral traits used to recognize the identity, or verify the claimed identity, of a person.
In the context of Security Engineering there are traditionally two links between a person and her identity:
- Something I know (Passwords)
- Something I have (tokens)
With biometry it should —in theory— be possible to establish a third link:
- Something I am
Therefore biometric systems can play an important role in authenticating a user.
Modes of Operation
Two different modes must be distinguished:
- Identification
  - “Who is it?”
- Authentication
  - “Is it her?”
Not all biometric systems can feasibly operate in both modes. For example, if it takes a given system 1 second to authenticate a given user, this would generally be deemed acceptable. If, however, the same system were used to identify a user in a database of 10,000 users by simply trying the authentication on each database record in turn, this would take 10,000 seconds, or more than 2 hours and 46 minutes. In all but very few scenarios this will be completely unacceptable.
On the other hand, some identification systems simply return the record that best matches the query. So when the person to be identified is not part of the database, some —more or less— random record is returned. For that reason a common design for an identification system is to chain an indexing system, which returns the best matches, and an authentication system.
Quality indices
Several quality indices are defined to compare different systems:
- False Rejection Rate (FRR)
  - This is the rate of authentication attempts from legitimate users that are rejected.
- False Acceptance Rate (FAR)
  - This is the rate of authentication attempts from illegitimate users (e.g. attackers) that are accepted.
- Equal Error Rate (EER)
  - This is the false acceptance rate (or the false rejection rate) when the system is set up so that the FRR equals the FAR.
- Failure to Enroll Rate (FER)
  - This is the rate of users that can't enroll into the system at all.
Quite naturally the first three only apply to authentication systems.
In most real-world systems a high FAR is worse than a high FRR: when a legitimate user is rejected she simply tries again, causing only a slight loss of convenience. Accepting an illegitimate user, though, compromises the system and would usually lead to a loss of whatever the system was meant to protect.
As different environments have different requirements regarding the security of the system and the convenience of the users, most systems offer some means of adjustment, e.g. a threshold value for the number of matched features. This can usually be set to trade off a higher FAR in favor of a lower FRR or vice versa. To aid in the comparison of biometric systems one then uses the equal error rate: the adjustment is set so that FRR=FAR, which then gives the EER. The EER of different systems can then be compared. (In reality hardly anyone would use a system configured this way, as detailed above.)
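The threshold trade-off described above, as an added example that is not part of the original page: it sweeps a match threshold over constructed scores (number of matched features per attempt), computes FAR and FRR at each setting, locates the EER, and then picks the stricter setting a deployment that tolerates no false acceptances would use. All function names and sample scores are assumptions made for illustration.

```python
# Constructed sample data: matched features per attempt (higher = better match).
GENUINE = [12, 15, 9, 14, 11, 16, 13, 8, 15, 12]   # attempts by legitimate users
IMPOSTOR = [3, 5, 7, 4, 8, 6, 2, 10, 5, 4]         # attempts by illegitimate users


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of illegitimate attempts with score >= threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of legitimate attempts with score < threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine=GENUINE, impostor=IMPOSTOR):
    """Return [(threshold, FAR, FRR)] from 'accept everyone' to 'reject everyone'."""
    scores = genuine + impostor
    return [(t, far(t, impostor), frr(t, genuine))
            for t in range(min(scores), max(scores) + 2)]


def equal_error_rate(rows):
    """Threshold where FAR and FRR are closest; the EER is their mean at that point."""
    t, fa, fr = min(rows, key=lambda r: abs(r[1] - r[2]))
    return t, (fa + fr) / 2


def lowest_threshold_for_far(rows, max_far):
    """Most convenient (lowest) threshold whose FAR stays within max_far."""
    for t, fa, fr in rows:
        if fa <= max_far:
            return t, fa, fr
    raise ValueError("no threshold satisfies the FAR requirement")


if __name__ == "__main__":
    rows = sweep()
    for t, fa, fr in rows:
        print(f"threshold={t:2d}  FAR={fa:.1f}  FRR={fr:.1f}")
    print("EER setting:", equal_error_rate(rows))
    print("FAR=0 setting:", lowest_threshold_for_far(rows, 0.0))
```

On this data the EER setting still accepts one in ten illegitimate attempts, while the zero-FAR setting doubles the rejection rate for legitimate users.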
A fundamental index in all systems that employ some sort of database of reference templates is the Failure to Enroll Rate, i.e. the rate of users that can't enroll into the system. In these systems a reference dataset must be acquired from each user prior to all other operations (enrollment). This is an operation that can fail, for example due to intrinsic properties of the person trying to enroll. It would be impossible for a person who has no hands to enroll into a system based on hand geometry. Similarly, a mute person won't be able to enroll into a speech verification system, etc. And what use is a system with the best possible EER if two thirds of the prospective users can't enroll into it?
References
- Ashbourn, J. (2000). Biometrics: Advanced identity verification: The complete guide. London: Springer.
- Bhanu, B., & Tan, X. (2004). Computational algorithms for fingerprint recognition. Boston / Dordrecht / London: Kluwer Academic Publishers.
- Thalheim, L., Krissler, J., & Ziegler, P.-M. (2002). Koerperkontrolle [Body check]. In c’t 11/2002. Hannover: Heise. (English version at heise online)
Also see the slides at [2] (PDF format, 5.5 MB).