Category: 
Let’s talk again about biometrics.
First, I would like to distinguish biometric technologies that do not work or must not work. I mean both behavioral (keystroke dynamics, handwriting) and physical (voice, face and palm) recognition systems. Why do I think that these technologies are not working? Simple. The error ratio is too high for real life implementation; it is too easy to trick these systems even for non-experienced hacker.
I am also not going to talk about iris scan and retina scan. These systems are accurate. It is much harder to trick them. But these systems are too expensive. For the same token I will not talk about DNA, odor identification systems and alike.
Let’s talk about biometrics that works in real world conditions – fingerprint.
What are concerns?
1. Accuracy.
Regular fingerprint identification system has standard FAR of 0.001% and FRR of 0.1%. What does it mean for us? FAR (False Accept Ratio), a possibility to accept a wrong finger instead of registered one, of 0.001% mean that if one fingerprint is registered, the system can once in 100,000 attempts the system can wrongly grant access to a impostor. Pretty high accuracy. If 10 fingerprints are registered – the same statistical mistake accumulates resulting to one in 10,000 attempts. That is also fine. But let us imagine a public system with 1,000 registered users (not rare situation). Every user has 10 fingerprints registered. What is the resulting false accept ratio? 10fingerprints*1000users*0.001%=0.1%. That is already alarming. That means that every passer-by may enter the gate from maximum 10 attempts.
For the system with 10,000 registered users the resulting false accept will be “1”, meaning that ANYONE can enter from the first attempt. Scary!
2. Response time, user acceptance and FRR
It was tested and proved that FRR (false reject) rises exponentially with the number of attempts. If the person trying to pass the gate is a bit nervous, the possibility of false reject is 1% at the first attempt, 12% at the second, 48% at the third time. Imagine a huge line of employees trying to get their workplace in time.
3. Psychological resistance
The fingerprint technology has still some criminal “aura”; it is deep in our minds. We do not want to leave our fingerprints somewhere. Even though we know that there are no fingerprints, only templates and it is impossible to reproduce image from the template we are still concerned.
4. Hygiene
Another issue that is important – a hygienic problem. During the first epidemic splash of SARS employees at many factories refused to touch a sensor at the gate access control. Rather stupid situation. They did not want to touch a sensor but did not mind door handles.
5. Vandalism
That is also common problem not just for biometric systems. Fingerprint devices with sensors, mostly optical, lighted with red, attract vandals.
What can be done?
1. Some additional identifier shall be used to narrow the database and to eliminate the FAR growth. It may be PIN code, magnetic or smart card, etc. It is actually weird situation. We are integrating biometrics to eliminate the need of secondary identifiers.
2. Personal fingerprint sensor is a good solution as well. Fingerprint Cards AB were the first one to make it. This solves most of problems, but… the total cost of ownership of such system is beyond the normal corporation budget.
3. Integration of layered biometric system. E.g. face recognition with error ratio of 20% and more can select some templates from database; palm recognition will narrow this search and leave only few of them for verification by fingerprint.
Conclusion:
1. Biometric vendors shall try to improve matching algorithms, their matching accuracy and response time
2. Biometric vendors shall develop better fingerprint acquisition systems (scanners)
3. Government and industry shall educate clients
4. Biometrics shall be used in logical access control and consumer market rather than physical access control and public sectors.
