Biometric Authentication


Nov 30, 2013 (4 years and 7 months ago)



Presenter: Yaoyu, Zhang


We can authenticate an identity in three
ways: by something the user knows
(such as a password or personal
identification number), something the
user has (a security token) or something
the user is (a physical characteristic,
such as a fingerprint, called a biometric).


Introduction to biometric authentication

Some related concepts

Biometric Methods

Can biometric authentication be fooled

Some issues about Access Control

Biometric Authentication

Biometric Authentication

Authentication based on body
measurements and motions

It is easy b
ecause you always bring your
body with you

Biometric Systems


Later access attempts

Acceptance or rejection

Biometric Authentication System

1. Initial Enrollment

2. Subsequent Access

User Lee




Template Database









3. Match Index

Decision Criterion

(Close Enough?)


(Key Feature Extraction)

A=01, B=101, C=001

User Lee




Access Data



(Key Feature Extraction)

A=01, B=111, C=001

Biometric Authentication

Verification Versus Identification

Verification: Are applicants who they claim to be? (compare with
single template)

Identification: Who is the applicant? (compare with all templates)

More difficult than verification because must compare to many templates

Watch list: is this person a member of a specific group (e.g., known

Verification is good for replacing passwords in logins

Identification is good for door access and other situations where
entering a name would be difficult



False acceptance rates (FARs): Percentage
of unauthorized people allowed in

Person falsely accepted as member of a group

Person allowed through a door who should not
be allowed through it

Very bad for security



False rejection rates (FRRs): Percentage of
authorized people not recognized as being
members of the group

Valid person denied door access or server login because
not recognized

Can be reduced by allowing multiple access attempts

High FRRs will harm user acceptance because users are
angered by being falsely forbidden

Biometric Authentication


Vendor claims for FARs and FRRs tend to be
exaggerated because they often perform tests
under ideal circumstances

For instance, having only small numbers of users in
the database

For instance, by using perfect lighting, extremely
clean readers, and other conditions rarely seen in
the real world

Biometric Authentication

User Acceptance is Crucial

Strong user resistance can kill a system

Fingerprint recognition may have a criminal

Some methods are difficult to use, such as
iris recognition, which requires the eye to be
lined up carefully.

These require a disciplined group

Biometric Authentication

Biometric Methods

Fingerprint recognition

Dominates the biometric market today

Based on a finger’s distinctive pattern of whorls,
arches, and loops

Simple, inexpensive, well

Weak security: can be defeated fairly easily with

Useful in modest
security areas

Biometric Authentication

Biometric Methods

Iris recognition

Pattern in colored part of eye

Very low FARs

High FRR if eye is not lined up correctly can
harm acceptance

Reader is a camera

does not send light into the

Biometric Authentication

Biometric Methods

Face recognition

Can be put in public places for

surreptitious identification

(identification without citizen or

employee knowledge). More later.

Hand geometry: shape of hand

Voice recognition

High error rates

Easy to fool with recordings

Biometric Authentication

Biometric Methods

Keystroke recognition

Rhythm of typing

Normally restricted to passwords

Ongoing during session could allow continuous

Signature recognition

Pattern and writing dynamics

Biometric Standards

Almost no standardization

Worst for user data (fingerprint feature databases)

Get locked into single vendors

Biometric Authentication

Can Biometrics be Fooled?

Airport face recognition

Identification of people passing in front of a camera

False rejection rate: rate of not identifying person as being in the database

Fail to recognize a criminal, terrorist, etc.

FRRs are bad

week trial of face recognition at Palm Beach International Airport

Only 250 volunteers in the user database (unrealistically small)

Volunteers were scanned 958 times during the trial

Only recognized 455 times! (47%)

53% FRR

Biometric Authentication

Can Biometrics be Fooled?

Airport face recognition

Recognition rate fell if wore glasses (especially tinted), looked

Would be worse with larger database

Would be worse if photographs were not good

Department of Defense

Tests indicate poor acceptance
rates when subjects were not attempting to evade

person test

Face recognition recognized person only 51 percent of time

Even iris recognition only recognized the person 94 percent of the

Biometrics Authentication

Can Biometrics be Fooled?

Other research has shown that evasion is
often successful for some methods

German c’t magazine fooled most face and
fingerprint recognition systems

Prof. Matsumoto fooled fingerprint scanners 80
percent of the time with a gelatin finger created
from a latent (invisible to the naked eye) print on
a drinking glass

Access Control

Access Control

Access control is the policy
driven limitation of
access to systems, data, and dialogs


Prevent attackers from gaining access, stopping them if
they do

Provide appropriate limitations on the access rights of
authorized users

Access Control

First Steps

Enumeration of Resources

Sensitivity of Each Resource

Next, who Should Have Access?

Can be made individual by individual

More efficient to define by roles (logged
in users,
system administrators, project team members, etc.)

Access Control

Based Access Control and Protection

Have a specific access control policy and an access protection
policy for each resource

For example, for a file on a server, for instance, limit
authorizations to a small group, harden the server against attack,
use a firewall to thwart external attackers, etc.

Focuses attention on each resource

Guides the selection and configuration of firewalls and other

Guides the periodic auditing and testing of protection plans