
Evaluation and Combination of Biometric Authentication Systems


EVALUATION AND COMBINATION OF BIOMETRIC AUTHENTICATION SYSTEMS

By DAVID C. HITCHCOCK

A THESIS PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE

UNIVERSITY OF FLORIDA 2003

Copyright 2003 by David C. Hitchcock

I dedicate this work to my wife.

ACKNOWLEDGMENTS

Thanks are owed to the following persons, groups, and companies:

- Dr. Richard Newman for his help, encouragement, and stimulating discussions during the research and writing of this thesis.
- The Retinators IPPD team, Charles Ammon, Marisa Arvesu, Peter Drwiega, John Hildebrant, Sean McDonald, David Nelson, and Jeannette Vizuete, for their work on this research.
- Raytheon Corporation for their support for this research.

TABLE OF CONTENTS

ACKNOWLEDGMENTS
LIST OF TABLES
LIST OF FIGURES
KEY TO ABBREVIATIONS
ABSTRACT

CHAPTER

1 INTRODUCTION TO BIOMETRIC AUTHENTICATION SYSTEMS

2 BACKGROUND ON BIOMETRIC AUTHENTICATION SYSTEMS
  2.1 Authentication
    2.1.1 "What You Know"
    2.1.2 "What You Have"
    2.1.3 "What You Are"
  2.2 Evaluation of Biometric Authentication Systems
    2.2.1 False Acceptance Rate and False Rejection Rate
    2.2.2 Failure to Enroll Rate
    2.2.3 Equal Error Rate
    2.2.4 Ability-to-Verify Rate
    2.2.5 Receiver Operating Characteristic and Detection Error Trade-off Curves
    2.2.6 Cost
    2.2.7 Number of Authentication Attempts Allowed
  2.3 Decision Rules
  2.4 Types of Biometric Authentication Systems
    2.4.1 Fingerprint
    2.4.2 Iris Scan
    2.4.3 Retina Scan
    2.4.4 Dynamic Signature Scan
    2.4.5 Voice Scan
    2.4.6 Face Scan by Visible Light
    2.4.7 Infrared Face Scan
    2.4.8 Hand Scan
  2.5 Architecture of Biometric Authentication Systems
  2.6 Biometric Standards
  2.7 Summary

3 PREVIOUS WORK IN COMBINING BIOMETRIC AUTHENTICATION SYSTEMS
  3.1 Optimal Bayes Decision Rule
    3.1.1 Product Rule
    3.1.2 Sum Rule
    3.1.3 Max Rule
    3.1.4 Min Rule
    3.1.5 Median Rule
    3.1.6 Majority Vote Rule
    3.1.7 Experimental Test of Rules for Combining Classifiers
  3.2 Nonparametric Methods and Likelihood Ratio
  3.3 Majority Voting
  3.4 Weighted Sum Rule
  3.5 Cascading Method of Combining Classifiers
  3.6 Hierarchical Methods of Combining Classifiers
  3.7 Summary

4 EXPERIMENTAL GOALS AND METHODS
  4.1 Meaning and Measurement of False Acceptance Rate
  4.2 Testing Procedures
  4.3 Curve Fitting
  4.4 Theory of Combining Multiple Biometric Systems
    4.4.1 Majority Voting
    4.4.2 Sum Rule
  4.5 Summary

5 RESULTS AND DISCUSSION
  5.1 Softpro Dynamic Signature Verification
  5.2 Biolink Biomouse
  5.3 Panasonic Authenticam
  5.4 Voice Scan
  5.5 Multiple System Results
  5.6 Summary

6 CONCLUSIONS AND FUTURE WORK

REFERENCES

APPENDICES

A TEST SUBJECTS
B DYNAMIC SIGNATURE VERIFICATION DATA
C RESULTS OF AUTHENTICATION ATTEMPTS ON MULTIPLE DEVICES

BIOGRAPHICAL SKETCH

LIST OF TABLES

4-1 Equations fitted to genuine and impostor signature data
5-1 Equal error rates for dynamic signature verification
5-2 Equations fitted to genuine and impostor signature data for one attempt, sum rule, in Figure 5-7 above
5-3 Equations fitted to genuine and impostor signature data for one attempt, min rule, in Figure 5-8 above
5-4 Number and percent of sum scores in various ranges
5-5 Error rates for different decision rules
5-6 False rejection rates
5-7 False acceptance rates
5-8 Comparison of single biometric authentication systems with a cascading multiple biometric system. The highest false acceptance rate for each device is used.
A-1 Test subjects
B-1 Signature genuine scores
B-2 Signature impostor scores, tracing
B-3 Signature impostor scores, impostor looks at victim's signature and copies it.
B-4 Signature impostor scores, impostor knows name of victim but has not seen signature.
B-5 Signature impostor scores, impostor knows only the username of the victim.
C-1 Authentication attempts in which the user attempted on fingerprint, signature, and iris systems. A 1 in the success column indicates success within three attempts, and a 0 indicates failure.

LIST OF FIGURES

2-1 In enrollment, a user's biometric data are captured, information is extracted and stored in an enrollment template, and the template is stored in a database.
2-2 In authentication, a user's biometric data are captured, information is extracted and stored in an enrollment template, which is compared to the enrollment template from the database.
5-1 Softpro signature match scores for genuine users and impostors, one attempt, sum rule.
5-2 Softpro signature match scores for genuine users and impostors, one attempt, min rule.
5-3 Softpro signature match scores for genuine users and impostors, two attempts, sum rule.
5-4 Softpro signature match scores for genuine users and impostors, two attempts, min rule.
5-5 Softpro signature match scores for genuine users and impostors, three attempts, sum rule.
5-6 Softpro signature match scores for genuine users and impostors, three attempts, min rule.
5-7 Softpro signature match scores for genuine users and impostors, one attempt, sum rule, with fitted curves.
5-8 Softpro signature match scores for genuine users and impostors, one attempt, min rule, with fitted curves.
5-9 Softpro signature match scores for genuine users, one attempt, sum rule, with derivative of curve fitted to data points.
5-10 Softpro signature match scores for impostors tracing a genuine user's signature, one attempt, sum rule, with derivative of curve fitted to data points.
5-11 Softpro signature match scores for impostors who know a genuine user's name, but do not have access to the user's signature, one attempt, sum rule, with derivative of curve fitted to data points.
5-12 Softpro signature match scores for impostors who look at a genuine user's signature while they copy it, one attempt, sum rule, with derivative of curve fitted to data points.
5-13 Softpro signature match scores for impostors who know the username of a genuine user, but not their full name, and do not have access to their signature, one attempt, sum rule, with derivative of curve fitted to data points.
5-14 Softpro signature match scores for genuine users, one attempt, min rule, with derivative of curve fitted to data points.
5-15 Softpro signature match scores for impostors tracing a genuine user's signature, one attempt, min rule, with derivative of curve fitted to data points.
5-16 Softpro signature match scores for impostors who know a genuine user's name, but do not have access to the user's signature, one attempt, min rule, with derivative of curve fitted to data points.
5-17 Softpro signature match scores for impostors who look at a genuine user's signature while they copy it, one attempt, min rule, with derivative of curve fitted to data points.
5-18 Softpro signature match scores for impostors who know the username of a genuine user, but not their full name, and do not have access to their signature, one attempt, min rule, with derivative of curve fitted to data points.

KEY TO ABBREVIATIONS

ATV: ability to verify rate
BAPI: biometric application program interface
BioAPI: biometric application program interface
BSP: biometric service provider
CCD: charge coupled device
CDSA: common data security architecture
DET: detector error trade-off
EER: equal error rate
FAR: false acceptance rate
FRR: false rejection rate
FTE: failure to enroll rate
HAAPI: human authentication application program interface
HRS: human recognition service
MDF: most discriminating features
MEF: most expressive features
PDF: probability density function
ROC: receiver operating characteristic

Abstract of Thesis Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Master of Science

EVALUATION AND COMBINATION OF BIOMETRIC AUTHENTICATION SYSTEMS

By David C. Hitchcock

December 2003

Chair: Richard E. Newman
Major Department: Computer and Information Science and Engineering

While passwords may be stolen, guessed, or forgotten and tokens may be lost or stolen, biometric authentication systems attempt to link authentication directly to the user. We have devised a cascading biometric authentication system which takes advantage of unique strengths of the component biometric systems to achieve better performance than either the individual biometric systems alone, or a system that combines the biometrics in a generic way, such as a majority vote or sum rule. In this system, the user first attempts to authenticate on an iris scan system. Users who succeed here are accepted by the combined system because the iris scan suffered no false acceptances in our testing. Users who fail the iris scan must then attempt to authenticate on fingerprint scan and dynamic signature verification systems. If they fail either of these, they are rejected by the combined system. If they succeed in both, they are accepted.

Two of the most important characteristics of a biometric authentication system are the false rejection rate (FRR), the fraction of authentication attempts by genuine users that are rejected, and the false acceptance rate (FAR), the fraction of impostor authentication attempts that are accepted. This system yields lower FAR and/or FRR than any of the individual systems, and saves time, because more than 80% of genuine users are accepted by the iris scan, and need not attempt to authenticate on the other devices.

The dynamic signature verification system provided a score, instead of simply a hard decision, allowing a more detailed study of its behavior. Curves were fitted to the data from this system. Although the amount of data collected was small, curves for tracing by impostors showed an unexpected distribution of scores, which appeared to be bimodal. Based on a knowledge of the distribution of impostor scores, a decision rule has been tailored to reject a large proportion of impostors at the expense of rejecting a slightly increased number of genuine users.

Determination of the FAR presents difficulties because it depends strongly on the method used by the impostor. Also, different systems are vulnerable to different kinds of attacks, and must be tested in different ways. Comparison of FARs of different biometric devices subjected to different attacks is discussed.

CHAPTER 1
INTRODUCTION TO BIOMETRIC AUTHENTICATION SYSTEMS

Authentication is fundamental to security of computer systems. There must be some means of knowing whether a person who attempts to access the system, or some resources, is authorized to access the system or resources in question. People may be authenticated on the basis of "what they know," which in the case of authentication by an information system could be a password or PIN, by "what they have," which could be a smart card or a card with a magnetic strip, or by "what they are," by measuring some physical feature, such as a fingerprint or face image, or behavior, such as a signature. Similar methods are used for authentication of individuals requesting physical access to locations ranging from secret command and control facilities to amusement parks, and while the main focus of this thesis is on authentication for access to computer systems, occasional reference will be made to authentication in other contexts.

All authentication systems suffer from two kinds of errors, false acceptance of impostors and false rejection of authorized users. Unless restrictions are in place on choice of passwords, most users will choose easily guessed passwords such as the name of a family member or pet, or a common word. Even good passwords may be cracked by offline password guessing, or stolen by peeking over the user's shoulder. If restrictions are placed on choice of passwords to prevent the use of easily guessed passwords, users may forget their passwords, resulting in lost productivity and in increased work for administrators. Authentication tokens, such as smart cards, may also be lost or stolen.

In an attempt to overcome these problems, biometric authentication systems seek to link authentication directly to the person of the user. Users might be authenticated by placing their finger on a scanner, which will record the fingerprint and send it to the computer. Unique information would be extracted from the recorded fingerprint and compared to information extracted from the user's fingerprint when they were enrolled in the authentication system. Ideally, the user's information will always be a close match, so that the user will be accepted, and an impostor's information will always be very different from the enrollment information, so that the impostor will be rejected.

However, in real biometric authentication systems users may fail to interact properly with the biometric system. For example, if an iris scan system is in use, the user must place their eye the proper distance from the iris scanner, and must open their eye enough so that the eyelid and eyelashes do not interfere too much with image acquisition. Also, in some cases the user's biometric feature may be changed. For example, if a user of a voice scan system gets a cold, their voice may be changed to the degree that they cannot be authenticated. Cases such as these result in false rejection. The false rejection rate (FRR) of a biometric authentication system is the fraction of authorized user authentication attempts that result in rejection.

Impostors may happen to have biometric characteristics very similar to those of the authorized user, or may obtain a copy of the user's biometric feature, such as a photograph of a user's face, that can be used for spoofing the biometric authentication system. The fraction of authentication attempts by impostors that succeed is known as the false acceptance rate (FAR). If the system requires a very close match, FAR will be low, but FRR will be high, and vice versa. Therefore, testing of a biometric authentication system must determine both the FAR and FRR of the system, and the report of only one of these parameters is not very useful.

Frequently, the FAR is determined by having test subject A use their own fingerprint, iris, etc. to attempt to authenticate as B, and vice versa. It is certainly important that a biometric authentication system reject such attempts, but we will show that FAR can be much higher when the impostor uses other methods, such as a silicone copy of a fingerprint. Biometric authentication systems should be subjected to whatever attacks can be devised in order to get a realistic idea of the FAR a determined intruder might achieve.

If the threshold for authentication can be varied, the FAR and FRR should be determined as a function of this threshold. This will allow the administrator of the system to make a rational choice of a decision rule for accepting or rejecting authentication attempts. There are two methods for choice of a decision rule. A Neyman-Pearson decision rule results when a maximum acceptable value is set for one of the FAR and FRR, and the other type of error is minimized subject to this constraint. In some cases, high security is needed, and it is much more important to prevent false acceptance, even at the cost of inconveniencing authorized users. In this case, a low FAR might be specified, and a threshold high enough to achieve this FAR would be chosen. In other cases, the loss due to rejecting an authorized user may be greater than that of accepting an impostor, and a low FRR would be specified, and a threshold low enough to achieve it would be used. Alternatively, if a cost can be assigned to each type of error, an optimal Bayes decision rule will set the threshold to minimize the total loss from false acceptances and false rejections in the system.

Based on a long history of forensic use and many scientific investigations, there is good evidence for the uniqueness and permanence of fingerprints [40], [41], [51]. Also, it might seem impossible for a fingerprint to be lost or stolen. However, due to abrasion of fingerprints or condition of the skin, it may be impossible for a scanner to detect the fingerprint detail well enough to authenticate the person [18]. Fingerprints can also be copied from objects such as glass handled by a user, and replicated in gelatin [47], or the image may be captured as it is being transmitted from the scanner to the computer and replayed by an attacker at a later date [49].
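The threshold-based decision rules described above (FAR and FRR as functions of the threshold, the Neyman-Pearson choice, the Bayes choice) and the abstract's tailored rule that also rejects very high scores can be worked through as follows. This is an added example, not code or data from the thesis: the score lists, the 0-100 scale, the function names and the cost values are all assumptions made for illustration.

```python
# Added example: constructed scores, not data from the thesis.
# Scores are on an assumed 0-100 scale; higher means a closer match to enrollment.
GENUINE = [62, 70, 71, 75, 78, 80, 83, 85, 88, 91]
IMPOSTOR = [10, 18, 25, 31, 40, 44, 52, 58, 66, 73]   # casual impostors
TRACING = [35, 48, 55, 90, 93, 95, 96, 97, 98, 99]    # bimodal, mostly very high


def far(threshold, impostor):
    """False acceptance rate: fraction of impostor scores at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine):
    """False rejection rate: fraction of genuine scores below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def candidate_thresholds(genuine, impostor):
    """Error rates only change at observed scores; one extra value above the
    maximum makes 'reject everything' a candidate as well."""
    scores = sorted(set(genuine) | set(impostor))
    return scores + [scores[-1] + 1]


def neyman_pearson_threshold(max_far, genuine, impostor):
    """Cap the FAR at max_far, then minimise the FRR subject to that cap."""
    feasible = [t for t in candidate_thresholds(genuine, impostor)
                if far(t, impostor) <= max_far]
    return min(feasible, key=lambda t: (frr(t, genuine), t))


def bayes_threshold(cost_fa, cost_fr, p_impostor, genuine, impostor):
    """Minimise the expected loss per attempt, given a cost for each error type
    and the assumed fraction of attempts that come from impostors."""
    def expected_loss(t):
        return (cost_fa * p_impostor * far(t, impostor)
                + cost_fr * (1 - p_impostor) * frr(t, genuine))
    return min(candidate_thresholds(genuine, impostor),
               key=lambda t: (expected_loss(t), t))


def band_rates(low, high, genuine, impostor):
    """Accept only low <= score < high, so suspiciously high scores are rejected
    too. Returns (FAR, FRR) for that acceptance band."""
    def accepted(score):
        return low <= score < high
    false_accepts = sum(accepted(s) for s in impostor)
    false_rejects = sum(not accepted(s) for s in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t in candidate_thresholds(GENUINE, IMPOSTOR):
        print(f"{t:9d}  {far(t, IMPOSTOR):.2f}  {frr(t, GENUINE):.2f}")
    print("Neyman-Pearson, FAR <= 0.10:",
          neyman_pearson_threshold(0.10, GENUINE, IMPOSTOR))
    print("Bayes, false accept 10x as costly:",
          bayes_threshold(10, 1, 0.1, GENUINE, IMPOSTOR))
    print("tracing, plain threshold 62:", band_rates(62, 101, GENUINE, TRACING))
    print("tracing, accept band 62-89: ", band_rates(62, 90, GENUINE, TRACING))
```

On the constructed tracing scores, a plain threshold accepts most tracings, while the acceptance band removes them at the price of rejecting the one genuine score that falls above the band.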

A variety of other characteristics are used for biometric authentication with varying degrees of success. The iris, like the fingerprint, has a great deal of unique and permanent information that can be used for authentication [8]. However, it may also be spoofed with a photograph of a user's iris [49], and may suffer from a high FRR [35].

The blood vessels of the retina also have unique information, and as far as is known retina scan systems are invulnerable to authentication attempts by impostors [19], but medical conditions, such as pregnancy, may cause changes in the vessels resulting in false rejection [36].

Dynamic signature verification measures both the shape of the signature, and also dynamic factors such as speed and pressure. Inconsistent signatures may cause increased error rates [35]. Also, we have found that impostors may achieve a high success rate when tracing an authorized user's signature.

Voice scan is convenient for use over the telephone, and may make use of existing hardware in a computer, such as a microphone and sound card, but is vulnerable to ambient noise and replay attacks.

Face scan can be carried out by visible or infrared light. Face scan with visible light suffers from a small number of features compared to other biometric authentication methods, and those features may be changed by disguise or by weight change [44]. It is also subject to spoofing with a picture of an authorized user [49]. Infrared face scan uses a thermal image to detect patterns due to blood flow beneath the surface of the face. The positions of the blood vessels are permanent, and provide much information for authentication [44]. The main disadvantage is the high cost of a camera [44].

Hand scan systems measure the dimensions of a user's hand. They are used to authenticate season pass holders at Disney amusement parks [30], and achieve an error rate of 0.1% in testing [55]. There does not appear to be any information on spoofing of hand scan systems.

Biometric devices are frequently connected to a computer via a USB port. Devices connected by this or some other sort of bus or network that is physically accessible may be subject to snooping. The data being sent to the computer by a fingerprint scanner has been recorded and used to reconstruct the fingerprint image [49]. Theft of a fingerprint image is much more serious than theft of a password. A stolen password can be changed, but a stolen fingerprint, or other biometric information, cannot be. The data recorded could also be used for a replay attack. To avoid such attacks, communication between the biometric device and the computer should be encrypted.

A biometric authentication system consists of hardware to capture biometric information, and software to compare this information to that stored in the system when the user enrolled. This system must interact with the authentication software of the operating system. It often interacts via a middleware. If so, the middleware can interact with the software component of the biometric authentication system via a standard API. Several such standards have been developed, and currently the biometric industry seems to be converging on a single standard, BioAPI. Adoption of such a standard would make the biometric device together with its device-specific software interchangeable. It would also allow easy combination of multiple biometric authentication systems to meet the authentication needs of a single computer system.

Because biometric authentication systems are in many cases susceptible to spoofing, and generally have unacceptably high false acceptance or rejection rates, there have been several attempts to combine multiple biometric authentication systems. If an intruder is able to obtain or make an artifact, such as a gelatin copy of a user's fingerprint or a photograph of a user's face or iris, they might be able to authenticate on a single biometric system. However, if authentication requires an acceptable combination of scores on several devices, an impostor with an artifact for only a single device would probably be defeated. Also, a user whose fingerprint is damaged by a weekend of bricklaying or rock climbing might fail a single fingerprint test, but might still be able to authenticate via other devices if multiple biometrics are in use.

Biometric authentication is a case of pattern matching, in which a pattern consisting of biometric data from a person must be classified as belonging to the person whose identity is being claimed, or not belonging to that person. A biometric authentication system is then a classifier, and when multiple biometric systems are to be combined, methods from the literature on combining classifiers can be used.

There are three broad groups of methods for combining classifiers: parallel, cascading, and hierarchical [23]. Most combining methods discussed in the literature on combining classifiers in general, as well as in biometric authentication, fall into the parallel category. In this category are such methods as voting, sum, min, and product rules. It also includes schemes in which the scores from individual classifiers are weighted before combining.

The product, sum, min, and majority vote rules have all been derived from Bayesian theory by making various assumptions and simplifications [27]. If the various classifiers are assumed to be independent, the product rule can be derived. With the product rule, a single low score can have a large effect on the result. With the further assumption that the a posteriori probability of a genuine user or an impostor does not differ greatly from the a priori probability, the sum rule can be derived. While it might seem undesirable to make such an assumption, errors in the scores from the classifiers have less effect on the sum than they do on the product, which could be an important advantage.
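The parallel combining rules named in this chapter (product, sum, min, median, majority vote, plus the max rule listed in the table of contents) can be compared on attempts that contain a single outlier score. This is an added example, not code or data from the thesis: it assumes every classifier's score is normalised to the range 0 to 1, applies one common threshold to the fused score, and compares the product against threshold**n so that all rules agree when every classifier returns the same score. The attempt tuples are constructed.

```python
from math import prod
from statistics import median

THRESHOLD = 0.5  # assumed common accept threshold on normalised scores
RULE_NAMES = ("product", "sum", "max", "min", "median", "majority")

# Constructed attempts: one normalised score per classifier, three classifiers.
GENUINE_ATTEMPTS = [
    (0.90, 0.85, 0.80),   # all three classifiers agree
    (0.95, 0.90, 0.05),   # one capture failed badly (outlier low score)
    (0.70, 0.65, 0.45),   # one score just under the threshold
    (0.60, 0.55, 0.90),
]
IMPOSTOR_ATTEMPTS = [
    (0.10, 0.20, 0.15),
    (0.95, 0.10, 0.20),   # artifact that fools one device only (outlier high score)
    (0.40, 0.45, 0.30),
    (0.60, 0.55, 0.10),   # two marginal passes, one clear failure
]


def fuse(scores, threshold=THRESHOLD):
    """Return {rule name: accepted?} for one attempt's per-classifier scores."""
    n = len(scores)
    votes = sum(s >= threshold for s in scores)   # hardened 0/1 decisions
    return {
        "product": prod(scores) >= threshold ** n,
        "sum": sum(scores) >= threshold * n,      # same as mean >= threshold
        "max": max(scores) >= threshold,
        "min": min(scores) >= threshold,
        "median": median(scores) >= threshold,
        "majority": votes > n / 2,
    }


def error_rates(genuine_attempts, impostor_attempts, threshold=THRESHOLD):
    """Per-rule (FAR, FRR) over labelled attempts."""
    rates = {}
    for rule in RULE_NAMES:
        false_accepts = sum(fuse(a, threshold)[rule] for a in impostor_attempts)
        false_rejects = sum(not fuse(a, threshold)[rule] for a in genuine_attempts)
        rates[rule] = (false_accepts / len(impostor_attempts),
                       false_rejects / len(genuine_attempts))
    return rates


if __name__ == "__main__":
    for rule, (far_value, frr_value) in error_rates(
            GENUINE_ATTEMPTS, IMPOSTOR_ATTEMPTS).items():
        print(f"{rule:9s} FAR={far_value:.2f} FRR={frr_value:.2f}")
```

On these constructed attempts the product and min rules reject the genuine user with one failed capture, the max rule accepts the impostor who defeats a single device, and the sum rule is swayed by neither outlier. The ordering of the rules on real data depends on the score distributions.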

The median rule would assign the pattern based on the classifier with the median score. Dividing the sum by the number of classifiers in use, which is a constant, yields the mean. The median is unaffected by the value of outlier scores, while the mean is affected, so the median might be expected to be a more robust classifier than the sum.

The min rule classifies a pattern based on the classifier that gives the pattern the lowest score. It could thus be sensitive to a single outlier. However, if a single classifier assigns a low score to an impostor the min rule would be able to reject the impostor.

If the score from each individual classifier is hardened to give a binary value, perhaps a 1 for the class the classifier considers most probable and a 0 otherwise, a majority vote results.

When these and other rules were applied to two sets of experimental results, the sum rule was best on one data set, the median rule was best on the other, majority vote was close to these two, and the min and product rules were significantly lower.

Classification normally depends on determining a probability density function (PDF) for each classifier's score for each class. If the classifiers are not independent, then joint probability functions are needed. Parametric methods, which assume the distributions to follow some function, or nonparametric methods, which make no such assumption, can be used. Nonparametric methods require more data than parametric methods, but if sufficient data are available, they may achieve better results. Also, the amount of data needed to derive a joint PDF increases as the number of classifiers, and therefore the number of dimensions in the PDF, increases. Therefore, beyond some point, addition of more classifiers may degrade the accuracy of classification. With a large data set of fingerprint images, a nonparametric method, the Parzen window density, was found to be superior to parametric methods [43]. Then the best classification was obtained by combining only four of five algorithms that were tested. A likelihood ratio, the ratio of the PDF for impostors to that for genuine users, was computed for the four-dimensional space generated by the scores from these four classifiers. Then scores in regions where there was a high ratio of impostors to genuine users were rejected, and scores falling in regions where the ratio was low were accepted. This method was found to be superior to the sum rule, which was superior to the product rule.

A weighted sum rule has also been used to combine scores from multiple biometrics. Weighting factors have been determined empirically to achieve the best classification accuracy on training data [25], and the inverse of the variance of a classifier's scores has been used as a weighting factor [12].

In cascading methods, classifiers are used in a sequence. A biometric identification system uses face recognition, which requires little computation, to select a small number of close matches from a database, and then a fingerprint scan system, which is slower, is used to identify the subject as the best fingerprint match, if that match meets a threshold. Otherwise, the system reports no match [20]. Hierarchical methods do not seem to have been used in biometrics.

The first goal of our work is to test a variety of biometric authentication systems, to determine the FRR and the FAR. In order to accomplish this goal, a group of test subjects authenticated on four different biometric authentication systems, a thumbprint mouse, a dynamic signature verification system, an iris scan system, and a voice verification system. The test subjects authenticated four times over a period of six weeks. However, this will not give adequate information on the vulnerabilities of these systems. The "Principle of Easiest Penetration" states that "intruders will use any available means of penetration. This is not necessarily the most obvious means, nor is it necessarily the one against which the most solid defense has been installed" [39]. Therefore determination of the FAR that could be achieved by spoofing of biometric devices by a variety of methods was a focus of our research.

Spoofing was successful on the voice verification, thumbprint and signature systems, but not on the iris scan system. However, the voice verification system was found to be unreliable, and the acceptance rate for impostors was similar to the acceptance rate for genuine users. False acceptance rate was found to depend strongly on the method used by the impostor. A FAR of 50% was achieved by tracing an authorized user's signature.

Because only the dynamic signature verification gave a score, as opposed to a hard decision to accept or reject, more could be done with the results from that system. False acceptance rate and FRR data for the dynamic signature verification were plotted, and curves were fitted to the data in order to better characterize the patterns of scores for genuine users and for impostors using different methods. Data for tracing in particular has an unexpected shape, with most of the data points concentrated at high scores, where the genuine user scores are expected. The very limited data fit a bimodal curve, and based on this bimodal distribution a reduced FAR can be achieved by rejecting very high scores, where many of the tracing scores are concentrated, at the expense of an increased FRR.

No single biometric system was found to be satisfactory. The iris scan system had a high FRR of 16.1% when the user was allowed three attempts. The thumbprint system suffered from an FAR of 12.9% when the impostor used a silicone copy of a user's thumbprint. The signature scan system's FAR was 50% for tracing. Therefore the possibility of lowering error rates by combining scores was investigated. Theoretical results show that combining scores of several systems by the sum rule could significantly improve error rates. Theory predicts a lesser improvement via a majority vote. However, only one of our devices provided a score, rendering use of the sum rule impossible.

Therefore, a cascading method has been devised in which a user first authenticates on the iris scan. Because there were no false acceptances on this system, users who authenticate successfully on the iris scan are accepted by the combined system. Those who fail then go on to attempt authentication on the fingerprint system. If they again fail, they are rejected by the combined system. If they succeed they attempt to authenticate on the signature system. If they succeed here, they are accepted. Otherwise they are rejected. The FAR and FRR of the combined system depend on the number of thumbprint attempts allowed and the decision rule for the signature system, but with one thumbprint attempt and not rejecting very high signature scores that might represent tracing, the FAR is 6.5% and the FRR is 3.2%. Also, the majority of users, who pass the iris scan, need not spend further time and effort on authentication.
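The cascade described above (iris first, then fingerprint and signature only for users who fail the iris scan) can be compared with a two-of-three majority vote over the same hard decisions. This is an added example, not code from the thesis. The per-device FARs and the iris FRR are the figures quoted in this chapter; the thumbprint and signature FRRs are not given in this part of the text, so the two values of 0.10 are assumptions, as is the treatment of the three devices as statistically independent.

```python
from itertools import product

# Order of devices in every tuple: (iris, thumbprint, signature).
# FARs quoted in the text: none observed on iris, 12.9% with a silicone
# thumbprint copy, 50% for a traced signature.
FAR = (0.0, 0.129, 0.50)
# Iris FRR (three attempts) is quoted in the text; the other two are ASSUMED.
FRR = (0.161, 0.10, 0.10)


def cascade(iris, finger, signature):
    """Accept on iris alone; otherwise require both fingerprint and signature."""
    return iris or (finger and signature)


def majority(iris, finger, signature):
    """Accept when at least two of the three devices accept."""
    return iris + finger + signature >= 2


def accept_probability(rule, p_accept):
    """Probability that `rule` accepts when device k accepts independently with
    probability p_accept[k]; enumerates every combination of hard decisions."""
    total = 0.0
    for outcome in product((True, False), repeat=len(p_accept)):
        weight = 1.0
        for accepted, p in zip(outcome, p_accept):
            weight *= p if accepted else 1 - p
        if rule(*outcome):
            total += weight
    return total


def combined_rates(rule, far, frr):
    """(FAR, FRR) of a combination rule built from per-device error rates."""
    combined_far = accept_probability(rule, far)
    combined_frr = 1 - accept_probability(rule, [1 - r for r in frr])
    return combined_far, combined_frr


def expected_devices_genuine(frr):
    """Average number of devices a genuine user has to use in the cascade:
    always the iris scan, the fingerprint after an iris failure, and the
    signature only after an iris failure followed by a fingerprint success."""
    r_iris, r_finger, _ = frr
    return 1 + r_iris * (1 + (1 - r_finger))


if __name__ == "__main__":
    for name, rule in (("cascade", cascade), ("majority", majority)):
        far_c, frr_c = combined_rates(rule, FAR, FRR)
        print(f"{name:8s} FAR={far_c:.4f} FRR={frr_c:.4f}")
    print("devices per genuine user, cascade:",
          round(expected_devices_genuine(FRR), 4), "(parallel rules always use 3)")
```

With an iris FAR of zero the cascade's FAR reduces to 0.129 × 0.50 ≈ 6.5%, which agrees with the combined FAR reported above; the FRR outputs depend on the two assumed values and are not the thesis's measurements.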

PAGE 24

CHAPTER2BACKGROUNDONBIOMETRICAUTHENTICATIONSYSTEMS2.1AuthenticationIfacomputersystemisaccessibletomorethanoneperson,eitherphysicallyorviaanetwork,thensomeformofauthenticationisnecessaryifsecurityisdesired.Thosewhoareauthorizedtousethesystemshouldsomehowberecognizedandallowedaccess,whileanyonemakingafalseclaimtobeanauthorizedusershouldberejectedandnotallowedaccess.Evenifthecomputerisinaphysicallysecurelocation,ifitissharedbyseveralusers,dierentuserswillprobablyhavedierentprivilegesforaccessingdierentresources,sothesystemwillneedtoauthenticatetheuserstodeterminewhattheyshouldbeallowedtodo.Peoplecanbeauthenticatedbythreemainmethods;whatyouknow,"whatyouhave,"andwhatyouare"[ 26 ].2.1.1WhatYouKnow"Peoplearecommonlyauthenticatedbypasswords,anexampleofwhatyouknow."However,passwordssuerfromseveralweaknesses.Lefttotheirowndevices,userswilltendtochoosepasswordsthatareeasyforthemtoremember,suchascommonwordsandnames.Suchpasswordsarelikelytoalsobeeasytoguess[ 39 ].Ifpasswordscanbeenteredon-line,andthereisnorestrictiononthenumberofattemptsorrate,thepasswordcanoftenbefoundbymeansofadictionaryattack,"simplyusingallwordsinanon-linedictionaryasguesseswhenattemptingtoauthenticate. 11

PAGE 25

12 Ifthepasswordscannotbeguessed,theymightbestolen.Passwordscanbestolenbymethodsassimpleaslookingoverauser'sshoulder.Ifasecurity-consciousadministratorrequireshard-to-guesspasswordsandfrequentchanges,userswhoareunabletorememberthemmaywritethemonpost-itnotes.OperatingsystemssuchasUNIXandVMSstorecryptographicallyhashedpasswords.Ifthelecontainingthehashedpasswordscanbestolen,theattackercanhashpossiblepasswordsuntiloneofthehashesmatchesahashinthepasswordle.Ifapasswordislargeenough,itwillbecomputationallyinfeasibletotryallpossiblepasswords.Inordertoprevento-linepasswordguessing,thereshouldbeabout64bitsofrandomness,or264possiblepasswords[ 26 ].Ifthepasswordisarandomstringofanyletters,upperorlowercase,anydigit,orpunctuationmarks,foratotalof64possiblecharacters,an11-characterpasswordwouldbesucient.However,fewpeoplewouldremembersuchapassword.Ifitisconstrainedtobeapronounceable,case-insensitivestringofletters,sothatitcanbemoreeasilymemorized,a16-characterpasswordwouldbeneeded.Ifusersareallowedtochoosetheirownpasswords,therandomnessisthoughttobeabout2bitspercharacter,and32characterswouldbeneeded.AccordingtoKaufmanetal.[ 26 ],allthreepossibilitiesaretoolongforhumanstomemorize.However,theauthorsuspectsthatalotofpeoplecouldremembera32-characterphrase,particularlyiftheyuseditregularly.Wheninthecourseofhumanevents,"therstsevenwordsfromtheDeclarationofIndependence,isalready34characters.Then,insteadofadictionaryattack,"acompilationoffamiliartextswouldhavetobeusedasasourceofpossibleguessesforalibraryattack."Finally,ifusersforgetpasswords,extraworkisimposedonadministratorstoresetthepasswords,andusersaredeniedaccesstoneededcomputingresourcesuntilthenewpasswordisavailable.

PAGE 26

13 Authenticationbymeansofwhatyouhave"orwhatyouare"mustoftenbeconvertedtoorsupplementedbyauthenticationbywhatyouknow."Ifauserauthenticatesoveranetwork,onlybits,notpossessionsorcharacteristicsoftheuser,canbepresentedtothesystem.Also,ifdevicesusedforotherformsofauthenticationarenotthemselvesauthenticatedbymeansofacryptographicchallenge,thesystemmaybevulnerabletospoongorreplayattacks.2.1.2WhatYouHave"Themostcommonauthenticationtoken,orphysicaldeviceusedforauthenti-cation,isakey.Earlypc'softenhadalockonthefrontpanelthatcouldbeusedtoblockaccesstoanyonewithoutthekey.Whilekeysremainthemethodofchoiceforauthenticatingusersofautomobilesandhouses,theywouldnotbepracticalfornetworkedcomputers,orforsystemswithmultipleuserswhohavedierentprivileges.Twotypesofauthenticationtokenscurrentlyusedarecardswithmagneticstripsandsmartcards.Bothtypescontainpasswordsorkeys,buttheyarenotconstrainedbyhumanforgetfulness,sothesecretcanbetoolongtobeguessed.SmartcardshaveembeddedCPUs.SomerequiretheuseofaPINbeforeallowingtheirinformationtoberead.Thisprovidesmoresecurityforthesecretthanamagneticstrip.Otherswillnotallowtheirsecretkeytoberead,butwillonlyuseittoencryptordecryptanumberinordertoauthenticateviaacryptographicchallengeandresponse.Thenitisdicultorimpossibleforthesecrettobestolen[ 26 ].Authenticationtokenscanbelostorstolen.Forthisreasontheyareoftencombinedwithanotherformofauthentication,suchasaPINorpassword[ 26 ].Becauseusersmayoccasionallyleavetheirtokensathome,theremustbesomemechanismtoauthenticateforgetfulusers.Aswithlostpasswords,there

PAGE 27

will be a loss of access to needed resources until the user can be authenticated by the alternative means, and there will be some cost for administrator's work in authenticating the user.

2.1.3 "What You Are"

Biometric authentication attempts to link authentication directly to the person of the user, basing its decision to accept or reject an attempt at authentication on a measurement of a physical or behavioral characteristic of the user. It is an attempt to avoid the problems of lost or stolen passwords or authentication tokens. Evaluation of the degree to which it may succeed, and the types of errors that can occur, is in the following section.

Biometric authentication has a long history. In ancient Egypt, for legal and business purposes people were identified by characteristics such as scars, complexion, eye color, and height [21]. Fingerprints were also used in ancient China on seals and in Babylon on clay tablets [14]. The first reported use of an automated biometric authentication system in the business world was in 1968, when fingerprints were used on Wall Street to open a vault containing stock certificates. The system cost $20,000 [38]. As of May, 2003, a mouse with a fingerprint scanner costs about $90-$140, and an iris scan system costs $205-$250.

A variety of biometric devices allow a user to authenticate by means of a fingerprint, an image of their hand, face, iris, or retina, handwriting, or the sound of their voice. Their common features are described here, and details of the various types of devices follow.

Before a biometric device can be used for authentication, a user must first enroll, as shown in Figure 2-1. In the case of a fingerprint system, this would involve putting a finger on a fingerprint scanner. The scanner would record an image of the fingerprint, perhaps in a ".bmp" file. The software component of

PAGE 28

[Figure 2-1 diagram. Boxes: Biometric Device, Biometric Data, Create Template, Enrollment Template, Database.]

Figure 2-1: In enrollment, a user's biometric data are captured, information is extracted and stored in an enrollment template, and the template is stored in a database.

[Figure 2-2 diagram. Boxes: Biometric Device, Biometric Data, Create Template, Match Template, Compare Templates, Enrollment Template, Database.]

Figure 2-2: In authentication, a user's biometric data are captured, information is extracted and stored in an enrollment template, which is compared to the enrollment template from the database.

the biometric system would process this file, extracting unique characteristics and saving them in an enrollment template. Most biometric authentication systems require users to repeat this process several times in the course of an enrollment, in order to get more data on the user's characteristics [35].

Later, when someone claims to be the user and attempts to authenticate, they again place their finger on the fingerprint scanner, the image is processed, the

PAGE 29

unique characteristics are extracted, and a second template, the "match template," is produced, as shown in Figure 2-2. This template is compared to the enrollment template, and a match score is generated [35].

Note that the images of the fingerprint from enrollment and authentication could not be directly compared, because the position and orientation of the fingerprint would be different each time. Even the templates would generally not be identical. This is in contrast to authentication by a password or other secret, whether stored in the memory of a user or of an authentication token, where a perfect match is expected. Therefore a decision rule is needed to get from the match score to a decision to accept or reject an attempt at authentication, as described below.

At first thought, biometric authentication would seem to be immune to loss and theft, except in rare cases, such as accidents. However,

    A hacker who broke into a poorly designed system might be able to steal other people's digital biometric templates and use them to access secure networks. This trick, called "replay," could take identity theft to a whole new level. "Your fingerprint is uniquely yours, forever. If it's compromised, you can't get a new one," says Jackie Fenn, a technology analyst at the Gartner Group [18], p. 61.

Stealing of templates is not a certain way for a hacker to get access. Normally the biometric data, such as a fingerprint or iris image, cannot be computed from the template. If the software expects the biometric data rather than a template, a hacker might be able to compute biometric data that produces the same template. However, the contents of the template would depend on the algorithm used, and if a template for a fingerprint using one algorithm was stolen, it might bear no resemblance to the template for another fingerprint device with a different algorithm. Likewise, a fingerprint computed to yield that template might not work on a system using a different algorithm which might extract different types of data from the signature.

PAGE 30

2.2 Evaluation of Biometric Authentication Systems

In this section, several metrics useful in the evaluation of biometric devices are discussed. Important parameters for a biometric device include False Acceptance Rate (FAR), False Rejection Rate (FRR), the Failure to Enroll rate (FTE), Ability to Verify rate (ATV), and cost.

2.2.1 False Acceptance Rate and False Rejection Rate

As described above, a biometric authentication system derives a match score by comparing biometric data from a person attempting to authenticate with enrollment data for the identity they claim. The closer the match, the higher the match score will be. If the match score exceeds a threshold, the person authenticating is accepted. If the threshold is set too high, genuine users will be rejected. If it is set too low, impostors will be authenticated. Ideally, the lowest score from a genuine user would be higher than the highest impostor score. Then the threshold would be set somewhere between the two. However, in reality, the genuine and impostor scores overlap. Then the system will generate a greater or lesser number of two types of errors. In order to quantify these errors, the false rejection rate (FRR) and the false acceptance rate (FAR) for a biometric device are defined as:

$$\mathrm{FRR} = \frac{\text{number of failed attempts at authentication by authorized users}}{\text{number of attempts at authentication by authorized users}} \tag{2.1}$$

$$\mathrm{FAR} = \frac{\text{number of successful authentications by impostors}}{\text{number of attempts at authentication by impostors}} \tag{2.2}$$

Both FAR and FRR depend on threshold. A higher threshold will generally reduce FAR, but at the expense of increased FRR, and vice versa. Methods and considerations related to choice of a threshold are discussed in Section 2.3 below.

PAGE 31

Because impostors may be able to authenticate by a variety of means, such as the use of artifacts like copies of fingerprints and replay attacks [47], [49], information on such vulnerabilities is needed for proper evaluation of biometric devices [54]. The "Principle of Easiest Penetration" states that intruders will "use any available means of penetration. This is not necessarily the most obvious means, nor is it necessarily the one against which the most solid defense has been installed" [39]. Therefore, biometric authentication systems should be tested by any means that can be devised. However, most testing that is reported consists of person A attempting to authenticate as person B [10], or with a database of biometric data captured in this way [12], [20], [25], [43], [28], [27].

2.2.2 Failure to Enroll Rate

When a user attempts to enroll on a biometric authentication system, if the system cannot extract enough unique characteristics to reliably authenticate the user, the user will not be able to enroll. Then the failure to enroll rate (FTE) is defined as

$$\mathrm{FTE} = \frac{\text{number of users who fail in their attempts to enroll}}{\text{number of users who attempt to enroll}} \tag{2.3}$$

Obviously a user without hands could not be enrolled on a fingerprint scanner. However, even when a user has the feature in question, the system may not be able to extract enough unique information in order to reliably authenticate the person. According to International Biometrics, about "2.5% of office workers do not have fingerprints of sufficient quality to allow for authentication" [21].

Several methods have been proposed to reduce FTE. First, improved training and improved ergonomics of the system can significantly reduce FTE. Nanavati et al. say that by these means FTE might be reduced from 10% to 1% [35].

PAGE 32

The FTE can also be decreased by lowering the standards for an acceptable enrollment, but when users are enrolled in spite of insufficient unique characteristics, the FAR and/or the FRR will be increased [35]. Finally, if users are allowed more attempts to enroll FTE can be decreased, but users who need many attempts to enroll will probably also have difficulty authenticating, so at some point it is probably best to give up and use another method of authenticating [35].

A high failure to enroll rate will tend to negate any advantages of the biometric authentication system, because an alternative means of authentication must be provided for users who cannot be enrolled. If the alternative system is less secure, then intruders should be expected to attempt to penetrate this alternative authentication scheme rather than the biometric authentication system. If the cost of the alternative authentication method is higher, a high FTE will increase the cost of authentication. If the alternative system is not less secure or more expensive, then the biometric system is probably not needed anyway. A second authentication system is certain to increase the administrator time needed for authentication, because they will have to maintain two systems rather than one.

2.2.3 Equal Error Rate

At a sufficiently low threshold, few or no users will be rejected, so the FRR will be low. Most or all impostors will be accepted, so the FAR will be high. Then as the threshold is increased more genuine users will be rejected and fewer impostors will be accepted. At some point FRR and FAR will be equal. The value of the FAR and FRR at this point is the equal error rate (EER). The equal error rate may be useful as a single value to allow comparison between different biometric authentication systems. However, it can be misleading because systems will seldom be operated at the EER. In some cases it will be more important to keep impostors out, even at the expense of rejecting authorized users, and in other

PAGE 33

cases it will be more important to avoid rejecting authorized users [35]. The EER tells us nothing about what the FAR and FRR will be at any other threshold. Also, if the standards for enrollment are made high, the EER will be low, but at the expense of a high FTE. If the EER is reported but the FTE is not, it is impossible to know how good the system really is.

2.2.4 Ability-to-Verify Rate

In order for the biometric authentication system to work properly for a given user, the user must be able to enroll, and then to authenticate. The Ability-to-Verify Rate (ATV) then gives the proportion of users for whom the system works properly,

$$\mathrm{ATV} = (1 - \mathrm{FTE})(1 - \mathrm{FRR}) \tag{2.4}$$

Along with the FAR, the ATV provides important information on three key issues for biometric authentication systems [35]:

1. Cost: If some users cannot be authenticated by the biometric system, some alternative authentication process will be needed. It could be an alternate biometric authentication system, or a system based on a password or authentication token, or even an administrator who would come and verify the individuals who cannot be authenticated on the biometric system. In any case, it will increase costs.

2. Security: If the ATV is low, many users are not being verified by the biometric authentication system. Unless the alternative means of authentication is at least as secure as the biometric system, the security of the system will be degraded.

3. Convenience: A low ATV indicates that the biometric system is difficult to use, because many users cannot enroll or authenticate successfully.
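The metrics of Sections 2.2.1 through 2.2.4, computed over a threshold sweep, as an added example that is not part of the thesis. The match scores and enrollment counts are constructed, the function names are illustrative, and ATV is taken as (1 - FTE)(1 - FRR).

```python
"""FAR, FRR, EER, FTE and ATV from match scores (constructed sample data)."""

# Constructed match scores, higher = closer match. Not measurements from the thesis.
GENUINE = [0.91, 0.85, 0.78, 0.74, 0.69, 0.66, 0.58, 0.52, 0.47, 0.35]
IMPOSTOR = [0.62, 0.55, 0.49, 0.41, 0.38, 0.33, 0.29, 0.24, 0.18, 0.10]
ENROLL_ATTEMPTED = 50  # constructed: users who tried to enroll
ENROLL_FAILED = 2      # constructed: users the system could not enroll


def frr(threshold, genuine=GENUINE):
    """Equation 2.1: genuine attempts rejected / genuine attempts made."""
    return sum(score <= threshold for score in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """Equation 2.2: impostor attempts accepted / impostor attempts made.

    An attempt is accepted when its score exceeds the threshold.
    """
    return sum(score > threshold for score in impostor) / len(impostor)


def fte(failed=ENROLL_FAILED, attempted=ENROLL_ATTEMPTED):
    """Equation 2.3: users who could not enroll / users who tried."""
    return failed / attempted


def atv(threshold):
    """Share of users who can both enroll and then authenticate."""
    return (1 - fte()) * (1 - frr(threshold))


def candidate_thresholds():
    """Every observed score is a point where FAR or FRR can change."""
    return sorted(set(GENUINE) | set(IMPOSTOR))


def equal_error_rate():
    """Return (threshold, FAR, FRR) at the smallest |FAR - FRR|.

    With finite samples the two rates may never be exactly equal, so the
    closest crossing is reported rather than assumed.
    """
    t = min(candidate_thresholds(), key=lambda c: abs(far(c) - frr(c)))
    return t, far(t), frr(t)


def threshold_for_max_far(max_far):
    """Lowest threshold whose FAR is within the cap.

    FRR never decreases as the threshold rises, so the lowest threshold
    that satisfies the FAR cap is also the one with the least FRR.
    """
    if max_far < 0:
        raise ValueError("max_far must be non-negative")
    for t in candidate_thresholds():
        if far(t) <= max_far:
            return t, far(t), frr(t)
    raise ValueError("no candidate threshold meets the FAR cap")


if __name__ == "__main__":
    print("threshold   FAR    FRR    ATV")
    for t in candidate_thresholds():
        print(f"{t:9.2f}  {far(t):.2f}   {frr(t):.2f}   {atv(t):.3f}")
    print("EER point:", equal_error_rate())
    print("FAR <= 0.10:", threshold_for_max_far(0.10))
```

The printed table shows FAR and ATV moving against each other as the threshold rises, which is why neither figure means much when reported alone.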

PAGE 34

Of course the ATV could be made high by lowering the standard for enrollment and the threshold for authentication, but this would result in a high FAR. Likewise, the FAR could be made very low by making the standard for enrollment and the threshold for authentication high, but then the ATV would be low. For this reason, both of these metrics should be reported together, and not just one or the other.

2.2.5 Receiver Operating Characteristic and Detection Error Trade-off Curves

Receiver operating characteristic (ROC) curves display the genuine acceptance rate on the y axis vs. the FAR on the x axis. They are "an accepted method for summarizing the performance of imperfect diagnostic, detection, and pattern matching systems" [32]. However, for biometric systems, detection error trade-off (DET) curves, which plot FRR on the y axis vs. FAR on the x axis, are preferred because they treat both types of error in the same way [32]. If desired, the error rates can be plotted on logarithmic scales to cover a wider range of errors. These curves allow a relatively complete view of the characteristics of a biometric system. From such a curve, one can find the EER, the FAR corresponding to any desired FRR, or the FRR corresponding to any desired FAR.

2.2.6 Cost

The cost of a biometric system would include the purchase price of the device, as well as administrative cost of setting up and maintaining the device, and the cost of the time spent by users in authenticating. It might also include the cost of an alternative system for users who cannot be enrolled, and the cost of dealing with users who are falsely rejected by the system.

2.2.7 Number of Authentication Attempts Allowed

An important policy decision in the design and administration of a biometric authentication system is the number of attempts allowed. If multiple attempts are

PAGE 35

allowed, the FRR will be decreased and the FAR will be increased. In the simplest case, if the probability of success for all attempts is independent, the FAR and FRR for a system that allows $n$ attempts are

$$\mathrm{FAR}_n = 1 - (1 - \mathrm{FAR}_1)^n \tag{2.5}$$

$$\mathrm{FRR}_n = \mathrm{FRR}_1^{\,n} \tag{2.6}$$

where $\mathrm{FAR}_1$ and $\mathrm{FRR}_1$ are the values when only one attempt is allowed.

However, probability of success for multiple attempts is not likely to be independent. If 1% of impostors can authenticate on a particular fingerprint system as user A, there may be some with fingerprints very close to A's, who can authenticate every time. Others may be able to authenticate occasionally. Others, with fingerprints very different from A, may never be able to authenticate as A. Likewise, if a user is falsely rejected by a voice system due to a cold, the user would continue to have a very low probability of success until they recover. Multiple attempts would be little help.

Imposing a limit on the number of authentication attempts creates the possibility of another kind of attack [26]. If access to the account is blocked after some number of unsuccessful attempts, an attacker can simply make the required number of attempts to authenticate, blocking the account. An attacker could even block the administrator's account, creating a severe problem. An alternative approach to preventing repeated attempts by an attacker might be to impose a delay between attempts. The delay might be a few minutes, and begin after some small number of attempts. In addition, the administrator could be alerted when there are repeated failed authentication attempts, and could investigate to catch the impostor.
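Added example, not part of the thesis: equations 2.5 and 2.6 set beside a population in which attempts are not independent, following the fingerprint and voice cases described above. The group weights and per-attempt probabilities are constructed so that the single-attempt FAR is 1%.

```python
"""n-attempt FAR/FRR: independence formulas vs. a mixed population."""

# Constructed impostor population as (share of impostors, per-attempt success):
# a few match user A every time, some occasionally, most never.
IMPOSTOR_GROUPS = [(0.005, 1.0), (0.05, 0.1), (0.945, 0.0)]

# Constructed genuine population as (share of users, per-attempt rejection):
# a small group (for example users with a cold on a voice system) is
# rejected on almost every attempt, everyone else only rarely.
GENUINE_GROUPS = [(0.02, 0.9), (0.98, 0.02)]


def far_n_independent(far_1, n):
    """Equation 2.5: an impostor gets in if any of n attempts succeeds."""
    return 1 - (1 - far_1) ** n


def frr_n_independent(frr_1, n):
    """Equation 2.6: a genuine user is locked out only if all n fail."""
    return frr_1 ** n


def single_attempt_rate(groups):
    """Population-wide rate for one attempt (FAR_1 or FRR_1)."""
    return sum(share * p for share, p in groups)


def far_n_population(groups, n):
    """FAR over n attempts when each impostor keeps the same odds."""
    return sum(share * (1 - (1 - p) ** n) for share, p in groups)


def frr_n_population(groups, n):
    """FRR over n attempts when each user keeps the same rejection odds."""
    return sum(share * q ** n for share, q in groups)


def compare(n):
    """Both models side by side for n allowed attempts."""
    far_1 = single_attempt_rate(IMPOSTOR_GROUPS)
    frr_1 = single_attempt_rate(GENUINE_GROUPS)
    return {
        "far_1": far_1,
        "frr_1": frr_1,
        "far_n_independent": far_n_independent(far_1, n),
        "far_n_population": far_n_population(IMPOSTOR_GROUPS, n),
        "frr_n_independent": frr_n_independent(frr_1, n),
        "frr_n_population": frr_n_population(GENUINE_GROUPS, n),
    }


if __name__ == "__main__":
    for attempts in (1, 3, 5):
        print(attempts, {k: round(v, 6) for k, v in compare(attempts).items()})
```

With three attempts the independence formula predicts an FRR near 0.00005, while the mixed population stays near 0.0146: retries barely help the users who are rejected for a persistent reason, and the same formula overstates how much FAR grows.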

PAGE 36

2.3 Decision Rules

Because FAR and FRR for a given device depend on threshold, selection of the threshold is a critical policy decision. A decision rule must be chosen based on the requirements of the system. An attempt at authentication on a biometric authentication system produces a score $x$. In general, $x$ is a vector, the components of which are scores returned by one or more biometric devices, each of which may return multiple scores, either from processing the same data by different algorithms [43], or by processing different measurements, as in the case of the Softpro Dynamic Signature Verification system, which returns both dynamic and static scores, as described below. The decision rule must map the score to one of two classes, $\omega_1$ for accept and $\omega_2$ for reject.

Two methods of choosing a decision rule might be appropriate depending on the requirements of the system. If a maximum acceptable rate for one type of error is specified, and errors of the other type should be minimized subject to this constraint, we are using the Neyman-Pearson method of selecting a decision rule [31]. In the case of a single biometric device, assuming that the distribution of impostor scores decreases monotonically and the distribution of genuine user scores monotonically decreases as score increases, this rule is almost trivial. For example, if a limit of 0.001 is placed on the FAR, then the threshold is set to produce a FAR of the required level, 0.001. A lower threshold would not achieve the required FAR, and while a higher threshold would further decrease the FAR, it would also increase the FRR.

If either or both of the distributions of scores for impostors and genuine users are not monotonic, then simply accepting everything above a threshold and rejecting everything below may not be optimal. Instead, we need to define the likelihood ratio, as in [43]

$$R = P(x|\omega_2) / P(x|\omega_1) \tag{2.7}$$

PAGE 37

where $P(x|\omega_2)$ and $P(x|\omega_1)$ are the conditional probabilities of the score $x$ given that the person authenticating is an impostor, belonging to class $\omega_2$, or a genuine user, belonging to class $\omega_1$, respectively. Regions of high $R$ have a high proportion of impostors, and regions of low $R$ have a high proportion of genuine users. If we again consider the example of a maximum FAR of 0.001, then we would select the regions to accept beginning with the lowest $R$, and continue adding progressively higher $R$ regions to the "accept" area until the proportion of impostors being accepted reaches the maximum acceptable FAR of 0.001. If a maximum FRR is specified, regions with highest $R$ are rejected until the proportion of genuine users rejected reaches the maximum allowed value.

The optimal Bayes decision rule can be used when both types of errors can be assigned a loss. This rule minimizes the risk, or expected value of loss, by assigning a pattern $x$ to the class $\omega_i$ which minimizes the conditional risk,

$$r(\omega_i|x) = \sum_{j=1}^{2} L(\omega_i, \omega_j)\, P(\omega_j|x) \tag{2.8}$$

where $L(\omega_i, \omega_j)$ is the loss when a pattern belonging to $\omega_j$ is assigned to $\omega_i$. Thus, $L(\omega_2, \omega_1)$ is the loss incurred when an authorized user is rejected, and $L(\omega_1, \omega_2)$ is the loss incurred when an impostor is accepted. The loss incurred in assigning a pattern to the correct class is normally given a value of 0. $P(\omega_j|x)$ is the posterior probability, or the probability that the pattern belongs to $\omega_j$ given the values of the measurements that make up the vector $x$ [27].

The values of the losses for assigning to the wrong class will depend on the application of the biometric device. In a test of a system of three biometric devices used to authenticate people entering the Fraunhofer-Institute for Integrated Circuits, a false rejection was assigned twice the cost of a false acceptance [10]. On the other hand, if we are designing a biometric authentication system to protect the gold in Fort Knox, the loss due to a false acceptance would be much

PAGE 38

greater than that due to a false rejection. $P(\text{impostor}|x)$ and $P(\text{genuine}|x)$ are the posterior probabilities that the person attempting to authenticate is an impostor or a genuine user, given they achieved a score $x$, respectively.

The posterior probabilities $P(\omega_1|x)$ and $P(\omega_2|x)$ are not likely to be known for a biometric authentication system. According to Bayes' formula, they are

$$P(\omega_k|x) = \frac{p(x|\omega_k)\, P(\omega_k)}{p(x)} \tag{2.9}$$

where $p(x|\omega_k)$ is the conditional probability density function for measurements of $x$ on class $\omega_k$ and $p(x)$ is the unconditional probability function of $x$ [27]. Now $p(x|\omega_1)$, the probability that a genuine user will get a score $x$, can be determined by allowing genuine users to authenticate and determining the probability distribution of their scores. The probability of an impostor getting a score $x$, $p(x|\omega_2)$, will depend on the method used by the impostor, because some methods will allow the impostor to present data that matches the genuine user's data more closely. As with FARs, values of $p(x|\omega_2)$ should be determined for each possible method that impostors may use. We are still left with terms that might or might not be measurable; $P(\omega_2)$, the probability that a person who attempts to authenticate is an impostor, and $P(\omega_1)$, the probability that a person who attempts to authenticate is a genuine user.

If it is desired to apply biometric authentication in a system currently using some other method of authentication, such as passwords, these probabilities might be estimated by logging all attempts at authentication, and assuming that the successful attempts are genuine users, and unsuccessful attempts are impostors. However, error will result if some impostors are successful under the current system, and if genuine users forget their passwords or make typing errors. A more sophisticated approach to the log might reduce the number of errors in the estimates. Genuine users might be expected to succeed on their second try, or to ask the administrator to reset their password soon after they fail several times. A

PAGE 39

large number of unsuccessful attempts in rapid succession would indicate on-line password guessing.

Substituting equations 2.9 into equation 2.8 we can arrive at a decision rule,

Accept if $L(\omega_1, \omega_2)\, p(x|\omega_2)\, P(\omega_2)$
PAGE 40

is not unique, there will be some error, but the characteristic may still be useful if the error is small enough or if the characteristic is used in combination with other characteristics. If it is not constant, error will again result. Gradual changes in the characteristic might require periodic re-enrollment. The characteristic should also be measurable by some technique that is inexpensive in terms of equipment and software cost, administrator time, and user time, and not objectionable to the user. In this section the degree to which fingerprint, iris, voice, face, hand, and signature scans meet these criteria will be discussed. A recent legal challenge to fingerprint evidence in courts will also be reviewed.

2.4.1 Fingerprint

Fingerprints have a long history of scientific investigation and forensic use. Biometric systems using this feature seem to be both the most numerous and most highly developed. Fingerprints have three levels of detail, all of which are useful for identification or authentication. Level one is the overall pattern, and includes whorl patterns, loop patterns, and arch patterns. It is not sufficient to indicate a match, but can indicate a non-match. Level two includes ridge endings, bifurcations, dots, and combinations of these features. Level three includes details of ridges, such as pores, breaks, width, shape, and scars [22]. The permanence and individuality of these features have made fingerprints a useful means of identification in many contexts, including biometrics.

Formation, Permanence, and Uniqueness of Fingerprints

The mechanism of formation of fingerprints is of interest because it provides reason for the permanence and uniqueness of the fingerprint pattern. In a case in which the admissibility of fingerprint evidence was challenged, William Babler, an anatomy professor, embryologist, and former president of the American Dermatoglyphics

PAGE 41

Association,[1] testified on the mechanism of formation of friction ridges, the ridges that make up fingerprints and palm prints, and also exist on toes and the soles of feet [42]. This testimony was used by the judge in United States v. Plaza in deciding on the admissibility of fingerprints in that case. Babler states that "Primary friction ridges, which develop 'deep to the surface of the skin'" begin to form in the ninth or tenth week of a fetus. At about fourteen weeks, "sweat glands or sweat ducts begin to form, 'start[ing] out as proliferations from the primary ridge. They grow down into the dermis and they ultimately mature into a duct and into a gland.'" Sometime from the fifteenth to the seventeenth week the primary ridges have all formed, and the secondary ridges begin to appear on the skin surface at about the seventeenth week. Babler stated that

    this interface between the epidermis and the dermis really provides a template of the configuration of the friction ridges on the surface. And this template tends to be permanent. It does not change. Unless it gets injured, and it would take a deep injury. It would take an injury that

Footnote 1: This association consists of "physical anthropologists, geneticists, and biologists who study the patterns of friction ridges on the hands and feet of humans and other primates looking at the relationships of these configurations for determining predictability for, say, a medical condition or a variety of other related situations" [42]. It is interesting to note that Francis Galton expected to find similarities in fingerprints within various ethnic and racial groups, and distinctions between the groups, but concluded "As a first and only an approximately correct description, the English, Welsh, Jews, Negroes, and Basques, may all be spoken of as identical in the character of their fingerprints; the same familiar patterns appearing in all of them with much the same degrees of frequency, the differences between groups of different races being not larger than those that occasionally occur between groups of the same race. The Jews have, however, a decidedly larger proportion of Whorled patterns than other races, and I should have been tempted to make an assertion about a peculiarity in the Negroes, had not one of their groups differed greatly from the rest." He later states that "[t]he only differences so far observed are statistical, and cannot be determined except through patience and caution, and by discussing large groups" [17]. Whatever similarities there may be in fingerprint patterns within groups are only statistical similarities, and should not interfere with the use of fingerprints for identification.

PAGE 42

    would pierce through that interface such as a deep knife wound, or a deep burn to actually distort the template at the epidermal, dermal interface [42], pp. 1-2.

The uniqueness of fingerprints is also rooted in their fetal development. Babler stated that factors that could affect the arrangement of ridges include genetics, environmental factors, chemicals, disease, and perhaps the "shape of" the end of the finger. Babler stated:

    [T]here are many different factors, many, many different factors that influenced the development of the friction ridge and ultimately the development of its secondary characteristics, the minutiae, the actual shape of the ridge itself. All these are so numerous and so individual that they -- that I cannot conclude anything but that each and every friction ridge and their arrangements are individual and specific [42], p. 2.

Babler provides reasons based in fetal development for the permanence and uniqueness of fingerprints. Observations and experiments confirming that permanence and uniqueness were carried out by Henry Faulds, a 19th century Scottish medical missionary in Japan. Faulds first became interested in fingerprints when he noticed patterns of parallel lines in ancient pottery fragments. When preparing to lecture medical students on use of the sense of touch, he had become aware of the pattern of ridges on his own fingertips. Faulds suddenly realized that he was seeing impressions from the ridges of ancient potters on the fragments. When he examined modern pottery in the market, he found a multitude of fingerprints. While looking at China tea sets, Faulds noted that "one peculiar pattern of lineations would reappear with great persistency, as if the same artist had left her sign-mark on her work." and that pottery could be matched to the potter by the ridge marks [2].

An interest in anthropology led Faulds to begin taking fingerprints of friends, relatives, and any other people available. He first sketched the ridges, later took prints in wax, and finally began inking all ten fingertips and taking prints on paper.

PAGE 43

He wanted to see if prints differed according to the groups the people came from. However, he was only able to collect European and Japanese fingerprints. He wrote to scientists in other parts of the world, but none were interested in his ideas.

Then the medical alcohol began to disappear from a locked cabinet in his hospital. Faulds found a laboratory beaker that had been used as a drinking glass, and comparing the fingerprints on it to his cards, found a match to a medical student [2]. Later, a member of the staff was accused of attempting to burgle the hospital. Faulds showed the police that the suspect's fingerprints did not match those left by the burglar, proving the suspect was innocent.

At this point Faulds realized that fingerprints could solve many legal problems related to identification. He hesitated to publish the idea because of "a most depressing sense of moral responsibility and danger. What if someone were wrongly identified and made to suffer innocently through a defective method? It seemed to me that a great deal had to be done before publicly proposing the adoption of such a scheme." He realized the necessity of proving that fingerprints were unique and permanent [2].

Faulds and his medical students used a razor to shave off their finger ridges until no fingerprint pattern remained. Their fingerprint ridges grew back in identical patterns. They repeated the experiment with pumice, sandpaper, emery dust, acids, and bases, and in all cases the fingerprints grew back with the exact same patterns as before the treatments [2].

He also studied children between the ages of 5 and 10, and found that their fingerprints did not change as they grew. When a scarlet fever epidemic caused severe peeling of skin, Faulds found that there was again no change in the fingerprints [2]. In the course of his studies, he had collected thousands of fingerprints, leading to the conclusion that fingerprints were unique. Faulds was finally satisfied that his discovery was worthy of publication [2].

PAGE 44

Francis Galton found further scientific evidence for the permanence of fingerprints. Galton made a careful study of fingerprints taken over a period of 28 years, and found them unchanged except in ways that could be accounted for by wear;

    The question arises whether these finger-marks remain unaltered throughout the life of the same person. In reply to this, I am able to submit a most interesting piece of evidence, which thus far is unique, through the kindness of Sir Wm. Herschel. It consists of the imprints of the two first fingers of his own hand, made in 1860 and in 1888 respectively; that is at periods separated by an interval of twenty-eight years. I have also two intermediate imprints, made by him in 1874 and in 1883 respectively. The imprints of 1860 and 1888 have now been photographed on an enlarged scale, direct upon the engraver's block, whence Figs. 9 and 11 are cut; these woodcuts may therefore be relied on as very correct representations [16], p. 201.

Galton goes on to describe the details of the prints, and to give instruction on how to compare fingerprints, then concludes,

    A careful comparison of Figs. 9 and 11 is a most instructive study of the effects of age. There is an obvious amount of wearing and of coarseness in the latter, but the main features in both are the same [16], p. 202.

He also cites several other scholarly publications on the topic of fingerprints, and refers to widespread experimentation, and in describing the difficulty of producing good impressions of fingerprints for study, comments that "All this is rather dirty work, but people do not seem to object to it; rivalry and the hope of making continually better impressions carries them on" [16]. Galton published an example of fingerprints that did not change. It is clear that a number of people were experimenting in the area. If people studying fingerprints out of "rivalry" had found an example of a fingerprint changing, they would certainly have published it.

Level 1 detail of fingerprints tends to be the same for family members, and especially for identical twins. However, the formation of level 2 and 3 detail is

PAGE 45

more controlled by embryonic environment, so these features are unique in every fingerprint, even between identical twins [41]. Cloned monkeys also have unique fingerprints and palm prints, although all monkeys have the same level 1 pattern [41].

More recently, Donald Zeisig of Lockheed Martin Information Systems, the developers of the FBI's computerized fingerprint system, performed a test known as the "50k x 50k study," comparing 50,000 fingerprints to each other. Unfortunately, Zeisig's work has not been published [29], but some information on the testing procedure and results is available from his expert testimony at a hearing relating to the admissibility of fingerprint evidence in court [51].

Zeisig first describes the matching process. Two matching algorithms, one developed internally, and a second from Sagem/Morpho of France, independently compared each print to each other in the set. The two scores were then fused to determine whether there was a match. The fusion algorithm makes use of extreme value statistics, which take a lot of information, and look for some unusual occurrence, which in this application is a match.

For the 50k x 50k study, the first 50,000 left slope loops from white males were extracted from the database of fingerprint images. Images were limited to left slope loop patterns and white males in order to increase the likelihood of finding matching prints. Zeisig also noted that "if the system was able to extract Level 3 Detail that he expected the calculated probability to be even lower than determined in the tests" [51].

When full one inch fingerprints were compared, it was concluded that the probability of finding two identical fingerprints, either on different fingers of the same person or on different people, was one in $10^{97}$, and when the prints are cropped, and only the middle 21.7 percent of the prints are compared, the chance of different prints matching is one in $10^{27}$. The smaller areas were compared because latent prints from crime scenes are often smaller than one inch. Each

PAGE 46

print was compared with all 50,000 prints, including itself. Probabilities were determined by taking the top 500 scores from each set of 50,000 and normalizing them to give the best score in each set, which came from a comparison of a fingerprint image to itself, a score of 1. Then, the means and standard deviations were determined either with or without the comparison of the image to itself. Results were reported for the case where the high score from the comparison of the image with itself is included because inclusion of this score was found to broaden the curve and produce a higher probability of a false match [51].

The experiment found several matches of prints with different FBI numbers which turned out to be two rolled prints of the same finger. Unfortunately, it is difficult to determine the meaning of some parts of the testimony, because it refers to some items the participants were given, which are not included in records of the trial. In the experiment on the reduced area, simulated latent prints, another pair of prints with different FBI numbers was found. To gain more information on whether or not they were a false match, Zeisig compared all combinations of prints on the two cards, and found an extremely high score "for all 10 fingers going in both directions" (the comparison process is not commutative. If print A is compared to print B, and then B is compared to A, the scores will not be the same). One might wonder why the other nine pairs of fingers were not matched in the original experiment. However, if the other nine fingerprints of the individual in question were not left slope loops, they would not have been included in the data set of 50,000 prints. The FBI examined the actual 10-print cards, and confirmed that they were from the same person [51].

It might be considered circular reasoning to conclude that the two sets of prints are from the same person on the basis of close similarity of all ten prints in a study used to test the hypothesis that all fingerprints are unique. However, given other evidence for the uniqueness of fingerprints, it seems more reasonable to suppose that the same person was

PAGE 47

fingerprinted twice than that two different persons had all ten fingerprints identical. Recall that even identical twins have different fingerprints [41].

In another case, a match was found between two adjacent fingerprints on the same 10-print card. Zeisig used a program to plot the minutia that had been extracted from the two fingerprints in question, and based on an area of one print that seemed to include minutia from a part of the other, concluded that the two prints must overlap on the 10-print card. Examination of the 10-print card confirmed his conclusion.

The defense attorney questioned Zeisig about a normalized score for two prints of the same finger which was lower than normalized scores of different fingers in other tests. However, its normalized score was second highest among all 50,000 scores for prints compared to its mate [51]. The highest score would have been for the first print of the pair compared to itself. If the raw score in this case was unusually high, which could be due to a large number of minutia in the print, then the other normalization factor would also be high, so other scores in this set of 50,000 would be lower than in other sets. We might expect the other print of the finger to also have a high number of minutia, and to achieve a high score, but it may have been a low quality print. When the same two prints were compared in the other direction, they matched better. However, it was not determined that they were two prints of the same finger until the second half of the experiment, when the central 21.7 percent of each print was compared [51].

Williams criticizes this test on several points in a paper critical of the current state of biometrics [54].

1. The court record is incomplete: are there 5,000 white males, each with "10-print cards" or 50,000 different males, each with one "full-size, 1-inch" rolled print, or somewhere in between? -- Were different fingers involved, etc.? Did each print have a corresponding artificial partial print...? [54], p. 100


It is clear that at least some individuals had more than one left slope loop fingerprint, and therefore that more than one of their prints was included. Specifically, for one individual two adjacent fingerprints were found to match because the prints overlapped on the 10-print card and therefore contained the same minutia. An individual does not normally have the same class of fingerprint on all ten fingers, and it would be quite remarkable if the first 50,000 left slope loops from white males in the FBI database were from 5,000 individuals with 10 left slope loop prints each. While not clearly stated, from the extra experiment described above, in which Zeisig compared all ten prints from two 10-print cards of two prints that had a high score, we may infer that the other nine prints were not in the data set, otherwise they would already have been compared and found to match in the test. Presumably, they were not left slope loops. Thus we can see that some individuals had multiple prints in the data set, but the data set did not consist of 10 prints each from 5,000 individuals.

2. "There is no hint of peer review, nor control for organizational-conflict-of-interest (OCOI) in the Lockheed-Martin/AFIS-related findings" [54], p. 100.

This is a valid criticism. It appears that the test was done after the system was already in operation. Had it been done as a condition for acceptance of the system, there would have been some check on conflict of interest, but at the stage of the trial, good results would be desired by both the FBI and Lockheed-Martin. Publication of this work would seem to be an opportunity to lay to rest doubts about the uniqueness of fingerprints in general, and the capabilities of the system in particular. A worthwhile paper could surely be prepared without revealing proprietary information on the system.

3. "There is no justification given for excluding all but white males, yet drawing inferences for all humanity, for all time" [54], p. 100.


However, Zeisig testified:

"The reason we selected the left slope loops, and I can't say this from personal knowledge, but the white males, I'll have to rely on the testimony of other experts in that area, was to increase the likelihood that we were going to find a match, matching set of minutia if it was there. In other words, that would be a bias in favor of the defense case" [51], p. 51.

Zeisig, and apparently others involved in planning the test, know that they are looking for a rare event, so they make a choice that will increase their chances of finding it. If this were the only study that had ever been done on fingerprints, it would indeed be worrisome that only white males were included. However, recall that anthropological studies of fingerprints go back to the beginning of fingerprint science, and only statistical differences between groups have been found [15], [17].

4. "There is no justification reported for treating perfect artificial partial fingerprints as equivalent to latent fingerprints (LFP), which are normally degraded images of crime-scene fingerprint images" [54], p. 100.

This point is important for the forensic use of fingerprints, but has no bearing on the question of uniqueness. It does not relate directly to biometric authentication; however, the importance of a good quality image is discussed below.

5. "There is no justification given of the automated techniques employed, including such issues as provenance, technology, testing, validation, maintenance, and quality assurance - they are all treated as equivalent to human examiners" [54], p. 100.

There is some truth here. However, the ability of the matching programs to detect unsuspected duplicate prints, and to detect details of one print overlapping another, provides some level of proof that they function properly. In the testimony, Zeisig describes the system in generalities, but states that details of the algorithms are proprietary [51]. It is probably not reasonable to expect very much information in some of these areas.

6. "These extraordinary numbers demand detailed scientific reconsideration. Even the difference, 70 orders of magnitude, strains the credulity without extensive review by the scientific community at large" [54], p. 100.

While the numbers are indeed extraordinary, given the probabilities determined in the experiment, the difference is about what should be expected. Two full prints have a probability of $10^{-97}$ of matching [51], and if all elements of area of the prints were independent, we would expect that the probability of the middle 21.7% matching would be $(10^{-97})^{21.7/100}$, or $10^{-21.0}$, more than the observed $10^{-27}$. If areas of the print were independent, the difference would be 76 orders of magnitude. This indicates that the elements of area of a single print are not independent, which is not surprising since fingerprints have patterns. One part should have some degree of relationship to the others.

Discussion of the Validity of Fingerprints for Forensic Identification

This section will discuss several legal challenges to the admissibility of fingerprints in trials, and whether these challenges would also apply to the usefulness of biometric authentication. These challenges are based on two important cases and one rule adopted by Congress related to admissibility of scientific evidence in court.

First, the "Frye Test" comes from Frye v. United States, from the District of Columbia circuit court in 1923. The opinion ruling that results from an early type of lie detector could not be admitted states [1]:

"While courts will go a long way in admitting expert testimony deduced from a well-recognized scientific principle or discovery, the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field to which it belongs" [Footnote 2: 293 F. 1014 (D.C. Cir. 1923), quoted in [1].]

The Frye test has been criticized on several grounds [1]. It is said to be overly conservative, because it requires waiting until scientific ideas become accepted in the legal community before they can be of use in court. Second, there is no clear standard for when or if an idea is accepted in the scientific community. It may be difficult to know which field to consult on a particular idea to determine if it is accepted.

In 1975, Congress adopted Federal Rule of Evidence 702:

"If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise" [40], p. 6.

Although this rule does not mention the Frye condition of "general acceptance," it was still applied by many courts until the Supreme Court clarified that it had been superseded by Rule 702 in the second important case, Daubert v. Merrell Dow Pharmaceuticals, Inc. in June 1993 [40]. Justice Blackmun explained the meaning of scientific knowledge:

"The adjective 'scientific' implies a grounding in the methods and procedures of science. Similarly, the word 'knowledge' connotes more than subjective belief or unsupported speculation. The term applies to any body of known facts or to any body of ideas inferred from such facts or accepted as truths on good grounds. Of course, it would be unreasonable to conclude that the subject of scientific testimony must be 'known' to a certainty; arguably, there are no certainties in science. But, in order to qualify as 'scientific knowledge,' an inference or assertion must be derived by the scientific method" [40], p. 6.

Justice Blackmun also gave four standards for admissibility [1], [54].

1. Whether or not a scientific theory or technique can be and has been tested.


2. Whether the theory or technique has been subject to peer review and publication.
3. Whether the technique has a known or potential "rate of error" and standards controlling the technique's operation exist and have been maintained.
4. The Frye test, whether the technique has general acceptance in the scientific community.

After Daubert, all courts that considered challenges to fingerprint testimony came to the conclusion that it should be admitted until United States v. Plaza in 2002, where Judge Pollak decided that fingerprint examiners and the process of comparing latent prints from crime scenes to prints taken under controlled conditions met only the fourth of the Daubert factors, "general acceptance within the American fingerprint examiner community" [40]. It was found to lack requirements of testing, peer review, and standards, and the rate of error is "in limbo." Therefore, the parties would be allowed to introduce fingerprints, explain how they were obtained, and point out similarities and differences. But they would not be able to present expert testimony on whether or not prints matched.

However, Judge Pollak took judicial notice of the permanence and uniqueness of fingerprints. He stated that

"A judicially noticed fact must be one not subject to reasonable dispute in that it is either generally known within the territorial jurisdiction of the trial court or capable of accurate and ready determination by resort to sources whose accuracy cannot be reasonably questioned" [40], p. 5.

Ziesig's testimony on the 50k x 50k study described above provided grounds for judicial notice of uniqueness, and Babler's testimony on the prenatal development of fingerprints, also described above, provided grounds for judicial notice of permanence. Thus the important points for biometric authentication, the permanence and uniqueness of fingerprints, were not questioned by the court. Methods of acquiring and matching latent prints are irrelevant to biometric authentication.


However, it will be necessary to consider whether fingerprint scanning devices record sufficient detail for reliable authentication.

Pollak reconsidered his decision not to allow expert testimony on matching of fingerprints because the first decision was based only on the transcripts of testimony given in a similar case, and the judge had not heard any live witnesses. Following testimony by American and British experts, Pollak decided that forensic use of fingerprints met the standards of Daubert [41].

Hardware

Three types of fingerprint scanners are in use to capture images of fingers. The resolution of the captured images is from 250-625 dots per inch, with 500 dots per inch commonly used [37]. Higher resolution allows the capture of finer details, and a system that authenticates based on pores, which are smaller than ridges, has a resolution of 800 dots per inch [46].

The area of the fingerprint captured ranges from 0.5 to 1.25 inch square, with 1 inch being a common size [37]. A larger area will ensure the inclusion of more details in the captured print. However, an area of 5 mm², which would contain more than 20 pores, is said to be sufficient for authentication with pores, and 10 mm² would contain about 12 minutia, and would be sufficient for authentication [46]. However, if a scanner only captured 5 mm² fingerprint images, the same 5 mm² would have to be captured in enrollment and matching. This would probably result in a very high FRR. Each pixel is usually encoded with 8 bits, giving an intensity range of 0-255 [37].

Design of a fingerprint capture device is a compromise between size, resolution, and cost. The goal must be to capture a maximum of detail with a minimum of size and cost.

Optical fingerprint scanners produce an image by illuminating a finger placed on a glass surface with laser light. Light is reflected by ridges, but not by valleys of the finger. The reflected light is captured by a Charge Coupled Device (CCD) array. Optical scanners may be advantageous if a large image area is desired, because larger area sensors are cheaper than the same size solid state sensor [37].

Solid state fingerprint scanners usually produce an image via a capacitance measurement. The scanner consists of an array of conductive plates covered by a dielectric layer. The finger is placed on the dielectric layer, and forms the other plate of the capacitors. The capacitance, and therefore the voltage, on the plates depends on distance, so it is different for ridges and valleys. Pressure-sensitive sensors, made of piezoelectric material, have also been proposed [37]. Solid state scanners could be equipped with automatic gain control to get a high contrast image, automatically compensating for factors such as variations in dryness and pressure of the finger [37].

Ultrasonic scanners use sound waves reflected from the finger to form an image. They are said to be less affected by dirt and skin oil on the finger [37].

Internal Algorithms for Matching

A wide variety of algorithms have been used for matching of fingerprints. Fingerprint matching algorithms most commonly work with minutia, but some work with pores, and others perform global pattern matching, or pattern matching, comparing the flow of ridges at all points in the prints [37]. After a general description of processing in a typical minutia-based fingerprint authentication system following O'Gorman [37], several specific algorithms are briefly discussed.

Fingerprint images tend to be noisy because fingers may be "dirty, cut, scarred, creased, dry, wet, worn, etc." Therefore, in most cases, image enhancement is necessary before features can be extracted. The first step is usually a locally adaptive matched filter, which takes advantage of the fact that fingerprints are made up of parallel ridges. It enhances ridges oriented in the direction of the ridges in the locality, and decreases anything with a different orientation from the local ridge direction.

The next step is to convert the gray-scale image to a binary image. This is done by locally adaptive thresholding. A threshold is chosen locally to get a binary image of ridges, features. Next, ridges are thinned, reducing the width of ridges to a single pixel. This aids in finding minutia. All of these steps require significant amounts of computation. Therefore, instead of thresholding and thinning, some systems trace the ridges and find minutia in the gray-scale image.

Next the features, which in this case are endings and bifurcations of ridges, must be extracted. If the ridges have been thinned, an ending is the end of a thin line, and a bifurcation is the junction of three lines. Branches with short spurs are likely to be artifacts of the thinning process, so they are eliminated. Other minutia that are likely to be artifacts of image processing are also eliminated. The resulting template has a list of minutia, with type, location, orientation. Although the type of minutia is usually included in the template, it is often not used in matching because errors in determining type of minutia are common [37]. A change in pressure can convert one type of minutia to the other [24]. Usually 10 to 100 minutia are found in a fingerprint.

Once the features have been extracted and a template has been produced, it must be compared to the enrollment template. One method of comparing templates is to compare all neighborhoods in one print to all neighborhoods in the other, where a neighborhood is a small area of a print containing about 3 minutia. The match score is based on the number of neighborhoods that match. Neighborhoods in two prints of the same finger are expected to be similar, not identical, because of noisy images and elasticity of the skin, which can change distances and angles between minutia. The match score is compared to a threshold to determine whether to accept or reject.
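One way to implement the neighborhood comparison just described, as an added Python example that is not code from the thesis or from O'Gorman [37]. It assumes a neighborhood is a minutia plus its two nearest neighbours, described relative to that minutia's own position and ridge direction; the descriptor layout, the tolerances, the 0.6 threshold and every coordinate below are constructed for illustration.

```python
import math

def neighborhoods(minutiae, k=2):
    """One descriptor per minutia: distance, bearing and relative ridge angle of
    its k nearest neighbours, all measured relative to the minutia itself so the
    descriptor does not change when the whole print is rotated or shifted."""
    described = []
    for i, (x, y, theta) in enumerate(minutiae):
        nearest = sorted(
            (math.hypot(ox - x, oy - y), j)
            for j, (ox, oy, _) in enumerate(minutiae) if j != i
        )[:k]
        if len(nearest) < k:
            continue
        desc = []
        for dist, j in nearest:
            ox, oy, otheta = minutiae[j]
            bearing = (math.degrees(math.atan2(oy - y, ox - x)) - theta) % 360
            relative = (otheta - theta) % 360
            desc.append((dist, bearing, relative))
        described.append(desc)
    return described

def angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)

def similar(d1, d2, dist_tol=0.10, angle_tol=15.0):
    """Similar, not identical: tolerances absorb noise and skin elasticity."""
    for (r1, b1, o1), (r2, b2, o2) in zip(d1, d2):
        if abs(r1 - r2) > dist_tol * max(r1, r2):
            return False
        if angle_diff(b1, b2) > angle_tol or angle_diff(o1, o2) > angle_tol:
            return False
    return True

def match_score(enrolled, probe):
    """Fraction of neighborhoods that find a partner in the other template.
    Each enrolled neighborhood may be used only once."""
    en, pr = neighborhoods(enrolled), neighborhoods(probe)
    if not en or not pr:
        return 0.0
    used, matched = set(), 0
    for p in pr:
        for idx, e in enumerate(en):
            if idx not in used and similar(e, p):
                used.add(idx)
                matched += 1
                break
    return matched / max(len(en), len(pr))

def verify(enrolled, probe, threshold=0.6):
    return match_score(enrolled, probe) >= threshold

def transform(minutiae, angle_deg, dx, dy, stretch=1.0):
    """Rotate, stretch and shift a template (simulates a new placement)."""
    a = math.radians(angle_deg)
    return [
        (stretch * (x * math.cos(a) - y * math.sin(a)) + dx,
         stretch * (x * math.sin(a) + y * math.cos(a)) + dy,
         (theta + angle_deg) % 360)
        for x, y, theta in minutiae
    ]

# Constructed sample templates: (x, y, ridge direction in degrees).
ENROLLED = [(100, 100, 30), (130, 110, 80), (110, 150, 200), (170, 140, 310),
            (150, 190, 120), (210, 100, 260), (200, 200, 10)]
# Same finger placed again: rotated 25 degrees, shifted, stretched 3 percent,
# and one minutia (index 5) missed by the feature extractor.
SAME_FINGER = transform(ENROLLED[:5] + ENROLLED[6:], 25, 40, -15, stretch=1.03)
# A different finger with a comparable number of minutiae.
IMPOSTOR = [(100, 100, 90), (120, 115, 200), (175, 105, 45), (150, 170, 300),
            (215, 165, 160), (105, 185, 250), (232, 95, 10)]

if __name__ == "__main__":
    print("same finger:", round(match_score(ENROLLED, SAME_FINGER), 3))
    print("impostor:   ", round(match_score(ENROLLED, IMPOSTOR), 3))
```

Comparing every neighborhood with every other is quadratic in the number of minutia, which is the cost the core-and-delta alignment in the next paragraph avoids.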


Alternatively, some algorithms find a core, which is the center of the fingerprint pattern, and a delta, where three different patterns come together, to orient the print, and then only compare corresponding neighborhoods. However, not all prints have a core and a delta [37].

A pore-based algorithm is very similar to the minutia-based algorithm described above. The image is processed in a similar way, and then pore locations and sizes are extracted from the image. A nearby minutia is used as a reference point for matching the pores of one image to those of another because distances can change due to plasticity of fingers. This change can cause important errors over longer distances, but is not significant for nearby features. A match score is determined from the proportion of the pores in the two images that match a pore in the other image [46].

In global pattern matching the template image and the authentication image are compared to see if their ridges match. Prints may be aligned by translation and rotation first, if core and delta points are found. In order to determine how well the images match, corresponding pixels are multiplied, and the results summed. If the two images match, the sum will be higher than if they do not. Minutia matching is generally considered to be more accurate. Pattern matching may be faster, especially on vector processors, or if hardware for fast Fourier transforms is available [37].

It is possible to combine several algorithms in a biometric authentication system. Prabhakar and Jain [43] used four minutia-based algorithms and one based on texture to process fingerprint images, and combined the results to classify the fingerprint as a match or non-match.

The first algorithm was Hough transform-based matching. The prints were subjected to translation and rotation, then the number of matched pairs of minutia was counted. A set of allowed translations is carried out, and the score is computed based on the number of matched pairs in each transformation. The highest score from all the translations is taken to be the correct score.

In the second algorithm, string distance-based matching, an anchor point is selected in each pattern. The minutia are converted to polar coordinates with respect to the anchor point, and concatenated into a string ordered by their radial angle. Then the two strings are compared and their edit distance is computed. The edit distance is converted to a match score. The anchor points are found by determining the rotation and translation that give the most matched pairs of minutia within a bounded box. The minutia of one matching pair are used as the anchor points.

The final minutia-based method was a dynamic programming-based matching algorithm. In this algorithm, rotation and translation are found as in the string distance-based algorithm above, the minutia are aligned by this rotation and translation, and dynamic programming is used to find the maximum number of matching minutia pairs. "The intuitive interpretation of this step is to warp one set of minutia to align with the other so that the number of matched minutia is maximized." The match score is computed from the number of matched pairs, with a penalty for unmatched pairs within the overlapping regions of the prints.

The fourth algorithm uses the texture of the ridges to classify the images. First, the center is located by finding the point of maximum curvature of the ridges in the print. If no center can be found, the image is rejected by this algorithm. Next, a circular region, centered at the center point found in the first step, is divided into sectors by radial lines and concentric circles. The grey values in each sector are normalized. Next, the circular region is filtered in eight directions with Gabor filters, which produce a grey value in each sector depending on the direction of the ridges in that sector. A feature vector, known as the "FingerCode," lists the average grey value of each sector with each filter. The Euclidean distance between the enrollment template vector and the match template vector is computed. The inverse of this distance is the match score.

The best of the individual algorithms, the dynamic and the filter algorithms, had EER's of 3.5%. When these two algorithms were combined with the string algorithm, an EER of 1.4% was achieved. Performance with all four algorithms was not quite as good. This is not unusual in classification problems when the amount of data is finite [43].

Strengths and Weaknesses of Fingerprint Scan

Advantages of fingerprint scan for authentication include the uniqueness and constancy of the fingerprint pattern for an individual, and the relative ease of use of fingerprint scanners. It is also mature and commonly used [35].

Disadvantages include the inability to obtain a good fingerprint image of some individuals. People whose work abrades or chemically attacks their skin, and elderly people, may not be able to authenticate on such a system.

"But the technology has glitches. Digital fingerprint readers can draw a blank on some people, such as hairdressers who work with harsh chemicals, and the elderly, whose prints may be worn. Recent tests by the independent research and consulting firm International Biometric Group showed that some systems are unable to collect a finger scan from up to 12 percent of users" [18], pp. 60-61.

A second problem is that fingerprint authentication systems can often be spoofed with copies of a genuine user's fingerprints. Thalheim et al. [49] were able to authenticate on any of several solid state capacitive fingerprint scanners by breathing on the latent print left by an authorized user. They then repeated authentication by holding a thin-walled plastic bag of water on the sensor. Next, they dusted a latent print on the sensor with graphite powder, pressed an adhesive film on the surface, and applied a slight pressure. This allowed them to authenticate. The mouse with one of these fingerprint sensors was supposed to have software that would determine whether a fingerprint image had the same position and angle as the last fingerprint, and if so reject it as a possible reactivated latent print.

Thalheim et al. [49] next used a fingerprinting kit to dust prints on surfaces other than the fingerprint scanner, then lifted them with adhesive tape and pressed them onto the scanner. They were again able to authenticate.

With an optical fingerprint scanner, latent prints could not be reactivated, so Thalheim et al. made a wax impression of an authorized user's fingerprint, and filled it with silicone. With this "artificial finger" they were able to authenticate [49]. They were also able to authenticate with a latent fingerprint dusted with graphite powder and lifted on adhesive film, but on the optical scanner they had to illuminate it from behind with a halogen lamp [49].

Thalheim et al. [49] were also able to spoof a thermal fingerprint sensor with the silicone finger, but not by reactivating latent prints or by picking up dusted latent prints from other surfaces on adhesive film.

Matsumoto successfully spoofed 11 different fingerprint scanners, including both optical and capacitive types, using gelatin copies of fingerprints [47]. Molds for the gelatin were made both with a plastic material and by a photographic process. In the photographic process, latent prints on glass were enhanced with cyanoacrylate adhesive and photographed with a digital camera. The contrast of the photos was enhanced with Photoshop and the fingerprints were printed on transparent sheets. Then the sheets were used as negatives for photo-sensitive printed circuit boards. When the printed circuit boards were etched, a three-dimensional fingerprint was produced. Then gelatin was molded on the etched printed circuit board. With both types of fingerprint, a FAR of 80% was achieved. If an impostor covers their finger with a thin layer of gelatin containing the fingerprint copy, they would appear to be using their own fingerprint to authenticate, and could authenticate even under supervision.


To prevent spoofing, some sensors detect skin temperature, capacitance, or resistance [37]. Some of the sensors spoofed by Matsumoto incorporated such liveness tests. To defeat sensors that measure skin resistance, the gelatin should be moistened. Finding the correct amount of moistening required practice [47].

2.4.2 Iris Scan

Iris scan is seen as a highly reliable biometric, and is currently in use for automatic teller machines, portal control, and computer login. It is used in nuclear power stations, prisons, and other government applications.

Permanence and Uniqueness of Iris Features

Wildes describes the iris as [53] "a thin diaphragm stretching across the anterior portion of the eye and supported by the lens..." The iris consists of several layers. From posterior, on the inside of the eyeball, to anterior, near the front surface of the eye, the layers are:

1. Heavily pigmented epithelial cells that make the iris opaque.
2. Muscles that control the pupil.
3. The stromal layer, a layer of connective tissue, which contains a radial pattern of corkscrew-like blood vessels.
4. Finally, the anterior border layer, in addition to connective tissue, is packed with chromatophores, pigment cells. It is divided into two concentric regions. The inner region is called the pupillary zone, and the outer region is the ciliary zone. The ciliary zone has interlacing ridges due to support from the stromal layer, and contractile lines that vary as the pupil opens or closes. There are also striations due to the radial blood vessels, and various types of small irregularities in the iris. Eye color is also due to this layer. If it has little pigment, light passes through it, is reflected by the posterior surface of the iris, and scattered by the stroma, producing blue color. If there is more pigment, light is absorbed here, producing a dark eye color.


The high information content of iris patterns can be seen from the large variability of a 256-byte IrisCode, which encodes the iris pattern of an individual, between different people [8]. The probability that any particular bit of an IrisCode from an unspecified population is set is close to 0.5. In a British Telecom experiment, where each image was encoded with 2048 bits, there were 266 degrees of freedom, because there is much correlation, especially radially, in an iris pattern. Between any pair of iris patterns in the study, there would be a 1 in $10^{16}$ chance that they differ in only 25% of their bits or less.

A statistical comparison of the patterns of right and left eye pairs of 324 people showed 259 degrees of freedom, not much less than the 266 degrees of freedom for eyes from different people [8]. An individual's right and left eyes are genetically identical, so this is taken as proof that there is much variation in iris structure due to random, non-genetic factors, and therefore that even the eyes of identical twins would not be very similar.

The decidability index, a measure of the distinctness of the distributions of scores for genuine users and impostors with means $\mu_1$ and $\mu_2$ and standard deviations $\sigma_1$ and $\sigma_2$, is

$$d' = \frac{|\mu_1 - \mu_2|}{\sqrt{\sigma_1^2 + \sigma_2^2}} \qquad (2.12)$$

For iris scan, $d' = 11.36$. Based on these measurements, the EER for iris is 1 in 1.2 million [8].

While the color of the iris may change during the first year of life, "the available clinical evidence indicates that the ... pattern itself is stable throughout the lifespan" [8]. The blood vessels are developed at birth, the muscles mature at about two years, and the average pupil size continues to increase slightly until adolescence [53]. With advanced age there is slight reduction of the average pupil opening, and slight depigmentation [53].
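The degrees-of-freedom figures above can be turned into probabilities directly. The following Python sketch is an added example, not code from the thesis or from [8]; it assumes the fraction of disagreeing bits between unrelated irises behaves like a binomial with N independent bits and p = 0.5. Under that assumption, 266 degrees of freedom give a chance of at most 25% disagreement that lands within an order of magnitude of the 1 in $10^{16}$ figure, while treating all 2048 bits as independent would put the same chance below $10^{-100}$. The function names and the 0.030657 spread are constructed for illustration.

```python
import math
from fractions import Fraction

def effective_degrees_of_freedom(p, sigma):
    """N such that a binomial fraction with bit probability p has standard
    deviation sigma (variance of the fraction is p * (1 - p) / N)."""
    return p * (1 - p) / sigma ** 2

def chance_at_most(dof, k):
    """Exact probability that at most k of dof independent bits disagree when
    each bit disagrees with probability 0.5. Kept as a Fraction because the
    intermediate integers are far larger than a float can hold."""
    return Fraction(sum(math.comb(dof, i) for i in range(k + 1)), 2 ** dof)

def strictest_threshold(dof, max_false_match):
    """Largest count k of disagreeing bits that can still be accepted while the
    chance of an unrelated iris scoring k or fewer stays <= max_false_match.
    Returns -1 if even zero disagreements is too likely."""
    limit = Fraction(max_false_match) * 2 ** dof
    total, k = 0, -1
    while k + 1 <= dof and total + math.comb(dof, k + 1) <= limit:
        k += 1
        total += math.comb(dof, k)
    return k

if __name__ == "__main__":
    # Constructed value: a spread of 0.030657 around a mean of 0.5 corresponds
    # to about 266 independent bits, far fewer than the 2048 bits stored.
    print("degrees of freedom:", round(effective_degrees_of_freedom(0.5, 0.030657)))
    print("P(<= 25% differ), 266 dof :", float(chance_at_most(266, 66)))
    print("P(<= 25% differ), 2048 dof:", float(chance_at_most(2048, 512)))
    k = strictest_threshold(266, 1e-6)
    print("accept up to", k, "of 266 (fraction %.3f) for 1e-6" % (k / 266))
```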


In photographs kept by an ophthalmologist over the course of 25 years, there were no noticeable changes in iris patterns, but there were some changes in color. The investigators were not able to determine whether the color differences were real, or were artifacts of the photographic process and the aging of the color dyes in the prints [8]. However, at least when infrared illumination is used, the iris pattern is not expected to be affected.

The iris is protected by being inside the eye, behind the cornea. The only common environmental factor that affects it is light, which causes dilation and contraction of the pupil. Thus iris matching algorithms must somehow deal with this variation. It might even be turned to advantage. Pupillary motion occurs even when illumination does not change, and could be used as a "liveness test" [8]. However, "intensive exposure to certain environmental contaminants (e.g., metals) can alter the appearance of the iris" [53].

Although the iris of a dark-eyed person may appear in visible light to have little detail, with infrared illumination, even dark-eyed individuals have a great deal of detail in their iris [8].

Hardware

Formerly, iris scan systems used a visible light source to illuminate the iris, and a visible light camera to obtain an image. One type of system used a point light source, resulting in a simple design, but reflections would degrade the quality of the image. A more complex design used a diffuse circular light source around the camera, and polarizers to eliminate the reflection. At the expense of the more complex illumination, a higher quality image could be obtained [53].

A current design uses an infrared point light source to illuminate the eye, and a digital camera to capture an image [8]. Because placement of the iris relative to the camera is critical, all systems provide some type of feedback, light, or reticle that the user should bring into view in order to be authenticated.


Internal Algorithms for Matching

In iris matching, it is first necessary to locate precisely the boundaries of the iris with integro-differential operators. The algorithm determines if the eyelids overlap the iris, and if so excludes them. Next, a doubly-dimensionless coordinate system is defined which maps the tissue in a manner that is invariant to changes in pupillary constriction and overall iris image size, and "therefore not dependent on camera distance. The coordinate system compensates automatically for the stretching of the iris tissue as the pupil dilates." "The iris pattern is then encoded into a 256-byte 'IrisCode' by demodulating it with 2D Gabor wavelets, which represent the texture by phasors in the complex plane." Then, if the bits in the two patterns are not statistically independent, there is a match [8].

The iris code is not independent of rotation, so in case the camera or user's head is at a different angle than in enrollment, the matching must be repeated over a range of angles. The best match is used [8].

When a user attempts to authenticate, typically about 10% of the bits in an IrisCode disagree when the enrolled and presenting patterns are compared, due to factors such as "inadequate imaging resolution, poor focus, motion blur, occlusion by eyelashes, artifacts from contact lenses, corneal reflections, scattering from dust or scratches on eyeglasses, CCD camera noise, etc" [8].

Advantages and Disadvantages

An advantage of iris scan is that the iris features do not change over the course of a person's life [35]. However, "training and attentiveness" are needed for good image acquisition, and perhaps for this reason the systems have a "propensity for false rejection" [35].

Spoofing of an iris scan system is relatively difficult, but still possible. Thalheim et al. [49] were not able to authenticate with an iris image on a notebook computer display or printed on paper. They noticed that in the iris images displayed on the computer screen during normal authentication, the pupil showed a bright spot. They therefore cut out the pupil in the paper image of the eye, and put it over the impostor's eye. The system then granted access. They were also able to enroll with an eye image. Then the person whose eye photograph had been enrolled was able to authenticate. In favor of the iris scan system, Thalheim et al. state that "under real life conditions it would not be easy to obtain iris images of authorized persons."

2.4.3 Retina Scan

Retina scan is used to protect assets such as nuclear weapons and research and communications and control facilities. According to Hill, developer of retina scan, "the installed base is a testament to the confidence in its accuracy and invulnerability. Its small user base and lack of penetration into high-volume price-sensitive applications is indicative of its historically high price and its unfriendly perception" [19]. Retinal Technologies states that "No systems are currently available on the market," but they have an improved system that fits in the palm of the hand and is convenient to use in the prototype stage [45].

Formation, Permanence, and Uniqueness of Retina Features

The uniqueness of retinal vein patterns was first noticed in 1935 by two ophthalmologists, Simon and Goldstein, who then published a paper on the identification of people based on blood vessel patterns in retinal photographs [19]. A study of identical twins showed that retinal vessel patterns showed the least similarity of any characteristic compared [19].

The retina is located on the back interior surface of the eyeball, so it is not exposed to environmental effects. Identification is often by infrared illumination. The retina is transparent to infrared, so in this case identification is actually done by the veins of the choroid, just behind the retina [19].


Hardware

The first working prototype of an automatic retina scan system was built in 1981. Production began in 1985. The systems developed by Hill used a special type of camera that did a circular scan of the retina. Early models used visible light, but more recent systems used infrared illumination. The eye had to be placed about 3/4 of an inch from the scanner [19].

The Retinal Technologies prototype "uses a patented aspheric lens array that is capable of capturing a retinal image at distances as great as a meter from the user's eye. Drawn from ophthalmic imaging science, this technology is completely safe and unobtrusive. Glasses, contact lenses and existing medical conditions, such as cataracts, do not interfere with the scanning of the retina using this technology" [45].

Internal Algorithms for Matching

The camera first does a circular scan of the retina, and produces a circular image consisting of "256 12-bit samples." Two different methods of processing were used by Hill at different times. The earlier method converted this image into a 40 byte reference signature in the frequency domain for each eye. The signature is a normalized contrast waveform over the whole circle. Later, an additional 32 bytes per eye of time-domain information was added to speed up matching. Another system stores a 48-byte template consisting of 96 equally-spaced 4-bit contrast measurements in the time domain. Although it uses more storage, less computation is required, as the frequency domain versions require a fast Fourier transform to be performed [19].

In case the head is at a different angle relative to the camera in authentication from the angle in enrollment, the acquired waveform is shifted a small angle relative to the enrollment waveform and compared several times to find the best match. Two templates are normalized to the same RMS value, and then a "Fourier-based correlation" is used to generate a match score [19].

Advantages and Disadvantages

Retina scan seems to be an extremely high security technology. In testing by Sandia National Lab there were no false acceptances, and a 1% FAR with three tries. The distribution of impostor scores has a Gaussian distribution, and from the tail of the distribution a FAR of about 1 in $10^6$ is predicted [19].

Spoofing such a system would be difficult. "Alignment would be difficult with a fake eye." If further protection against spoofing was needed, Hill suggests that the system could display a random number in the alignment optics during scanning. Then the user would be required to enter it in order to authenticate [19].

For successful authentication, the user should not fear the retina scan system, and should be motivated, before enrollment. Users who perceive a benefit do better than those who simply avoid a negative effect, such as not being able to work somewhere [19].

Retinal scan also has important disadvantages. Some users fear eye damage. The systems do not work well out of doors, or in areas with high light level, because bright light causes the pupil to contract, lowering the signal in the retina scan [19]. Also, medical changes, in particular pregnancy, may cause changes in the veins of the retina, causing false rejection [36].

2.4.4 Dynamic Signature Scan

Dynamic signature verification is a behavioral biometric. It is seen as having a unique capability to verify not only identity but also intent. [Footnote 3: Personal communication, Ulrich Pantow, October, 2002.]


54 Formation,Permanence,andUniquenessofSignatureSignaturebiometricsystemsusedynamicinformation,suchasthespeedandpressureofthependuringsigning.Theadvantageofusingthisdynamicsignatureinformationisthatitislesseasilyavailabletoaforgerthanthestaticcharacteristicsofthesignature.Thedisadvantageisthatitislessconsistentthanthestaticinformation[ 34 ].Anindividualusuallyhassignicantvariationinthewaytheysign.Therearealsoconsistenciesinthewayapersonsignstheirownname,andthewayaforgersigns.Ingeneral,ourspeedalonghigh-curvaturecurvesegmentsislowrelativetoourspeedsalonglow-curvaturecurvesegments,ouraverageoverallspeedvaryinggreatlyfromoneinstanceofapatterntoanotherirrespectiveofwhetherweareproducingourownpatternorforgingsomeoneelse's"[ 34 ].Boththeinconsistencieswithinanindividual'ssignature,andtheconsistenciesbetweenthegenuineuserandtheforgerareundesirableforabiometriccharacteristic.HardwareHardwareforsignaturescanisadigitizingtablet.Somesignaturevericationsystemscanmakeuseofpressuredataifitisavailablefromthetablet.InternalAlgorithmsforMatchingAmongthefeaturesofasignaturethatcanbemeasuredandcomparedarethetotaltimethepenisincontactwiththepaper,theaverageorRMSpenspeed,acceleration,orpressure,pressurevs.time,andthexandycomponentsofposition,velocity,acceleration,forcevs.time.Time-basedfeaturesaregenerallythoughttodobetterintests.Nalwathinksthatthereasontime-basedsystemsdobetterintestsisbecauseforgersareunawarethatdynamicfeaturesarebeingmeasured,andsimplyattempttoreproducetheshapeofthesignature[ 34 ].Ifthisisindeedthecase,itissecuritybyobscurity.Theadvantageofthetime-based

PAGE 68

55

characteristics will only last until forgers learn that they are being measured.

Nalwa's system makes use of both dynamic and static characteristics. When people sign their names, they vary the ratio of height to width, so this ratio must be normalized before signatures can be compared. Nalwa normalizes the ratio of the sum of vertical displacements to horizontal displacements [34]. The signature curve must be parameterized, which is a one-to-one mapping from a parameter onto the curve. Time is usually used as the parameter, but Nalwa uses the normalized arc length, the fraction of the total length the pen travels in writing the signature. Features measured vs. this parameter are x and y coordinates of the center of mass, torque, which is the cross product of the position of the pen and the tangent to the curve, and moments of inertia which are averages of $x^2$, $y^2$, and $xy$ over the window [34].

Features are averaged over a window. The window should be large enough to average out noise, but not so large that it averages out real differences between impostor and genuine signatures. The window size should be less than the width of a single character [34].

In enrollment, the consistency of each feature is measured as the inverse of the standard deviation over several signatures. Performance improves as the number of signatures is increased up to six signatures. A mean and standard deviation are computed for each feature [34].

Then, for matching, the features of a signature are compared to the features measured at enrollment. The signature is allowed to warp along its length to minimize error, because this is a typical variation between different signatures of the same person. To determine a score, the errors are weighted, so that errors in features that were more consistent during enrollment are given more weight than those that have large standard deviation during enrollment [34].

PAGE 69

56

Equal error rate for this method is about 3.6%, and the chosen operating condition is a 1% FAR and 7% FRR. The method or methods used by the impostors is not specified [34].

Advantages and Disadvantages of Dynamic Signature Verification

Advantages attributed to dynamic signature verification are resistance to impostors, the ability of users to change their signature if it is "stolen" by an impostor, and the perception by users that it is not invasive [35]. However, inconsistent signatures are said to lead to increased error rates [35].

2.4.5 Voice Scan

Voice scan is a biometric technology with a variety of applications [6]. It can be used locally or over a telephone network. It can be text dependent, using a particular phrase, either fixed at enrollment or specified by the system, or text independent, authenticating the user on the basis of any phrase they speak. Applications include access control, telephone banking, and telephone credit cards.

Formation, Permanence, and Uniqueness of Voice Features

Both physiological factors, the shape of the vocal cords, throat, mouth, etc., and learned factors affect speech. The shape of the vocal tract will produce the unique characteristics of a person's speech [6].

For a number of reasons speech is subject to change. Some of the reasons are more directly connected with the speaker, and others might be considered artifacts of the environment or the authentication process. Changes in the speaker that can affect the verification process include changes in the speaker's emotional state, sickness, and aging. Other factors that will change the speech heard by the system include ambient noise and echoes of the speaker's voice, errors by the speaker in repeating a required phrase, changes in microphone placement, inconsistent or bad acoustics in the room, and use of a different microphone than was used in enrollment.

PAGE 70

57

Hardware

The hardware for voice scan depends on the application. If it is used locally, assuming the computer has multimedia capability, the hardware is a microphone and the sound card or chip in the computer. If it is used over a telephone system, hardware for digitizing the audio signal would be needed.

Internal Algorithms for Matching

There are five steps in voice scan authentication [6]:

1. Data acquisition: A microphone converts a sound wave into an analog signal, which is usually filtered to limit bandwidth to half the sampling rate. The signal must then be digitized. The resolution is usually 12 to 16 bits, with a sampling rate of 8,000 to 20,000 samples per second. When speaker verification is done locally, the analog signal can be of high quality, if a good microphone is used. When verification is done over a telephone network, distortion of the analog signal may make verification more difficult [6].

2. Feature Extraction: Each interval of speech, typically 10 to 30 ms, is represented by a vector in a multidimensional feature space. Features with a great deal of variability between speakers, but little variability for different instances of speech from the same speaker, should be selected [6].

3. Pattern matching: The sequence of feature vectors is compared to that of the enrollment template, and a match score is generated that represents the similarity of the feature vectors to the template. There may be one match score for each sequence vector, or a single one for the whole pattern. Two types of models are used in pattern matching, template models and stochastic models [6]. With template models, the pattern matching is deterministic [6]. The speech sample captured in authentication is assumed to be an imperfect copy of

PAGE 71

58

the template. The sequence of feature vectors is aligned with those in the template to minimize some distance $d$ between them. Dynamic time warping is used to compensate for differences in the rate of speech. It attempts to match up the feature vector sequences in a way that minimizes the sum of the distances between matching feature vectors, which is the match score for the speech sample. The $i$th feature vector of the speech sample might match up with a vector greater than $i$ of the enrollment template if the speaker spoke faster, or less than $i$ if the speaker spoke slower than in producing the template. A score can then be calculated as $\exp(-ad)$ where $a$ is a positive constant [6], yielding a score that decreases as distance increases.

Vector quantization is another template-based method of deriving a match score [6]. Vector quantization uses a codebook of words collected from each user during enrollment. The match score is the sum of the distances of the feature vectors from the closest codewords in the codebook. The codebook is formed in such a way that temporal information is averaged out, so there is no need to do time warping. The nearest neighbor method combines vector quantization and dynamic time warping [6].

A stochastic model attempts to determine the likelihood of observing a particular pattern given the enrollment information for the claimed identity [6]. A hidden Markov model is a stochastic method of pattern matching. The conditional pdf for the claimed identity, and then the probability that the phrase was spoken by that person can be determined. This probability is the match score for the speech segment.

4. Making a decision to accept or reject, based on the score from pattern matching.
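The template-model matching described in step 3, as an added example that is not code from the thesis or from the systems it cites: dynamic time warping over feature-vector sequences, with the match score computed as exp(-a d). The feature frames, the constant a = 0.5 and the 0.5 acceptance threshold are constructed values chosen for illustration.

```python
import math

def frame_distance(u, v):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))

def dtw_distance(sample, template):
    """Smallest summed frame distance over all monotonic alignments.

    cost[i][j] holds the best total for aligning the first i sample
    frames with the first j template frames.
    """
    n, m = len(sample), len(template)
    inf = float("inf")
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            best_prev = min(
                cost[i - 1][j],      # template frame j reused: slower speech
                cost[i][j - 1],      # sample frame i reused: faster speech
                cost[i - 1][j - 1],  # both sequences advance together
            )
            cost[i][j] = frame_distance(sample[i - 1], template[j - 1]) + best_prev
    return cost[n][m]

def rigid_distance(sample, template):
    """Frame i against frame i with no warping, for comparison only."""
    return sum(frame_distance(s, t) for s, t in zip(sample, template))

def match_score(sample, template, a=0.5):
    """exp(-a*d): 1.0 for a perfect alignment, falling toward 0 as d grows."""
    return math.exp(-a * dtw_distance(sample, template))

def accept(sample, template, threshold=0.5, a=0.5):
    """Step 4: threshold the match score (threshold is an assumed value)."""
    return match_score(sample, template, a) >= threshold

# Constructed two-dimensional feature frames (not real speech features).
TEMPLATE = [(0.0, 0.0), (1.0, 0.0), (2.0, 1.0), (3.0, 3.0), (2.0, 4.0), (1.0, 4.0)]
# Same phrase spoken at half speed: every frame appears twice.
SLOW = [frame for frame in TEMPLATE for _ in range(2)]
# Same phrase spoken at double speed: every other frame is missing.
FAST = TEMPLATE[::2]
# A different trajectory through feature space.
IMPOSTOR = [(0.0, 1.0), (1.0, 2.0), (2.0, 2.0), (2.0, 1.0), (1.0, 0.0), (0.0, 0.0)]

if __name__ == "__main__":
    for name, seq in (("slow", SLOW), ("fast", FAST), ("impostor", IMPOSTOR)):
        print(f"{name:9s} rigid={rigid_distance(seq, TEMPLATE):6.3f} "
              f"dtw={dtw_distance(seq, TEMPLATE):6.3f} "
              f"score={match_score(seq, TEMPLATE):.3f} "
              f"accept={accept(seq, TEMPLATE)}")
```

The half-speed sample aligns perfectly under warping although a rigid frame-by-frame comparison puts it far from the template; the double-speed sample loses frames and therefore scores lower than a perfect match while still scoring above the impostor.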

PAGE 72

59

In a test involving 9300 trials, in which impostors spoke in their normal voice, with dynamic time warping there were 19 false acceptances, and the FRR was about 5%. Using the nearest neighbor method, an EER of 0.5% was achieved. These two methods made errors mostly on different people. Therefore, improved performance might be achieved by using multiple pattern matching algorithms to process an authentication attempt. Combining the scores could produce improved results. A recent high-performance speaker detection system combines eight systems [6].

Advantages and Disadvantages of Voice Scan

Voice scan works with "leveraging telephony infrastructure." It "effectively layers with other processes such as speech recognition and verbal passwords" [35]. It also lacks negative perceptions.

Weaknesses of voice scan include susceptibility to replay attacks, problems due to low-fidelity equipment and ambient noise, and large template size. Enrollment can be difficult and for authentication the user has to speak in the same way as during enrollment.

2.4.6 Face Scan by Visible Light

Face scanning may be carried out with visible or with infrared light. The two techniques have very little in common, so this section will deal with face recognition using visible light, and infrared will be reviewed in the next section.

Face scan systems have a number of practical applications, but also some instances of successful use. Casinos use them to look for known card counters. The system alerts employees, who check to see if the person really is the suspected card counter. A high rate of false positives is acceptable, because the false positives are dealt with by employees, and do not inconvenience non-card-counting customers [35].

PAGE 73

60

In other applications it has not been found useful. In Tampa, a video camera system that could be focused on an individual, who could then be identified by a facial recognition system, was installed on a street in Ybor City [48]. Police logs obtained by the ACLU for four days of operation showed that there were 14 false positives, but no identifications of suspects were found over the entire period of use, from June 29, 2001 to August 11, 2001. A newspaper reporter observed the operators acquire images of 457 people on a Friday evening, when an average of 125,000 people visit the area. The police turned off the system after a little over a month of use, apparently because they did not find it useful.

A test of a similar system at the Palm Beach International Airport had a false positive rate of 1%, and a false negative rate of more than 50% on a "mock terrorist database" [54]. In such an application, an even higher false positive rate might not be harmful. Security personnel search a number of passengers, apparently chosen at random, unless little old ladies are likely suspects for hijackers. They could search the positives instead of random people. But if the false negative rate is so high, the system might not be useful.

Formation, Permanence, and Uniqueness of Face Features

Compared to some other biometric characteristics, such as the fingerprint and iris, the face has a small number of features on which to base identification. These features may be subject to change due to plastic surgery or disguise, or even gain or loss of weight [44].

Internal Algorithms for Matching

There is a variety of approaches to face recognition. Older types of face recognition programs are written to make predefined measurements on faces, such as "distances and angles between eye corners, ends of the mouth, nostrils, and top of the chin" [52]. More recent programs also measure the intensity of light reflected from areas such as hair and cheeks. Problems with this type of approach include

PAGE 74

61

the difficulty of detecting features automatically, and the small number of features available for this type of technique to work with.

A newer approach to face recognition is to use neural networks and similar methods which do not rely on the programmer to define what features should be measured [52]. However, the network may become large, resulting in slow computation, if the number of faces is large.

Finally, approaches known as "appearance-based" represent the face with a high-dimensional vector, where every pixel in the face image is a component of the vector [52]. Linear discriminant analysis is used for recognition of faces represented in this way. Many commercial face recognition systems use this type of algorithm.

In appearance-based algorithms, a covariance matrix is computed from the face training images. Then principal component analysis is used to find basis vectors of a subspace that contain the face images centered by subtracting the mean value of each component from the individual face's value. The k vectors with the largest eigenvalues are the most useful for image reconstruction. They are known as the Most Expressive Features (MEF). Alternatively, a subspace that has the most scatter between different individuals' faces, without increasing scatter between the various images of a single individual's face, can be found by linear discriminant analysis. This subspace is known as the Most Discriminating Features (MDF). Matching algorithms using MDFs have better recognition rates than MEFs. However, they may require more data to compute [52].

Strengths and Weaknesses

Face recognition systems are convenient, requiring no contact from users, and can even locate the face as the user approaches the computer [49]. However, they suffer from high error rates and are susceptible to spoofing by relatively easy means.

PAGE 75

62

In one test of facial recognition systems, test subjects were enrolled, then tested again six weeks later. Under ideal, controlled conditions, some systems had FRRs of almost one third [18].

Spoofing of facial recognition systems has been carried out with a picture of an authorized user displayed on the screen of a laptop computer. When the laptop screen was presented to the camera, the system accepted the picture as an authorized user [49]. Thalheim et al. also managed to authenticate on a Cognitec facial recognition system with "Live-Check," a feature that looks for movement of the face in order to foil attempts at spoofing with a still picture. While the system did reject still images, when they displayed a video clip in which a user's face turned slightly from side to side, they were granted access to the system [49].

2.4.7 Infrared Face Scan

Infrared face scan is fundamentally different from face scan using visible light, because the details used for recognition are not visible face features, but a thermal profile depending on blood flow in arteries and veins within a few centimeters of the skin. There is much more detail on which to base recognition, and it is likely to be harder to spoof than visible face recognition. While the infrared camera required is more expensive, like visible face scan it requires no contact with the subject. It is easy to use, requiring little or no training. It could also be used without cooperation, perhaps in performing identification in public areas such as airports [44].

Formation, Permanence, and Uniqueness of Infrared-detectable Face Features

For infrared face scan, a camera picks up IR emitted by the face, in either the mid-5 micron or long 8-12 micron IR band. Because the infrared forming these images is generally thermal radiation, the images are known as thermograms: The

PAGE 76

63

images consist of thermal contours due to blood vessels up to 4 cm below the surface. Position of blood vessels would only be changed by growth, injury, or surgery. Prokoski and Riedel [44] present facial images of identical twins. Even though their visible light face images are indistinguishable, they have different thermograms. Such thermograms are claimed to have more information than fingerprints [44].

Many medical factors can affect human thermograms. They are affected by "ingestion of substances which are vasodilators or vasoconstrictors, by sinus problems, inflammation, arterial blockages, incipient stroke, soft tissue injuries, and other physiological conditions" [44]. Thermograms are also affected by changes in ambient temperature. Illumination only has an effect if it is intense enough to change face temperature. However, anatomical data due to the unique pattern of blood vessels in each person, and not subject to these factors, can be extracted from the image [44].

These blood vessel patterns are generally permanent.

Plastic surgery to reroute blood vessels would necessarily cause incisions detectable in infrared, and would risk damaging facial nerves. It is, therefore, considered possible that a person could surgically distort his facial thermogram to avoid recognition, but the thermogram would contain evidence that he had done so [44], p. 194.

Other changes, such as weight loss and gain, cause rubber sheeting distortions only, which are dealt with in the matching algorithm [44].

In infrared face scan, minutia points are specific junctions of facial blood vessels. There are 175 of these minutia. These minutia would be a rich source of information for face recognition. With a very sensitive camera, they can be located in the image. With a less sensitive camera, their locations must be determined from thermal contours [44].

PAGE 77

64

Hardware

Infrared face scan requires an infrared camera. Infrared cameras cost more than visible light cameras, so such systems are more expensive than visible light face scan. According to Prokoski and Riedel, "When the cost of providing controlled lighting for a visible ID system is included, the current cost discrepancy is about $10,000 per system. That figure has been decreasing by about 30% per year for the past 10 years, which reduction is expected to continue" [44].

Internal Algorithms for Matching

After an image is acquired, it must be processed to find the face in the image and to determine if the image quality is adequate for identification or authentication. It must then be normalized for orientation and amplitude. Finally, background and noise must be removed [44].

Authentication can be done by methods similar to those used with visible light images of faces. The upper face has the best information for recognition. The lower face "presents more clues to gender and expression." Glass and plastic lenses do not transmit the wavelengths used, so eyeglasses obscure the eye area [44].

Tests were carried out with no adaptive algorithms, no training, carried out on a wide variety of people, with and without glasses, of different heights and skin tones, over several weeks. The best results achieved so far were an EER of 1% [44].

Matching using minutia is under development. Infrared cameras now in the prototype stage can directly image the minutia. With production cameras, minutia must be calculated from the thermogram. Then minutia matching algorithms similar to those used for fingerprint matching can be used. These algorithms are fast, and could allow searching of large databases for a match [44]. Using minutia for matching, a profile or partial image of a face in a crowd would be analogous to a partial fingerprint, and would still contain some minutia, so that it might still be possible to match it to a pattern in a database [44].

PAGE 78

65

Advantages and Disadvantages of Infrared Face Scan

Infrared face scan works in any level of light, even in darkness. It is easy to use, and does not require contact with the apparatus [44]. While it would be possible to block the IR image, perhaps with a ski mask, the image could not be easily altered without the attempt being visible in the thermogram. For example, fake facial hair has a different effect on the thermogram than does real facial hair [44]. The main disadvantage at this point is the high cost of the infrared camera required.

2.4.8 Hand Scan

Hand scan systems are in use for verification of holders of non-transferable passes at Disney theme parks in Orlando [30]. The 102 systems in use at eight theme parks have processed 12 million transactions. Users are age 10 or older, and not all speak English, so the system must be simple and intuitive to use. Enrollment and verification must both proceed quickly. Disney is more concerned with throughput than accuracy, and considers false acceptance less harmful than false rejection. Only a single measurement is taken for enrollment. When they were installed in 1995, they required 31 seconds per person. By 1997, the time was reduced to 11 seconds per person, as compared to 5.5 seconds per person for non-biometric turnstiles. They only scan two fingers, as opposed to the full hand [30]. This may be because until recently they were concerned about the size of templates, due to integration problems.

Apparently not all users are as happy with hand scan as Disney World.

And at New York-Presbyterian Hospital, where long queues sometimes form at hand-scan readers, frustrated employees smashed machines two weeks in a row last month. Yet Joe Salerno of New York-Presbyterian says every building has a hand reader. He speculates that employees may be upset about the rigorous timekeeping [18], p. 62.

PAGE 79

66

It would be interesting to know the average time required for experienced users who are in a hurry to get through so that they and their colleagues are not docked. A time clock takes about one second per person, and unless the hand scanner is considerably faster than the 11 seconds reported by Disney, this could be a problem with the biometric system.

Formation, Permanence, and Uniqueness of Hand Features

The features used in hand scan are the dimensions of the hand and fingers. These dimensions may change due to growth. Systems often average the new measurements taken in authentication with the existing measurements in the template to allow for slow changes in dimensions due to growth and aging [55].

Hardware

A typical hand geometry system uses a CCD camera and infrared illumination to take two orthogonal images of the hand [55]. One image is from the top, and the other is from the side. In each case, only the outline of the hand, and not details such as fingerprints or scars, is recorded. The hand and fingers are held in position, with the fingers spread, by a number of pegs.

Internal Algorithms for Matching

One type of hand scan system extracts 96 measurements from the images of a user's hand. The matching algorithm may simply sum the absolute values of the differences in these 96 measurements between the enrollment and match templates [55].

Advantages and Disadvantages of Hand Scan

Hand scan systems are easy to use with little training [30]. Testing by Sandia National Lab confirmed an EER of 0.1% when two tries were allowed [55].

2.5 Architecture of Biometric Authentication Systems

A variety of architectures are possible for biometric authentication systems. A system could be self-contained. A laptop computer with built-in fingerprint scanner

PAGE 80

67

is an example of such an architecture [33]. However, in most cases, a biometric system comprises two or more devices connected by some sort of network. Most biometric devices connect to a computer via a USB port. It may also be desirable to store users' enrollment templates, and possibly even to carry out processing and matching on a server, when a user is authenticating on a client. A user database might be on a server, and the server might offer a more secure environment and greater computing power for the processing and matching process [3].

Such a biometric authentication system must have "a `trusted path' between all factors used in a particular ID/Authentication and the `trusted computing base' performing the validation of the inputs" [54]. Otherwise it will be subject to attacks such as the stealing of templates discussed on page 16 above.

Interception of the biometric data being sent from the biometric device is another real threat. Thalheim et al. intercepted USB packets from a fingerprint mouse, and from the intercepted packets (which would contain an image of the fingerprint, rather than a template) they were able to reconstruct fingerprints. They then used "a microcontroller with USB support and some storage capacity" which they programmed "to respond with answers identical to those of the actual scanner and then at the right moment play back the stored biometric data" in order to log in. In order to prevent such an attack, they suggest the use of "a challenge-response protocol where the biometric scanner and the application mutually authenticate one another and thereafter communicate with one another exclusively in an encrypted fashion" [49].

If the biometric device is to authenticate itself, it must have some computing power and memory. This creates the option of carrying out some or all of the processing and matching on the biometric device, and even storing the database of users and templates there.
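One way the suggested challenge-response defense can bind each scan to a fresh challenge, as an added example that is not the protocol of Thalheim et al. or of any product named here: the scanner and host are assumed to share a pre-provisioned key, HMAC-SHA256 is a swapped-in choice, and the class and function names are hypothetical. The sketch covers freshness and mutual authentication only; encrypting the sample in transit is left to a transport layer.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # fixed length keeps the concatenated MAC input unambiguous

def _tag(key, role, *fields):
    """HMAC-SHA256 over a role label followed by the message fields."""
    return hmac.new(key, role + b"".join(fields), hashlib.sha256).digest()

class Scanner:
    """Biometric device holding the shared key (hypothetical model)."""
    def __init__(self, key):
        self._key = key
        self._last_nonce = None

    def respond(self, host_nonce, sample):
        """Bind the captured sample to the host's challenge and our own nonce."""
        self._last_nonce = secrets.token_bytes(NONCE_LEN)
        tag = _tag(self._key, b"scanner", host_nonce, self._last_nonce, sample)
        return self._last_nonce, sample, tag

    def host_is_genuine(self, host_tag):
        """Check the host's proof that it also knows the key."""
        if self._last_nonce is None:
            return False
        expected = _tag(self._key, b"host", self._last_nonce)
        return hmac.compare_digest(expected, host_tag)

class Host:
    """Application side that issues challenges and validates responses."""
    def __init__(self, key):
        self._key = key
        self._open = set()  # challenges issued and not yet used

    def challenge(self):
        nonce = secrets.token_bytes(NONCE_LEN)
        self._open.add(nonce)
        return nonce

    def verify(self, host_nonce, device_nonce, sample, tag):
        """Return the host's proof for the scanner, or None if rejected."""
        if host_nonce not in self._open:
            return None                      # unknown or already used challenge
        self._open.discard(host_nonce)       # every challenge is single use
        if len(device_nonce) != NONCE_LEN:
            return None
        expected = _tag(self._key, b"scanner", host_nonce, device_nonce, sample)
        if not hmac.compare_digest(expected, tag):
            return None                      # wrong key, altered sample, or stale tag
        return _tag(self._key, b"host", device_nonce)

def demo():
    """Run a live exchange, then present recorded traffic to the host again."""
    key = secrets.token_bytes(32)            # constructed; provisioning is out of scope
    scanner, host = Scanner(key), Host(key)
    sample = b"constructed-fingerprint-image-bytes"

    n1 = host.challenge()
    d1, s1, t1 = scanner.respond(n1, sample)
    proof = host.verify(n1, d1, s1, t1)
    live_ok = proof is not None and scanner.host_is_genuine(proof)

    n2 = host.challenge()
    replay_fresh = host.verify(n2, d1, s1, t1)   # recorded tag was bound to n1
    replay_spent = host.verify(n1, d1, s1, t1)   # n1 has already been consumed

    n3 = host.challenge()
    d3, _, t3 = scanner.respond(n3, sample)
    altered = host.verify(n3, d3, b"substituted-sample", t3)

    rogue_host = scanner.host_is_genuine(b"\x00" * 32)
    return {"live": live_ok, "replay_fresh": replay_fresh,
            "replay_spent": replay_spent, "altered": altered,
            "rogue_host": rogue_host}

if __name__ == "__main__":
    print(demo())
```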

PAGE 81

68

Chen et al. propose the use of a smart card with a trusted display to protect users from malicious biometric systems which might steal a user's biometric data [7]. The smart card would authenticate the platform and the biometric device, and give the user a signal through a built-in display to indicate that they have authenticated successfully. If they do not authenticate, they may have been tampered with, and the user will know not to present their biometric data to the device.

2.6 Biometric Standards

Biometric standards are useful because they make integration of biometric authentication systems with operating systems or other software easier. In particular, combining multiple biometric authentication systems would be much easier if they all followed the same standard.

Three standards have been published and used to varying degrees. In general, these standards specify an interface for the interaction of a software module specific to a particular piece of biometric hardware, known as a biometric service provider (BSP), with some other system that would make use of biometric authentication, such as an authentication middleware. Then software systems can deal with a variety of biometric authentication subsystems in a generic way. This would allow easy substitution of, say, an iris scan for a facial scan system, or an improved fingerprint scanner for a less capable one. They typically offer a number of optional features, such as the ability to return a match score as opposed to simply returning a "pass" or "fail" result. Since the score is related to the degree of confidence the system has in its conclusion, this kind of information is very useful for reaching a decision based on multiple biometric devices.

The first biometric standard is Human Authentication - Application Program Interface (HAAPI). Version 1.0 was issued in August of 1997, and the final version, 2.0, was issued in April 1998 [9].

PAGE 82

69

The BioAPI consortium, which eventually released the Biometric API (BioAPI) standard, formed in April of 1998 to provide a multilevel API, where HAAPI provides only a high-level API. Perceived competition with HAAPI caused confusion in the biometric industry, with companies unsure which standard they should follow. Then in February 1999 the HA-API Working Group and the BioAPI Consortium merged [50]. BioAPI version 1.0 was released in March, 2000, and version 2.0 was released in March of 2001 [4].

The BAPI standard was developed by I/O Software, and then purchased by Microsoft. It remained proprietary, in contrast to HAAPI and BioAPI, which are open standards. In December 1998, the BAPI group joined with the BioAPI consortium [3].

The Common Data Security Architecture (CDSA), a joint effort of Intel and The Open Group, is an open standard for an architecture incorporating many security-related functions. When its developers became interested in including biometrics, they initially set out to incorporate HAAPI [50], but it is now consistent with BioAPI, having the same functions available, but with different nomenclature.

An open source reference implementation of BioAPI 2.0, consisting of middleware and a password BSP, which interacts with the middleware as would a BSP for a biometric device, and is provided as an example and for testing, is available from the BioAPI Consortium's website. The website also has links to companies that supply BioAPI-compliant middleware and fingerprint, signature, face, hand geometry, iris, voice, and lip movement BSPs [3].

2.7 Summary

While biometric authentication attempts to solve the problems of forgotten or stolen passwords, and lost or stolen authentication tokens, biometric information may also be subject to loss or theft. A significant proportion of people have damaged or worn fingerprints, so that a fingerprint scanner may not be able to

PAGE 83

70

acquire good enough information to authenticate them. Also, impostors may be able to lift fingerprints from drinking glasses or other surfaces and produce copies of the fingerprint in gelatin or silicone. The impostor may then be able to authenticate with this artifact. Additionally, biometric data might be stolen as it is transmitted from the biometric device to the computer, or when it is stored in the computer. This information might be used for replay attacks. It is particularly important to prevent such attacks with a biometric authentication system. If a password is stolen, it can be changed, but a person's biometric characteristics cannot. Therefore, communication between the biometric device and the computer should be encrypted, and a nonce or timestamp should be used to prevent replay.

Other types of biometric authentication systems are known to be susceptible to one or both of these types of problems, leading to high FRR and/or FAR. Devices for which such vulnerabilities have not been reported may not have been tested adequately, by a variety of means, to detect their vulnerabilities.

Fingerprint, iris, retina, and the face when imaged with thermal infrared wavelengths have a great deal of unique information that is normally constant over the life of a person. However, fingerprints may be rendered difficult to scan by abrasion or exposure to chemicals. Retinal veins may change due to factors such as pregnancy. As was mentioned above for fingerprints, iris scan is also vulnerable to attack with an artifact. An impostor can use a photograph of a user's iris to authenticate. Such attacks for retinal scan or infrared face scan are not known. Retinal scan and iris scan may suffer from high FAR. The main disadvantage of infrared face scan seems to be the cost of the camera, which causes the system to cost about $10,000 more than a visible light face scan system.

Other biometric systems are also known to have weaknesses. Voice scan is vulnerable to ambient noise and replay attacks. Dynamic signature verification

PAGE 84

71

may suffer from high FRR due to inconsistent signatures. Face scan with visible light is also subject to spoofing with a picture of an authorized user. There does not appear to be any information on spoofing of hand scan systems. It would be interesting to attempt to spoof such systems. The following section discusses how multiple biometric authentication systems are combined in an attempt to overcome the weaknesses of single biometric authentication systems, and achieve lower FRR and FAR.

A number of standards have been developed to specify an API for the biometric authentication system to interact with the authentication component of the operating system or a middleware. Adoption of such a standard would make the biometric device and the device-specific software that goes with it interchangeable, so that devices can be exchanged or upgraded with a minimum of effort and disruption. It would also allow easy combination of multiple biometric authentication systems. Currently the biometric industry seems to be converging on a single standard, BioAPI.

Because biometric authentication systems are in many cases susceptible to spoofing, and generally have unacceptably high false acceptance or rejection rates, there have been several attempts to combine multiple biometric authentication systems. If an intruder is able to obtain or make an artifact, such as a gelatin copy of a user's fingerprint or a photograph of a user's face or iris, they might be able to authenticate on a single biometric system. However, if authentication requires an acceptable combination of scores on several devices, an impostor with an artifact for only a single device would probably be defeated. Also, a user whose fingerprint is damaged by a weekend of bricklaying or rock climbing might fail a single fingerprint test, but might still be able to authenticate via other devices if multiple biometrics are in use.

PAGE 85

CHAPTER 3
PREVIOUS WORK IN COMBINING BIOMETRIC AUTHENTICATION SYSTEMS

Biometric authentication can be considered a case of pattern recognition. A subject makes a claim to be a particular authorized user, and presents biometric data to one or more biometric devices. The device or devices and the associated software process the biometric data to produce a score. Normally a high score indicates a high probability that the subject is in fact the authorized user. A low score indicates a low probability that the subject is the user, and a high probability that they are an impostor.

Because biometric authentication systems may suffer from unacceptably high FAR, particularly when an adversary uses a physical or logical copy of a user's biometric information, such as a gelatin fingerprint or replay of a valid authentication, and also unacceptably high FRR, several researchers have combined multiple biometric systems into an authentication system with lower error rates.

Methods of combining multiple classifiers fall into three groups, parallel, cascading, and hierarchical [23]. Most reported combining methods fall into the parallel category. In this category are such methods as voting, sum, and product rules. It also includes schemes in which the scores from individual classifiers are weighted before combining. All but one of the methods described below for combination of multiple biometrics are parallel methods.

In cascading methods, "classifiers are invoked in a linear sequence" [23]. Usually less computationally intensive classifiers are invoked first, and reduce the number of classes to be considered by subsequent classifiers that require more computation [23]. Use of a cascade combining method in a biometric identification system is described below.

72

PAGE 86

73

Hierarchical methods combine classifiers into a tree. Each tree node may be a complex classifier making use of a large number of features. Neural networks may lead to hierarchical classifying methods [23].

Particularly for parallel combination schemes, if we have $N$ devices, it is convenient to form a vector from the $N$ single device scores,

$$x = (x_1, x_2, \ldots, x_N)$$

It is also possible to process the data from a single biometric device with several algorithms, generating several scores, as described above [43]. If a device made multiple scores available to the user, each score could be treated as a classifier, and dimensionality of the vector $x$ would be the number of classifiers, rather than the number of devices. Alternatively, each algorithm could be treated as a logical device, and the number $N$ of logical devices would be greater than the number of physical devices. Some commercial biometric devices use multiple classifiers internally, and provide a single score to the user, which is the result of combining these classifiers. This is done in the Automated Fingerprint Identification System used by the FBI [51], and also in the Softpro dynamic signature verification system.¹

Then a decision rule is needed to map the $N$-dimensional vector to one of two classes, $\omega_1$ and $\omega_2$ for accept and reject. The goal of the decision rule is to simultaneously minimize two types of errors, false rejection of authorized users and false acceptance of impostors, as described above.

3.1 Optimal Bayes Decision Rule

The optimal Bayes decision rule, equation 2.10, Accept if

¹ Personal communication, Ulrich Pantow, October, 2002.

PAGE 87

74

L!1;!2pxj!2P!2P!jjx.2

or "assign Z to the class with the maximum a posteriori probability," where $Z$ is the pattern to be classified. This rule is therefore known as the "maximum a posteriori" rule [27].

Kittler et al. [27] develop several rules for classification from Bayesian theory. They derive the product rule, sum rule, max rule, min rule, median rule, and majority vote rule by making different assumptions and simplifications. Kittler et al. develop these equations for any number of classes, but for biometric authentication, a pattern $Z$ is a person attempting to authenticate, and must be assigned to one

PAGE 88

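75

of two classes, $\omega_1$ and $\omega_2$ for accept and reject. This allows simplification of some equations. The pattern is represented by the measurement vector $x = (x_1, x_2, \ldots, x_N)$ made up of the scores from $N$ biometric devices. Then, according to Bayesian theory, if the a priori probability of a class $\omega_k$ is $P(\omega_k)$, for a set of measurement vectors, a pattern should be assigned according to the rule

$$\text{assign } Z \rightarrow \omega_j \text{ if } \quad P(\omega_j \mid x_1, \ldots, x_N) = \max_k P(\omega_k \mid x_1, \ldots, x_N) \tag{3.3}$$

From the Bayes theorem, the a posteriori probability can be rewritten as

$$P(\omega_k \mid x_1, \ldots, x_N) = \frac{p(x_1, \ldots, x_N \mid \omega_k)\, P(\omega_k)}{p(x_1, \ldots, x_N)} \tag{3.4}$$

where $p(x_1, \ldots, x_N \mid \omega_k)$ is the conditional joint probability density function for measurements on class $\omega_k$ and $p(x_1, \ldots, x_N)$ is the unconditional measurement joint probability function. The unconditional joint pdf is just the sum of the joint pdf's of the classes, times their probabilities,

$$p(x_1, \ldots, x_N) = \sum_{j=1}^{2} p(x_1, \ldots, x_N \mid \omega_j)\, P(\omega_j) \tag{3.5}$$

3.1.1 Product Rule

Because a large amount of data might be needed to determine the measurement joint probability functions accurately, it might be desirable to assume independence of the scores of the devices. If the devices are measuring different features of the subject, the scores might be expected to be independent. For example,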

PAGE 89

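76

a cold would be expected to affect a voice verification score but not a fingerprint score. Then the conditional joint pdf becomes

$$p(x_1, \ldots, x_N \mid \omega_k) = \prod_{i=1}^{N} p(x_i \mid \omega_k) \tag{3.6}$$

The assumption of independence of the scores from the individual classifiers leads to the product rule. Substituting equations 3.5 and 3.6 into 3.4,

$$P(\omega_k \mid x_1, \ldots, x_N) = \frac{P(\omega_k) \prod_{i=1}^{N} p(x_i \mid \omega_k)}{\sum_{j=1}^{2} P(\omega_j) \prod_{i=1}^{N} p(x_i \mid \omega_j)} \tag{3.7}$$

The denominator of the right side of equation 3.7 is the same for both classes, so it can be neglected when 3.7 is substituted into decision rule 3.3:

$$\text{assign } Z \rightarrow \omega_j \text{ if } \quad P(\omega_j) \prod_{i=1}^{N} p(x_i \mid \omega_j) = \max_{k=1}^{2} P(\omega_k) \prod_{i=1}^{N} p(x_i \mid \omega_k) \tag{3.8}$$

and in terms of the a posteriori probabilities from the devices,

$$\text{assign } Z \rightarrow \omega_j \text{ if } \quad P^{-(N-1)}(\omega_j) \prod_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} P^{-(N-1)}(\omega_k) \prod_{i=1}^{N} P(\omega_k \mid x_i) \tag{3.9}$$

Note that if a single classifier gives a very low score and all others give a high score, the product rule will give a low score. This is a weakness of this rule.

3.1.2 Sum Rule

If it can be further assumed that the a posteriori probabilities from the classifiers do not differ greatly from the a priori probabilities, the sum rule can be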

PAGE 90

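derived. Thus it will apply when the classifiers are not very sure how to classify something. Then the a posteriori probabilities will be

$$P(\omega_k \mid x_i) = P(\omega_k)(1 + \delta_{ki}) \tag{3.10}$$

where $\delta_{ki} \ll 1$. Substituting the a posteriori probability in equation 3.10 into the right side of equation 3.9,

$$P^{-(N-1)}(\omega_k) \prod_{i=1}^{N} P(\omega_k \mid x_i) = P(\omega_k) \prod_{i=1}^{N} (1 + \delta_{ki}) \tag{3.11}$$

and expanding the product and neglecting terms that are second or higher order in $\delta_{ki}$,

$$P^{-(N-1)}(\omega_k) \prod_{i=1}^{N} P(\omega_k \mid x_i) = P(\omega_k) + P(\omega_k) \sum_{i=1}^{N} \delta_{ki}. \tag{3.12}$$

Then substituting 3.12 into 3.9, and using 3.10 to eliminate $\delta_{ki}$, the sum decision rule is

$$\text{assign } Z \to \omega_j \text{ if } (1 - N) P(\omega_j) + \sum_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \left[ (1 - N) P(\omega_k) + \sum_{i=1}^{N} P(\omega_k \mid x_i) \right]. \tag{3.13}$$

With the assumption of equal a priori probabilities, this becomes

$$\text{assign } Z \to \omega_j \text{ if } \sum_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \sum_{i=1}^{N} P(\omega_k \mid x_i). \tag{3.14}$$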

PAGE 91

3.1.3 Max Rule

If the sum of the N a posteriori probabilities in equation 3.13 is replaced by N times the greatest probability, the Max rule results:

$$\text{assign } Z \to \omega_j \text{ if } (1 - N) P(\omega_j) + N \max_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \left[ (1 - N) P(\omega_k) + N \max_{i=1}^{N} P(\omega_k \mid x_i) \right]. \tag{3.15}$$

which, with the assumption of equal a priori probabilities, becomes

$$\text{assign } Z \to \omega_j \text{ if } \max_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \max_{i=1}^{N} P(\omega_k \mid x_i). \tag{3.16}$$

Use of this rule in biometric authentication would assist an impostor who is able to get one high score either by use of an artifact, or simply by chance.

3.1.4 Min Rule

The product of the posterior probabilities in equation 3.13 will always be less than or equal to the minimum of the probabilities,

$$\prod_{i=1}^{N} P(\omega_k \mid x_i) \le \min_{i=1}^{N} P(\omega_k \mid x_i). \tag{3.17}$$

When 3.17 is substituted into 3.9 and bounding the probabilities from above, we get

$$\text{assign } Z \to \omega_j \text{ if } P^{-(N-1)}(\omega_j) \min_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} P^{-(N-1)}(\omega_k) \min_{i=1}^{N} P(\omega_k \mid x_i) \tag{3.18}$$

PAGE 92

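and with the assumption of equal prior probabilities,

$$\text{assign } Z \to \omega_j \text{ if } \min_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \min_{i=1}^{N} P(\omega_k \mid x_i). \tag{3.19}$$

3.1.5 Median Rule

If equal prior probabilities are assumed, then the sum rule in equation 3.13 can be thought of as an average a posteriori probability for each class from all the classifier outputs,

$$\text{assign } Z \to \omega_j \text{ if } \frac{1}{N} \sum_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \frac{1}{N} \sum_{i=1}^{N} P(\omega_k \mid x_i). \tag{3.20}$$

so the pattern is assigned to the class for which the average a posteriori probability is a maximum. If one of the a posteriori probabilities is an outlier, it will influence the average, and could cause a wrong decision. The median is less easily influenced by outliers, so it can be considered as a rule for combining classifiers:

$$\text{assign } Z \to \omega_j \text{ if } \operatorname{med}_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \operatorname{med}_{i=1}^{N} P(\omega_k \mid x_i). \tag{3.21}$$

3.1.6 Majority Vote Rule

If the a posteriori probabilities are hardened to produce a binary valued function,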

PAGE 93

$$\Delta_{ki} = \begin{cases} 1 & \text{if } P(\omega_k \mid x_i) = \max_{j=1}^{2} P(\omega_j \mid x_i) \\ 0 & \text{otherwise} \end{cases}$$

then 3.13 becomes

$$\text{assign } Z \to \omega_j \text{ if } \sum_{i=1}^{N} \Delta_{ji} = \max_{k=1}^{2} \sum_{i=1}^{N} \Delta_{ki}. \tag{3.22}$$

so that the class with the largest number of votes is selected.

3.1.7 Experimental Test of Rules for Combining Classifiers

Then Kittler et al. [27] report the results of experiments testing these rules for combining classifiers. In one experiment they combine three biometrics, frontal and profile views of the face and voice verification. Equal error rates of 12.2%, 8.5%, and 1.4% were obtained for the individual frontal, profile, and voice biometrics. Equal error rates for the various combination rules are 0.7% for the sum rule, 1.4% for product, 12.2% for maximum, 1.2% for median, and 4.5% for minimum. The sum rule has the best performance. For some reason the majority vote rule was not used. They computed a correlation matrix for the data used to compute the individual biometric scores, which showed that there was some correlation between face profile and voice, but not much between frontal face and the other biometrics.

A second experiment involved character recognition. In this case the median rule was best, with a classification rate of 98.19%, and the sum rule was a close second at 98.05%. A majority vote is next at 97.96%, followed by the max rule at 93.93%, the min rule at 86.00%, and the product rule at 84.69%. The min and product rules were both worse than any of the individual classifiers used for character recognition.
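The six fixed rules of sections 3.1.1 to 3.1.6, written out as an added example (not code from the thesis or from Kittler et al.). The function names and the per-device posterior values are constructed for illustration; equal priors are assumed unless passed in.

```python
from math import prod
from statistics import median

GENUINE, IMPOSTOR = 0, 1  # class indices for w1 (accept) and w2 (reject)
RULES = ("product", "sum", "max", "min", "median", "vote")


def class_scores(posteriors, rule, priors=(0.5, 0.5)):
    """Return the combined score of each class under one rule.

    posteriors[i][k] is P(w_k | x_i) reported by device i,
    priors[k] is the a priori probability P(w_k).
    """
    n = len(posteriors)
    scores = []
    for k, prior in enumerate(priors):
        p = [device[k] for device in posteriors]
        if rule == "product":    # eq. 3.9
            s = prior ** -(n - 1) * prod(p)
        elif rule == "sum":      # eq. 3.13
            s = (1 - n) * prior + sum(p)
        elif rule == "max":      # eq. 3.15
            s = (1 - n) * prior + n * max(p)
        elif rule == "min":      # eq. 3.18
            s = prior ** -(n - 1) * min(p)
        elif rule == "median":   # eq. 3.21, derived for equal priors
            s = median(p)
        elif rule == "vote":     # eq. 3.22: each device votes for its top class
            s = sum(1 for device in posteriors if device[k] == max(device))
        else:
            raise ValueError(f"unknown rule: {rule}")
        scores.append(s)
    return scores


def decide(posteriors, rule, priors=(0.5, 0.5)):
    """Decision rule 3.3: choose the class with the largest combined score.

    Ties go to IMPOSTOR, so an undecided combination is rejected.
    """
    genuine, impostor = class_scores(posteriors, rule, priors)
    return GENUINE if genuine > impostor else IMPOSTOR


def all_decisions(posteriors, priors=(0.5, 0.5)):
    """Decision of every rule for one authentication attempt."""
    return {rule: decide(posteriors, rule, priors) for rule in RULES}


# Constructed inputs: (P(genuine | x_i), P(impostor | x_i)) for three devices.
# A genuine user whose third device (say, voice during a cold) scores near zero.
GENUINE_WITH_COLD = [(0.95, 0.05), (0.90, 0.10), (0.001, 0.999)]
# An impostor who obtains one high score (an artifact, or chance) on device 1.
IMPOSTOR_ONE_SPOOF = [(0.97, 0.03), (0.10, 0.90), (0.15, 0.85)]

if __name__ == "__main__":
    names = {GENUINE: "accept", IMPOSTOR: "reject"}
    for label, attempt in (("genuine, one bad score", GENUINE_WITH_COLD),
                           ("impostor, one high score", IMPOSTOR_ONE_SPOOF)):
        print(label)
        for rule, decision in all_decisions(attempt).items():
            print(f"  {rule:8s} {names[decision]}")
```

For the genuine user with one collapsed score, the product, min and max rules reject while sum, median and vote accept; for the impostor with one high score, only max and min accept. With two classes whose posteriors sum to one on each device, the max and min comparisons reduce to the same test, which is why they agree on both inputs.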

PAGE 94

In order to explain the superiority of the sum rule, which requires the assumptions of independence and that classes are ambiguous, they show that errors have less influence on the sum rule than on the product rule.

3.2 Nonparametric Methods and Likelihood Ratio

Prabhakar and Jain [43] use several matching algorithms to classify fingerprint images from a single fingerprint scanner. The goal is to achieve lower error rates than any one of the algorithms could achieve alone, without the expense and inconvenience of using multiple biometric devices. They develop a classifier combination method that does not assume any particular form for the probability density functions of the classes, and also does not assume independence of the scores from the various matching algorithms.

First a class separation statistic is used to choose the subset of available algorithms that gives the best separation of authorized users and impostors [43]. A natural assumption would be to assume that the more algorithms used, the better the result should be. If the pdf's of the classes are perfectly known, increasing the number of features, in this case the number of algorithms generating a score for a fingerprint, will never decrease the accuracy of classification. If the additional features have some independent data from those already in use, classification accuracy would be expected to improve. However, in many real cases, where densities are not known perfectly, and must be estimated from limited experimental data, there is a "peaking phenomenon" in classification performance as the number of features is increased. Beyond some point, further increase in the number of features results in a decrease in classification accuracy [23]. This is known as the "curse of dimensionality." The optimum dimensionality depends on the number of data points available. It is considered good practice to use at least ten data points for each dimension. However, for some approaches, the data requirement is much greater.

PAGE 95

A naive table-lookup technique partitioning the feature space into cells and associating a class label with each cell requires the number of training data points to be an exponential function of the feature dimension. ([23], p. 11)

Prabhakar and Jain use such a technique. Then, although they compared 2572 fingerprint images from 167 subjects against each other, resulting in 7472 genuine user matches and 3,298,834 impostor matches, the best performance was achieved with the use of only three of the four algorithms that were studied [43].

Next the Parzen window density estimate of the N-dimensional density function is used, where N is the number of algorithms in the optimal subset. The density estimate at a point x, with n data points available, is

$$p(x) = \frac{1}{n h^N} \sum_{j=1}^{n} \left\{ \frac{1}{(2\pi)^{N/2} |\Sigma|^{1/2}} \exp\left[ -\frac{1}{2h^2} (x - x_j)^t \Sigma^{-1} (x - x_j) \right] \right\} \tag{3.23}$$

where h is the width of the N-dimensional window over which the density is averaged, and $\Sigma$ is the covariance matrix, which is estimated from the n data points [43]. The larger the value of h, the greater the smoothing of the estimated density function. If h is too small so that a small number of points fall inside the window, random variations will influence the distribution. If h is too large, features of the distribution may be obscured [13].

Finally, a likelihood ratio, equation 2.7

$$R = P(x \mid \omega_2) / P(x \mid \omega_1) \tag{3.24}$$

is used to assign to class $\omega_2$ if R is large, and to class $\omega_1$ if R is small. If a limit is set on FAR, for example, and regions of minimum R are assigned to class $\omega_1$, the class of genuine users, until the FAR limit is reached, then the remaining regions are all assigned to class $\omega_2$, for impostors, or alternatively, a limit for

PAGE 96

FRR is chosen, regions of maximum R are assigned to class $\omega_2$ until the FRR limit is reached, this method will yield an optimal Neyman-Pearson decision rule.

Experimental results for one of the matching algorithms show that, while the impostor curve appears to be close to a normal distribution, the error rate is significantly better when the nonparametric Parzen window density is used. The likelihood ratio gives lower error rate than the sum rule, which is better than the product rule [43].

3.3 Majority Voting

Dieckmann et al. [10] tested a system that either verified or identified people entering a building. The subjects looked at a camera and said their names. The camera captured a still image of the face, as well as lip movement, while a microphone captured the voice. These data were processed to obtain three hard decisions, and if two of the three decisions were positive the person was authenticated or identified. It was claimed that voice and lip movement, being dynamic features, are more difficult to fake than static features, such as the face image. The voting scheme is said to be "very reliable and robust against changing light conditions (sun movement, clouds, changing electric lights) and against a noisy environment. If one cue is disturbed the other two still guarantee a safe classification." Because false rejection was seen to be more undesirable than false acceptance, the three classifiers were trained to minimize FRR+FAR. In the verification test, the face image had FRR of 0.005 and FAR of 0.027, lip movement had FRR of 0.26 and FAR of 0.035, and speech had FRR of 0.009 and FAR of 0.019. The system had a FRR of 0.002, and FAR of 0.003.

3.4 Weighted Sum Rule

Duc et al. [12] used Bayes theory to combine scores from a face image and speech. They assume independence of the face image and speaker verification scores. They also assume that the log of the misidentification score follows a

PAGE 97

normal distribution. The misidentification score is the difference between the true authentication score, which is one for a genuine user and 0 for an impostor, and the actual score for the authentication attempt. A weighted sum of the face and speech scores results, where the scores are weighted by the inverse of their variance. False acceptance rates for face and speech were 3.6% and 6.7%, while the arithmetic mean of the two scores achieved a false acceptance rate of 1.2% and the Bayesian method achieved 0.54%. The false rejection rates were 7.4% for face, 0.0% for speech, 2.1% for the arithmetic mean, and 0.0% for the Bayesian method.

Jourlin et al. [25] combine visual information from lip movement with acoustic information from speech. The combined system was tested on 37 people, who were recorded speaking the digits from 0 to 9 in French. Each person was recorded five times at one week intervals. They used the first three recordings for training of their classification system. The fourth was used for validation. The threshold was chosen to minimize errors on this set. The fifth, which was more difficult to classify because of tilting of the speaker's head, not shaving, poor signal to noise ratio in the voice recording, or poor focus of the camera, was used for testing. Tests were carried out by comparing each person's data from the fifth trial to their own speech and lip movement patterns obtained from the first three recordings, and also to a world model, which is a model of the speech of 500 people and lip movement patterns of 36 people. A score is obtained by normalizing the ratio of the likelihood that they are the claimed identity to the world likelihood, their similarity to the world model. A weighted sum is used to combine the acoustic and lip movement scores, with the best performance found at a weighting of 0.86 for acoustic and 0.14 for lip movement. Impostor tests were carried out in a similar way, comparing a subject's fifth recording to the speech and lip movement patterns of other test subject's first three trials. From just the acoustic information, the test achieved FAR of 2.3% and FRR of 2.8%. Using just the lip movement information, the

PAGE 98

FAR was 3.0% and the FRR was 27.8%. Combining the two, the FAR was 0.5% and the FRR was 2.8%.

3.5 Cascading Method of Combining Classifiers

Hong and Jain [20] use a cascading method of combining face recognition with fingerprint to construct an identification system. Because an identification system may need to make a large number of comparisons, processing time is more important. Therefore, face recognition is used to select the five best matches, and then the fingerprint matching is performed only on those selected identities. Face and fingerprint scores are assumed to be independent. Then the FAR is computed for each of the five top face matches, based on both the face and fingerprint scores. The system accepts an identity as correct if the computed FAR is less than the required standard, and if the FAR is the minimum of the five returned from the database on the basis of the face match.

This system was tested using databases of face and fingerprint images. Fingerprints were assigned to faces at random, based on the assumption that fingerprint and face are independent. With a FAR of 1%, the face FRR is 15.8%, the fingerprint FRR is 3.9%, and the system FRR is 1.8%. With a FAR of 0.001%, the face FRR is 64.1%, the fingerprint FRR is 14.9%, and the system FRR is 9.8%. Included in the system FRR are the 1.8% of the individuals who were not among the top five matches of the face recognition system.

3.6 Hierarchical Methods of Combining Classifiers

Hierarchical methods, also known as decision trees, differ from the cascading method in that information from all classifiers is assumed to be available at the start of the classification process. Then decisions can be based on a single variable or on a combination of variables. If the scores from the individual classifiers are related, basing the decision on a single score rather than a combination of scores introduces bias [11]. To avoid this, Draper et al. describe how to derive a decision

PAGE 99

tree with a linear machine at each node that can reach a decision based on a linear combination of all the scores with different costs assigned to different kinds of misclassification errors [11]. Biometric systems that measure different characteristics should be approximately independent, so the algorithm for building the tree is not described here, but if a number of classifying algorithms were used on data from a single biometric device, the results might not be independent, and such a technique might be advantageous.

3.7 Summary

In summary, of the three general classes of procedures for combining classifiers, most of the methods used for combining biometric classifiers are parallel methods. The product, sum, median, min and majority vote rules can all be derived from Bayesian theory with varying assumptions. The product rule, derived by assuming that the classifiers are independent, can be strongly affected by a single low score. Also it is more strongly affected by error in the classifiers than is the sum rule. This is probably the reason that the sum rule, although it requires the further assumption that the a posteriori probability of a genuine user or an impostor does not differ greatly from the a priori probability, was found to have better performance than the product rule. The median rule had performance comparable to that of the sum rule, and the majority vote rule was slightly inferior. The min and product rules were significantly lower. In other tests, a weighted sum rule gave improved classification performance, with the weighting factors determined empirically or with the inverse of the variance of a classifier's scores used as a weighting factor.

A PDF must be found for each classifier's score for each class. If the classifiers are not independent, then a joint PDF is needed. Determination of a joint PDF requires much data, but gave improved performance when a number of algorithms were used to classify a set of fingerprint images. However, in another study data

PAGE 100

from frontal face, face profile, and voice were nearly independent. Thus, when working with multiple biometric systems that measure different characteristics, it is probably safe to assume independence, and a joint PDF need not be determined.

Probability density functions can be found by parametric methods, which assume the distributions to follow some function, or nonparametric methods, which make no such assumption. With a large data set of fingerprint images, a nonparametric method, the Parzen window density, was found to be superior to parametric methods [43]. A likelihood ratio was used to assign regions of the four-dimensional space generated by the scores from four classifiers. This method was found to be superior to the sum rule, which was superior to the product rule.

A biometric identification system made use of a cascading system, first invoking a fast face recognition system to select a small number of close matches from a database, and then a slower fingerprint to either find a match from among the small set of close matches or to decide that the person is not in the database [20].

PAGE 101

CHAPTER 4
EXPERIMENTAL GOALS AND METHODS

The literature on biometric authentication systems suggests that unacceptably high FAR and FRR remain problems. A genuine user may be rejected because of worn fingerprints or failure to align the eye properly with an iris scan. An impostor may use a silicone copy of a user's fingerprint to be accepted. One goal of our work was to test a variety of biometric authentication systems, and to determine the FRR and FAR, particularly when the impostor uses some creative means to spoof the system. Data from these tests would help us understand the individual vulnerabilities of the various systems. A second goal of our work was to develop an understanding of how multiple biometric systems could be combined, and how much the FAR and FRR could be reduced.

4.1 Meaning and Measurement of False Acceptance Rate

Because FRR and FAR are related via the threshold, both must be determined in order to provide a useful description of a biometric authentication system. Increasing threshold makes it more difficult for impostors to authenticate, lowering the FAR, but it also makes authentication more difficult for genuine users, increasing the FRR. Decreasing threshold will decrease FRR at the cost of a higher FAR.

Measurement of FRR is fairly straightforward. An adequate number of test subjects should be enrolled, and should present their biometric feature to the system in the proper way several times, perhaps with a delay of weeks or months between attempts to determine if the biometric characteristic changes enough over that time to increase the FRR. Many systems are tested in this way [10], or on a database of biometric data captured in this way [12], [20], [25], [43], [28], [27]. The

PAGE 102

test subject's data from different attempts are compared in order to find the FRR, and the data from different subjects are compared in order to find the FAR.

However, the meaning and determination of the false acceptance rate presents some difficulty because the FAR for a given biometric device will depend strongly on the method used by the impostor. Then if the results of all tests, regardless of method, are lumped together to determine the FAR from equation 2.2, the result will depend on the relative frequency of tests by different methods. For example, experimental results presented below will show that the FAR for an impostor looking at an authorized user's signature while signing it is much lower than the FAR when the impostor traces the authorized user's signature. If our testing included many attempts in which impostors looked at the user's signature but few or none in which impostors traced the user's signature, the vulnerability of the device to the second kind of attack would be hidden in a low FAR.

A first step in evaluating a device is then to use any means that can be thought of to try to fool the device, and determine a separate FAR for each means. However, a single FAR might be needed for comparison to other types of devices (where an iris scan would not be vulnerable to a silicone finger but might be attacked with a picture of a user's iris) or to determine if the device meets a standard. Ways in which the FARs might be combined include

1. A weighted average FAR,

$$FAR_{av} = \sum_i w_i\, FAR_i \tag{4.1}$$

could be computed using the inverse of the difficulty of various attacks as a weighting factor,

$$W_{1i} = \frac{1}{D_i} \tag{4.2}$$

PAGE 103

$$W_1 = \sum_i \frac{1}{D_i} \tag{4.3}$$

$$w_{1i} = \frac{W_{1i}}{W_1} \tag{4.4}$$

where $D_i$ is the difficulty of attack i and $w_{1i}$ is the weighting factor. The probability or frequency of a particular attack might be expected to depend on its level of difficulty. Factors that could be considered in a resource-based estimate of $D_i$ might include the expertise needed to carry out the attack, time needed to prepare for the attack vs. time available, the availability, cost, and quality of materials and equipment needed, and if the user's biometric information is needed, the level of difficulty to copy that information. For example, it is probably relatively easy to get a copy of a user's signature or fingerprint. On the other hand, acquisition of a usable iris image requires close-up photography of the user's eye, which would be relatively difficult [49].

2. The weighting factor might be the FAR of the attack divided by the difficulty, because impostors are more likely to attempt an attack that has a high probability of success even if it is difficult. If use of a good quality iris image has a high probability of success, more impostors will be expected to try it in spite of the difficulty. In this case, the weighting factor to be used in equation 4.1 would be

$$W_{2i} = \frac{FAR_i}{D_i} \tag{4.5}$$

$$W_2 = \sum_i \frac{FAR_i}{D_i} = \sum_i W_{2i} \tag{4.6}$$

$$w_{2i} = \frac{W_{2i}}{W_2} \tag{4.7}$$

PAGE 104

3. Use the highest FAR.

$$FAR_{combined} = \max_i FAR_i \tag{4.8}$$

This would avoid the problem of determining an appropriate weighting factor for the various possible attacks. Also, the most determined and dangerous impostors could be expected to use the method that is most likely to succeed, even if it was more difficult. Members of the cleaning crew might put their own fingers on a fingerprint scanner out of curiosity, and if they happened to get access to the computer, they might check their favorite team's score on the internet. However, a spy might go to great lengths to produce a silicone or gelatin copy of an authorized user's fingerprint, and then use it to steal important secrets. Even if the second kind of attack were much less frequent than the first, it would probably be the one we should be more concerned about. A remaining difficulty here is that we may not think of the best means for attacking a device, but the spy may.

4.2 Testing Procedures

A testing framework was developed to guide the testing. Tests were carried out on four biometric systems by a group of 24 volunteers. The first week volunteers enrolled and authenticated. They returned three times to authenticate and, in some cases, to attempt to spoof the biometric devices. These sessions were one week, five weeks, and six weeks after the initial session. At each session, test subjects attempted to authenticate on each device they tested until they succeeded, up to a maximum of three attempts.

A greater number of test subjects was desired. However, the only motivations for people to authenticate were, for members of the IPPD group, to produce data for our project, and for those outside the group, curiosity about biometric

PAGE 105

devices, and a desire to help out friends. With the 24 test subjects, if each had authenticated four times, as planned, there would have been 96 authentication attempts. However, there were only 57 authentication attempts, and only three test subjects authenticated four times. If a biometric authentication system could be put into production, even on a limited scale, then users would authenticate regularly, and a much greater amount of data could be collected.

In order to test the concept of combining multiple biometric authentication systems, cases in which a user attempted to authenticate on the iris scan, signature, and thumbprint systems at the same time are needed. There were 31 such occasions. Probably the main reason that the rest of the 57 authentication attempts did not involve all the devices was that the iris software only allowed six users. For the second week of testing, the hard drive was partitioned and multiple copies of the operating system and iris software were installed, allowing more users to be enrolled.

4.3 Curve Fitting

From dynamic signature verification scores, plots of FRR for genuine users were generated by plotting score vs. $k/(n+1)$, where n is the total number of points in the data set, and k is the rank of the point to be plotted. This results in a plot of the fraction of authentication attempts below a particular score vs. score. For each type of impostor attempt, such as tracing or attempting to forge the signature from the user's name, plots of FAR were generated by plotting score vs. $1 - k/(n+1)$, where the terms have the same meaning as for the genuine user plot. This results in a plot of the fraction of authentication attempts above a particular score vs. score.

Next, in order to better understand the distribution of scores from genuine users and from various attacks, curves were fitted to each data set. In some cases, no single curve was a good fit over the entire range. In those cases, preference

PAGE 106

Table 4-1: Equations fitted to genuine and impostor signature data

Name                  Equation
Increasing Sigmoid    $y = a - \frac{b}{1 + \exp\left(\frac{x - c}{d}\right)}$
Weibull               $y = a \exp\left[-\left(\frac{x}{b}\right)^c\right]$
Sigmoidal             $y = a + \frac{b}{1 + \exp\left(\frac{x - c}{d}\right)}$
Dual Sigmoidal        $y = a + \frac{b}{1 + \exp\left(\frac{x - c}{d}\right)} + \frac{e}{1 + \exp\left(\frac{x - f}{g}\right)}$
Exponential           $a \exp\left(-\frac{x - b}{c}\right)$
Linear                $a + bx$
Quadratic             $a + bx - cx^2$
Cubic                 $a + bx - cx^2 + dx^3$
Quartic               $a + bx - cx^2 + dx^3 - ex^4$

was given to curves that were a good fit at high scores, because low scores would normally be rejected. Table 4.3 gives the equations that were considered. Lower case letters a through g are adjustable parameters. Fitting was carried out with gnuplot, trying all equations that appeared to be possible candidates for a particular data set and selecting the one that appeared to give the best fit. The quantity of data available was not judged to be great enough to justify any more detailed treatment.

The increasing sigmoid gave the best fit to the genuine scores. A Weibull function fit the tail better, but did not give a good fit to the high score region where most of the data points were. Impostor data fit various of the other equations. Data for impostors tracing a user's signature fit the "Dual Sigmoidal" equation, indicating that the data points were concentrated in the two regions of large slope. Some other plots fit a sigmoidal curve, indicating that data points were more concentrated in a single region. Most plots decreased more gradually, with the data points widely scattered.

Because of the small amount of data, curves were fitted to plots of FAR and FRR, which are cumulative plots, rather than to a number distribution. The cumulative plots should smooth out irregularities due to the small number of points.

PAGE 107

A few general rules for designing decision rules can be derived from the shapes of the curves for genuine users and impostors.

1. Regions where the curve for genuine users is flat contain few or no genuine user scores, and should therefore be rejected.
2. Regions of large slope in the curve for genuine users contain many genuine user scores, so they should be accepted.
3. Regions where the curve for impostors is flat contain few or no impostors, and should therefore be accepted.
4. Regions of large slope in the curve for impostors contain many impostor scores, so they should be rejected.

These rules are only general guidelines, and if the rules based on the genuine curve and impostor curve conflict, it will be more difficult to decide whether to accept or reject scores in that region. The likelihood ratio, equation 3.24, might be used to decide. In fact, the rules given above could also be derived from the likelihood ratio.

After the plots of FAR and FRR were generated, plots of the derivatives of the fitted curves were generated, and superimposed on the number density of data points, to get an idea of the forms of the distributions. These plots indicate that the tracing results follow a bimodal distribution. It would be interesting to have more data to clarify whether the results really are bimodal. If they are, FAR can be reduced by rejecting the regions where the impostor scores are concentrated.

4.4 Theory of Combining Multiple Biometric Systems

Two methods of combining multiple biometric authentication systems that in practice exhibit good performance will be considered, sum rule and majority vote. Based on reported experiments [27], the sum rule may be expected to outperform majority voting. However, the thumbprint and iris systems give only a hard result, not a score, so they cannot be combined according to the sum rule.

PAGE 108

4.4.1 Majority Voting

For a system of N biometric devices, if we assume that an individual's attempts to authenticate on the various devices are independent, the probability that an impostor can authenticate on all N devices is

$$\prod_{i=1}^{N} FAR_i \tag{4.9}$$

and the probability that an impostor can authenticate on all but one device j is

$$\sum_{j=1}^{N} \left\{ (1 - FAR_j) \prod_{i=1,\, i \ne j}^{N} FAR_i \right\} \tag{4.10}$$

and the probability that the impostor will not authenticate successfully on any device is

$$\prod_{i=1}^{N} (1 - FAR_i) \tag{4.11}$$

Then, if we assume the FAR and FRR for different devices are the same, the probability that an impostor will successfully authenticate on all N devices is $FAR^N$, the probability that the impostor will successfully authenticate on all but one device is $FAR^{N-1}(1 - FAR)$, and the probability that the impostor will successfully authenticate on exactly k out of N devices is $\binom{N}{k} FAR^k (1 - FAR)^{N-k}$. These probabilities are terms of a binomial expansion. If the policy of the biometric system is to require success on k of the N devices, the probability that an impostor will succeed in authenticating on the system is the sum of the probabilities for authenticating on k through n devices, or

$$FAR_{system} = \sum_{i=k}^{N} \binom{N}{i} FAR^i (1 - FAR)^{N-i} \tag{4.12}$$

PAGE 109

If we assume that $FAR \ll 1$, then the term with the lowest power of FAR dominates. Also, $(1 - FAR) \approx 1$, so it can be ignored, and we get

$$FAR_{system} \approx \binom{N}{k} FAR^k \tag{4.13}$$

By a similar method, the probability that an authorized user will fail to authenticate on all N devices is $FRR^N$, and the probability that the authorized user will fail to authenticate on exactly k out of N devices is $\binom{N}{k} FRR^k (1 - FRR)^{N-k}$. When the system policy requires success on k of the N devices, the probability of false rejection by the system is the probability of rejection by at least $N + 1 - k$ devices, so

$$FRR_{system} = \sum_{i=N+1-k}^{N} \binom{N}{i} FRR^i (1 - FRR)^{N-i} \tag{4.14}$$

and assuming $FRR \ll 1$,

$$FRR_{system} \approx \binom{N}{N+1-k} FRR^{N+1-k} \tag{4.15}$$

Then for n = N, when k = 1, $FAR_{system} = 2\,FAR$ and $FRR_{system} = FRR^2$. If FRR is 0.01, for example, a large decrease in $FRR_{system}$ is associated with a small increase in $FAR_{system}$. If we make k = 2, $FAR_{system} = FAR^2$ and $FRR_{system} = 2\,FRR$. With three devices and k = 2, we get $FAR_{system} = 3\,FAR^2$ and $FRR_{system} = 3\,FRR^2$. A substantial improvement in both FAR and FRR can be expected with three devices. Then if the single system error rate is 10%, the system error rate for two of three devices is 3%. If the single system error rate is 5%, the system error rate for two of three devices is 0.75%.

PAGE 110

4.4.2 Sum Rule

Suppose a group of biometric devices have normally distributed scores for both genuine users and impostors, with mean scores $\mu_g$ for genuine users, with variance $\sigma_g^2$, mean scores $\mu_f$ for impostors, with variance $\sigma_f^2$, and threshold T. For a single device, the FRR is the probability that a genuine user's score is less than T, or [5]

$$FRR = \Phi\left(\frac{T - \mu_g}{\sigma_g}\right) \tag{4.16}$$

and the FAR will be

$$FAR = \Phi\left(\frac{\mu_f - T}{\sigma_f}\right) \tag{4.17}$$

where $\Phi(x)$ is the cumulative distribution function for the normal distribution. Because both variance and mean are additive for normally distributed variables [5], if three biometric devices as described above are combined, the means will be $3\mu_g$ and $3\mu_f$, and the variances will be $3\sigma_g^2$ and $3\sigma_f^2$. If the threshold is adjusted to 3T, then the FRR and FAR become

$$FRR_{system} = \Phi\left(\frac{3T - 3\mu_g}{\sqrt{3}\,\sigma_g}\right) \tag{4.18}$$

$$FRR_{system} = \Phi\left(\frac{\sqrt{3}\,(T - \mu_g)}{\sigma_g}\right) \tag{4.19}$$

$$FAR_{system} = \Phi\left(\frac{3\mu_f - 3T}{\sqrt{3}\,\sigma_f}\right) \tag{4.20}$$

$$FAR_{system} = \Phi\left(\frac{\sqrt{3}\,(\mu_f - T)}{\sigma_f}\right) \tag{4.21}$$

There is no simple relationship between the values of the single system FRR and FAR, and those for a combination of three systems. If the original error rate was

PAGE 111

10%, corresponding to $1 - \Phi(1.3)$, the error rate becomes $1 - \Phi(1.3\sqrt{3})$, or 1.2%, an improvement over the error rate of 3% if the devices were combined by majority vote. With an original error rate of 5%, corresponding to $1 - \Phi(1.65)$, the error rate becomes $1 - \Phi(1.65\sqrt{3})$, or 0.2%, again superior to the 0.75% that would be obtained by combining the devices by majority vote.

4.5 Summary

Most testing of biometric authentication systems reported in the literature is carried out either by people presenting their own biometric features to the system in the proper manner, which is suitable for determination of FRR, but not FAR. Impostors can achieve much higher scores by somehow copying the biometric characteristics of the user they are attempting to impersonate. Therefore realistic testing must include attempting to find means to make and use copies of user's biometric features to authenticate. A variety of methods must be tried. Unless there is some reason for thinking that the method with the highest FAR will be impossible or very difficult for impostors, the highest FAR would probably be the best value to use to judge the security of a system.

We have carried out tests on four types of biometric devices, testing them in the normal way to determine FRR and by a variety of means to determine how high an FAR we can achieve.

Curves were fitted to the data from tests on the dynamic signature verification system, which was the only system under test that gave scores. Most curves had forms similar to what might have been expected. The form of the curves provides data that can be used for deriving a decision rule. Data for tracing of a user's signature by an impostor appear, on the basis of a very small amount of data, to be bimodal, with data points concentrated in two regions. If it is, improved performance can be attained by rejecting these regions.

PAGE 112

Two methods of combining the results of multiple biometric authentication systems to achieve lower error rates have been analyzed. The sum rule gives a greater improvement in accuracy than does majority vote. Unfortunately, the sum rule cannot be used with devices that do not give a score, which includes the fingerprint and iris systems being tested.
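The comparison made in sections 4.4.1 and 4.4.2, as an added example (not code from the thesis). It evaluates the exact k-of-N sums next to their leading-term approximations and generalizes the three-device sum-rule result to n devices; it assumes, as the text does, identical independent devices with normally distributed scores, and all function names are chosen here.

```python
from math import comb, sqrt
from statistics import NormalDist

PHI = NormalDist()  # standard normal; PHI.cdf is the Phi of eqs. 4.16-4.21


def vote_far(far, n, k):
    """Exact eq. 4.12: an impostor passes at least k of n devices."""
    return sum(comb(n, i) * far**i * (1 - far)**(n - i)
               for i in range(k, n + 1))


def vote_frr(frr, n, k):
    """Exact eq. 4.14: a genuine user fails at least n + 1 - k devices."""
    return sum(comb(n, i) * frr**i * (1 - frr)**(n - i)
               for i in range(n + 1 - k, n + 1))


def vote_far_approx(far, n, k):
    """Eq. 4.13: leading term only, reasonable when far << 1."""
    return comb(n, k) * far**k


def vote_frr_approx(frr, n, k):
    """Eq. 4.15: leading term only, reasonable when frr << 1."""
    return comb(n, n + 1 - k) * frr**(n + 1 - k)


def sum_rule_error(single_error, n):
    """Error rate after summing n scores with the threshold scaled to n*T.

    Eqs. 4.19 and 4.21 with sqrt(3) replaced by sqrt(n): the distance from
    threshold to mean, in standard deviations, grows by a factor sqrt(n).
    """
    z = PHI.inv_cdf(1 - single_error)   # single-device distance, e.g. ~1.28
    return 1 - PHI.cdf(z * sqrt(n))


def policy_table(far, frr, n):
    """(k, FAR_system, FRR_system) for every k-of-n voting policy."""
    return [(k, vote_far(far, n, k), vote_frr(frr, n, k))
            for k in range(1, n + 1)]


if __name__ == "__main__":
    for err in (0.10, 0.05):
        print(f"single-device error rate {err:.0%}, three devices")
        print(f"  2-of-3 vote, exact : {vote_far(err, 3, 2):.4%}")
        print(f"  2-of-3 vote, approx: {vote_far_approx(err, 3, 2):.4%}")
        print(f"  sum rule           : {sum_rule_error(err, 3):.4%}")
    print("k-of-3 policies at FAR = FRR = 10%:")
    for k, far_sys, frr_sys in policy_table(0.10, 0.10, 3):
        print(f"  k={k}: FAR {far_sys:.3%}  FRR {frr_sys:.3%}")
```

The sum-rule figure comes out slightly above the 1.2% quoted in the text because the code uses the exact 10% quantile (about 1.28) rather than the rounded 1.3.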

PAGE 113

CHAPTER 5
RESULTS AND DISCUSSION

Four biometric authentication systems; a dynamic signature verification system, a thumbprint system, an iris scan system, and a voice scan system, were tested. The voice scan system's performance was erratic. Because none of the individual biometric authentication systems had satisfactory FRR and FAR, a cascading system of multiple biometric devices with lower error rates was devised based on the dynamic signature verification system, thumbprint system, and iris scan system.

5.1 Softpro Dynamic Signature Verification

The user signs their name on a tablet (Wacom Graphire), and a biometric service provider (BSP), a piece of software, compares both the shape of the signature and the speed and pressure to an enrollment template. Dynamic and static match scores, which range from 0 to 100, are displayed on the screen, along with a "match" or "no match" message. A "match" message is displayed if both dynamic and static scores are at least 80. Thus, the software combines the two measurements according to equation 3.19, the "Min rule". The software complies with the BioAPI 1.1 standard, and makes a combined score available as specified by the API. This score is proportional to the sum of the static and dynamic scores. The measurements are thus being combined according to equation, the "Sum rule". Both static and dynamic score undergo an integer division by two before being added.

All 24 test subjects enrolled successfully with this device. Each time they came in for testing, test subjects made up to three attempts to authenticate.

PAGE 114

Spoofing methods included

(i) The impostor signs their own name.
(ii) The impostor knows the victim's username, but not the victim's name.
(iii) The impostor knows the victim's name, but does not see the victim's signature. The impostor will not know, for example, if the victim uses a middle initial.
(iv) The impostor sees the victim's signature.
(v) The impostor traces the victim's signature.

An additional spoofing method that was not tried would be for the impostor to watch the victim sign, and to mimic the movements of the victim, in an attempt to get similar pressure and velocity, in hope of achieving a high dynamic score.

There was only one attempt of type i, where the impostor signed her own name. The impostor and victim were twin sisters, with similar names. Annette Vizuete attempted to authenticate as Jeannette Vizuete by signing her own name. In three attempts her best score was .75 by the min rule and .82 by the sum rule. Probably few impostors could do so well with their own names.

Figures 5-1 to 5-6 show the scores from authentication attempts by both genuine users and impostors using methods ii to v. The FRR curves are obtained by plotting the cumulative fraction of genuine user scores vs. threshold. The FAR curves are obtained by plotting the fraction of impostor scores at or below the threshold. Equal error rates (EER), the point at which FAR and FRR are the same, are used to compare the curves in different plots. They are not necessarily the most desirable threshold level for actual use. Values in Table 5-1 show that a single attempt gives the lowest error rates, and three attempts gives higher error rates than two. There is little difference in EER between the "min rule," using the minimum of the dynamic and static scores, which is the criterion used by the

PAGE 115

Figure 5-1: Softpro signature match scores for genuine users and impostors, one attempt, sum rule.

Figure 5-2: Softpro signature match scores for genuine users and impostors, one attempt, min rule.

PAGE 116

Figure 5-3: Softpro signature match scores for genuine users and impostors, two attempts, sum rule.

Figure 5-4: Softpro signature match scores for genuine users and impostors, two attempts, min rule.

PAGE 117

Figure 5-5: Softpro signature match scores for genuine users and impostors, three attempts, sum rule.

Figure 5-6: Softpro signature match scores for genuine users and impostors, three attempts, min rule.

PAGE 118

Table 5-1: Equal error rates for dynamic signature verification

Impostor Method      Rule for     EER, One   Two        Three
                     Combining    Attempt    Attempts   Attempts
Tracing              Sum          47%        50%        59%
Viewing Signature    Sum          8%         15%        21%
Knowing Name         Sum          12%        36%        35%
Knowing Username     Sum          9%
Tracing              Min          48%        52%        58%
Viewing Signature    Min          8%         16%        25%
Knowing Name         Min          12%        37%        37%
Knowing Username     Min          11%

software to determine whether to display a "match" or "no match" message, and the "sum rule," where the sum of the static and dynamic scores is used. The "sum rule" score is the result provided by the software through the BioAPI interface. The attack with the highest FAR is tracing. It may not be difficult to get a signature of an authorized user to trace, so this is a serious weakness. The other methods all have much lower FARs. Surprisingly, knowing the authorized user's name, and even knowing the username, give higher FARs than viewing the authorized user's signatures.

In order to learn more about the distributions of scores for genuine users and for impostors using various methods, curves were fitted to the points of figures 5-1 to 5-6. Figures 5-1 to 5-2 are redrawn with the fitted curves in figures 5-7 to 5-8. Perhaps the most interesting feature of these figures is that the curve for tracing has two flat sections, which in a cumulative distribution indicates few or no data points. There are also two sections with a large slope, indicating many data points. This type of cumulative distribution corresponds to a bimodal distribution of data points. Figure 5-10 is a plot of number of data points vs. score, with the derivative of the curve fitted to the cumulative distribution, figure 5-7. The curve is bimodal, if not trimodal, and is a good fit to the data points. Note the single match score of three, which is discussed in more detail below. With this type

PAGE 119

Figure 5-7: Softpro signature match scores for genuine users and impostors, one attempt, sum rule, with fitted curves.

of distribution for impostor scores, it might be possible to improve performance by rejecting the steep regions of the cumulative distribution, or the peaks in its derivative, 5-7. Examination of the sum rule scores for one attempt in table B-2 shows that of ten attempts at tracing, five resulted in scores of 96 or higher, accounting for the steeper of the two regions with large slope, an additional four were from 66 to 79, accounting for the other region of large slope, and the single remaining point had a score of 3. Numbers and percentages of scores in various ranges for genuine users and four techniques used by impostors are given in table 5-4. If users with sum rule scores from 85 to 95 are accepted, there are no false acceptances due to tracing, but the FRR rises to 19.3% due to rejection of those authorized users with very high scores. However, impostors can still achieve a 13.3% FAR by knowing the name of the victim, so it is not very useful to eliminate so many high scores. If the range is widened to 85 to 96, the FAR for tracing

PAGE 120

Table 5-2: Equations fitted to genuine and impostor signature data for one attempt, sum rule, in Figure 5-7 above

Impostor Method   Equation
Genuine           $1 - \frac{0.95}{1 + \exp\left(\frac{x - .93}{0.0152}\right)}$
Tracing           $.023 + \frac{0.436}{1 + \exp\left(\frac{x - .982}{.00790}\right)} + \frac{0.432}{1 + \exp\left(\frac{x - .750}{0.0406}\right)}$
Viewing           $.862 \exp\left(\frac{0.304 - x}{0.156}\right)$
Knowing           $.940 + .459x - 8.84x^2 + 14.8x^3 - 7.37x^4$
Username          $0.827 \exp\left(\frac{0.203 - x}{0.277}\right)$

Figure 5-8: Softpro signature match scores for genuine users and impostors, one attempt, min rule, with fitted curves.

Table 5-3: Equations fitted to genuine and impostor signature data for one attempt, min rule, in Figure 5-8 above

Impostor Method   Equation
FRR               $0.991 - \frac{0.924}{1 + \exp\left(\frac{x - .874}{0.0271}\right)}$
Tracing           $0.101 + \frac{0.290}{1 + \exp\left(\frac{x - .971}{0.00750}\right)} + \frac{0.521}{1 + \exp\left(\frac{x - 0.628}{0.102}\right)}$
Viewing           $0.152 \exp\left(-\frac{x - 0.392}{0.422}\right)$
Knowing           $0.228 \exp\left(-\frac{x - 0.422}{0.560}\right)$
Username          $0.346 - 0.997x + 2.28x^2 - 1.90x^3$

PAGE 121

Figure 5-9: Softpro signature match scores for genuine users, one attempt, sum rule, with derivative of curve fitted to data points.

Figure 5-10: Softpro signature match scores for impostors tracing a genuine user's signature, one attempt, sum rule, with derivative of curve fitted to data points.

PAGE 122

Figure 5-11: Softpro signature match scores for impostors who know a genuine user's name, but do not have access to the user's signature, one attempt, sum rule, with derivative of curve fitted to data points.

Figure 5-12: Softpro signature match scores for impostors who look at a genuine user's signature while they copy it, one attempt, sum rule, with derivative of curve fitted to data points.

PAGE 123

Figure 5-13: Softpro signature match scores for impostors who know the username of a genuine user, but not their full name, and do not have access to their signature, one attempt, sum rule, with derivative of curve fitted to data points.

Figure 5-14: Softpro signature match scores for genuine users, one attempt, min rule, with derivative of curve fitted to data points.

PAGE 124

Figure 5-15: Softpro signature match scores for impostors tracing a genuine user's signature, one attempt, min rule, with derivative of curve fitted to data points.

Figure 5-16: Softpro signature match scores for impostors who know a genuine user's name, but do not have access to the user's signature, one attempt, min rule, with derivative of curve fitted to data points.

PAGE 125

Figure 5-17: Softpro signature match scores for impostors who look at a genuine user's signature while they copy it, one attempt, min rule, with derivative of curve fitted to data points.

Figure 5-18: Softpro signature match scores for impostors who know the username of a genuine user, but not their full name, and do not have access to their signature, one attempt, min rule, with derivative of curve fitted to data points.

PAGE 126

Table 5-4: Number and percent of sum scores in various ranges

                     Score range, sum rule
Type                 0-84          85-95         96           97-100
Genuine              4   7.0%      46  80.7%     3   5.3%     4   7.0%
Tracing              5   50.0%     0   0%        1   10.0%    4   40.0%
Viewing Signature    9   100%      0   0%        0   0%       0   0%
Knowing Name         13  86.7%     2   13.3%     0   0%       0   0%
Knowing Username     12  92.3%     1   7.7%      0   0%       0   0%

Table 5-5: Error rates for different decision rules

Error Type                Accept ≥85   Accept 85-95   Accept 85-96
FRR                       7.0%         19.3%          14.0%
FAR, Tracing              50%          0%             10%
FAR, Viewing Signature    0%           0%             0%
FAR, Knowing Name         13.3%        13.3%          13.3%
FAR, Knowing Username     7.7%         7.7%           7.7%

becomes 10%, still less than for knowing the user's name, which remains 13.3%. However, the FRR is reduced to 14.0%. With a larger amount of data, it would be possible to use a more sophisticated strategy for deriving a decision rule. If the distributions of impostor and user scores could be approximated by the Parzen window method, a method similar to that used by Prabhakar and Jain [43] for combining scores from fingerprint algorithms could be used. However, when there is no data point in a window, the density estimate will be zero. With our limited data, there might be regions in which both densities are zero.

The manner in which a user signs their name may be an important factor in dynamic signature verification. The victim in the tracing attempt that resulted in a sum score of 3, person e in table A-1, had an ornate signature, reminiscent of copperplate. When the author attempted to trace his signature, he attempted to keep the pen moving at a reasonable rate in order to have some hope of a reasonable dynamic score, and was unable to follow the signature with any degree of success. Attempts at forging his signature by other means also resulted in

PAGE 127

low scores. Attempting to forge his signature without having seen it, and only knowing his username, resulted in a dynamic score of 27 and a static score of 0, for a sum score of 13. When the impostor knew the victim's name, but had not seen his signature, the sum score on one try was 16. Three attempts were made by viewing the signature while copying it. The first sum score was 50, and the other attempts did not improve on it. Person e authenticated three times, achieving sum scores ranging from 93 to 96 on his first try each time. Thus he suffered no false rejections, and all impostors' attempts, totaling six attempts by four methods, failed.

If dynamic signature verification is used, choice of username might become a security issue. The high score when the impostor knew only the victim's username was 88, for a user whose username consisted of his first initial concatenated with his last name, with a common first name, Michael. If impostors can easily learn usernames, but cannot easily learn the full names of users, users should select usernames that do not reveal their last name. However, if impostors can easily learn the names of users, choice of a username is not important, because higher scores can be achieved from knowledge of the user's full name.

5.2 Biolink Biomouse

The Biomouse is a mouse with a built-in thumbprint scanner in the position where a right-handed user's thumb would naturally contact the mouse. It uses an optical scanner, and is said to incorporate an unspecified "liveness test" to defeat attacks by means of artifacts. Liveness tests can include tests for temperature or for a pulse. When it captures an image of a thumbprint, the image is displayed on the monitor. The mouse works with proprietary authentication software, and either grants or denies access to the system. For enrollment, the system acquires four images of the thumbprint, requiring the user to place their thumb on the scanner and remove it four times. All users enrolled successfully. False rejection rates are given in

PAGE 128

Table 5-6: False rejection rates

Device        Three Attempts   One Attempt
Thumbprint    0                10.7%
Iris          16.1%            28.1%
Voice         25.5%            46.8%

Table 5-7: False acceptance rates

Device        Method                          Successes/Attempts   FAR
Iris          Imposter's iris                 0/4                  0
              Photo of user's iris            0/9                  0
Thumbprint    Imposter's finger               0/1                  0
              Reactivate latent fingerprint   0/2                  0
              Capture fingerprint on tape     0/2                  0
              Silicone finger                 4/31                 12.9%
Voice         Imposter's phrase               3/5                  60%
              Victim's phrase                 4/4                  100%

Table 5-6. The false rejection rate on users' first attempt to authenticate was 10.7%, but when users were allowed three attempts, there were no false rejections. One user had a blister on his thumb when he enrolled, but was still able to enroll successfully, and to authenticate on his first try in subsequent weeks. Another user had a blister on the second authentication week, but was able to authenticate on his first try.

Results of spoofing attempts are given in Table 5-7. The Biolink mouse functions as an identification device, and users do not enter a username, so an authorized user cannot attempt to authenticate as another authorized user. A person who is not enrolled is in fact attempting to impersonate all enrolled users. There was one such attempt when there were 21 enrolled users. The impostor was rejected.

An attempt was made to reactivate latent prints left on the scanner by authorized users. When an impostor blew on a latent print, it became visible, but the scanner did not respond to it. Then, in another attempt to reactivate the latent fingerprint, a bag of warm water was placed against the scanner. Again, the

PAGE 129

scanner did not capture an image of the latent fingerprint, so the FAR for this method was 0. Next, two valid users pressed their thumbs against pieces of scotch tape. Thumbprints were visible on the tapes, but when the tapes were pressed against the scanner, it did not capture an image, so it was not possible to authenticate by this method. Finally, an authorized user pressed his thumb into soft wax, producing a three-dimensional fingerprint. This fingerprint was filled with silicone rubber. After it cured, it was removed from the wax. When this silicone finger was pressed against the fingerprint scanner, it did capture an image. Authentication with the silicone finger succeeded four out of 31 times, for a FAR of 12.9%. The failures were attributed to the scanner not capturing a complete image of the fingerprint.

5.3 Panasonic Authenticam

A special camera acquires an image of the user's iris with infrared illumination, and compares it to the enrollment template. An LED inside the camera guides the user in lining up their eye with the camera so that it can acquire an image. The software component of the authentication system only allows six users to be enrolled. For this reason, on the first week only a few test subjects could enroll. Before the second week of testing, the hard drive was divided into six partitions, and the operating system and Authenticam software were installed on each partition. Then all users who attempted to enroll succeeded, but two users required 10 minutes each to enroll, and one of these two only achieved a "marginal" enrollment. In both of the testing sessions in which he attempted to authenticate he failed. For all genuine users, the FRR was 28.1% for a single attempt, and 16.1% for three attempts. By equation 2.6, if the outcomes of three attempts were independent, the FRR for three attempts should be $0.281^3$, or 2.2%. It is clear

PAGE 130

that a person who fails the first attempt is much more likely to fail the next two attempts than the average user. Like the thumbprint mouse, the iris scan actually performs identification, comparing to the enrollment templates of all users. If one user attempts to authenticate as another user, they will instead be granted access to their own account. When an impostor who was not enrolled attempted to authenticate as her fraternal twin sister, she was rejected. For another attempt at spoofing, a close-up digital photo of the eye of an authorized user was printed on a color printer. The iris was cut out, and the impostor looked through the hole to line it up. The Authenticam acquired an image, but rejected the impostor. The photo used in the attempt did not appear as sharp as the iris images shown on the monitor when the Authenticam acquires images of real eyes. Thalheim et al. have succeeded in authenticating with an Authenticam by means of a photograph of an eye printed on mat paper with a high resolution inkjet printer, but they state that "under real life conditions it would not be easy to obtain iris images of authorized persons" [49]. In our tests, we were unsuccessful in spoofing the Authenticam, so it achieved a FAR of 0.

5.4 Voice Scan

Software extracts data from a spoken phrase recorded by a microphone and sound card. The result is compared to an enrollment template. The user must always use the same phrase, but it is claimed that the software analyzes unique characteristics of the user's voice. Our results with this software were poor. The FAR was 60%, and the FRR was 46.8%, indicating that imposters had slightly more success in authenticating than did authorized users. There are two likely reasons for the difficulties. First, the testing room had a noisy ventilation system. Second, the suggested method of adjusting the sensitivity of the sound card relied

PAGE 131

on a different version of software than that on our computer. Near the end of testing, the recording level was readjusted, and the results seemed to be much better, but it was too late to re-enroll the test subjects.

5.5 Multiple System Results

In order to achieve lower FAR and FRR than any of our individual devices, we desired to somehow combine the results of the iris, thumbprint, and signature devices. Use of the sum rule is not possible, because only the dynamic signature verification provides a score. However, we can use the thumbprint and iris results to divide our results into six subsets:
(1) accepted by iris and accepted by thumbprint on the first try,
(2) accepted by iris and accepted by thumbprint on the second or third try,
(3) accepted by iris and rejected by thumbprint after three tries,
(4) rejected by iris and accepted by thumbprint after one try,
(5) rejected by iris and accepted by thumbprint on the second or third try, and
(6) rejected by both iris and thumbprint after three tries.

Then we can determine a likelihood ratio (2.7) after Prabhakar and Jain [43] for each region. We had 31 authentication attempts in which the test subjects (genuine users) attempted to authenticate on the iris, thumbprint, and signature devices. We also had results on spoofing the devices. Because no impostors succeeded in authenticating on the iris scan, the likelihood ratio R is zero for regions 1 to 3, and any subject who authenticates on the iris scan can be immediately authenticated by the system, without even requiring an attempt on the other two devices. This cascading biometric authentication system will save time for users, reducing the cost of authentication. In our 31 authentication attempts on all three devices, 25, or 80.6%, authenticated on the iris scan.

PAGE 132

The other 19.4%, who failed the iris, could attempt to authenticate on the thumbprint device. In our test results, if these subjects were allowed three attempts, all the genuine users would pass; of course, if we had continued testing we would eventually expect to have some failures after three tries, but in our testing there were no such failures. This would leave no genuine users in region 6, and R in this region would be infinite, so any authentication attempt that fails three tries on the fingerprint could be rejected. Regions 4 and 5 would contain both genuine users and impostors. Because an impostor with a silicone finger bearing the thumbprint of an authorized user would have a 33.9% chance of authenticating in three tries, but if only one try is allowed the FAR would be 12.9%, R would be higher in region 5 than in region 4. Authentication attempts in region 4 would be allowed to continue with signature verification. A policy decision must be made on whether to allow users in region 5 to continue, to achieve a lower FRR at the expense of a higher FAR, or, if a lower FAR is judged more important, to reject them.

If subjects in regions 4 and 5 are allowed to continue with the signature verification, with the threshold set at .85 for the "Sum Rule" score, and if one attempt is allowed, we expect a FAR of 50% (assuming the imposter uses tracing) on the signature verification. All users among our 31 genuine attempts passed the signature on their first try, so this method would give a FRR of 0, but the FAR would be 0.50 × 0.339 = 17.0%. On the other hand, if only one thumbprint trial was allowed, one genuine user who had failed the iris would fail the thumbprint and be rejected. All those who passed the thumbprint would pass the signature in one trial, so the FRR would be 1/31 = 3.2%. The FAR, assuming the imposter uses a silicone finger and traces the signature, would be 0.5 × 0.129, or 6.5%.

PAGE 133

Table 5-8: Comparison of single biometric authentication systems with a cascading multiple biometric system. The highest false acceptance rate for each device is used.

Devices and Attempts Allowed       Signature
Iris    Thumbprint    Signature    Accept Range          FAR      FRR
        1                                                12.9%    10.7%
        3                                                33.9%    0
3                                                        0        16.1%
0       0             1            ≥ .85                 50%      7.0%
3       3             1            ≥ .85                 17.0%    0
3       1             1            ≥ .85                 6.5%     3.2%
0       0             1            .85 ≤ score ≤ .96     13.3%    14%
3       3             1            .85 ≤ score ≤ .96     4.5%     3.2%
3       1             1            .85 ≤ score ≤ .96     1.7%     6.5%

Alternatively, if signature scores from .85 through .96 are accepted, with higher and lower scores rejected, the signature FAR becomes 13.3%, assuming signature impostors now sign without tracing, and without looking at the signature while they sign, but know the victim's full name. With this decision rule, tracing only achieves a FAR of 10%. However, under this rule one attempt in region 4, with a sum score of .98, would be rejected. If users are permitted only one try on the thumbprint scan, the FRR will be 2/31 = 6.5%, and the FAR would be .129 × .133 = 1.7%. Alternatively, if users are permitted three tries on the thumbprint, only the user with the signature score of .98 will be rejected, for a FRR of 3.2%, and the FAR will be .339 × .133 = 4.5%. In Table 5-8, the FAR and FRR of individual devices and the combination of three devices are compared.

These data are from a limited amount of testing. It should be expected that some small number of genuine users would fail three attempts on the thumbprint. Also, it might be possible for a user with a good quality picture of a genuine user's iris to authenticate, as was done by Thalheim et al. [49].
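The cascade of section 5.5 and the four cascade rows of Table 5-8, as an added worked example (not code from the thesis). The single-device rates are the ones reported in this chapter; the per-attempt records are constructed so that only their totals match the text, and all function and variable names are assumptions introduced here.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Single-device rates reported in this chapter (Tables 5-5 and 5-7).
FAR_IRIS = 0.0                  # no impostor passed the iris scan
FAR_THUMB_ONE_TRY = 4 / 31      # silicone finger, one attempt (12.9%)
FAR_SIG_TRACING = 5 / 10        # tracing, signature sum score >= 85 accepted
FAR_SIG_KNOWN_NAME = 2 / 15     # impostor knows the name, 85..96 accepted

ACCEPT_GE_85 = (85, 100)        # plain threshold
ACCEPT_85_96 = (85, 96)         # band that also rejects very high scores


@dataclass(frozen=True)
class GenuineAttempt:
    iris_ok: bool               # accepted by the iris scan
    thumb_try: Optional[int]    # try on which the thumbprint matched, None = never
    sig_score: int              # first-attempt signature sum score, 0..100


def cascade_accepts(a: GenuineAttempt, thumb_tries: int,
                    sig_range: Tuple[int, int]) -> bool:
    """Iris accept ends the cascade; otherwise thumbprint AND signature must pass."""
    if a.iris_ok:
        return True
    if a.thumb_try is None or a.thumb_try > thumb_tries:
        return False
    low, high = sig_range
    return low <= a.sig_score <= high


def far_after_tries(far_one_try: float, tries: int) -> float:
    """FAR when an impostor gets several tries, assumed independent."""
    return 1.0 - (1.0 - far_one_try) ** tries


def cascade_far(thumb_tries: int, far_signature: float) -> float:
    """Impostor is accepted by the iris, or by thumbprint and signature together.

    Assumes, as the chapter does, that spoofing the two devices is independent.
    """
    far_thumb = far_after_tries(FAR_THUMB_ONE_TRY, thumb_tries)
    return FAR_IRIS + (1.0 - FAR_IRIS) * far_thumb * far_signature


def cascade_frr(attempts, thumb_tries: int, sig_range: Tuple[int, int]) -> float:
    rejected = sum(not cascade_accepts(a, thumb_tries, sig_range) for a in attempts)
    return rejected / len(attempts)


# Constructed records: only the totals come from the chapter (31 genuine attempts,
# 25 accepted by iris, one iris failure needing a second or third thumbprint try,
# one region-4 attempt with a signature sum score of 98). Other scores are invented.
GENUINE = (
    [GenuineAttempt(True, 1, 90)] * 25
    + [GenuineAttempt(False, 1, s) for s in (88, 91, 93, 95)]
    + [GenuineAttempt(False, 1, 98)]
    + [GenuineAttempt(False, 2, 92)]
)


def cascade_rows():
    """(thumb tries, signature range, FAR, FRR) for the four cascade configurations.

    Each signature rule is paired with its strongest signature attack, as in Table 5-8.
    """
    rows = []
    for sig_range, far_sig in ((ACCEPT_GE_85, FAR_SIG_TRACING),
                               (ACCEPT_85_96, FAR_SIG_KNOWN_NAME)):
        for thumb_tries in (3, 1):
            rows.append((thumb_tries, sig_range,
                         cascade_far(thumb_tries, far_sig),
                         cascade_frr(GENUINE, thumb_tries, sig_range)))
    return rows


if __name__ == "__main__":
    for tries, (low, high), far, frr in cascade_rows():
        print(f"thumb tries={tries} signature {low}-{high}: "
              f"FAR={far:.1%} FRR={frr:.1%}")
```

The FRR values come from replaying the joint outcomes, not from multiplying single-device FRRs, because a user who fails one device is not an average user on the next.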

PAGE 134

The other possibility for combining our three biometric systems would be a majority vote. This method would have two disadvantages over the cascading system. Firstly, users who successfully authenticated on the iris scan would still have to authenticate on one of the other devices. Among our 31 authentication attempts, one attempt which was successful on the iris scan required two signature attempts and three thumbprint attempts. Thus, unless the system were modified to allow two signature attempts, an additional user would suffer false rejection, raising the FRR by 3.2%, with no compensating decrease in the FAR. Secondly, the 83.9% of users who succeed on the iris system would be required to spend additional time attempting the thumbprint and signature systems. Thus, recognition of the different strengths and weaknesses of the individual systems allows improved performance in the combined system.

This cascading system would also be superior to the sum rule. If users who do well on the iris scan but get scores of 0 on the thumbprint and signature are to be accepted, as would be the case with the cascading system, the system threshold must be low enough that the iris score alone can reach the threshold. Then impostors who do well on either thumbprint or signature would be accepted, leading to a very high FAR. A weighted sum rule might be able to achieve better performance than the cascading system described above. It is certainly true that some information is lost in hardening the outputs of the iris and thumbprint systems. However, if scores were available for these devices it might be possible to modify the cascading scheme to use this information in its later stages.

5.6 Summary

From results in tables 5-6 and 5-7, three of the four devices show a real ability to distinguish between authorized users and impostors. However, none is completely satisfactory. The iris scan is difficult to spoof, but a FRR of 16.1%

PAGE 135

with three attempts is probably not acceptable. If users are allowed three attempts, none were rejected by the thumbprint mouse. However, if the FAR for a single attempt with a silicone thumb is 12.9%, from equation 2.5 for three attempts we would expect a FAR of $1 - (1 - 0.129)^3$, or 33.9%. If we allow only a single try at authentication, we have a FRR of 10.7% and a FAR of 12.9%, both of which might be unacceptably high.

With the signature device, the availability of scores allows an investigation of the behavior of the device. The attack that produces the highest FAR is tracing. A plot of the scores does not decrease monotonically, so an improvement in behavior might be possible by rejecting and accepting particular regions, rather than simply setting a threshold, and accepting everything above it. We might decide to allow one attempt, and use the "Sum Rule" score available through BioAPI. Then if we select a normalized threshold of 0.85, the FRR would be 7% and the FAR would be 50%, again unacceptable values. If scores from 85 through 96 are accepted, the FRR is 14% and the FAR is 13.3%, an improvement, but not good enough.

One possible way to improve the system is to combine scores from several systems. A cascading biometric authentication system is proposed, in which users start out with the iris scan. If they are successful, they are authenticated by the combined system, and need not proceed to the other systems. If they fail, they proceed to the thumbprint scan. If they fail again, they are rejected. Otherwise, if they succeed they attempt the dynamic signature verification. If they succeed here, they are accepted. Otherwise they are rejected. This system has better performance than any of the individual systems, and requires less effort of the majority of users, who succeed on the iris scan. Given that the thumbprint and iris systems do not provide a score, the only alternative would be a majority vote, which would have a higher FRR and would require more effort, because all users

PAGE 136

would have to attempt at least two devices. Even if scores were available from all devices, the cascading combining method would still have advantages over the sum rule.
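The signature decision rules of Tables 5-4 and 5-5, which accept or reject particular score regions instead of applying a single threshold, worked as an added example (not code from the thesis). The bin counts are copied from Table 5-4; the function names and the exhaustive search are assumptions introduced here, and the search goes slightly beyond the text by scoring every combination of score bins on its worst-case FAR across the four attacks.

```python
from fractions import Fraction
from itertools import combinations

# Sum-rule score bins and counts per bin, copied from Table 5-4.
BINS = ("0-84", "85-95", "96", "97-100")
COUNTS = {
    "Genuine":           (4, 46, 3, 4),
    "Tracing":           (5, 0, 1, 4),
    "Viewing Signature": (9, 0, 0, 0),
    "Knowing Name":      (13, 2, 0, 0),
    "Knowing Username":  (12, 1, 0, 0),
}


def rates(accepted_bins):
    """Return (FRR, {attack: FAR}) for a rule that accepts exactly these bins."""
    idx = [BINS.index(b) for b in accepted_bins]

    def accepted_fraction(counts):
        return Fraction(sum(counts[i] for i in idx), sum(counts))

    frr = 1 - accepted_fraction(COUNTS["Genuine"])
    far = {name: accepted_fraction(c)
           for name, c in COUNTS.items() if name != "Genuine"}
    return frr, far


def worst_attack(far):
    """The attack an impostor would pick: the one with the highest FAR."""
    name = max(far, key=far.get)
    return name, far[name]


def best_rule(max_frr):
    """Search all 16 accept-sets of bins.

    Among rules with FRR <= max_frr, minimise the worst-case FAR and break
    ties on the lower FRR. Returns the accepted bins, or None if no rule fits.
    """
    best = None
    for size in range(len(BINS) + 1):
        for bins in combinations(BINS, size):
            frr, far = rates(bins)
            if frr > max_frr:
                continue
            key = (worst_attack(far)[1], frr)
            if best is None or key < best[0]:
                best = (key, bins)
    return best[1] if best else None


if __name__ == "__main__":
    for label, bins in (("Accept >= 85", ("85-95", "96", "97-100")),
                        ("Accept 85-95", ("85-95",)),
                        ("Accept 85-96", ("85-95", "96"))):
        frr, far = rates(bins)
        name, value = worst_attack(far)
        print(f"{label}: FRR={float(frr):.1%}, worst FAR={float(value):.1%} ({name})")
    print("best rule with FRR <= 20%:", best_rule(Fraction(1, 5)))
```

With so few impostor samples per attack the ranking is fragile: one extra tracing score in the 85-95 bin would change which rule wins.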

PAGE 137

CHAPTER 6
CONCLUSIONS AND FUTURE WORK

Theoretical analysis shows that combining multiple biometric systems can give improved performance, and that use of the sum rule to combine scores should give a greater improvement than majority voting.

Improved performance has been achieved by using multiple biometric systems in a cascade architecture. The system is designed taking into account the strengths and weaknesses of individual component systems. Users first attempt to authenticate with the iris scan. Because there were no false acceptances with the iris scan, if they are successful, they are authenticated by the combined system, and need not proceed to the other systems. If they fail, they proceed to the thumbprint scan. If they fail again, they are rejected. Otherwise, if they succeed they attempt the dynamic signature verification. If they succeed here, they are accepted. Otherwise they are rejected. This system has better performance than any of the individual systems, and requires less effort of the majority of users, who succeed on the iris scan. When three tries are allowed for the thumbprint and a range of high scores with a high concentration of impostor scores is rejected by the dynamic signature verification system, an FAR of 4.5% and FRR of 3.2% would be achieved by an impostor using a silicone copy of a user's fingerprint and attempting to forge the signature from a knowledge of the user's name. Other methods that we tested would give lower values of the FAR at the expense of a higher FRR. Such a combined system should assist users, who can still authenticate if they fail a single test, and make life harder for attackers, who must contrive to be accepted by two systems instead of just one. This cascading scheme is superior to majority voting and to the sum rule, unless weighting is used. Weighting the scores in

PAGE 138

the sum rule is one way of taking into account the unique features of the individual biometric systems in order to combine them in a better way.

Generally biometric authentication systems use complicated methods to extract and compare features in order to arrive at a score, which is related to the system's level of confidence that the biometric information came from the user in question. Then a decision rule usually accepts all scores above some threshold, and rejects all scores below the threshold. By fitting curves to dynamic signature verification data, we have found that data can have a wide variety of distributions. The shape of the curves provides information that can be used to design a decision rule. Regions of the genuine user curve with high slope contain many genuine users, and should be accepted, while flat regions contain few or no genuine users, and should be rejected. Regions of an impostor curve with a large slope contain many impostor scores, and should be rejected, while flat regions contain few or no impostors and should be accepted. When there are several impostor curves for different attacks, the curve with the highest FAR should be given the most attention in designing the decision rule. In one case the data seemed to follow a bimodal distribution, with data points concentrated in two relatively narrow regions, one of which was at a very high score, so that it would normally be accepted. With this kind of distribution, we were able by rejecting very high scores to achieve a large decrease in FAR at the expense of a relatively small increase in FRR. Further study of the scores produced by biometric systems may show that certain ranges or patterns of scores probably come from an impostor, and more complex decision rules may allow improved performance.

Developers and administrators of biometric authentication systems need to be aware of the "principle of easiest penetration." Measurement and reporting of FAR, in particular, requires caution. We have shown that the FAR depends on the method used by the impostor, and in some cases large FAR can be achieved

PAGE 139

by simple means. If test subjects simply claim another user's identity and present their own fingerprint, iris, etc., a low FAR may be measured. This FAR could give a false sense of security to those who deploy the system unless they also test it against artifacts such as silicone copies of users' fingerprints.

A wide range of biometric authentication systems, measuring a variety of features, are either commercially available, or under development. Biometric features that seem to have a large amount of information unique to the individual include fingerprint, iris scan, retina scan and infrared face scan. Of these four, fingerprint, even when equipped with some sort of "liveness check" to attempt to defeat use of artifacts, seems to be susceptible to spoofing by a variety of methods. Perhaps the most difficult of these to detect would be a copy of an authorized user's fingerprint in a thin sheet of gelatin attached to the finger. Such an artifact would be at body temperature, and the resistance can be adjusted by moistening it, so it can defeat "liveness checks." Iris scan has been spoofed successfully [49], but not by us. Attempts could be made to spoof the iris scan with a better quality photograph of a user's iris. If the system detects natural iris movement, it may be difficult to spoof, although it might still be possible with a video of an authorized user's eye replayed on a suitable display, rather than a still picture.

Dynamic signature verification was found to be quite susceptible to attack by tracing of an authorized user's signature. Signatures can often be found on documents such as letters. However, a user with a complex signature was relatively immune to the attacks attempted in this work. Users of signature biometrics should take precautions to protect their signature. They might also want to develop a more complex signature. Further study of the effect of characteristics of the signature on the FAR distribution would be interesting.

Systems may also be susceptible to replay attacks and theft of biometric information. Protection of biometric systems against replay and theft of biometric

PAGE 140

information requires that the biometric hardware and the computer should mutually authenticate. If templates are stored on a central database, the database should also mutually authenticate with the other components. The authentication protocol should include precautions against replay attacks, such as use of a nonce. Information passed from one part of the system to another should be encrypted, because theft of biometric data is more serious than theft of passwords. Passwords can be changed, but fingerprints cannot. The use of a smart card to authenticate the biometric system before presenting biometric data is an interesting way of preventing compromise of one's biometric data.

Further testing is needed to more accurately characterize the systems we have studied. A larger number of tests by genuine users could increase the accuracy of the results. Further efforts at spoofing might increase the FARs achieved. It would also be interesting to investigate other systems that could be combined with a minimum of hardware and user effort. For example, the Panasonic Authenticam can be used as a camera for videoconferencing. It would also be interesting to use it to incorporate facial recognition.

Integration of biometric systems into an authentication system that combines biometrics would be facilitated if more manufacturers would offer the software component of their system as a BSP that complies with the BioAPI standard. The number of such systems listed on the BioAPI website is growing, but at the time of our experiments a number of the organizations listed were no longer in existence, and others were unwilling to allow use of their BSP.

PAGE 141

REFERENCES

[1] E. L. Baggett, "The standards applied to the admission of soft science experts in state courts," American Journal of Trial Advocacy, vol. 26, no. 1, pp. 149-183, 2002.
[2] C. Beavan, Fingerprints: The Origin of Crime Detection and the Murder Case That Launched Forensic Science. Hyperion Press, May 2001, cited in Pollak, March 13, 2002.
[3] The BioAPI Consortium [Online]. Available: http://www.bioapi.org/, accessed August 2003.
[4] The BioAPI Consortium, (2001, Mar. 16) BioAPI specification version 1.1 [Online]. Available: http://www.bioapi.org/BIOAPI1.1.pdf, accessed August 2003.
[5] M. G. Bulmer, Principles of Statistics. New York: Dover Publications, Inc., 1979.
[6] J. P. Campbell, "Speaker recognition," in Biometrics: Personal Identification in Networked Society, Kluwer International Series in Engineering and Computer Science, A. K. Jain, R. Bolle, and S. Pankanti, Eds., New York, 2002, vol. SECS 479, pp. 165-190 [Online]. Available: http://emedia.netlibrary.com/reader/reader.asp?product_id=69518, accessed October, 2003.
[7] L. Chen, S. Pearson, and A. Vamvaleas, "A trusted biometric system," HP Laboratories Bristol, Tech. Rep., July 15 2002. [Online]. Available: http://www.hpl.hp.com/techreports/2002/HPL-2002-185.pdf, accessed November 2003.
[8] J. Daugman, "Recognizing persons by their iris patterns," in Biometrics: Personal Identification in Networked Society, Kluwer International Series in Engineering and Computer Science, A. K. Jain, R. Bolle, and S. Pankanti, Eds., New York, 2002, vol. SECS 479, pp. 103-122 [Online]. Available: http://emedia.netlibrary.com/reader/reader.asp?product_id=69518, accessed October 2003.
[9] (1998, Apr. 22) Interface specification: Human authentication - application program interface (ha-api) ver 2.0. Department of Defense. [Online]. Available: http://www.biometrics.org/REPORTS/HAAPI20/, accessed September 2003.

PAGE 142

[10] U. Dieckmann, P. Plankensteiner, and T. Wagner, "SESAM: A biometric person identification system using sensor fusion," Pattern Recognition Letters, vol. 18, pp. 827-833, 1997.
[11] B. A. Draper, C. E. Brodley, and P. E. Utgoff, "Goal-directed classification using linear machine decision trees," IEEE Trans. Pattern Anal. Machine Intell., vol. 16, pp. 888-893, Sept. 1994.
[12] B. Duc, E. S. Bigun, J. Bigun, G. Maître, and S. Fischer, "Fusion of audio and video information for multimodal person authentication," Pattern Recognition Letters, vol. 18, pp. 835-843, 1997.
[13] R. O. Duda, P. E. Hart, and D. C. Stork, "Nonparametric techniques," in Pattern Classification, 2nd ed. New York: John Wiley and Sons, Inc., pp. 161-177, 2001.
[14] M. Esser. Biometric authentication. University of Maryland Management Information Systems, October, 2000 [Online]. Available: http://faculty.ed.umuc.edu/~meinkej/inss690/messer/Paper.htm#, accessed August, 2003.
[15] H. Faulds, "On the skin-furrows of the hand," Nature Magazine, Oct. 8 1880. [Online] Available: http://www.clpex.com/Articles/History/Faulds1880.htm, accessed October 2003.
[16] F. Galton, "Personal identification and description," Nature, pp. 201-202, June 28 1888 [Online]. Available: http://www.mugu.com/galton/. accessed Nov. 21, 2003.
[17] F. Galton, Finger Prints. London: Macmillan and Co., 1892 [Online]. Available: http://etext.lib.virginia.edu/railton/wilson/galtonfp.html, accessed September 2003.
[18] D. Hawkins, "Body of evidence," US News & World Report, pp. 60-62, Feb. 18 2002.
[19] R. Hill, "Retina identification," in Biometrics: Personal Identification in Networked Society, Kluwer International Series in Engineering and Computer Science, A. K. Jain, R. Bolle, and S. Pankanti, Eds., New York, vol. SECS 479, pp. 123-142, 2002 [Online]. Available: http://emedia.netlibrary.com/reader/reader.asp?product_id=69518, accessed October 2003.
[20] L. Hong and A. K. Jain, "Multimodal biometrics," in Biometrics: Personal Identification in Networked Society, Kluwer International Series in Engineering and Computer Science, A. K. Jain, R. Bolle, and S. Pankanti, Eds., New York, vol. SECS 479, pp. 327-433, 2002 [Online]. Available:

PAGE 143

http://emedia.netlibrary.com/reader/reader.asp?product_id=69518, accessed October 2003.
[21] International Biometrics, Inc. What is biometric authentication? [Online]. Available: http://www.inbiometrics.com/information.htm#, accessed June 2003.
[22] International Biometrics, Inc. Level 1, 2 and 3 details... a thumbnail explanation of terms coined by David Ashbaugh. September 13, 1999 [Online]. Available: http://onin.com/fp/level123.html, accessed June 2003.
[23] A. K. Jain, R. P. W. Duin, and J. Mao, "Statistical pattern recognition: A review," IEEE Trans. Pattern Anal. Machine Intell., vol. 22, pp. 4-37, Jan. 2000.
[24] A. K. Jain, L. Hong, S. Pankanti, and R. Bolle, "An identity-authentication system using fingerprints," Proceedings of the IEEE, vol. 85, pp. 1365-1388, Sept. 1997.
[25] P. Jourlin, J. Luettin, D. Genoud, and H. Wassner, "Acoustic-labial speaker verification," Pattern Recognition Letters, vol. 18, pp. 853-858, 1997.
[26] C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World, 2nd ed. Upper Saddle River, New Jersey: Prentice Hall PTR, 2002, pp. 238-250.
[27] J. Kittler, M. Hatef, R. P. W. Duin, and J. Matas, "On combining classifiers," IEEE Trans. Pattern Anal. Machine Intell., vol. 20, pp. 226-239, Mar. 1998.
[28] J. Kittler, J. Matas, K. Jonsson, and M. U. R. Sanchez, "Combining evidence in personal identity verification systems," Pattern Recognition Letters, vol. 18, pp. 845-852, 1997.
[29] G. Langenburg. Re: Re: Re: South carolina's daubert, August 5, 2003 [Online]. Available: http://www.clpex.com/board/threads/2003-Jul-31/476/491.htm, accessed September, 2003.
[30] G. Levin, "Real world, most demanding biometric system usage." Arlington, Virginia: The Biometric Consortium Conference, Feb. 13-15, 2002 [Online]. Available: http://www.itl.nist.gov/div895/isis/bc/bc2001/FINAL_BCFEB02/FINAL_4_FINALGordonLevinBrief.pdf, accessed September 2003.
[31] R. D. Luce and H. Raiffa, Games and Decisions: Introduction and Critical Survey. New York: Dover Publications, Inc., 1957, 1989.
[32] A. J. Mansfield and J. L. Wayman, "Best practices in testing and reporting performance of biometric devices," National Physical Laboratory, Queens Road, Teddington, Middlesex, TW11 0LW, Tech. Rep., Aug. 2002. [Online] Available:

PAGE 144

131 http://homepage.ntlworld.com/avanti/bestpractice.pdf ,accessedNovember2002. [33] MPCComputers,LLC.[Online].Available: http://www.buympc.com/home/store/notebooks/overview_transport.html ,accessedSeptember2003. [34] V.S.Nalwa,Automaticon-linesignatureverication,"inBiometrics:PersonalIdenticationinNetworkedSociety,KluwerInternationalSeriesinEngineeringandComputerScience,A.K.Jain,R.Bolle,andS.Pankanti,Eds.,NewYork,vol.SECS479,pp.143{164,2002[Online].Available: http://emedia.netlibrary.com/reader/reader.asp?product_id=69518 ,accessedOctober2003. [35] S.Nanavati,M.Thieme,andR.Nanavati,Biometrics:IdentityVericationinaNetworkedWorld.NewYork:JohnWiley&Sons,Inc.,2002. [36] R.E.Newman,UniversityofFloridaComputerandInformationScienceandEngineeringDepartment,Sept.2003,classlecture,CryptographicProtocols. [37] L.O'Gorman,Fingerprintverication,"inBiometrics:PersonalIdenticationinNetworkedSociety,KluwerInternationalSeriesinEngineeringandComputerScience,A.K.Jain,R.Bolle,andS.Pankanti,Eds.,NewYork,vol.SECS479,pp.43{64,2002[Online].Available: http://emedia.netlibrary.com/reader/reader.asp?product_id=69518 ,accessedOctober2003. [38] O.O'Sullivan.Biometricscomestolife.AmericanBankersAssociation,January1997[Online].Available: http://www.banking.com/aba/cover_0197.htm ,accessedMay2003. [39] C.P.Peeger,SecurityinComputing,2nded.UpperSaddleRiver,NewJersey:PrenticeHallPTR,pp.254{264,2000. [40] J.Pollak,UnitedStatesv.Plaza.UnitedStatesDistrictCourtfortheEasternDistrictofPennsylvania,January7,2002[Online].Available: http://www.paed.uscourts.gov/documents/opinions/02D0046P.HTM ,accessedJuly2003. [41] ||.UnitedStatesv.Plaza.UnitedStatesDistrictCourtfortheEasternDistrictofPennsylvania,March13,2002[Online].Available: http://www.paed.uscourts.gov/documents/opinions/02D0182P.HTM ,accessedJuly2003. 
[42] ||.Unitedstatesv.plaza.UnitedStatesDistrictCourtfortheEasternDistrictofPennsylvania.TestimonyofWilliamBabler,January7,2002[Online].Available: http://www.paed.uscourts.gov/documents/opinions/02D0046P.HTM ,accessedJuly2003.

PAGE 145

132 [43] S.PrabhakarandA.K.Jain,Decision-levelfusioninngerprintverication,"PatternRecognition,vol.35,pp.861{874,2002. [44] F.J.ProkoskiandR.B.Riedel,Infraredidenticationoffacesandbodyparts,"inBiometrics:PersonalIdenticationinNetworkedSociety,KluwerInternationalSeriesinEngineeringandComputerScience,A.K.Jain,R.Bolle,andS.Pankanti,Eds.,NewYork,vol.SECS479,pp.191{212,2002[Online].Available: http://emedia.netlibrary.com/reader/reader.asp?product_id=69518 ,accessedSeptember2003. [45] RetinalTechnologies[Online].Available: http://www.retinaltech.com/index.html ,accessedSeptember2003. [46] A.R.RoddyandJ.D.Stosz,Fingerprintfeatures{statisticalanalysisandsystemperformanceestimates,"ProceedingsoftheIEEE,vol.85,pp.1390{1421,Sept.1997. [47] B.Schneier.Funwithngerprintreaders,2002[Online].Available: http://www.counterpane.com/crypto-gram-0205.html#5 ,accessedAugust2003. [48] J.StanleyandB.Steinhardt,Drawingablank:ThefailureoffacialrecognitiontechnologyinTampa,Florida.ACLU,January3,2002[Online].Available: http://archive.aclu.org/issues/privacy/drawing_blank.pdf ,accessedSeptember2003. [49] L.Thalheim,J.Krissler,andP.-M.Ziegler.Bodycheck.VerlagHeinzHeise,November2002[Online].Available: http://www.heise.de/ct/english/02/11/114/ ,accessedSeptember2002. [50] C.Tilton.Biometricstandardsreportno.1.InternationalBiometricIndustryAssociation,May7,1999[Online].Available: http://www.ibia.org/apibull.htm ,accessedSeptember2003. [51] UnitedStatesv.Mitchell,dauberthearingtranscript,day3.UnitedStatesDistrictCourtfortheEasternDistrictofPennsylvania,July9,1999[Online].Available: http://www.clpex.com/Information/USvMitchell/2DaubertHearingTranscripts/US_v_Mitchell_Daubert_Hearing_Day_3.pdf ,accessedJuly2003. 
[52] J.J.WengandD.L.Swets,Facerecognition,"inBiometrics:PersonalIdenticationinNetworkedSociety,KluwerInternationalSeriesinEngineeringandComputerScience,A.K.Jain,R.Bolle,andS.Pankanti,Eds.,NewYork,vol.SECS479,pp.65{86,2002[Online].Available: http://emedia.netlibrary.com/reader/reader.asp?product_id=69518 ,accessedSeptember2003.

PAGE 146

133 [53] R.P.Wildes,Irisrecognition:Anemergingbiometrictechnology,"ProceedingsoftheIEEE,vol.85,pp.1348{1363,Sept.1997. [54] J.M.Williams,Biometricsor...biohazards?"inProceedingsNewSecurityParadigmsWorkshop2002,C.F.HempelmannandV.Raskin,Eds.VirginaBeach,VA:AssociationforComputingMachinerySpecialInterestGrouponSecurity,Audit,andControl,Sept.23{262002,pp.97{107. [55] R.L.Zunkel,Handgeometrybasedverication,"inBiometrics:PersonalIdenticationinNetworkedSociety,KluwerInternationalSeriesinEngineeringandComputerScience,A.K.Jain,R.Bolle,andS.Pankanti,Eds.,NewYork,vol.SECS479,pp.87{102,2002[Online].Available: http://emedia.netlibrary.com/reader/reader.asp?product_id=69518 ,accessedSeptember2003.

APPENDIX A
TEST SUBJECTS

Table A-1: Test subjects

Columns: Test Subject, Age, Height, Weight, Sex (some cells are blank in the source)

a m
b f
c m
d m
e 21 68 m
f 22 72 175 m
g 22 65 128 f
h 23 69 180 m
i 46 72 170 m
j 19 71 155 m
k 21 72 168 m
l 22 67 185 m
m 20 70 m
n 19 65 155 f
o 47 72 195 m
p 21 69 160 m
q 22 67 132 m
r 23 62 108 f
s 21 70 190 m
t 72 m
u 22 68 m
v 22 63 130 f
w 22 61 130 f
x 20 67 180 m

APPENDIX B
DYNAMIC SIGNATURE VERIFICATION DATA

Table B-1: Signature genuine scores

Columns: Person; Date; Time; Signature Scores for Trial 1, Trial 2, Trial 3 (Dyn., Stat. for each trial made); Result (1 = pass; 0 = fail); Min Rule (1 try, 2, 3); Sum Rule (1 try, 2, 3)

a 88 100 1 88 8 8 94 4 4
a 3/25 1450 90 100 1 90 0 0 95 5 5
b 2/20 945 91 100 1 91 1 1 95 5 5
c 2/20 91 100 1 91 1 1 95 5 5
c 2/27 1739 99 100 1 99 9 9 99 9 9
c 3/20 1720 94 100 1 94 4 4 97 7 7
d 2/13 1222 89 100 1 89 9 9 94 4 4
d 2/20 1206 70 100 55 100 79 100 0 70 70 79 85 85 89
e 2/11 1733 86 100 1 86 6 6 93 3 3
e 2/27 1752 93 100 1 93 3 3 96 6 6
e 3/25 1748 90 100 1 90 0 0 95 5 5
f 2/11 1015 87 100 1 87 7 7 93 3 3
f 2/20 1000 83 100 1 83 3 3 91 1 1
g 2/13 1005 83 100 1 83 3 3 91 1 1
g 2/20 945 83 100 1 83 3 3 91 1 1
h 2/13 1000 87 100 1 87 7 7 93 3 3
h 2/20 945 87 100 1 87 7 7 93 3 3
i 2/13 1615 88 100 1 88 8 8 94 4 4
i 2/20 1600 89 100 1 89 9 9 94 4 4
i 3/20 1600 89 100 91 100 91 100 1 89 91 91 94 95 95
i 3/27 1640 88 100 1 88 8 8 94 4 4
j 2/13 1738 91 100 1 91 1 1 95 5 5
k 2/11 1250 84 95 1 84 4 4 89 9 9
k 2/20 1220 85 100 1 85 5 5 92 2 2
k 3/18 92 98 1 92 2 2 95 5 5
l 2/11 1415 95 98 1 95 5 5 96 6 6
l 2/20 1420 79 100 71 98 92 80 1 79 79 80 89 89 89
l 3/20 89 94 1 89 9 9 91 1 1
m 2/11 1728 85 99 1 85 5 5 91 1 1
m 2/27 1804 86 100 1 86 6 6 93 3 3
m 3/25 1756 86 100 1 86 6 6 93 3 3
n 2/13 1000 47 100 34 98 0 47 7 73 3
n 2/20 945 70 1 75 5 60 94 0 1 5 60 35 39 77
o 2/14 1600 95 90 1 90 0 0 92 2 2
p 2/11 1749 82 100 1 82 2 2 91 1 1
p 3/25 1802 83 98 1 83 3 3 90 0 0
q 2/13 1600 87 100 1 87 7 7 93 3 3
q 2/20 1600 85 100 1 85 5 5 92 2 2
q 3/20 1600 96 100 1 96 6 6 98 8 8
r 2/11 1500 83 100 1 83 3 3 91 1 1
r 2/18 1500 83 100 1 83 3 3 91 1 1
r 3/18 1500 87 100 1 87 7 7 93 3 3
r 3/25 84 100 1 84 4 4 92 2 2
s 2/11 1500 82 100 1 82 2 2 91 1 1
s 2/18 1500 88 100 1 88 8 8 94 4 4
t 2/13 1400 94 100 1 94 4 4 97 7 7
t 2/21 1240 86 100 1 86 6 6 93 3 3
t 3/19 1240 87 100 1 87 7 7 93 3 3
u 2/11 1740 89 100 1 89 9 9 94 4 4
u 2/27 1746 90 100 1 90 0 0 95 5 5
u 3/25 1734 93 100 1 93 3 3 96 6 6
v 2/20 1250 75 100 86 100 1 75 5 5 87 93 3
w 2/13 1734 85 100 1 85 5 5 92 2 2
x 2/11 1710 90 100 1 90 0 0 95 5 5
x 2/18 1713 88 100 1 88 8 8 94 4 4
x 3/18 1735 53 100 94 100 1 53 94 4 76 97 7
x 3/25 1809 99 12 90 100 1 12 90 0 55 95 5

Table B-2: Signature impostor scores, tracing

Columns: Impostor; Victim; Date; Time; Signature Scores for Trial 1, Trial 2, Trial 3 (Dyn, Sta for each trial made); Result; Min Rule (1 try, 2, 3); Sum Rule (1 try, 2, 3)

a w 2/28 1130 69 65 56 93 78 100 0 65 65 78 66 74 89
a v 2/28 1130 55 100 69 100 0 55 69 9 77 84 4
a w 3/18 1500 99 100 1 99 9 9 99 9 9
a w 99 100 76 98 1 99 99 9 99 99 9
a v 49 100 48 92 57 100 0 49 49 57 74 74 78
r w 3/18 1500 94 99 1 94 4 4 96 6 6
r w 94 100 94 100 1 94 94 4 97 97 7
r v 97 100 79 100 79 100 1 97 97 97 98 98 98
r a 71 89 55 98 75 100 0 71 71 75 79 79 87
i e 3/27 6 0 0 0 3

Table B-3: Signature impostor scores, impostor looks at victim's signature and copies it.

Columns: Impostor; Victim; Date; Time; Signature Scores for Trial 1, Trial 2, Trial 3 (Dyn, Sta for each trial made); Result; Min Rule (1 try, 2, 3); Sum Rule (1 try, 2, 3)

a w 57 7 0 7 31
p u 3/25 1800 73 0 73 4 28 0 0 0 4 4 36 38 38
m u 3/25 1800 77 34 68 13 74 76 0 34 34 74 55 55 75
e u 3/25 1800 68 0 70 0 68 0 0 0 0 0 34 35 35
q a 3/20 1600 63 0 0 0 31
q n 3/20 1600 76 0 0 0 38
x m 3/25 1800 99 50 95 82 96 99 1 50 82 96 74 88 97
r w 3/18 1500 78 0 0 0 39
u e 3/25 1800 0 100 0 99 0 100 0 0 0 0 50 50 50

Table B-4: Signature impostor scores, impostor knows name of victim but has not seen signature.

Columns: Impostor; Victim; Date; Time; Signature Scores for Trial 1, Trial 2, Trial 3 (Dyn, Sta for each trial made); Result; Min Rule (1 try, 2, 3); Sum Rule (1 try, 2, 3)

r y 3/18 1500 99 30 0 30 64
a s 88 0 0 0 44
a q 0 45 0 0 22
a e 33 0 0 0 16
a n 74 0 0 0 37
r k 3/18 1500 76 0 0 0 38
i b 3/17 36 0 0 0 18
i o 3/17 0 0 0 0 0
i q 3/17 46 0 0 0 23
i s 3/17 88 100 1 88 94
i y 3/17 74 100 96 100 1 74 96 6 87 98 8
i x 3/20 53 7 64 7 55 61 0 7 7 55 29 35 57
i w 3/17 66 30 0 30 48
i v 3/20 71 94 79 99 77 87 0 71 79 79 82 88 88
i p 3/20 85 9 89 0 85 0 0 9 9 9 46 46 46

Table B-5: Signature impostor scores, impostor knows only the username of the victim.

Columns: Impostor; Victim; Date; Time; Signature Scores for Trial 1, Trial 2, Trial 3 (Dyn, Sta for each trial made); Result; Min Rule (1 try, 2, 3); Sum Rule (1 try, 2, 3)

i e 3/17 27 0 0 0 13
i p 3/17 87 0 0 0 43
i r 3/17 78 0 0 0 39
i m 3/17 98 0 0 0 49
i k 3/17 75 0 0 0 37
i c 3/17 78 0 0 0 39
i n 3/17 60 0 0 0 30
i l 3/17 75 0 0 0 37
i u 3/17 76 100 65 92 0 76 76 88 88
i z 3/17 79 63 0 63 70
i t 3/17 72 5 0 5 38
i g 3/17 90 26 0 26 58
i x 3/17 41 0 0 0 20

APPENDIX C
RESULTS OF AUTHENTICATION ATTEMPTS ON MULTIPLE DEVICES

Table C-1: Authentication attempts in which the user attempted on fingerprint, signature, and iris systems. A 1 in the success column indicates success within three attempts, and a 0 indicates failure.

Fingerprint        | Signature                                           | Iris
Attempts  Success  | 1 try      2 tries     3 tries     Success          | Attempts  Success
                   | Dyn  Sta   Dyn  Sta    Dyn  Sta                     |
1         1        | 90   100   0    0      0    0      1                | 1         1
1         1        | 88   100   0    0      0    0      1                | 1         1
1         1        | 86   100   0    0      0    0      1                | 1         1
1         1        | 87   100   0    0      0    0      1                | 1         1
1         1        | 99   100   0    0      0    0      1                | 1         1
1         1        | 70   100   55   100    79   100    0                | 1         1
3         1        | 93   100   0    0      0    0      1                | 3         0
1         1        | 90   100   0    0      0    0      1                | 2         0
1         1        | 87   100   0    0      0    0      1                | 1         1
1         1        | 89   100   0    0      0    0      1                | 1         1
1         1        | 91   100   0    0      0    0      1                | 1         1
1         1        | 88   100   0    0      0    0      1                | 1         1
1         1        | 84   95    0    0      0    0      1                | 1         1
1         1        | 85   100   0    0      0    0      1                | 2         1
1         1        | 92   98    0    0      0    0      1                | 3         1
1         1        | 95   98    0    0      0    0      1                | 3         0
1         1        | 79   100   71   98     92   80     1                | 1         1
1         1        | 89   94    0    0      0    0      1                | 1         1
2         1        | 86   100   0    0      0    0      1                | 1         1
2         1        | 86   100   0    0      0    0      1                | 1         1
1         1        | 85   100   0    0      0    0      1                | 3         0
1         1        | 96   100   0    0      0    0      1                | 3         0
1         1        | 83   100   0    0      0    0      1                | 1         1
1         1        | 87   100   0    0      0    0      1                | 3         0
1         1        | 84   100   0    0      0    0      1                | 2         1
1         1        | 90   100   0    0      0    0      1                | 1         1
1         1        | 93   100   0    0      0    0      1                | 1         1
1         1        | 75   100   86   100    0    0      1                | 1         1
1         1        | 88   100   0    0      0    0      1                | 1         1
3         1        | 53   100   94   100    0    0      1                | 1         1
1         1        | 99   12    90   100    0    0      1                | 1         1

BIOGRAPHICAL SKETCH

David Hitchcock was born in Kansas City, Missouri in 1956. He earned a master's degree in ceramic engineering at the University of Missouri-Rolla in 1981 and a PhD in Materials Science at University of California, Berkeley in 1985.


Permanent Link: http://ufdc.ufl.edu/UFE0002662/00001

Material Information

Title: Evaluation and Combination of Biometric Authentication Systems
Physical Description: Mixed Material
Copyright Date: 2008

Record Information

Source Institution: University of Florida
Holding Location: University of Florida
Rights Management: All rights reserved by the source institution and holding location.
System ID: UFE0002662:00001











EVALUATION AND COMBINATION OF BIOMETRIC AUTHENTICATION
SYSTEMS














By

DAVID C. HITCHCOCK


A THESIS PRESENTED TO THE GRADUATE SCHOOL
OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT
OF THE REQUIREMENTS FOR THE DEGREE OF
MASTER OF SCIENCE

UNIVERSITY OF FLORIDA


2003

































Copyright 2003

by

David C. Hitchcock















I dedicate this work to my wife.















ACKNOWLEDGMENTS

Thanks are owed to the following persons, groups, and companies:

* Dr. Richard Newman for his help, encouragement, and stimulating discussions during the research and writing of this thesis.

* The Retinators IPPD team, Charles Ammon, Marisa Arvesu, Peter Drwiega, John Hildebrant, Sean McDonald, David Nelson, and Jeannette Vizuete, for their work on this research.

* Raytheon Corporation for their support for this research.















TABLE OF CONTENTS

ACKNOWLEDGMENTS

LIST OF TABLES

LIST OF FIGURES

KEY TO ABBREVIATIONS

ABSTRACT

CHAPTER

1 INTRODUCTION TO BIOMETRIC AUTHENTICATION SYSTEMS

2 BACKGROUND ON BIOMETRIC AUTHENTICATION SYSTEMS

    2.1 Authentication
        2.1.1 "What You Know"
        2.1.2 "What You Have"
        2.1.3 "What You Are"
    2.2 Evaluation of Biometric Authentication Systems
        2.2.1 False Acceptance Rate and False Rejection Rate
        2.2.2 Failure to Enroll Rate
        2.2.3 Equal Error Rate
        2.2.4 Ability-to-Verify Rate
        2.2.5 Receiver Operating Characteristic and Detection Error Trade-off Curves
        2.2.6 Cost
        2.2.7 Number of Authentication Attempts Allowed
    2.3 Decision Rules
    2.4 Types of Biometric Authentication Systems
        2.4.1 Fingerprint
        2.4.2 Iris Scan
        2.4.3 Retina Scan
        2.4.4 Dynamic Signature Scan
        2.4.5 Voice Scan
        2.4.6 Face Scan by Visible Light
        2.4.7 Infrared Face Scan
        2.4.8 Hand Scan
    2.5 Architecture of Biometric Authentication Systems
    2.6 Biometric Standards
    2.7 Summary

3 PREVIOUS WORK IN COMBINING BIOMETRIC AUTHENTICATION SYSTEMS

    3.1 Optimal Bayes Decision Rule
        3.1.1 Product Rule
        3.1.2 Sum Rule
        3.1.3 Max Rule
        3.1.4 Min Rule
        3.1.5 Median Rule
        3.1.6 Majority Vote Rule
        3.1.7 Experimental Test of Rules for Combining Classifiers
    3.2 Nonparametric Methods and Likelihood Ratio
    3.3 Majority Voting
    3.4 Weighted Sum Rule
    3.5 Cascading Method of Combining Classifiers
    3.6 Hierarchical Methods of Combining Classifiers
    3.7 Summary

4 EXPERIMENTAL GOALS AND METHODS

    4.1 Meaning and Measurement of False Acceptance Rate
    4.2 Testing Procedures
    4.3 Curve Fitting
    4.4 Theory of Combining Multiple Biometric Systems
        4.4.1 Majority Voting
        4.4.2 Sum Rule
    4.5 Summary

5 RESULTS AND DISCUSSION

    Softpro Dynamic Signature Verification
    Biolink Biomouse
    Panasonic Authenticam
    Voice Scan
    Multiple System Results
    Summary

6 CONCLUSIONS AND FUTURE WORK

REFERENCES

APPENDICES

A TEST SUBJECTS

B DYNAMIC SIGNATURE VERIFICATION DATA

C RESULTS OF AUTHENTICATION ATTEMPTS ON MULTIPLE DEVICES

BIOGRAPHICAL SKETCH















LIST OF TABLES

4-1 Equations fitted to genuine and impostor signature data

5-1 Equal error rates for dynamic signature verification

5-2 Equations fitted to genuine and impostor signature data for one attempt, sum rule, in Figure 5-7 above

5-3 Equations fitted to genuine and impostor signature data for one attempt, min rule, in Figure 5-8 above

5-4 Number and percent of sum scores in various ranges

5-5 Error rates for different decision rules

5-6 False rejection rates

5-7 False acceptance rates

5-8 Comparison of single biometric authentication systems with a cascading multiple biometric system. The highest false acceptance rate for each device is used

A-1 Test subjects

B-1 Signature genuine scores

B-2 Signature impostor scores, tracing

B-3 Signature impostor scores, impostor looks at victim's signature and copies it

B-4 Signature impostor scores, impostor knows name of victim but has not seen signature

B-5 Signature impostor scores, impostor knows only the username of the victim

C-1 Authentication attempts in which the user attempted on fingerprint, signature, and iris systems. A 1 in the success column indicates success within three attempts, and a 0 indicates failure.















LIST OF FIGURES

2-1 In enrollment, a user's biometric data are captured, information is extracted and stored in an enrollment template, and the template is stored in a database.

2-2 In authentication, a user's biometric data are captured, information is extracted and stored in an enrollment template, which is compared to the enrollment template from the database

5-1 Softpro signature match scores for genuine users and impostors, one attempt, sum rule

5-2 Softpro signature match scores for genuine users and impostors, one attempt, min rule

5-3 Softpro signature match scores for genuine users and impostors, two attempts, sum rule.

5-4 Softpro signature match scores for genuine users and impostors, two attempts, min rule

5-5 Softpro signature match scores for genuine users and impostors, three attempts, sum rule.

5-6 Softpro signature match scores for genuine users and impostors, three attempts, min rule

5-7 Softpro signature match scores for genuine users and impostors, one attempt, sum rule, with fitted curves.

5-8 Softpro signature match scores for genuine users and impostors, one attempt, min rule, with fitted curves

5-9 Softpro signature match scores for genuine users, one attempt, sum rule, with derivative of curve fitted to data points.

5-10 Softpro signature match scores for impostors tracing a genuine user's signature, one attempt, sum rule, with derivative of curve fitted to data points

5-11 Softpro signature match scores for impostors who know a genuine user's name, but do not have access to the user's signature, one attempt, sum rule, with derivative of curve fitted to data points.

5-12 Softpro signature match scores for impostors who look at a genuine user's signature while they copy it, one attempt, sum rule, with derivative of curve fitted to data points.

5-13 Softpro signature match scores for impostors who know the username of a genuine user, but not their full name, and do not have access to their signature, one attempt, sum rule, with derivative of curve fitted to data points

5-14 Softpro signature match scores for genuine users, one attempt, min rule, with derivative of curve fitted to data points

5-15 Softpro signature match scores for impostors tracing a genuine user's signature, one attempt, min rule, with derivative of curve fitted to data points

5-16 Softpro signature match scores for impostors who know a genuine user's name, but do not have access to the user's signature, one attempt, min rule, with derivative of curve fitted to data points.

5-17 Softpro signature match scores for impostors who look at a genuine user's signature while they copy it, one attempt, min rule, with derivative of curve fitted to data points.

5-18 Softpro signature match scores for impostors who know the username of a genuine user, but not their full name, and do not have access to their signature, one attempt, min rule, with derivative of curve fitted to data points















KEY TO ABBREVIATIONS


ATV: ability to verify rate

BAPI: biometric application program interface

BioAPI: biometric application program interface

BSP: biometric service provider

CCD: charge coupled device

CDSA: common data security architecture

DET: detector error trade-off

EER: equal error rate

FAR: false acceptance rate

FRR: false rejection rate

FTE: failure to enroll rate

HAAPI: human authentication application program interface

HRS: human recognition service

MDF: most discriminating features

MEF: most expressive features

PDF: probability density function

ROC: receiver operating characteristic















Abstract of Thesis Presented to the Graduate School
of the University of Florida in Partial Fulfillment of the
Requirements for the Degree of Master of Science

EVALUATION AND COMBINATION OF BIOMETRIC AUTHENTICATION
SYSTEMS

By

David C. Hitchcock

December 2003

Chair: Richard E. Newman
Major Department: Computer and Information Science and Engineering

While passwords may be stolen, guessed, or forgotten and tokens may be lost or stolen, biometric authentication systems attempt to link authentication directly to the user.

We have devised a cascading biometric authentication system which takes advantage of unique strengths of the component biometric systems to achieve better performance than either the individual biometric systems alone, or a system that combines the biometrics in a generic way, such as a majority vote or sum rule. In this system, the user first attempts to authenticate on an iris scan system. Users who succeed here are accepted by the combined system because the iris scan suffered no false acceptance in our testing. Users who fail the iris scan must then attempt to authenticate on fingerprint scan and dynamic signature verification systems. If they fail either of these, they are rejected by the combined system. If they succeed in both, they are accepted. Two of the most important characteristics of a biometric authentication system are the false rejection rate (FRR), the fraction of authentication attempts by genuine users that are rejected, and the false acceptance rate (FAR), the fraction of impostor authentication attempts that are accepted. This system yields lower FAR and/or FRR than any of the individual systems, and saves time, because more than l 1'- of genuine users are accepted by the iris scan, and need not attempt to authenticate on the other devices.
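The cascade described above, written out as an added example (not code from the thesis). The sessions are constructed sample data, chosen so that the iris scan never accepts an impostor, as in the testing reported here; `Session`, `cascade_accept` and the other names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Accept/reject outcome of each device for one authentication session."""
    genuine: bool      # ground truth: True for the enrolled user, False for an impostor
    iris: bool
    fingerprint: bool
    signature: bool


def cascade_accept(s):
    """Iris first; only users who fail it must pass BOTH fingerprint and signature."""
    if s.iris:
        return True
    return s.fingerprint and s.signature


def devices_used(s):
    """Devices a user presents to under the cascade (1 if the iris scan accepts)."""
    return 1 if s.iris else 3


def majority_accept(s):
    """Generic combination for comparison: at least two of the three devices accept."""
    return (s.iris + s.fingerprint + s.signature) >= 2


def error_rates(sessions, rule):
    """Return (FAR, FRR) of a decision rule over labelled sessions."""
    genuine = [s for s in sessions if s.genuine]
    impostor = [s for s in sessions if not s.genuine]
    frr = sum(not rule(s) for s in genuine) / len(genuine)
    far = sum(bool(rule(s)) for s in impostor) / len(impostor)
    return far, frr


def mean_devices(sessions):
    """Average number of devices a genuine user has to use under the cascade."""
    genuine = [s for s in sessions if s.genuine]
    return sum(devices_used(s) for s in genuine) / len(genuine)


def build_sessions(genuine, rows):
    """Each row is 'iris fingerprint signature' as three 0/1 characters."""
    return [Session(genuine, *(c == "1" for c in row)) for row in rows]


# Constructed sample data (not measurements from the thesis).
SESSIONS = (
    build_sessions(True, ["111", "111", "111", "111", "111",
                          "100", "101", "011", "011", "110"])
    + build_sessions(False, ["000", "000", "000", "000", "000",
                             "010", "010", "010", "001", "011"])
)

if __name__ == "__main__":
    rules = {
        "iris only": lambda s: s.iris,
        "fingerprint only": lambda s: s.fingerprint,
        "signature only": lambda s: s.signature,
        "majority vote": majority_accept,
        "cascade": cascade_accept,
    }
    for name, rule in rules.items():
        far, frr = error_rates(SESSIONS, rule)
        print(f"{name:17s} FAR={far:.2f} FRR={frr:.2f}")
    print("mean devices per genuine user under the cascade:", mean_devices(SESSIONS))
```

On this sample the cascade and the majority vote reject the same impostors, but the majority vote also rejects the genuine user whom only the iris scan recognised.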

The dynamic signature verification system provided a score, instead of simply a hard decision, allowing a more detailed study of its behavior. Curves were fitted to the data from this system. Although the amount of data collected was small, curves for tracing by impostors showed an unexpected distribution of scores, which appeared to be bimodal. Based on a knowledge of the distribution of impostor scores, a decision rule has been tailored to reject a large proportion of impostors at the expense of rejecting a slightly increased number of genuine users.

Determination of the FAR presents difficulties because it depends strongly on the method used by the impostor. Also, different systems are vulnerable to different kinds of attacks, and must be tested in different ways. Comparison of FARs of different biometric devices subjected to different attacks is discussed.















CHAPTER 1
INTRODUCTION TO BIOMETRIC AUTHENTICATION SYSTEMS

Authentication is fundamental to security of computer systems. There must be some means of knowing whether a person who attempts to access the system, or some resources, is authorized to access the system or resources in question. People may be authenticated on the basis of "what they know," which in the case of authentication by an information system could be a password or PIN, by "what they have," which could be a smart card or a card with a magnetic strip, or by "what they are," by measuring some physical feature, such as a fingerprint or face image, or behavior, such as a signature. Similar methods are used for authentication of individuals requesting physical access to locations ranging from secret command and control facilities to amusement parks, and while the main focus of this thesis is on authentication for access to computer systems, occasional reference will be made to authentication in other contexts.

All authentication systems suffer from two kinds of errors, false acceptance of impostors and false rejection of authorized users. Unless restrictions are in place on choice of passwords, most users will choose easily guessed passwords such as the name of a family member or pet, or a common word. Even good passwords may be cracked by offline password guessing, or stolen by peeking over the user's shoulder. If restrictions are placed on choice of passwords to prevent the use of easily guessed passwords, users may forget their passwords, resulting in lost productivity and in increased work for administrators. Authentication tokens, such as smart cards, may also be lost or stolen.

In an attempt to overcome these problems, biometric authentication systems seek to link authentication directly to the person of the user. Users might be authenticated by placing their finger on a scanner, which will record the fingerprint and send it to the computer. Unique information would be extracted from the recorded fingerprint and compared to information extracted from the user's fingerprint when they were enrolled in the authentication system. Ideally, the user's information will always be a close match, so that the user will be accepted, and an impostor's information will always be very different from the enrollment information, so that the impostor will be rejected. However, in real biometric authentication systems users may fail to interact properly with the biometric system. For example, if an iris scan system is in use, the user must place their eye the proper distance from the iris scanner, and must open their eye enough so that the eyelid and eyelashes do not interfere too much with image acquisition. Also, in some cases the user's biometric feature may be changed. For example, if a user of a voice scan system gets a cold, their voice may be changed to the degree that they cannot be authenticated. Cases such as these result in false rejection. The false rejection rate (FRR) of a biometric authentication system is the fraction of authorized user authentication attempts that result in rejection. Impostors may happen to have biometric characteristics very similar to those of the authorized user, or may obtain a copy of the user's biometric feature, such as a photograph of a user's face, that can be used for spoofing the biometric authentication system. The fraction of authentication attempts by impostors that succeed is known as the false acceptance rate (FAR). If the system requires a very close match, FAR will be low, but FRR will be high, and vice versa. Therefore, testing of a biometric authentication system must determine both the FAR and FRR of the system, and the report of only one of these parameters is not very useful.

Frequently, the FAR is determined by having test subject A use their own fingerprint, iris, etc. to attempt to authenticate as B, and vice versa. It is certainly important that a biometric authentication system reject such attempts, but we will show that FAR can be much higher when the impostor uses other methods, such as a silicone copy of a fingerprint. Biometric authentication systems should be subjected to whatever attacks can be devised in order to get a realistic idea of the FAR a determined intruder might achieve.

If the threshold for authentication can be varied, the FAR and FRR should

be determined as a function of this threshold. This will allow the administrator of

the system to make a rational choice of a decision rule for accepting or rejecting

authentication attempts. There are two methods for choice of a decision rule. A

Neyman-Pearson decision rule results when a maximum acceptable value is set for

one of the FAR and FRR, and the other type of error is minimized subject to this

constraint. In some cases, high security is needed, and it is much more important

to prevent false acceptance, even at the cost of inconveniencing authorized users. In

this case, a low FAR might be specified, and a threshold high enough to achieve

this FAR would be chosen. In other cases, the loss due to rejecting an authorized

user may be greater than that of accepting an impostor, and a low FRR would be

specified, and a threshold low enough to achieve it would be used.

Alternatively, if a cost can be assigned to each type of error, an optimal Bayes

decision rule will set the threshold to minimize the total loss from false acceptance

and false rejections in the system.

Based on a long history of forensic use and many scientific investigations, there

is good evidence for the uniqueness and permanence of fingerprints [40],[41],[51].

Also, it might seem impossible for a fingerprint to be lost or stolen. However,

due to abrasion of fingerprints or condition of the skin, it may be impossible for a

scanner to detect the fingerprint detail well enough to authenticate the person [18].

Fingerprints can also be copied from objects such as glass handled by a user, and

replicated in gelatin [47], or the image may be captured as it is being transmitted

from the scanner to the computer and replayed by an attacker at a later date [49].









A variety of other characteristics are used for biometric authentication with

varying degrees of success. The iris, like the fingerprint, has a great deal of unique

and permanent information that can be used for authentication [8]. However, it

may also be spoofed with a photograph of a user's iris [49], and may suffer from a

high FRR [35].

The blood vessels of the retina also have unique information, and as far as

is known retina scan systems are invulnerable to authentication attempts by

impostors [19], but medical conditions, such as pregnancy, may cause changes in the

vessels resulting in false rejection [36].

Dynamic signature verification measures both the shape of the signature, and

also dynamic factors such as speed and pressure. Inconsistent signatures may cause

increased error rates [35]. Also, we have found that impostors may achieve a high

success rate when tracing an authorized user's signature.

Voice scan is convenient for use over the telephone, and may make use of

existing hardware in a computer, such as a microphone and sound card, but is

vulnerable to ambient noise and replay attacks.

Face scan can be carried out by visible or infrared light. Face scan with

visible light suffers from a small number of features compared to other biometric

authentication methods, and those features may be changed by disguise or by

weight change [44]. It is also subject to spoofing with a picture of an authorized

user [49]. Infrared face scan uses a thermal image to detect patterns due to

blood flow beneath the surface of the face. The positions of the blood vessels

are permanent, and provide much information for authentication [44]. The main

disadvantage is the high cost of a camera [44].

Hand scan systems measure the dimensions of a user's hand. They are used to

authenticate season pass holders at Disney amusement parks [30], and achieve an









error rate of 0.1 in testing [55]. There does not appear to be any information on

spoofing of hand scan systems.

Biometric devices are frequently connected to a computer via a USB port.

Devices connected by this or some other sort of bus or network that is physically

accessible may be subject to snooping. The data being sent to the computer

by a fingerprint scanner has been recorded and used to reconstruct the fingerprint

image [49]. Theft of a fingerprint image is much more serious than theft of a

password. A stolen password can be changed, but a stolen fingerprint, or other

biometric information, cannot be. The data recorded could also be used for a

replay attack. To avoid such attacks, communication between the biometric device

and the computer should be encrypted.

A biometric authentication system consists of hardware to capture biometric

information, and software to compare this information to that stored in the system

when the user enrolled. This system must interact with the authentication software

of the operating system. It often interacts via a middleware. If so, the middleware

can interact with the software component of the biometric authentication system

via a standard API. Several such standards have been developed, and currently

the biometric industry seems to be converging on a single standard, BioAPI.

Adoption of such a standard would make the biometric device together with its

device-specific software interchangeable. It would also allow easy combination of

multiple biometric authentication systems to meet the authentication needs of a

single computer system.

Because biometric authentication systems are in many cases susceptible to

spoofing, and generally have unacceptably high false acceptance or rejection rates,

there have been several attempts to combine multiple biometric authentication

systems. If an intruder is able to obtain or make an artifact, such as a gelatin

copy of a user's fingerprint or a photograph of a user's face or iris, they might









be able to authenticate on a single biometric system. However, if authentication

requires an acceptable combination of scores on several devices, an impostor with

an artifact for only a single device would probably be defeated. Also, a user whose

fingerprint is damaged by a weekend of bricklaying or rock climbing might fail a

single fingerprint test, but might still be able to authenticate via other devices if

multiple biometrics are in use.

Biometric authentication is a case of pattern recognition, in which a pattern

consisting of biometric data from a person must be classified as belonging to

the person whose identity is being claimed, or not belonging to that person. A

biometric authentication system is then a classifier, and when multiple biometric

systems are to be combined, methods from the literature on combining classifiers

can be used.

There are three broad groups of methods for combining classifiers: parallel,

cascading, and hierarchical [23]. Most combining methods discussed in the literature

on combining classifiers in general, as well as in biometric authentication,

fall into the parallel category. In this category are such methods as voting, sum,

min, and product rules. It also includes schemes in which the scores from indi-

vidual classifiers are weighted before combining. The product, sum, min, and

majority vote rules have all been derived from Bayesian theory by making various

assumptions and simplifications [27]. If the various classifiers are assumed to be

independent, the product rule can be derived. With the product rule, a single low

score can have a large effect on the result.

With the further assumption that the a posteriori probability of a genuine

user or an impostor does not differ greatly from the a priori probability, the sum

rule can be derived. While it might seem undesirable to make such an assumption,

errors in the scores from the classifiers have less effect on the sum than they do on

the product, which could be an important advantage.









The median rule would assign the pattern based on the classifier with the

median score. Dividing the sum by the number of classifiers in use, which is a

constant, yields the mean. The median is unaffected by the value of outlier scores,

while the mean is affected, so the median might be expected to be a more robust

classifier than the sum.

The min rule classifies a pattern based on the classifier that gives the pattern

the lowest score. It could thus be sensitive to a single outlier. However, if a single

classifier assigns a low score to an impostor the min rule would be able to reject the

impostor.

If the score from each individual classifier is hardened to give a binary value,

perhaps a 1 for the class the classifier considers most probable and a 0 otherwise, a

majority vote results.

When these and other rules were applied to two sets of experimental results,

the sum rule was best on one data set, the median rule was best on the other, ma-

jority vote was close to these two, and the min and product rules were significantly

lower.
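The parallel rules described above can be compared side by side on a few score vectors. The following is an added example, not code or data from the thesis: the scores are constructed, each score is treated as one device's estimate of the probability that the claimant is genuine, equal priors are assumed, and the 0.5 decision point is an assumption.

```python
from math import prod
from statistics import median

RULES = ("product", "sum", "median", "min", "vote")


def decide(scores, rule):
    """Accept (True) or reject (False) a claim from per-device scores in [0, 1].

    Assumption: each score estimates P(genuine) for one device, priors are equal.
    """
    n = len(scores)
    if rule == "product":
        # Independent classifiers: compare the product of the genuine
        # probabilities with the product of the impostor probabilities.
        return prod(scores) > prod(1 - s for s in scores)
    if rule == "sum":
        # Dividing the sum by the constant n gives the mean.
        return sum(scores) / n > 0.5
    if rule == "median":
        return median(scores) > 0.5
    if rule == "min":
        # Decision is made by the classifier that gives the lowest score.
        return min(scores) > 0.5
    if rule == "vote":
        # Harden each score to 0/1, then take the majority.
        return sum(s > 0.5 for s in scores) > n / 2
    raise ValueError(f"unknown rule: {rule}")


def decide_all(scores):
    """Decision of every rule for one attempt."""
    return {rule: decide(scores, rule) for rule in RULES}


# Constructed attempts on three devices (not measurements from the thesis).
CASES = {
    "genuine, all devices agree": [0.90, 0.80, 0.85],
    "genuine, one damaged sample": [0.80, 0.70, 0.02],
    "impostor, artifact for one device": [0.95, 0.20, 0.15],
    "impostor, artifacts for two devices": [0.95, 0.90, 0.10],
}

if __name__ == "__main__":
    print(f"{'case':38s}" + "".join(f"{r:>9s}" for r in RULES))
    for name, scores in CASES.items():
        result = decide_all(scores)
        cells = "".join(f"{'accept' if result[r] else 'reject':>9s}" for r in RULES)
        print(f"{name:38s}{cells}")
```

The single outlier score rejects the genuine user under the product and min rules only, while the min rule is the only one that still rejects an impostor who holds artifacts for two of the three devices.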

Classification normally depends on determining a probability density function

(PDF) for each classifier's score for each class. If the classifiers are not indepen-

dent, then joint probability functions are needed. Parametric methods, which

assume the distributions to follow some function, or nonparametric methods, which

make no such assumption, can be used. Nonparametric methods require more data

than parametric methods, but if sufficient data are available, they may achieve

better results. Also, the amount of data needed to derive a joint PDF increases as

the number of classifiers, and therefore the number of dimensions in the PDF, in-

creases. Therefore, beyond some point, addition of more classifiers may degrade the

accuracy of classification. With a large data set of fingerprint images, a nonpara-

metric method, the Parzen window density, was found to be superior to parametric









methods [43]. Then the best classification was obtained by combining only four

of five algorithms that were tested. A likelihood ratio, the ratio of the PDF for

impostors to that for genuine users, was computed for the four-dimensional space

generated by the scores from these four classifiers. Then scores in regions where

there was a high ratio of impostors to genuine users were rejected, and scores

falling in regions where the ratio was low were accepted. This method was found to

be superior to the sum rule, which was superior to the product rule.

A weighted sum rule has also been used to combine scores from multiple

biometrics. Weighting factors have been determined empirically to achieve the best

classification accuracy on training data [25], and the inverse of the variance of a

classifier's scores has been used as a weighting factor [12].

In cascading methods, classifiers are used in a sequence. A biometric identifi-

cation system uses face recognition, which requires little computation, to select a

small number of close matches from a database, and then a fingerprint scan system,

which is slower, is used to identify the subject as the best fingerprint match, if that

match meets a threshold. Otherwise, the system reports no match [20].

Hierarchical methods do not seem to have been used in biometrics.

The first goal of our work is to test a variety of biometric authentication

systems, to determine the FRR and the FAR. In order to accomplish this goal,

a group of test subjects authenticated on four different biometric authentication

systems, a thumbprint mouse, a dynamic signature verification system, an iris scan

system, and a voice verification system. The test subjects authenticated four times

over a period of six weeks. However, this will not give adequate information on

the vulnerabilities of these systems. The "Principle of Easiest Penetration" states

that intruders will "use any available means of penetration. This is not necessarily

the most obvious means, nor is it necessarily the one against which the most solid

defense has been installed" [39]. Therefore determination of the FAR that could









be achieved by spoofing of biometric devices by a variety of methods was a focus

of our research. Spoofing was successful on the voice verification, thumbprint and

signature systems, but not on the iris scan system. However, the voice verification

system was found to be unreliable, and the acceptance rate for impostors was

similar to the acceptance rate for genuine users.

False acceptance rate was found to depend strongly on the method used by the

impostor. A FAR of 50% was achieved by tracing an authorized user's signature.

Because only the dynamic signature verification gave a score, as opposed to a

hard decision to accept or reject, more could be done with the results from that

system. False acceptance rate and FRR data for the dynamic signature verification

were plotted, and curves were fitted to the data in order to better characterize the

patterns of scores for genuine users and for impostors using different methods.

Data for tracing in particular has an unexpected shape, with most of the data

points concentrated at high scores, where the genuine user scores are expected.

The very limited data fit a bimodal curve, and based on this bimodal distribution

a reduced FAR can be achieved by rejecting very high scores, where many of the

tracing scores are concentrated, at the expense of an increased FRR.

No single biometric system was found to be satisfactory. The iris scan

system had a high FRR of 16.1% when the user was allowed three attempts.

The thumbprint system suffered from an FAR of 12.9% when the impostor used a

silicone copy of a user's thumbprint. The signature scan system's FAR was 50%

for tracing. Therefore the possibility of lowering error rates by combining scores

was investigated. Theoretical results show that combining scores of several systems

by the sum rule could significantly improve error rates. Theory predicts a lesser

improvement via a majority vote. However, only one of our devices provided a

score, rendering use of the sum rule impossible. Therefore, a cascading method

has been devised in which a user first authenticates on the iris scan. Because there









were no false acceptances on this system, users who authenticate successfully on

the iris scan are accepted by the combined system. Those who fail then go on

to attempt authentication on the fingerprint system. If they again fail, they are

rejected by the combined system. If they succeed they attempt to authenticate

on the signature system. If they succeed here, they are accepted. Otherwise they

are rejected. The FAR and FRR of the combined system depend on the number

of thumbprint attempts allowed and the decision rule for the signature system,

but with one thumbprint attempt and not rejecting very high signature scores

that might represent tracing, the FAR is 6.5% and the FRR is 3.'"- Also, the

majority of users, who pass the iris scan, need not spend further time and effort on

authentication.
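The cascade described above can be written out as decision logic, and its combined error rates computed from per-device rates. This is an added example, not code from the thesis: it assumes the devices err independently, takes the iris FRR, thumbprint FAR, and signature FAR from the figures quoted above, and uses hypothetical genuine-user acceptance rates for the thumbprint and signature stages because this section does not state them.

```python
from itertools import product

# Per-device figures quoted in the text above.
IRIS_FRR = 0.161            # iris scan, three attempts allowed
IRIS_FAR = 0.0              # no false acceptances observed on the iris scan
THUMB_FAR_SILICONE = 0.129  # impostor using a silicone copy
SIG_FAR_TRACING = 0.50      # impostor tracing a signature

# Hypothetical values, NOT from the thesis: genuine-user acceptance rates.
THUMB_GENUINE_ACCEPT = 0.90
SIG_GENUINE_ACCEPT = 0.90


def cascade(iris, thumbprint, signature):
    """Run the cascade; each argument is a zero-argument callable returning
    True on a match. Returns (accepted, list of stages actually used)."""
    used = ["iris"]
    if iris():
        return True, used          # iris match alone is sufficient
    used.append("thumbprint")
    if not thumbprint():
        return False, used         # failed iris and thumbprint: reject
    used.append("signature")
    return signature(), used       # must also pass the signature stage


def accept_probability(p_iris, p_thumb, p_sig):
    """Closed form: pass iris, or fail iris and pass both later stages.
    Assumes the three devices err independently."""
    return p_iris + (1 - p_iris) * p_thumb * p_sig


def enumerated_accept_probability(p_iris, p_thumb, p_sig):
    """Same quantity, obtained by running cascade() on all eight outcomes."""
    total = 0.0
    for outcome in product([True, False], repeat=3):
        weight = 1.0
        for ok, p in zip(outcome, (p_iris, p_thumb, p_sig)):
            weight *= p if ok else 1 - p
        accepted, _ = cascade(*(lambda ok=ok: ok for ok in outcome))
        if accepted:
            total += weight
    return total


def combined_far():
    """Impostor with a silicone thumbprint who traces the signature."""
    return accept_probability(IRIS_FAR, THUMB_FAR_SILICONE, SIG_FAR_TRACING)


def combined_frr():
    """Genuine user, using the hypothetical stage-two and stage-three rates."""
    return 1 - accept_probability(1 - IRIS_FRR, THUMB_GENUINE_ACCEPT,
                                  SIG_GENUINE_ACCEPT)


if __name__ == "__main__":
    print(f"combined FAR = {combined_far():.4f}")
    print(f"combined FRR = {combined_frr():.4f} (hypothetical stage rates)")
    print(cascade(lambda: True, lambda: False, lambda: False))
```

With independent stages the combined FAR is 0.129 x 0.50 = 0.0645, consistent with the 6.5% stated above; the FRR printed here depends entirely on the hypothetical stage rates.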















CHAPTER 2
BACKGROUND ON BIOMETRIC AUTHENTICATION SYSTEMS

2.1 Authentication

If a computer system is accessible to more than one person, either physically

or via a network, then some form of authentication is necessary if security is

desired. Those who are authorized to use the system should somehow be recognized

and allowed access, while anyone making a false claim to be an authorized user

should be rejected and not allowed access. Even if the computer is in a physically

secure location, if it is shared by several users, different users will probably have

different privileges for accessing different resources, so the system will need to

authenticate the users to determine what they should be allowed to do. People can

be authenticated by three main methods: "what you know," "what you have," and

"what you are" [26].

2.1.1 "What You Know"

People are commonly authenticated by passwords, an example of "what you

know." However, passwords suffer from several weaknesses. Left to their own

devices, users will tend to choose passwords that are easy for them to remember,

such as common words and names. Such passwords are likely to also be easy

to guess [39]. If passwords can be entered on-line, and there is no restriction on

the number of attempts or rate, the password can often be found by means of a

"dictionary attack," simply using all words in an on-line dictionary as guesses when

attempting to authenticate.









If the passwords cannot be guessed, they might be stolen. Passwords can

be stolen by methods as simple as looking over a user's shoulder. If a security-

conscious administrator requires hard-to-guess passwords and frequent changes,

users who are unable to remember them may write them on post-it notes.

Operating systems such as UNIX and VMS store cryptographically hashed

passwords. If the file containing the hashed passwords can be stolen, the attacker

can hash possible passwords until one of the hashes matches a hash in the password

file.

If a password is large enough, it will be computationally infeasible to try all

possible passwords. In order to prevent off-line password guessing, there should be

about 64 bits of randomness, or 2^64 possible passwords [26]. If the password is a

random string of any letters, upper or lower case, any digit, or punctuation marks,

for a total of 64 possible characters, an 11-character password would be sufficient.

However, few people would remember such a password. If it is constrained to be

a pronounceable, case-insensitive string of letters, so that it can be more easily

memorized, a 16-character password would be needed. If users are allowed to

choose their own passwords, the randomness is thought to be about 2 bits per

character, and 32 characters would be needed. According to Kaufman et al. [26],

all three possibilities are too long for humans to memorize. However, the author

suspects that a lot of people could remember a 32-character phrase, particularly if

they used it regularly. "When in the course of human events," the first seven words

from the Declaration of Independence, is already 34 characters. Then, instead of

a "dictionary attack," a compilation of familiar texts would have to be used as a

source of possible guesses for a "library attack."

Finally, if users forget passwords, extra work is imposed on administrators to

reset the passwords, and users are denied access to needed computing resources

until the new password is available.









Authentication by means of "what you have" or "what you are" must often

be converted to or supplemented by authentication by "what you know." If a

user authenticates over a network, only bits, not possessions or characteristics of

the user, can be presented to the system. Also, if devices used for other forms

of authentication are not themselves authenticated by means of a cryptographic

challenge, the system may be vulnerable to spoofing or replay attacks.

2.1.2 "What You Have"

The most common authentication token, or physical device used for authenti-

cation, is a key.

Early PCs often had a lock on the front panel that could be used to block

access to anyone without the key. While keys remain the method of choice for

authenticating users of automobiles and houses, they would not be practical

for networked computers, or for systems with multiple users who have different

privileges.

Two types of authentication tokens currently used are cards with magnetic

strips and smart cards. Both types contain passwords or keys, but they are not

constrained by human forgetfulness, so the secret can be too long to be guessed.

Smart cards have embedded CPUs. Some require the use of a PIN before allowing

their information to be read. This provides more security for the secret than a

magnetic strip. Others will not allow their secret key to be read, but will only use

it to encrypt or decrypt a number in order to authenticate via a cryptographic

challenge and response. Then it is difficult or impossible for the secret to be

stolen [26].
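The cryptographic challenge and response mentioned here, and in the earlier remark that unauthenticated devices leave a system open to replay, can be sketched as follows. This is an added example, not code from the thesis or from any product: it uses an HMAC over a random challenge in place of the "encrypt or decrypt a number" operation in the text, and the class names are hypothetical.

```python
import hashlib
import hmac
import secrets


class Token:
    """Stands in for a smart card or biometric device that holds a secret key
    and never reveals it; it only answers challenges."""

    def __init__(self, key):
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """Host side: issues a fresh random challenge per attempt and accepts each
    challenge at most once."""

    def __init__(self, key):
        self._key = key
        self._outstanding = set()

    def new_challenge(self):
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge, response):
        if challenge not in self._outstanding:
            return False                      # unknown or already used
        self._outstanding.discard(challenge)  # single use, pass or fail
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Genuine exchange, then three attempts by someone who recorded it."""
    key = secrets.token_bytes(32)             # constructed shared secret
    verifier, token = Verifier(key), Token(key)

    c1 = verifier.new_challenge()
    r1 = token.respond(c1)
    results = {"genuine": verifier.verify(c1, r1)}

    # Recorded (challenge, response) pair sent again: challenge is spent.
    results["replayed_pair"] = verifier.verify(c1, r1)

    # Recorded response sent against a fresh challenge: MAC does not match.
    c2 = verifier.new_challenge()
    results["stale_response"] = verifier.verify(c2, r1)

    # Device that does not hold the key.
    c3 = verifier.new_challenge()
    other = Token(secrets.token_bytes(32))
    results["wrong_key"] = verifier.verify(c3, other.respond(c3))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected'}")
```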

Authentication tokens can be lost or stolen. For this reason they are often

combined with another form of authentication, such as a PIN or password [26].

Because users may occasionally leave their tokens at home, there must be

some mechanism to authenticate forgetful users. As with lost passwords, there









will be a loss of access to needed resources until the user can be authenticated

by the alternative means, and there will be some cost for administrator's work in

authenticating the user.

2.1.3 "What You Are"

Biometric authentication attempts to link authentication directly to the person

of the user, basing its decision to accept or reject an attempt at authentication

on a measurement of a physical or behavioral characteristic of the user. It is an

attempt to avoid the problems of lost or stolen passwords or authentication tokens.

Evaluation of the degree to which it may succeed, and the types of errors that can

occur, is in the following section.

Biometric authentication has a long history. In ancient Egypt, for legal

and business purposes people were identified by characteristics such as scars,

complexion, eye color, and height [21]. Fingerprints were also used in ancient China

on seals and in Babylon on clay tablets [14].

The first reported use of an automated biometric authentication system in the

business world was in 1968, when fingerprints were used on Wall Street to open a

vault containing stock certificates. The system cost $20,000 [38]. As of May, 2003,

a mouse with a fingerprint scanner costs about $90-$140, and an iris scan system

costs .

A variety of biometric devices allow a user to authenticate by means of a

fingerprint, an image of their hand, face, iris, or retina, handwriting, or the sound

of their voice. Their common features are described here, and details of the various

types of devices follow.

Before a biometric device can be used for authentication, a user must first

enroll, as shown in Figure 2-1. In the case of a fingerprint system, this would

involve putting a finger on a fingerprint scanner. The scanner would record an

image of the fingerprint, perhaps in a ".bmp" file. The software component of













Figure 2-1: In enrollment, a user's biometric data are captured, information is
extracted and stored in an enrollment template, and the template is stored in a
database.


Figure 2-2: In authentication, a user's biometric data are captured, information is
extracted and stored in an enrollment template, which is compared to the enroll-
ment template from the database.

the biometric system would process this file, extracting unique characteristics and

saving them in an enrollment template. Most biometric authentication systems

require users to repeat this process several times in the course of an enrollment, in

order to get more data on the user's characteristics [35].

Later, when someone claims to be the user and attempts to authenticate,

they again place their finger on the fingerprint scanner, the image is processed, the









unique characteristics are extracted, and a second template, the "match template,"

is produced, as shown in Figure 2-2. This template is compared to the enrollment

template, and a match score is generated [35].

Note that the images of the fingerprint from enrollment and authentication

could not be directly compared, because the position and orientation of the

fingerprint would be different each time. Even the templates would generally not

be identical. This is in contrast to authentication by a password or other secret,

whether stored in the memory of a user or of an authentication token, where a

perfect match is expected. Therefore a decision rule is needed to get from the

match score to a decision to accept or reject an attempt at authentication, as

described below.

At first thought, biometric authentication would seem to be immune to loss

and theft, except in rare cases, such as accidents. However,

A hacker who broke into a poorly designed system might be able to
steal other people's digital biometric templates and use them to access
secure networks. This trick, called "replay," could take identity theft to
a whole new level. "Your fingerprint is uniquely yours, forever. If it's
compromised, you can't get a new one," says Jackie Fenn, a technology
analyst at the Gartner Group ([18], p.61).

Stealing of templates is not a certain way for a hacker to get access. Normally

the biometric data, such as a fingerprint or iris image, cannot be computed from

the template. If the software expects the biometric data rather than a template, a

hacker might be able to compute biometric data that produces the same template.

However, the contents of the template would depend on the algorithm used,

and if a template for a fingerprint using one algorithm was stolen, it might bear

no resemblance to the template for another fingerprint device with a different

algorithm. Likewise, a fingerprint computed to yield that template might not work

on a system using a different algorithm which might extract different types of data

from the signature.









2.2 Evaluation of Biometric Authentication Systems

In this section, several metrics useful in the evaluation of biometric devices are

discussed. Important parameters for a biometric device include False Acceptance

Rate (FAR), False Rejection Rate (FRR), the Failure to Enroll rate (FTE),

Ability to Verify rate (ATV), and cost.

2.2.1 False Acceptance Rate and False Rejection Rate

As described above, a biometric authentication system derives a match score

by comparing biometric data from a person attempting to authenticate with

enrollment data for the identity they claim. The closer the match, the higher

the match score will be. If the match score exceeds a threshold, the person

authenticating is accepted. If the threshold is set too high, genuine users will be

rejected. If it is set too low, impostors will be authenticated. Ideally, the lowest

score from a genuine user would be higher than the highest impostor score. Then

the threshold would be set somewhere between the two.

However, in reality, the genuine and impostor scores overlap. Then the system

will generate a greater or lesser number of two types of errors. In order to quantify

these errors, the false rejection rate (FRR) and the false acceptance rate (FAR)

for a biometric device are defined as:



$$\mathrm{FRR} = \frac{\text{number of failed attempts at authentication by authorized users}}{\text{number of attempts at authentication by authorized users}} \tag{2.1}$$

$$\mathrm{FAR} = \frac{\text{number of successful authentications by impostors}}{\text{number of attempts at authentication by impostors}} \tag{2.2}$$

Both FAR and FRR depend on threshold. A higher threshold will generally

reduce FAR, but at the expense of increased FRR, and vice versa. Methods and

considerations related to choice of a threshold are discussed in Section 2.3 below.









Because impostors may be able to authenticate by a variety of means, such

as the use of artifacts like copies of fingerprints and replay attacks [47], [49],

information on such vulnerabilities is needed for proper evaluation of biometric

devices [54]. The "Principle of Easiest Penetration" states that intruders will

"use any available means of penetration. This is not necessarily the most obvious

means, nor is it necessarily the one against which the most solid defense has been

installed" [39]. Therefore, biometric authentication systems should be tested by

any means that can be devised. However, most testing that is reported consists

of person A attempting to authenticate as person B [10], or with a database of

biometric data captured in this way [12], [20], [25], [43], [28], [27].

2.2.2 Failure to Enroll Rate

When a user attempts to enroll on a biometric authentication system, if the

system cannot extract enough unique characteristics to reliably authenticate the

user, the user will not be able to enroll. Then the failure to enroll rate (FTE) is

defined as


$$\mathrm{FTE} = \frac{\text{number of users who fail in their attempts to enroll}}{\text{number of users who attempt to enroll}} \tag{2.3}$$

Obviously a user without hands could not be enrolled on a fingerprint scanner.

However, even when a user has the feature in question, the system may not be able

to extract enough unique information in order to reliably authenticate the person.

According to International Biometrics, about 2.5% of office workers do not have

"fingerprints of sufficient quality to allow for authentication" [21].

Several methods have been proposed to reduce FTE. First, improved training

and improved ergonomics of the system can significantly reduce FTE. Nanavati et

al. say that by these means FTE might be reduced from 10% to 1% [35].









The FTE can also be decreased by lowering the standards for an acceptable

enrollment, but when users are enrolled in spite of insufficient unique characteris-

tics, the FAR and/or the FRR will be increased [35].

Finally, if users are allowed more attempts to enroll FTE can be decreased,

but users who need many attempts to enroll will probably also have difficulty

authenticating, so at some point it is probably best to give up and use another

method of authenticating [35].

A high failure to enroll rate will tend to negate any advantages of the biomet-

ric authentication system, because an alternative means of authentication must be

provided for users who cannot be enrolled. If the alternative system is less secure,

then intruders should be expected to attempt to penetrate this alternative authen-

tication scheme rather than the biometric authentication system. If the cost of

the alternative authentication method is higher, a high FTE will increase the cost

of authentication. If the alternative system is not less secure or more expensive,

then the biometric system is probably not needed anyway. A second authentication

system is certain to increase the administrator time needed for authentication,

because they will have to maintain two systems rather than one.

2.2.3 Equal Error Rate

At a sufficiently low threshold, few or no users will be rejected, so the FRR

will be low. Most or all impostors will be accepted, so the FAR will be high.

Then as the threshold is increased more genuine users will be rejected and fewer

impostors will be accepted. At some point FRR and FAR will be equal. The

value of the FAR and FRR at this point is the equal error rate (EER). The equal

error rate may be useful as a single value to allow comparison between different

biometric authentication systems. However, it can be misleading because systems

will seldom be operated at the EER. In some cases it will be more important to

keep impostors out, even at the expense of rejecting authorized users, and in other









cases it will be more important to avoid rejecting authorized users [35]. The EER

tells us nothing about what the FAR and FRR will be at any other threshold.

Also, if the standards for enrollment are made high, the EER will be low, but

at the expense of a high FTE. If the EER is reported but the FTE is not, it is

impossible to know how good the system really is.

2.2.4 Ability-to-Verify Rate

In order for the biometric authentication system to work properly for a given

user, the user must be able to enroll, and then to authenticate. The Ability-to-

Verify Rate (ATV) then gives the proportion of users for whom the system works

properly,


$$\mathrm{ATV} = (1 - \mathrm{FTE})(1 - \mathrm{FRR}) \tag{2.4}$$

Along with the FAR, the ATV provides important information on three key issues

for biometric authentication systems [35]:

1. Cost: If some users cannot be authenticated by the biometric system,

some alternative authentication process will be needed. It could be an

alternate biometric authentication system, or a system based on a password

or authentication token, or even an administrator who would come and verify

the individuals who cannot be authenticated on the biometric system. In any

case, it will increase costs.

2. Security: If the ATV is low, many users are not being verified by the biomet-

ric authentication system. Unless the alternative means of authentication is

at least as secure as the biometric system, the security of the system will be

degraded.

3. Convenience: A low ATV indicates that the biometric system is difficult to

use, because many users cannot enroll or authenticate successfully.









Of course the ATV could be made high by lowering the standard for enroll-

ment and the threshold for authentication, but this would result in a high FAR.

Likewise, the FAR could be made very low by making the standard for enrollment

and the threshold for authentication high, but then the ATV would be low. For

this reason, both of these metrics should be reported together, and not just one or

the other.

2.2.5 Receiver Operating Characteristic and Detection Error Trade-off
Curves

Receiver operating characteristic (ROC) curves display the genuine acceptance

rate on the y axis vs. the FAR on the x axis. They are "an accepted method

for summarizing the performance of imperfect diagnostic, detection, and pattern

matching systems" [32]. However, for biometric systems, detection error trade-off

(DET) curves, which plot FRR on the y axis vs. FAR on the x axis, are preferred

because they treat both types of error in the same way [32]. If desired, the error

rates can be plotted on logarithmic scales to cover a wider range of errors. These

curves allow a relatively complete view of the characteristics of a biometric system.

From such a curve, one can find the EER, the FAR corresponding to any desired

FRR, or the FRR corresponding to any desired FAR.
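The quantities of sections 2.2.3 to 2.2.5 can be computed directly from two lists of match scores. The following Python sketch is an added example, not code from the thesis; the scores are constructed, and it assumes that a higher score means a better match and that an attempt is accepted when its score is at or above the threshold.

```python
"""FAR/FRR across thresholds, EER and DET operating points (constructed scores)."""

# Constructed similarity scores; an attempt is accepted when score >= threshold.
GENUINE = [0.91, 0.85, 0.78, 0.74, 0.66, 0.62, 0.55, 0.48, 0.83, 0.70]
IMPOSTOR = [0.12, 0.20, 0.25, 0.31, 0.35, 0.40, 0.44, 0.52, 0.58, 0.68]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) at one threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def det_points(genuine=GENUINE, impostor=IMPOSTOR):
    """DET curve as (threshold, FAR, FRR): one point per observed score,
    plus a final reject-everything point."""
    thresholds = sorted(set(genuine) | set(impostor)) + [float("inf")]
    return [(t, *rates(t, genuine, impostor)) for t in thresholds]


def equal_error_rate(points):
    """Point where FAR and FRR are closest; the EER is their mean there."""
    t, far, frr = min(points, key=lambda p: abs(p[1] - p[2]))
    return t, (far + frr) / 2


def frr_at_far(points, max_far):
    """Lowest threshold that meets a FAR limit, and the FRR paid for it."""
    return next((t, far, frr) for t, far, frr in points if far <= max_far)


def far_at_frr(points, max_frr):
    """Highest threshold that meets an FRR limit, and the FAR paid for it."""
    return next((t, far, frr) for t, far, frr in reversed(points)
                if frr <= max_frr)


def ability_to_verify(fte, frr):
    """Equation (2.4): ATV = (1 - FTE)(1 - FRR)."""
    return (1 - fte) * (1 - frr)


if __name__ == "__main__":
    pts = det_points()
    print("EER (threshold, rate):", equal_error_rate(pts))
    # The EER says nothing about these two operating points:
    print("keep impostors out (FAR = 0):", frr_at_far(pts, 0.0))
    print("never reject a user (FRR = 0):", far_at_frr(pts, 0.0))
    # An assumed FTE of 5% combined with the FRR at the EER threshold.
    print("ATV at the EER threshold:", ability_to_verify(0.05, rates(0.58)[1]))
```
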

2.2.6 Cost

The cost of a biometric system would include the purchase price of the device,

as well as administrative cost of setting up and maintaining the device, and the

cost of the time spent by users in authenticating. It might also include the cost of

an alternative system for users who cannot be enrolled, and the cost of dealing with

users who are falsely rejected by the system.

2.2.7 Number of Authentication Attempts Allowed

An important policy decision in the design and administration of a biometric

authentication system is the number of attempts allowed. If multiple attempts are









allowed, the FRR will be decreased and the FAR will be increased. In the simplest

case, if the probability of success for all attempts is independent, the FAR and

FRR for a system that allows n attempts are



$$\mathrm{FAR}_n = 1 - (1 - \mathrm{FAR}_1)^n$$ (2.5)

$$\mathrm{FRR}_n = (\mathrm{FRR}_1)^n$$ (2.6)

where $\mathrm{FAR}_1$ and $\mathrm{FRR}_1$ are the values when only one attempt is allowed. However,

the probability of success for multiple attempts is not likely to be independent. If 1%

of impostors can authenticate on a particular fingerprint system as user A, there

may be some with fingerprints very close to A's, who can authenticate every time.

Others may be able to authenticate occasionally. Others, with fingerprints very

different from A, may never be able to authenticate as A. Likewise, if a user is

falsely rejected by a voice system due to a cold, the user would continue to have a

very low probability of success until they recover. Multiple attempts would be little

help.
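The gap between the independence formulas and the fingerprint scenario just described can be made concrete. This Python sketch is an added example, not code from the thesis; the three impostor groups and their per-attempt success probabilities are constructed so that the single-attempt FAR is the 1% used in the text.

```python
"""Multiple attempts: equations (2.5)/(2.6) versus a non-independent population."""


def independent_rates(far1, frr1, n):
    """Equations (2.5) and (2.6): every attempt is an independent trial."""
    return 1 - (1 - far1) ** n, frr1 ** n


# Constructed impostor population for one target user A, as
# (share of impostors, per-attempt probability of being accepted as A).
IMPOSTORS = [
    (0.005, 1.0),   # prints very close to A's: accepted every time
    (0.010, 0.5),   # accepted occasionally
    (0.985, 0.0),   # prints very different from A's: never accepted
]


def single_attempt_far(groups):
    """FAR with one attempt allowed, averaged over the population."""
    return sum(share * p for share, p in groups)


def mixed_far(groups, n):
    """FAR after n attempts when each impostor keeps the same success
    probability on every attempt (independent only within a group)."""
    return sum(share * (1 - (1 - p) ** n) for share, p in groups)


def far_ceiling(groups):
    """Limit of mixed_far as n grows: the share who can ever succeed."""
    return sum(share for share, p in groups if p > 0)


if __name__ == "__main__":
    far1 = single_attempt_far(IMPOSTORS)
    print(f"single-attempt FAR: {far1:.4f}")
    for n in (1, 3, 10):
        indep, _ = independent_rates(far1, 0.0, n)
        print(f"n={n:2d}  independent={indep:.5f}  mixed={mixed_far(IMPOSTORS, n):.5f}")
    print(f"ceiling for the mixed population: {far_ceiling(IMPOSTORS):.3f}")
```

With these constructed groups the independence formula overstates the FAR for every n above 1, and the mixed FAR can never exceed the share of impostors who are able to succeed at all.
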

Imposing a limit on the number of authentication attempts creates the

possibility of another kind of attack [26]. If access to the account is blocked after

some number of unsuccessful attempts, an attacker can simply make the required

number of attempts to authenticate, blocking the account. An attacker could even

block the administrator's account, creating a severe problem.

An alternative approach to preventing repeated attempts by an attacker

might be to impose a delay between attempts. The delay might be a few minutes,

and begin after some small number of attempts. In addition, the administrator

could be alerted when there are repeated failed authentication attempts, and could

investigate to catch the impostor.









2.3 Decision Rules

Because FAR and FRR for a given device depend on threshold, selection of

the threshold is a critical policy decision. A decision rule must be chosen based

on the requirements of the system. An attempt at authentication on a biometric

authentication system produces a score x. In general, x is a vector, the components

of which are scores returned by one or more biometric devices, each of which

may return multiple scores, either from processing the same data by different

algorithms [43], or by processing different measurements, as in the case of the

Softpro Dynamic Signature Verification system, which returns both dynamic and

static scores, as described below. The decision rule must map the score to one of

two classes, $\omega_1$ for accept and $\omega_2$ for reject. Two methods of choosing a decision

rule might be appropriate depending on the requirements of the system.

If a maximum acceptable rate for one type of error is specified, and errors of

the other type should be minimized subject to this constraint, we are using the

Neyman-Pearson method of selecting a decision rule [31]. In the case of a single

biometric device, assuming that the distribution of impostor scores decreases

monotonically and the distribution of genuine user scores monotonically decreases

as score increases, this rule is almost trivial. For example, if a limit of 0.001 is

placed on the FAR, then the threshold is set to produce a FAR of the required

level, 0.001. A lower threshold would not achieve the required FAR, and while a

higher threshold would further decrease the FAR, it would also increase the FRR.

If either or both of the distributions of scores for impostors and genuine

users are not monotonic, then simply accepting everything above a threshold and

rejecting everything below may not be optimal. Instead, we need to define the

likelihood ratio, as in [43]


$$R = \frac{P(x \mid \omega_2)}{P(x \mid \omega_1)}$$ (2.7)









where $P(x \mid \omega_2)$ and $P(x \mid \omega_1)$ are the conditional probabilities of the score x given

that the person authenticating is an impostor, belonging to class $\omega_2$, or a genuine

user, belonging to class $\omega_1$, respectively. Regions of high R have a high proportion

of impostors, and regions of low R have a high proportion of genuine users. If we

again consider the example of a maximum FAR of 0.001, then we would select the

regions to accept beginning with the lowest R, and continue adding progressively

higher R regions to the "accept" area until the proportion of impostors being

accepted reaches the maximum acceptable FAR of 0.001. If a maximum FRR is

specified, regions with highest R are rejected until the proportion of genuine users

rejected reaches the maximum allowed value.

The optimal Bayes decision rule can be used when both types of errors can be

assigned a loss. This rule minimizes the risk, or expected value of loss, by assigning

a pattern x to the class $\omega_i$ which minimizes the conditional risk,

$$r(\omega_i \mid x) = \sum_{j=1}^{2} L(\omega_i, \omega_j)\, P(\omega_j \mid x)$$ (2.8)

where $L(\omega_i, \omega_j)$ is the loss when a pattern belonging to $\omega_j$ is assigned to $\omega_i$. Thus,

$L(\omega_2, \omega_1)$ is the loss incurred when an authorized user is rejected, and $L(\omega_1, \omega_2)$

is the loss incurred when an impostor is accepted. The loss incurred in assigning a

pattern to the correct class is normally given a value of 0. $P(\omega_j \mid x)$ is the posterior

probability, or the probability that the pattern belongs to $\omega_j$ given the values of the

measurements that make up the vector x [27].

The values of the losses for assigning to the wrong class will depend on the

application of the biometric device. In a test of a system of three biometric devices

used to authenticate people entering the Fraunhofer-Institute for Integrated

Circuits, a false rejection was assigned twice the cost of a false acceptance [10].

On the other hand, if we are designing a biometric authentication system to

protect the gold in Fort Knox, the loss due to a false acceptance would be much









greater than that due to a false rejection. P(impostor | x) and P(genuine | x) are the

posterior probabilities that the person attempting to authenticate is an impostor or

a genuine user, given they achieved a score x, respectively.

The posterior probabilities $P(\omega_1 \mid x)$ and $P(\omega_2 \mid x)$ are not likely to be known for

a biometric authentication system. According to Bayes' formula, they are

$$P(\omega_k \mid x) = \frac{p(x \mid \omega_k)\, P(\omega_k)}{p(x)}$$ (2.9)

where $p(x \mid \omega_k)$ is the conditional probability density function for measurements

of x on class $\omega_k$ and p(x) is the unconditional probability function of x [27]. Now

$p(x \mid \omega_1)$, the probability that a genuine user will get a score x, can be determined

by allowing genuine users to authenticate and determining the probability distribution

of their scores. The probability of an impostor getting a score x, $p(x \mid \omega_2)$,

will depend on the method used by the impostor, because some methods will allow

the impostor to present data that matches the genuine user's data more closely. As

with FARs, values of $p(x \mid \omega_2)$ should be determined for each possible method

that impostors may use. We are still left with terms that might or might not be

measurable: $P(\omega_2)$, the probability that a person who attempts to authenticate is

an impostor, and $P(\omega_1)$, the probability that a person who attempts to authenticate

is a genuine user. If it is desired to apply biometric authentication in a system

currently using some other method of authentication, such as passwords, these

probabilities might be estimated by logging all attempts at authentication, and

assuming that the successful attempts are genuine users, and unsuccessful attempts

are impostors. However, error will result if some impostors are successful under the

current system, and if genuine users forget their passwords or make typing errors.

A more sophisticated approach to the log might reduce the number of errors in the

estimates. Genuine users might be expected to succeed on their second try, or to

ask the administrator to reset their password soon after they fail several times. A









large number of unsuccessful attempts in rapid succession would indicate on-line

password guessing.

Substituting equations (2.9) into equation (2.8) we can arrive at a decision

rule,

Accept if



$$L(\omega_1, \omega_2)\, p(x \mid \omega_2)\, P(\omega_2) < L(\omega_2, \omega_1)\, p(x \mid \omega_1)\, P(\omega_1)$$ (2.10)

otherwise reject

and rearranging and substituting R from equation (2.7),


Accept if



$$R < \frac{L(\omega_2, \omega_1)\, P(\omega_1)}{L(\omega_1, \omega_2)\, P(\omega_2)}$$ (2.11)

otherwise reject

From this equation, it is clear that our choice to accept or reject a particular

attempt at authentication will depend on the probability that a person attempting

to authenticate is a genuine user, or is an impostor, independent of the score

achieved. In neighborhoods where the probability that a person trying to enter

a house is a burglar is large, people are much more likely to put bars on their

windows. Equation (2.11) suggests that we should take a similar attitude with

a biometric authentication system. If all else is constant, a system with frequent

impostor attempts will have to require a lower likelihood ratio for authentication

than would a similar system with few impostor attempts.
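Both decision rules of this section can be run on binned score histograms. The Python sketch below is an added example, not code from the thesis; the histograms, loss values and prior probabilities are constructed, with the impostor distribution deliberately non-monotonic so that likelihood-ratio regions and a plain threshold give different results.

```python
"""Decision rules of section 2.3 over binned scores (constructed histograms)."""
import math

# Constructed attempt counts per score bin (bin 0 = poorest match).
GENUINE = [20, 30, 100, 250, 350, 250]   # estimates p(x | w1)
IMPOSTOR = [400, 300, 190, 40, 10, 60]   # estimates p(x | w2); not monotonic


def likelihood_ratios(genuine=GENUINE, impostor=IMPOSTOR):
    """Equation (2.7) per bin: R = p(x | w2) / p(x | w1)."""
    g_total, i_total = sum(genuine), sum(impostor)
    return [math.inf if g == 0 else (i / i_total) / (g / g_total)
            for g, i in zip(genuine, impostor)]


def error_rates(accept, genuine=GENUINE, impostor=IMPOSTOR):
    """(FAR, FRR) when exactly the bins listed in `accept` are accepted."""
    far = sum(impostor[b] for b in accept) / sum(impostor)
    frr = sum(g for b, g in enumerate(genuine) if b not in accept) / sum(genuine)
    return far, frr


def neyman_pearson_regions(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept bins in order of increasing R until the next bin would push
    the FAR over max_far."""
    ratios = likelihood_ratios(genuine, impostor)
    accept, accepted_impostors = [], 0
    for b in sorted(range(len(ratios)), key=ratios.__getitem__):
        if (accepted_impostors + impostor[b]) / sum(impostor) > max_far:
            break
        accept.append(b)
        accepted_impostors += impostor[b]
    return sorted(accept)


def single_threshold_region(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Plain threshold: the lowest bin t such that accepting every bin >= t
    keeps the FAR within max_far (t past the last bin accepts nothing)."""
    for t in range(len(impostor) + 1):
        accept = list(range(t, len(impostor)))
        if error_rates(accept, genuine, impostor)[0] <= max_far:
            return accept


def bayes_accept(loss_false_reject, loss_false_accept, p_impostor,
                 genuine=GENUINE, impostor=IMPOSTOR):
    """Equation (2.11): accept a bin when
    R < L(w2,w1) P(w1) / (L(w1,w2) P(w2))."""
    bound = (loss_false_reject * (1 - p_impostor)) / (loss_false_accept * p_impostor)
    ratios = likelihood_ratios(genuine, impostor)
    return [b for b, r in enumerate(ratios) if r < bound]


if __name__ == "__main__":
    limit = 0.065  # constructed FAR limit
    for name, region in (("likelihood-ratio regions", neyman_pearson_regions(limit)),
                         ("single threshold", single_threshold_region(limit))):
        print(name, region, "FAR, FRR =", error_rates(region))
    # Same losses, rare versus frequent impostor attempts.
    print("P(w2)=0.01:", bayes_accept(1, 10, 0.01))
    print("P(w2)=0.30:", bayes_accept(1, 10, 0.30))
```

At the same FAR limit the likelihood-ratio regions reject fewer genuine users than the threshold, and raising the impostor prior from 0.01 to 0.30 shrinks the Bayes accept region, as equation (2.11) predicts.
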

2.4 Types of Biometric Authentication Systems

In order for a characteristic to be useful for biometric identification, it should

be unique to each individual and constant throughout the individual's lifetime. If it









is not unique, there will be some error, but the characteristic may still be useful if

the error is small enough or if the characteristic is used in combination with other

characteristics. If it is not constant, error will again result. Gradual changes in the

characteristic might require periodic re-enrollment. The characteristic should also

be measurable by some technique that is inexpensive in terms of equipment and

software cost, administrator time, and user time, and not objectionable to the user.

In this section the degree to which fingerprint, iris, voice, face, hand, and

signature scans meet these criteria will be discussed. A recent legal challenge to

fingerprint evidence in courts will also be reviewed.

2.4.1 Fingerprint

Fingerprints have a long history of scientific investigation and forensic use.

Biometric systems using this feature seem to be both the most numerous and most

highly developed.

Fingerprints have three levels of detail, all of which are useful for identification

or authentication. Level one, the overall pattern, includes whorl patterns, loop

patterns, and arch patterns. It is not sufficient to indicate a match, but can

indicate a non-match. Level two includes ridge endings, bifurcations, dots, and

combinations of these features. Level three includes details of ridges, such as pores,

breaks, width, shape, and scars [22]. The permanence and individuality of these

features have made fingerprints a useful means of identification in many contexts,

including biometrics.

Formation, Permanence, and Uniqueness of Fingerprints

The mechanism of formation of fingerprints is of interest because it provides

reason for the permanence and uniqueness of the fingerprint pattern. In a case in

which the admissibility of fingerprint evidence was challenged, William Babler, an

anatomy professor, embryologist, and former president of the American Dermatoglyphics

Association,¹ testified on the mechanism of formation of friction ridges,

the ridges that make up fingerprints and palmprints, and also exist on toes and

the soles of feet [42]. This testimony was used by the judge in United States v.

Plaza in deciding on the admissibility of fingerprints in that case. Babler states

that "Primary friction ridges, which develop 'deep to the surface of the skin'"

begin to form in the ninth or tenth week of a fetus. "At about fourteen weeks,

sweat glands or sweat ducts begin to form, 'start[ing] out as proliferations from the

primary ridge. They grow down into the dermis and they ultimately mature into a

duct and into a gland.'" Some time from the fifteenth to the seventeenth week the

primary ridges have all formed, and the secondary ridges begin to appear on the

skin surface at about the seventeenth week. Babler stated that

this interface between the epidermis and the dermis really provides a
template of the configuration of the friction ridges on the surface. And
this template tends to be permanent. It does not change. Unless it gets
injured, and it would take a deep injury. It would take an injury that
would pierce through that interface such as a deep knife wound, or a
deep burn to actually distort the template at the epidermal, dermal
interface ([42], pp. 1-2).

¹ This association consists of physical anthropologists, geneticists, and biologists
who study the patterns of friction ridges on the hands and feet of humans
and other primates "looking at the relationships of these configurations for
determining predictability for, say, a medical condition or a variety of other related
situations" [42]. It is interesting to note that Francis Galton expected to find
similarities in fingerprints within various ethnic and racial groups, and distinctions
between the groups, but concluded "As a first and only an approximately correct
description, the English, Welsh, Jews, Negroes, and Basques, may all be spoken of
as identical in the character of their finger prints; the same familiar patterns
appearing in all of them with much the same degrees of frequency, the differences
between groups of different races being not larger than those that occasionally occur
between groups of the same race. The Jews have, however, a decidedly larger
proportion of Whorled patterns than other races, and I should have been tempted to
make an assertion about a peculiarity in the Negroes, had not one of their groups
differed greatly from the rest." He later states that "[t]he only differences so far
observed are statistical, and cannot be determined except through patience and
caution, and by discussing large groups" [17]. Whatever similarities there may be
in fingerprint patterns within groups are only statistical similarities, and should not
interfere with the use of fingerprints for identification.

The uniqueness of fingerprints is also rooted in their fetal development. Babler

stated that factors that could affect the arrangement of ridges include ;, i, 1i, -

environmental factors, chemicals, disease, and perhaps the shape of" the end of the

finger. Babler stated:

[T]here are many different factors, many, many different factors that
influenced the development of the friction ridge and ultimately the
development of its secondary characteristics, the minutiae, the actual
shape of the ridge itself. All these are so numerous and so individual
that they-that I cannot conclude anything but that each and every
friction ridge and their arrangements are individual and specific ([42], p.
2).

Babler provides reasons based in fetal development for the permanence and

uniqueness of fingerprints. Observations and experiments confirming that perma-

nence and uniqueness were carried out by Henry Faulds, a 19th century Scottish

medical missionary in Japan. Faulds first became interested in fingerprints when

he noticed patterns of parallel lines in ancient pottery fragments. When preparing

to lecture medical students on use of the sense of touch, he had become aware of

the pattern of ridges on his own fingertips. Faulds suddenly realized that he was

seeing impressions from the ridges of ancient potters on the fragments. When he

examined modern pottery in the market, he found a multitude of fingerprints.

While looking at C'iii tea sets, Faulds noted that "one peculiar pattern of lin-

eations would reappear with great persistency, as if the same artist had left her

sign-mark on her work." and that pottery could be matched to the potter by the

ridge marks [2].

An interest in anthropology led Faulds to begin taking fingerprints of friends,

relatives, and any other people available. He first sketched the ridges, later took

prints in wax, and finally began inking all ten fingertips and taking prints on paper.









He wanted to see if prints differed according to the groups the people came from.

However, he was only able to collect European and Japanese fingerprints. He

wrote to scientists in other parts of the world, but none were interested in his

ideas. Then the medical alcohol began to disappear from a locked cabinet in his

hospital. Faulds found a laboratory beaker that had been used as a drinking glass,

and comparing the fingerprints on it to his cards, found a match to a medical

student [2]. Later, a member of the staff was accused of attempting to burgle the

hospital. Faulds showed the police that the suspect's fingerprints did not match

those left by the burglar, proving the suspect was innocent. At this point Faulds

realized that fingerprints could solve many legal problems related to identification.

He hesitated to publish the idea because of a in, .- I depressing sense of moral

responsibility and danger. What if someone were wrongly identified and made

to suffer innocently through a defective method? It seemed to me that a great

deal had to be done before publicly proposing the adoption of such a scheme." He

realized the necessity of proving that fingerprints were unique and permanent [2].

Faulds and his medical students used a razor to shave off their finger ridges

until no fingerprint pattern remained. Their fingerprint ridges grew back in

identical patterns. They repeated the experiment with pumice, sandpaper, emery

dust, acids, and bases, and in all cases the fingerprints grew back with the exact

same patterns as before the treatments [2].

He also studied children between the ages of 5 and 10, and found that their

fingerprints did not change as they grew. When a scarlet fever epidemic caused

severe peeling of skin, Faulds found that there was again no change in the finger-

prints [2].

In the course of his studies, he had collected thousands of fingerprints, leading

to the conclusion that fingerprints were unique. Faulds was finally satisfied that his

discovery was worthy of publication [2].









Francis Galton found further scientific evidence for the permanence of finger-

prints. Galton made a careful study of fingerprints taken over a period of 28 years,

and found them unchanged except in ways that could be accounted for by wear;

The question arises whether these finger-marks remain unaltered
throughout the life of the same person. In reply to this, I am able to
submit a most interesting piece of evidence, which thus far is unique,
through the kindness of Sir Wm. Herschel. It consists of the imprints
of the two first fingers of his own hand, made in 1860 and in 1888
respectively; that is at periods separated by an interval of twenty-eight
years. I have also two intermediate imprints, made by him in 1874 and
in 1883 respectively. The imprints of 1860 and 1888 have now been
photographed on an enlarged scale, direct upon the engraver's block,
whence Figs. 9 and 11 are cut; these woodcuts may therefore be relied
on as very correct representations ([16], p. 201).

Galton goes on to describe the details of the prints, and to give instruction on

how to compare fingerprints, then concludes,

A careful comparison of Figs. 9 and 11 is a most instructive study
of the effects of age. There is an obvious amount of wearing and
of coarseness in the latter, but the main features in both are the
same ([16], p. 202).

He also cites several other scholarly publications on the topic of fingerprints,

and refers to widespread experimentation, and in describing the difficulty of

producing good impressions of fingerprints for study, comments that "All this is

rather dirty work, but people do not seem to object to it; rivalry and the hope of

making continually better impressions carries them on" [16].

Galton published an example of fingerprints that did not change. It is clear

that a number of people were experimenting in the area. If people studying

fingerprints out of "rivalry" had found an example of a fingerprint changing, they

would certainly have published it.

Level 1 detail of fingerprints tends to be the same for family members, and

especially for identical twins. However, the formation of level 2 and 3 detail is









more controlled by embryonic environment, so these features are unique in every

fingerprint, even between identical twins [41].

Cloned monkeys also have unique fingerprints and palm prints, although all

monkeys have the same level 1 pattern [41].

More recently, Donald Zeisig of Lockheed Martin Information Systems, the

developers of the FBI's computerized fingerprint system, performed a test known as

the "50k x 50k study," comparing 50,000 fingerprints to each other. Unfortunately,

Zeisig's work has not been published [29], but some information on the testing

procedure and results is available from his expert testimony at a hearing relating

to the admissibility of fingerprint evidence in court [51]. Zeisig first describes

the matching process. Two matching algorithms, one developed internally, and a

second from Sagem/Morpho of France, independently compared each print to each

other in the set. The two scores were then fused to determine whether there was

a match. The fusion algorithm makes use of extreme value statistics, which take a

lot of information, and look for some unusual occurrence, which in this application

is a match. For the 50k x 50k study, the first 50,000 left slope loops from white

males were extracted from the database of fingerprint images. Images were limited

to left slope loop patterns and white males in order to increase the likelihood of

finding matching prints. Zeisig also "noted that if the system was able to extract

Level 3 Detail that he expected the calculated probability to be even lower than

determined in the tests" [51].

When full one inch fingerprints were compared, it was concluded that the

probability of finding two identical fingerprints, either on different fingers of the

same person or on different people, was one in $10^{97}$, and when the prints are

cropped, and only the middle 21.7 percent of the prints are compared, the chance

of different prints matching is one in $10^{27}$. The smaller areas were compared

because latent prints from crime scenes are often smaller than one inch. Each









print was compared with all 50,000 prints, including itself. Probabilities were

determined by taking the top 500 scores from each set of 50,000 and normalizing

them to give the best score in each set, which came from a comparison of a

fingerprint image to itself, a score of 1. Then, the means and standard deviations

were determined either with or without the comparison of the image to itself.

Results were reported for the case where the high score from the comparison of the

image with itself is included because inclusion of this score was found to broaden

the curve and produce a higher probability of a false match [51].

The experiment found several matches of prints with different FBI numbers

which turned out to be two rolled prints of the same finger. Unfortunately, it is

difficult to determine the meaning of some parts of the testimony, because it refers

to some items the participants were given, which are not included in records of

the trial. In the experiment on the reduced area, simulated latent prints, another

pair of prints with different FBI numbers was found. To gain more information

on whether or not they were a false match, Zeisig compared all combinations of

prints on the two cards, and found "an extremely high score for all 10 fingers

going in both directions" (the comparison process is not commutative. If print A

is compared to print B, and then B is compared to A, the scores will not be the

same.) One might wonder why the other nine pairs of fingers were not matched in

the original experiment. However, if the other nine fingerprints of the individual in

question were not left slope loops, they would not have been included in the data

set of 50,000 prints. The FBI examined the actual 10-print cards, and confirmed

that they were from the same person [51]. It might be considered circular reasoning

to conclude that the two sets of prints are from the same person on the basis

of close similarity of all ten prints in a study used to test the hypothesis that

all fingerprints are unique. However, given other evidence for the uniqueness

of fingerprints, it seems more reasonable to suppose that the same person was









fingerprinted twice than that two different persons had all ten fingerprints identical.

Recall that even identical twins have different fingerprints [41].

In another case, a match was found between two adjacent fingerprints on

the same 10-print card. Zeisig used a program to plot the minutia that had been

extracted from the two fingerprints in question, and based on an area of one

print that seemed to include minutia from a part of the other, concluded that the

two prints must overlap on the 10-print card. Examination of the 10-print card

confirmed his conclusion.

The defense attorney questioned Zeisig about a normalized score for two prints

of the same finger which was lower than normalized scores of different fingers in

other tests. However, its normalized score was second highest among all 50,000

scores for prints compared to its mate [51]. The highest score would have been

for the first print of the pair compared to itself. If the raw score in this case was

unusually high, which could be due to a large number of minutia in the print, then

the other normalization factor would also be high, so other scores in this set of

50,000 would be lower than in other sets. We might expect the other print of the

finger to also have a high number of minutia, and to achieve a high score, but it

may have been a low quality print. When the same two prints were compared in

the other direction, they matched better. However, it was not determined that they

were two prints of the same finger until the second half of the experiment, when the

central 21.7 percent of each print was compared [51].

Williams criticizes this test on several points in a paper critical of the current

state of biometrics [54].

1. The court record is incomplete: are there 5,000 white males, each
with "10-print cards" or 50,000 different males, each with one "full-
size, 1-inch" rolled print, or somewhere in between?-Were different
fingers involved, etc.? Did each print have a corresponding artificial
partial print...? ([54], p. 100)









It is clear that at least some individuals had more than one left slope loop

fingerprint, and therefore that more than one of their prints was included.

Specifically, for one individual two adjacent fingerprints were found to match

because the prints overlapped on the 10-print card and therefore contained

the same minutia. An individual does not normally have the same class of

fingerprint on all ten fingers, and it would be quite remarkable if the first

50,000 left slope loops from white males in the FBI database were from 5,000

individuals with 10 left slope loop prints each. While not clearly stated, from

the extra experiment described above, in which Zeisig compared all ten prints

from two 10-print cards of two prints that had a high score, we may infer that

the other nine prints were not in the data set, otherwise they would already

have been compared and found to match in the test. Presumably, they were

not left slope loops. Thus we can see that some individuals had multiple

prints in the data set, but the data set did not consist of 10 prints each from

5,000 individuals.

2. There is no hint of peer review, nor control for organizational-
conflict-of-interest (OCOI) in the Lockheed-Martin/AFIS-related
findings ([54], p. 100).

This is a valid criticism. It appears that the test was done after the system

was already in operation. Had it been done as a condition for acceptance

of the system, there would have been some check on conflict of interest, but

at the stage of the trial, good results would be desired by both the FBI and

Lockheed-Martin. Publication of this work would seem to be an opportunity

to lay to rest doubts about the uniqueness of fingerprints in general, and the

capabilities of the system in particular. A worthwhile paper could surely be

prepared without revealing proprietary information on the system.

3. There is no justification given for excluding all but white males,
yet drawing inferences for all humanity, for all time ([54], p. 100).









However, Zeisig testified:

The reason we selected the left slope loops, and I can't say this
from personal knowledge, but the white males, I'll have to rely
on the testimony of other experts in that area, was to increase
the likelihood that we were going to find a match, matching set
of minutia if it was there. In other words, that would be a bias in
favor of the defense case ([51], p. 51).

Zeisig, and apparently others involved in planning the test, know that they

are looking for a rare event, so they make a choice that will increase their

chances of finding it. If this were the only study that had ever been done

on fingerprints, it would indeed be worrisome that only white males were

included. However, recall that anthropological studies of fingerprints go back

to the beginning of fingerprint science, and only statistical differences between

groups have been found [15], [17].

4. There is no justification reported for treating perfect artificial
partial fingerprints as equivalent to latent fingerprints (LFP),
which are normally degraded images of crime-scene fingerprint
images ([54], p. 100).

This point is important for the forensic use of fingerprints, but has no

bearing on the question of uniqueness. It does not relate directly to biometric

authentication; however, the importance of a good quality image is discussed

below.

5. There is no justification given of the automated techniques employed,
including such issues as provenance, technology, J ii ,-
validation, maintenance, and quality assurance-they are all treated
as equivalent to human examiners ([54], p. 100).

There is some truth here. However, the ability of the matching programs

to detect unsuspected duplicate prints, and to detect details of one print

overlapping another, provide some level of proof that they function properly.

In the testimony, Zeisig describes the system in generalities, but states that

details of the algorithms are proprietary [51]. It is probably not reasonable to

expect very much information in some of these areas.

6. These extraordinary numbers demand detailed scientific reconsid-
eration. Even the difference, 70 orders of magnitude, strains the
credulity without extensive review by the scientific community at
large ([54], p. 100).

While the numbers are indeed extraordinary, given the probabilities deter-

mined in the experiment, the difference is about what should be expected.

Two full prints have a probability of $10^{-97}$ of matching [51], and if all

elements of area of the prints were independent, we would expect that the

probability of the middle 21.7% matching would be $(10^{-97})^{21.7/100}$, or $10^{-21.0}$,

more than the observed $10^{-27}$. If areas of the print were independent, the

difference would be 76 orders of magnitude. This indicates that the elements

of area of a single print are not independent, which is not surprising since

fingerprints have patterns. One part should have some degree of relationship

to the others.

Discussion of the Validity of Fingerprints for Forensic Identification

This section will discuss several legal challenges to the admissibility of finger-

prints in trials, and whether these challenges would also apply to the usefulness of

biometric authentication. These challenges are based on two important cases and

one rule adopted by Congress related to admissibility of scientific evidence in court.

First, the "Frye Test" comes from Frye v. United States, from the District of

Columbia circuit court in 1923. The opinion ruling that results from an early type

of lie detector could not be admitted states [1]:

While courts will go a long way in admitting expert testimony deduced
from a well-recognized scientific principle or discovery, the thing from
which the deduction is made must be sufficiently established to have
gained general acceptance in the particular field to which it belongs (footnote 2).

The Frye test has been criticized on several grounds [1]. It is said to be overly

conservative, because it requires waiting until scientific ideas become accepted in

the legal community before they can be of use in court. Second, there is no clear

standard for when or if an idea is accepted in the scientific community. It may be

difficult to know which field to consult on a particular idea to determine if it is

accepted.

In 1975, Congress adopted Federal Rule of Evidence 702:

If scientific, technical, or other specialized knowledge will assist the
trier of fact to understand the evidence or to determine a fact in
issue, a witness qualified as an expert by knowledge, skill, experience,
training, or education, may testify thereto in the form of an opinion or
otherwise ([40], p. 6).

Although this rule does not mention the Frye condition of "general acceptance,"

it was still applied by many courts until the Supreme Court clarified that it

had been superseded by Rule 702 in the second important case, Daubert v. Merrell

Dow Pharmaceuticals, Inc. in June 1993 [40]. Justice Blackmun explained the

meaning of scientific knowledge:

The adjective "scientific" implies a grounding in the methods and
procedures of science. Similarly, the word "knowledge" connotes more
than subjective belief or unsupported speculation. The term applies
to any body of known facts or to any body of ideas inferred from
such facts or accepted as truths on good grounds. Of course, it would
be unreasonable to conclude that the subject of scientific testimony
must be "known" to a certainty; arguably, there are no certainties in
science. But, in order to qualify as "scientific knowledge," an inference
or assertion must be derived by the scientific method ([40], p. 6).

Justice Blackmun also gave four standards for admissibility [1], [54].

1. Whether or not a scientific theory or technique can be and has been tested.


Footnote 2: 293 F. 1014 (D.C. Cir. 1923), quoted in [1].

2. Whether the theory or technique has been subject to peer review and

publication.

3. Whether the technique has a "known or potential rate of error" and stan-

dards controlling the technique's operation exist and have been maintained.

4. The Frye test, whether the technique has general acceptance in the scientific

community.

After Daubert, all courts that considered challenges to fingerprint testimony

came to the conclusion that it should be admitted until United States v. Plaza in

2002, where Judge Pollak decided that fingerprint examiners and the process of

comparing latent prints from crime scenes to prints taken under controlled

conditions met only the fourth of the Daubert factors, "general acceptance within the

American fingerprint examiner community" [40]. It was found to lack requirements

of testing, peer review, and standards, and "the rate of error is in limbo." There-

fore, the parties would be allowed to introduce fingerprints, explain how they were

obtained, and point out similarities and differences. But they would not be able to

present expert testimony on whether or not prints matched.

However, Judge Pollak took judicial notice of the permanence and uniqueness

of fingerprints. He stated that

A judicially noticed fact must be one not subject to reasonable dis-
pute in that it is either (1) generally known within the territorial
jurisdiction of the trial court or (2) capable of accurate and ready
determination by resort to sources whose accuracy cannot be reasonably
questioned ([40], p. 5).

Ziesig's testimony on the 50k x 50k study described above provided grounds

for judicial notice of uniqueness, and Babler's testimony on the prenatal develop-

ment of fingerprints, also described above, provided grounds for judicial notice of

permanence. Thus the important points for biometric authentication, the perma-

nence and uniqueness of fingerprints, were not questioned by the court. Methods

of acquiring and matching latent prints are irrelevant to biometric authentication.

However, it will be necessary to consider whether fingerprint scanning devices

record sufficient detail for reliable authentication.

Pollak reconsidered his decision not to allow expert testimony on matching

of fingerprints because the first decision was based only on the transcripts of

testimony given in a similar case, and the judge had not heard any live witnesses.

Following testimony by American and British experts, Pollak decided that forensic

use of fingerprints met the standards of Daubert [41].

Hardware

Three types of fingerprint scanners are in use to capture images of fingers. The

resolution of the captured images is from 250-625 dots per inch, with 500 dots per

inch commonly used [37]. Higher resolution allows the capture of finer details, and

a system that authenticates based on pores, which are smaller than ridges, has a

resolution of 800 dots per inch [46].

The area of the fingerprint captured ranges from 0.5 to 1.25 inch square, with

1 inch being a common size [37]. Larger area will ensure the inclusion of more

details in the captured print. However, an area of 5 mm², which would contain more

than 20 pores, is said to be sufficient for authentication with pores, and 10 mm²

would contain about 12 minutia, and would be sufficient for authentication [46].

However, if a scanner only captured 5 mm² fingerprint images, the same 5 mm²

would have to be captured in enrollment and matching. This would probably result

in a very high FRR.

Each pixel is usually encoded with 8 bits, giving an intensity range of 0-

255 [37]. Design of a fingerprint capture device is a compromise between size,

resolution, and cost. The goal must be to capture a maximum of detail with a

minimum of size and cost.

Optical fingerprint scanners produce an image by illuminating a finger placed

on a glass surface with laser light. Light is reflected by ridges, but not by valleys

of the finger. The reflected light is captured by a Charge Coupled Device (CCD)

array. Optical scanners may be advantageous if a large image area is desired,

because larger area sensors are cheaper than solid state sensors of the same size [37].

Solid state fingerprint scanners usually produce an image via a capacitance

measurement. The scanner consists of an array of conductive plates covered

by a dielectric layer. The finger is placed on the dielectric layer, and forms the

other plate of the capacitors. The capacitance, and therefore the voltage, on the

plates depends on distance, so it is different for ridges and valleys. Pressure-sensitive

sensors, made of piezoelectric material, have also been proposed [37]. Solid

state scanners could be equipped with automatic gain control to get a high contrast image,

automatically compensating for factors such as variations in dryness and pressure

of the finger [37].

Ultrasonic scanners use sound waves reflected from the finger to form an image.

They are said to be less affected by dirt and skin oil on the finger [37].

Internal Algorithms for Matching

A wide variety of algorithms have been used for matching of fingerprints.

Fingerprint matching algorithms most commonly work with minutia, but some

work with pores, and others perform global pattern n i', 1i' i.-. or pattern matching,

comparing the flow of ridges at all points in the prints [37].

After a general description of processing in a typical minutia-based fingerprint

authentication system following O'Gorman [37], several specific algorithms are

briefly discussed.

Fingerprint images tend to be noisy because fingers may be "dirty, cut,

scarred, creased, dry, wet, worn, etc." Therefore, in most cases, image enhancement

is necessary before features can be extracted. The first step is usually a locally

adaptive matched filter, which takes advantage of the fact that fingerprints are made

up of parallel ridges. It enhances ridges oriented in the direction of the ridges in

the locality, and decreases anything with a different orientation from the local ridge

direction. The next step is to convert the gray-scale image to a binary image. This

is done by locally adaptive thresholding. A threshold is chosen locally to get a binary

image of ridges, features. Next, ridges are thinned, reducing the width of ridges to

a single pixel. This aids in finding minutia. All of these steps require significant

amounts of computation. Therefore, instead of thresholding and thinning, some

systems trace the ridges and find minutia in the gray-scale image.

Next the features, which in this case are endings and bifurcations of ridges,

must be extracted. If the ridges have been thinned, an ending is the end of a thin

line, and a bifurcation is the junction of three lines. Branches with short spurs

are likely to be artifacts of the thinning process, so they are eliminated. Other

minutia that are likely to be artifacts of image processing are also eliminated. The

resulting template has a list of minutia, with type, location, and orientation. Although

the type of minutia is usually included in the template, it is often not used in

matching because errors in determining type of minutia are common [37]. A change

in pressure can convert one type of minutia to the other [24]. Usually 10 to 100

minutia are found in a fingerprint.

Once the features have been extracted and a template has been produced,

it must be compared to the enrollment template. One method of comparing

templates is to compare all neighborhoods in one print to all neighborhoods in

the other, where a neighborhood is a small area of a print containing about 3

minutia. The match score is based on the number of neighborhoods that match.

Neighborhoods in two prints of the same finger are expected to be similar, not

identical, because of noisy images and elasticity of the skin, which can change

distances and angles between minutia. The match score is compared to a threshold

to determine whether to accept or reject.

Alternatively, some algorithms find a core, which is the center of the fingerprint

pattern, and a delta, where three different patterns come together, to orient

the print, and then only compare corresponding neighborhoods. However, not all

prints have a core and a delta [37].

A pore-based algorithm is very similar to the minutia-based algorithm de-

scribed above. The image is processed in a similar way, and then pore locations

and sizes are extracted from the image. A nearby minutia is used as a reference

point for matching the pores of one image to those of another because distances

can change due to plasticity of fingers. This change can cause important errors

over longer distances, but is not significant for nearby features. A match score is

determined from the proportion of the pores in the two images that match a pore

in the other image [46].

In global pattern matching the template image and the authentication image

are compared to see if their ridges match. Prints may be aligned by translation

and rotation first, if core and delta points are found. In order to determine how well

the images match, corresponding pixels are multiplied, and the results summed.

If the two images match, the sum will be higher than if they do not. Minutia

matching is generally considered to be more accurate. Pattern matching may be

faster, especially on vector processors, or if hardware for fast Fourier transforms is

available [37].

It is possible to combine several algorithms in a biometric authentication

system. Prabhakar and Jain [43] used four minutia-based algorithms and one based

on texture to process fingerprint images, and combined the results to classify the

fingerprint as a match or non-match. The first algorithm was Hough transform-

based matching. The prints were subjected to translation and rotation, then the

number of matched pairs of minutia were counted. A set of allowed translations are

carried out, and the score is computed based on the number of matched pairs in

each transformation. The highest score from all the translations is taken to be the

correct score.

In the second algorithm, string distance-based matching, an anchor point is

selected in each pattern. The minutia are converted to polar coordinates with

respect to the anchor point, and concatenated into a string ordered by their radial

angle. Then the two strings are compared and their edit distance is computed.

The edit distance is converted to a match score. The anchor points are found by

determining the rotation and translation that gives the most matched pairs of

minutia within a bounded box. The minutia of one matching pair are used as the

anchor points.

The final minutia-based method was a dynamic programming-based matching

algorithm. In this algorithm, rotation and translation are found as in the string

distance-based algorithm above, the minutia are aligned by this rotation and

translation, and dynamic programming is used to find the maximum number of

matching minutia pairs. "The intuitive interpretation of this step is to warp one

set of minutia to align with the other so that the number of matched minutia is

maximized." The match score is computed from the number of matched pairs, with

a penalty for unmatched pairs within the overlapping regions of the prints.

The fourth algorithm uses the texture of the ridges to classify the images.

First, the center is located by finding the point of maximum curvature of the ridges

in the print. If no center can be found, the image is rejected by this algorithm.

Next, a circular region, centered at the center point found in the first step, is

divided into sectors by radial lines and concentric circles. The grey values in each sector

are normalized. Next, the circular region is filtered in eight directions with Gabor

filters, which produce a grey value in each sector depending on the direction of

the ridges in that sector. A feature vector, known as the "FingerCode," lists the

average grey value of each sector with each filter. The Euclidean distance between

the enrollment template vector and the match template vector is computed. The

inverse of this distance is the match score.

The best of the individual algorithms, the dynamic and the filter algorithms,

had EERs of 3.5%. When these two algorithms were combined with the string

algorithm, an EER of 1. !'. was achieved. Performance with all four algorithms was

not quite as good. This is not unusual in classification problems when the amount

of data is finite [43].
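
The align-then-count idea behind the minutia matchers described above, as an added example that is not code from the thesis or from Prabhakar and Jain. It goes beyond the translations mentioned for the Hough transform-based matcher by also trying rotations, and it takes each candidate alignment directly from one enrolled/probe minutia pair instead of using a Hough accumulator; the tolerances, the threshold, the score normalisation and the minutia sets are all assumptions constructed for the illustration.

```python
import math
import random

DIST_TOL = 8.0                    # assumed position tolerance, in pixels
ANGLE_TOL = math.radians(15)      # assumed orientation tolerance
THRESHOLD = 0.5                   # assumed accept threshold on the match score

def angle_diff(a, b):
    """Smallest absolute difference between two angles, in radians."""
    d = (a - b) % (2 * math.pi)
    return min(d, 2 * math.pi - d)

def transform(minutia, rot, dx, dy):
    """Rotate a minutia (x, y, theta) about the origin, then translate it."""
    x, y, t = minutia
    c, s = math.cos(rot), math.sin(rot)
    return (c * x - s * y + dx, s * x + c * y + dy, (t + rot) % (2 * math.pi))

def count_matches(enrolled, probe):
    """Greedy one-to-one pairing of minutia that agree within the tolerances."""
    used, matched = set(), 0
    for px, py, pt in probe:
        best = None
        for i, (ex, ey, et) in enumerate(enrolled):
            if i in used or angle_diff(et, pt) > ANGLE_TOL:
                continue
            d = math.hypot(ex - px, ey - py)
            if d <= DIST_TOL and (best is None or d < best[0]):
                best = (d, i)
        if best is not None:
            used.add(best[1])
            matched += 1
    return matched

def match_score(enrolled, probe):
    """Try the alignment implied by every enrolled/probe minutia pair and keep
    the highest count, normalised by the size of the larger template."""
    best = 0
    for ex, ey, et in enrolled:
        for p in probe:
            rot = et - p[2]                      # rotation that aligns orientations
            rx, ry, _ = transform(p, rot, 0.0, 0.0)
            aligned = [transform(q, rot, ex - rx, ey - ry) for q in probe]
            best = max(best, count_matches(enrolled, aligned))
    return best / max(len(enrolled), len(probe))

def verify(enrolled, probe):
    """Accept only if the best alignment reaches the threshold."""
    return match_score(enrolled, probe) >= THRESHOLD

def constructed_templates(seed=7):
    """Constructed data: an enrolled template, a genuine probe, an impostor."""
    rng = random.Random(seed)

    def rand_minutia():
        return (rng.uniform(0, 300), rng.uniform(0, 300),
                rng.uniform(0, 2 * math.pi))

    enrolled = [rand_minutia() for _ in range(12)]
    # Same finger rotated 10 degrees and shifted, with up to 1 pixel of jitter,
    # two minutia missed and one spurious minutia added.
    genuine = [transform((x + rng.uniform(-1, 1), y + rng.uniform(-1, 1), t),
                         math.radians(10), 25.0, -14.0)
               for x, y, t in enrolled[:10]] + [rand_minutia()]
    impostor = [rand_minutia() for _ in range(12)]
    return enrolled, genuine, impostor

if __name__ == "__main__":
    enrolled, genuine, impostor = constructed_templates()
    print("genuine score ", round(match_score(enrolled, genuine), 2))
    print("impostor score", round(match_score(enrolled, impostor), 2))
```

Every candidate alignment matches at least its own pivot pair, so an impostor never scores zero; widening the tolerances or lowering the threshold trades false rejections for false acceptances.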

Strengths and Weaknesses of Fingerprint Scan

Advantages of fingerprint scan for authentication include the uniqueness and

constancy of the fingerprint pattern for an individual, and the relative ease of use

of fingerprint scanners. It is also mature and commonly used [35].

Disadvantages include the inability to obtain a good fingerprint image of

some individuals. People whose work abrades or chemically attacks their skin, and

elderly people, may not be able to authenticate on such a system.

But the technology has glitches. Digital fingerprint readers can draw
a blank on some people, such as hairdressers who work with harsh
chemicals, and the elderly, whose prints may be worn. Recent tests by
the independent research and consulting firm International Biometric
Group showed that some systems are unable to collect a finger scan
from up to 12 percent of users ([18], pp 60-61).

A second problem is that fingerprint authentication systems can often be

spoofed with copies of a genuine user's fingerprints. Thalheim et al. [49] were able

to authenticate on any of several solid state capacitive fingerprint scanners by

breathing on the latent print left by an authorized user. They then repeated au-

thentication by holding a thin-walled plastic bag of water on the sensor. Next, they

dusted a latent print on the sensor with graphite powder, pressed an adhesive film

on the surface, and applied a slight pressure. This allowed them to authenticate.

The mouse with one of these fingerprint sensors was supposed to have software that

would determine whether a fingerprint image had the same position and angle as

the last fingerprint, and if so reject it as a possible reactivated latent print.

Thalheim et al. [49] next used a fingerprinting kit to dust prints on surfaces

other than the fingerprint scanner, then lifted them with adhesive tape and pressed

them onto the scanner. They were again able to authenticate.

With an optical fingerprint scanner, latent prints could not be reactivated,

so Thalheim et al. made a wax impression of an authorized user's fingerprint,

and filled it with silicone. With this artificial finger they were able to authenticate [49].

They were also able to authenticate with a latent fingerprint dusted with

graphite powder and lifted on adhesive film, but on the optical scanner they had to

illuminate it from behind with a halogen lamp [49].

Thalheim et al. [49] were also able to spoof a thermal fingerprint sensor with

the silicone finger, but not by reactivating latent prints or by picking up dusted

latent prints from other surfaces on adhesive film.

Matsumoto successfully spoofed 11 different fingerprint scanners, including

both optical and capacitive types, using gelatin copies of fingerprints [47]. Molds

for the gelatin were made both with a plastic material and by a photographic

process. In the photographic process, latent prints on glass were enhanced with

cyanoacrylate adhesive and photographed with a digital camera. The contrast of

the photos was enhanced with Photoshop and the fingerprints were printed on

transparent sheets. Then the sheets were used as negatives for photo-sensitive

printed circuit boards. When the printed circuit boards were etched, a three-

dimensional fingerprint was produced. Then gelatin was molded on the etched

printed circuit board. With both types of fingerprint, a FAR of S 11', was achieved.

If an impostor covers their finger with a thin layer of gelatin containing the fingerprint

copy, they would appear to be using their own fingerprint to authenticate,

and could authenticate even under supervision.

To prevent spoofing, some sensors detect skin temperature, capacitance, or

resistance [37]. Some of the sensors spoofed by Matsumoto incorporated such

liveness tests. To defeat sensors that measure skin resistance, the gelatin should be

moistened. Finding the correct amount of moistening required practice [47].

2.4.2 Iris Scan

Iris scan is seen as a highly reliable biometric, and is currently in use for

automatic teller machines, portal control, and computer login. It is used in nuclear

power stations, prisons, and other government applications.

Permanence and Uniqueness of Iris Features

Wildes describes the iris as [53] "a thin diaphragm stretching across the

anterior portion of the eye and supported by the lens..."

The iris consists of several layers. From posterior, on the inside of the eyeball,

to anterior, near the front surface of the eye, the layers are:

1. Heavily pigmented epithelial cells that make the iris opaque.

2. Muscles that control the pupil.

3. The stromal layer, a layer of connective tissue, which contains a radial

pattern of corkscrew-like blood vessels.

4. Finally, the anterior border layer, in addition to connective tissue, is packed

with chromatophores, pigment cells. It is divided into two concentric regions.

The inner region is called the pupillary zone, and the outer region is the

ciliary zone. The ciliary zone has interlacing ridges due to support from the

stromal layer, and contractile lines that vary as the pupil opens or closes.

There are also striations due to the radial blood vessels, and various types

of small irregularities in the iris. Eye color is also due to this layer. If it has

little pigment, light passes through it, is reflected by the posterior surface of

the iris, and scattered by the stroma, producing blue color. If there is more

pigment, light is absorbed here, producing a dark eye color.

The high information content of iris patterns can be seen from the large

variability of a 256-byte IrisCode, which encodes the iris pattern of an individual,

between different people [8]. The probability that any particular bit of an IrisCode

from an unspecified population is set is close to 0.5. In a British Telecom exper-

iment, where each image was encoded with 2048 bits, there were 266 degrees of

freedom, because there is much correlation, especially radially, in an iris pattern.

Between any pair of iris patterns in the study, there would be a 1 in $10^{16}$ chance

that they differ in only 25% of their bits or less. A statistical comparison of the

patterns of right and left eye pairs of 324 people showed 259 degrees of freedom,

not much less than the 266 degrees of freedom for eyes from different people [8].

An individual's right and left eyes are genetically identical, so this is taken as proof

that there is much variation in iris structure due to random, non-genetic factors,

and therefore even the eyes of identical twins would not be very similar.

The decidability index, a measure of the distinctness of the distributions

of scores for genuine users and impostors, with means $\mu_1$ and $\mu_2$, and standard

deviations $\sigma_1$ and $\sigma_2$, is



d' = (2.12)


For iris scan, d' = 11.36. Based on these measurements, the EER for iris is 1 in 1.2

million [8].

While the color of the iris may change during the first year of life, "the

available clinical evidence indicates that the... pattern itself is stable throughout

the lifespan" [8]. The blood vessels are developed at birth, the muscles mature

at about two years, and the average pupil size continues to increase slightly until

adolescence [53]. With advanced age there is slight reduction of the average pupil

opening, and slight depigmentation [53].

In photographs kept by an ophthalmologist over the course of 25 years, there

were no noticeable changes in iris patterns, but there were some changes in color.

The investigators were not able to determine whether the color differences were

real, or were artifacts of the photographic process and the aging of the color dyes in

the prints [8]. However, at least when infrared illumination is used, the iris pattern

is not expected to be affected.

The iris is protected by being inside the eye, behind the cornea. The only

common environmental factor that affects it is light, which causes dilation and

contraction of the pupil. Thus iris matching algorithms must somehow deal with

this variation. It might even be turned to advantage. Pupillary motion occurs

even when illumination does not change, and could be used as a "liveness test" [8].

However, ii,, i,.- exposure to certain environmental contaminants (e.g., metals)

can alter the appearance of the iris" [53].

Although the iris of a dark-eyed person may appear in visible light to have

little detail, with infrared illumination, even dark-eyed individuals have a great deal

of detail in their iris [8].

Hardware

Formerly, iris scan systems used a visible light source to illuminate the iris,

and a visible light camera to obtain an image. One type of system used a point

light source, resulting in a simple design, but reflections would degrade the quality

of the image. A more complex design used a diffuse circular light source around

the camera, and polarizers to eliminate the reflection. At the expense of the more

complex illumination, a higher quality image could be obtained [53].

A current design uses an infrared point light source to illuminate the eye, and

a digital camera to capture an image [8]. Because placement of the iris relative to

the camera is critical, all systems provide some type of feedback, light, or reticle

that the user should bring into view in order to be authenticated.

Internal Algorithms for Matching

In iris matching, it is first necessary to locate precisely the boundaries of the

iris with integro-differential operators. The algorithm determines if the eyelids

overlap the iris, and if so excludes them. Next, "a doubly-dimensionless coordinate

system is defined which maps the tissue in a manner that is invariant to changes

in pupillary constriction and overall iris image size, and" therefore not dependent

on camera distance. "The coordinate system compensates automatically for the

stretching of the iris tissue as the pupil dilates." The iris pattern is then "encoded

into a 256-byte 'IrisCode' by demodulating it with 2D Gabor wavelets, which

represent the texture by phasors in the complex plane." Then, if the bits in the

two patterns are not statistically independent, there is a match [8].

The iris code is not independent of rotation, so in case the camera or user's

head is at a different angle than in enrollment, the matching must be repeated over

a range of angles. The best match is used [8].

When a user attempts to authenticate, "typically about 10% of the bits in an

IrisCode disagree when the enrolled and presenting patterns are compared, due to

factors such as inadequate imaging resolution, poor focus, motion blur, occlusion by

eyelashes, artifacts from contact lenses, corneal reflections, scattering from dust or

scratches on eyeglasses, CCD camera noise, etc" [8].
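
The comparison step described above, together with the uniqueness figures quoted earlier, as an added example that is not code from the thesis or from the cited iris system. It assumes the 2048 bits are laid out as 8 rings by 256 angular positions so that head tilt becomes a cyclic shift, models unrelated codes as 266 independent fair coin tosses (the degrees of freedom quoted in the text), and uses constructed random codes in place of real IrisCodes; the 0.25 threshold and the 10% noise level are the figures from the text.

```python
import math
import random

RINGS, ANGLES = 8, 256     # assumed layout of the 2048-bit code
DOF = 266                  # degrees of freedom quoted in the text

def random_code(rng):
    """Constructed stand-in for an IrisCode: each bit set with probability 0.5."""
    return [[rng.getrandbits(1) for _ in range(ANGLES)] for _ in range(RINGS)]

def rotate(code, steps):
    """Model head or camera tilt as a cyclic shift along the angular axis."""
    k = steps % ANGLES
    return [row[ANGLES - k:] + row[:ANGLES - k] for row in code]

def add_noise(code, fraction, rng):
    """Flip the given fraction of bits, as imaging noise would."""
    total = RINGS * ANGLES
    flips = set(rng.sample(range(total), round(fraction * total)))
    return [[bit ^ ((r * ANGLES + c) in flips) for c, bit in enumerate(row)]
            for r, row in enumerate(code)]

def hamming_fraction(a, b):
    """Fraction of bit positions in which two codes disagree."""
    diff = sum(x != y for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    return diff / (RINGS * ANGLES)

def best_match(enrolled, presented, max_shift=8):
    """Repeat the comparison over a range of angles; return (lowest HD, shift)."""
    return min((hamming_fraction(enrolled, rotate(presented, s)), s)
               for s in range(-max_shift, max_shift + 1))

def verify(enrolled, presented, threshold=0.25):
    """Accept when the codes disagree too little to be statistically independent."""
    hd, _ = best_match(enrolled, presented)
    return hd <= threshold

def false_match_probability(threshold, dof=DOF):
    """P(fraction of disagreeing trials <= threshold) for two unrelated irises,
    under the assumed binomial model with `dof` trials at p = 0.5."""
    k_max = math.floor(threshold * dof)
    return sum(math.comb(dof, k) for k in range(k_max + 1)) / 2 ** dof

def constructed_samples(seed=2003):
    """Constructed data: enrolled code, noisy tilted genuine code, impostor code."""
    rng = random.Random(seed)
    enrolled = random_code(rng)
    genuine = rotate(add_noise(enrolled, 0.10, rng), 3)   # 10% bit errors, tilted
    impostor = random_code(rng)
    return enrolled, genuine, impostor

if __name__ == "__main__":
    enrolled, genuine, impostor = constructed_samples()
    print("genuine  (HD, shift):", best_match(enrolled, genuine))
    print("impostor (HD, shift):", best_match(enrolled, impostor))
    print("false match probability at HD <= 0.25:", false_match_probability(0.25))
```

Under this model the tail at 25% disagreement comes out at a few times $10^{-17}$, the same order as the 1 in $10^{16}$ figure quoted above. Each extra angle tried in `best_match` is one more chance for an unrelated iris to fall under the threshold, so the search range should be no wider than the expected tilt.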

Advantages and Disadvantages

An advantage of iris scan is that the iris features do not change over the course

of a person's life [35].

However, "training and attentiveness" are needed for good image acquisition,

and perhaps for this reason the systems have a "propensity for false rejection" [35].

Spoofing of an iris scan system is relatively difficult, but still possible. Thal-

heim et al. [49] were not able to authenticate with an iris image on a notebook

computer display or printed on paper. They noticed that in the iris images displayed

on the computer screen during normal authentication, the pupil showed a bright

spot. They therefore cut out the pupil in the paper image of the eye and put it

over the impostor's eye. The system then granted access. They were also able

to enroll with an eye image. Then the person whose eye photograph had been

enrolled was able to authenticate. In favor of the iris scan system, Thalheim et al.

state that "under real life conditions it would not be easy to obtain iris images of

authorized persons."

2.4.3 Retina Scan

Retina scan is used to protect assets such as nuclear weapons and research

and communications and control facilities. According to Hill, developer of retina

scan, "the installed base is a testament to the confidence in its accuracy and

invulnerability. Its small user base and lack of penetration into high-volume price-

sensitive applications is indicative of its historically high price and its unfriendly

perception" [19].

Retinal Technologies states that "No systems are currently available on the

market," but they have an improved system that fits in the palm of the hand and is

convenient to use in the prototype stage [45].

Formation, Permanence, and Uniqueness of Retina Features

The uniqueness of retinal vein patterns was first noticed in 1935 by two

ophthalmologists, Simon and Goldstein, who then published a paper on the

identification of people based on blood vessel patterns in retinal photographs [19].

A study of identical twins showed that retinal vessel patterns showed the least

similarity of any characteristic compared [19].

The retina is located on the back interior surface of the eyeball, so it is not

exposed to environmental effects. Identification is often by infrared illumination.

The retina is transparent to infrared, so in this case identification is actually done

by the veins of the choroid, just behind the retina [19].

Hardware

The first working prototype of an automatic retina scan system was built in

1981. Production began in 1985. The systems developed by Hill used a special

type of camera that did a circular scan of the retina. Early models used visible

light, but more recent systems used infrared illumination. The eye had to be placed

about 3/4 of an inch from the scanner [19].

The Retinal Technologies prototype uses a patented aspheric lens array that

is capable of capturing a retinal image at distances as great as a meter from the

user's eye. Drawn from ophthalmic imaging science, this technology is completely

safe and unobtrusive. Glasses, contact lenses and existing medical conditions,

such as cataracts, do not interfere with the scanning of the retina using this

technology [45].

Internal Algorithms for Matching

The camera first does a circular scan of the retina, "which produces a circular

image consisting of 256 12 bit samples." Two different methods of processing were

used by Hill at different times. The earlier method converted this image into a 40

byte reference signature in the frequency domain for each eye. The signature is

a normalized contrast waveform over the whole circle. Later, an additional 32 bytes

per eye of time-domain information was added to speed up matching. Another

system stores a 48-byte template consisting of 96 equally-spaced 4-bit contrast

measurements in the time domain. Although it uses more storage, less computation

is required, as the frequency domain versions require a fast Fourier transform to be

performed [19].

In case the head is at a different angle relative to the camera in authentication

from the angle in enrollment, the acquired waveform is shifted a small angle

relative to the enrollment waveform and compared several times to find the best

match. The two templates are normalized to the same RMS value, and then a

"Fourier-based correlation" is used to generate a match score [19].
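
The shift-and-correlate matching described above can be sketched as follows. This is an added example, not Hill's code or any vendor's: the ring length of 96 four-bit samples follows the time-domain template mentioned above, while the function names, the shift range, the acceptance threshold and the sample rings are assumptions constructed for illustration.

```python
import cmath
import math

def rms_normalize(ring):
    """Subtract the mean and scale to unit RMS so only the contrast shape is compared."""
    mean = sum(ring) / len(ring)
    centered = [v - mean for v in ring]
    rms = math.sqrt(sum(v * v for v in centered) / len(centered))
    if rms == 0:
        raise ValueError("flat ring: no contrast information")
    return [v / rms for v in centered]

def dft(x, inverse=False):
    """Plain O(n^2) discrete Fourier transform; adequate for a 96-sample ring."""
    n = len(x)
    sign = 1 if inverse else -1
    out = []
    for k in range(n):
        acc = sum(x[t] * cmath.exp(sign * 2j * math.pi * k * t / n) for t in range(n))
        out.append(acc / n if inverse else acc)
    return out

def circular_correlation(enrolled, probe):
    """corr[s] = mean over t of enrolled[t] * probe[(t + s) % n], via the correlation theorem."""
    spectrum = [e.conjugate() * p for e, p in zip(dft(enrolled), dft(probe))]
    return [c.real / len(enrolled) for c in dft(spectrum, inverse=True)]

def match(enrolled, probe, max_shift=6):
    """Best correlation over small rotations; returns (score, shift in samples)."""
    corr = circular_correlation(rms_normalize(enrolled), rms_normalize(probe))
    n = len(corr)
    shift = max(range(-max_shift, max_shift + 1), key=lambda s: corr[s % n])
    return corr[shift % n], shift

def verify(enrolled, probe, threshold=0.8):
    """Accept when the best correlation reaches the threshold (assumed value)."""
    score, _ = match(enrolled, probe)
    return score >= threshold

# --- Constructed sample data: 96 four-bit contrast values per ring ---
def make_ring(f1, f2, phase):
    return [max(0, min(15, round(7.5 + 5 * math.sin(2 * math.pi * f1 * t / 96)
                                 + 2.5 * math.sin(2 * math.pi * f2 * t / 96 + phase))))
            for t in range(96)]

def rotate(ring, k):
    """Simulate head tilt: the same ring read out starting k samples later."""
    return [ring[(i - k) % len(ring)] for i in range(len(ring))]

ENROLLED = make_ring(3, 7, 1.0)
# Same eye, rotated by 3 samples, with a little measurement noise added.
GENUINE = [min(15, v + (1 if i % 8 == 0 else 0))
           for i, v in enumerate(rotate(ENROLLED, 3))]
# A different vessel pattern.
IMPOSTOR = make_ring(5, 11, 0.5)

if __name__ == "__main__":
    print("genuine :", match(ENROLLED, GENUINE))
    print("impostor:", match(ENROLLED, IMPOSTOR))
```

Because both rings are scaled to unit RMS, the score is a correlation coefficient, so one threshold applies regardless of how much overall signal reached the sensor.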

Advantages and Disadvantages

Retina scan seems to be an extremely high security technology. In testing by

Sandia National Lab there were no false acceptances, and a 1% FAR with three

tries. The impostor scores have a Gaussian distribution, and from the

tail of the distribution a FAR of about 1 in 10^6 is predicted [19].

Spoofing such a system would be difficult. Alignment would be difficult with a

"fake eye." If further protection against spoofing was needed, Hill suggests that the

system could display a random number in the alignment optics during scanning.

Then the user would be required to enter it in order to authenticate [19].

For successful authentication, the user should not fear the retina scan system,

and should be motivated, before enrollment. Users who perceive a benefit do better

than those who simply avoid a negative effect, such as not being able to work

somewhere [19].

Retinal scan also has important disadvantages. Some users fear eye damage.

The systems do not work well out of doors, or in areas with high light level,

because bright light causes the pupil to contract, lowering the signal in the retina

scan [19].

Also, medical changes, in particular pregnancy, may cause changes in the veins

of the retina, causing false rejection [36].

2.4.4 Dynamic Signature Scan

Dynamic signature verification is a behavioral biometric.

It is seen as having a unique capability to verify not only identity but also

intent.³


³ Personal communication, Ulrich Pantow, October, 2002.









Formation, Permanence, and Uniqueness of Signature

Signature biometric systems use dynamic information, such as the speed

and pressure of the pen during signing. The advantage of using this dynamic

signature information is that it is less easily available to a forger than the static

characteristics of the signature. The disadvantage is that it is less consistent than

the static information [34].

An individual usually has significant variation in the way they sign. There are

also consistencies in the way a person signs their own name, and the way a forger

signs. "In general, our speed along high-curvature curve segments is low relative to

our speeds along low-curvature curve segments, our average overall speed varying

greatly from one instance of a pattern to another irrespective of whether we are

producing our own pattern or forging someone else's" [34]. Both the inconsistencies

within an individual's signature, and the consistencies between the genuine user

and the forger are undesirable for a biometric characteristic.

Hardware

Hardware for signature scan is a digitizing tablet. Some signature verification

systems can make use of pressure data if it is available from the tablet.

Internal Algorithms for Matching

Among the features of a signature that can be measured and compared are

the total time the pen is in contact with the paper, the average or RMS pen

speed, acceleration, or pressure, pressure vs. time, and the x and y components of

position, velocity, acceleration, force vs. time. Time-based features are generally

thought to do better in tests. Nalwa thinks that the reason time-based systems

do better in tests is because forgers are unaware that dynamic features are being

measured, and simply attempt to reproduce the shape of the signature [34]. If this

is indeed the case, it is security by obscurity. The advantage of the time-based









characteristics will only last until forgers learn that they are being measured.

Nalwa's system makes use of both dynamic and static characteristics.

When people sign their names, they vary the ratio of height to width, so this

ratio must be normalized before signatures can be compared. Nalwa normalizes the ratio

of the sum of vertical displacements to horizontal displacements [34].

The signature curve must be parameterized, that is, given a one-to-one mapping from a

parameter onto the curve. Time is usually used as the parameter, but Nalwa uses

the normalized arc length, the fraction of the total length the pen travels in writing

the signature. Features measured vs. this parameter are the x and y coordinates of the

center of mass, torque, which is the cross product of the position of the pen and the

tangent to the curve, and moments of inertia, which are averages of x^2, y^2, and xy

over the window [34].

Features are averaged over a window. The window should be large enough

to average out noise, but not so large that it averages out real differences between

impostor and genuine signatures. The window size should be less than the width of

a single character [34].

In enrollment, the consistency of each feature is measured as the inverse of

the standard deviation over several signatures. Performance improves as the number

of signatures is increased up to six signatures. A mean and standard deviation are

computed for each feature [34].

Then, for matching, the features of a signature are compared to the features

measured at enrollment. The signature is allowed to warp along its length to

minimize error, because this is a typical variation between different signatures of

the same person. To determine a score, the errors are weighted, so that errors in

features that were more consistent during enrollment are given more weight than

those that have large standard deviation during enrollment [34].
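
The parameterization, enrollment and weighted scoring steps described above can be sketched as follows. This is an added example, not Nalwa's implementation: it uses only the window-averaged x and y (center of mass) features, omits torque, moments of inertia and the warping step, and the function names, the size normalization, the window counts and the pen trajectories are assumptions constructed for illustration.

```python
import math

def resample_by_arc_length(points, n):
    """Return n points at equal fractions of total pen travel (normalized arc length)."""
    cum = [0.0]
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        cum.append(cum[-1] + math.hypot(x1 - x0, y1 - y0))
    total = cum[-1]
    if total == 0:
        raise ValueError("pen did not move")
    out, seg = [], 0
    for i in range(n):
        target = total * i / (n - 1)
        while seg < len(points) - 2 and cum[seg + 1] < target:
            seg += 1
        span = cum[seg + 1] - cum[seg]
        f = 0.0 if span == 0 else (target - cum[seg]) / span
        (x0, y0), (x1, y1) = points[seg], points[seg + 1]
        out.append((x0 + f * (x1 - x0), y0 + f * (y1 - y0)))
    return out

def features(points, windows=16, per_window=8):
    """Window-averaged x and y (center of mass) versus normalized arc length."""
    pts = resample_by_arc_length(points, windows * per_window)
    # Size normalization (assumed form): divide x by total horizontal travel
    # and y by total vertical travel, after centering on the centroid.
    sx = sum(abs(b[0] - a[0]) for a, b in zip(pts, pts[1:])) or 1.0
    sy = sum(abs(b[1] - a[1]) for a, b in zip(pts, pts[1:])) or 1.0
    cx = sum(p[0] for p in pts) / len(pts)
    cy = sum(p[1] for p in pts) / len(pts)
    norm = [((x - cx) / sx, (y - cy) / sy) for x, y in pts]
    feats = []
    for w in range(windows):
        chunk = norm[w * per_window:(w + 1) * per_window]
        feats.append(sum(p[0] for p in chunk) / per_window)
        feats.append(sum(p[1] for p in chunk) / per_window)
    return feats

def enroll(signatures, floor=1e-3):
    """Per-feature mean and standard deviation over the enrollment signatures."""
    vecs = [features(s) for s in signatures]
    n = len(vecs)
    mean = [sum(col) / n for col in zip(*vecs)]
    std = [max(floor, math.sqrt(sum((v - m) ** 2 for v in col) / n))
           for col, m in zip(zip(*vecs), mean)]
    return mean, std

def weighted_error(template, signature):
    """Mean absolute error with weight 1/std: consistent features count for more."""
    mean, std = template
    feats = features(signature)
    weights = [1.0 / s for s in std]
    return sum(w * abs(f - m) for w, f, m in zip(weights, feats, mean)) / sum(weights)

# --- Constructed pen trajectories ---
def pen_path(y_freq, amp, wobble, speed_power, m=400):
    """speed_power > 1 means the pen starts slowly and finishes fast."""
    us = [(k / m) ** speed_power for k in range(m + 1)]
    return [(10 * u + wobble * math.sin(6 * math.pi * u),
             amp * math.sin(y_freq * math.pi * u)) for u in us]

ENROLLMENT = [pen_path(4, a, w, p) for a, w, p in
              [(1.9, 0.9, 1.0), (2.0, 1.0, 1.5), (2.1, 1.1, 2.0),
               (2.05, 0.95, 1.2), (1.95, 1.05, 1.8)]]
TEMPLATE = enroll(ENROLLMENT)
GENUINE = pen_path(4, 2.02, 1.03, 1.7)   # same shape, yet another speed profile
FORGERY = pen_path(5, 2.0, 1.0, 1.0)     # a different shape

if __name__ == "__main__":
    print("genuine error:", weighted_error(TEMPLATE, GENUINE))
    print("forgery error:", weighted_error(TEMPLATE, FORGERY))
```

Because the features are indexed by arc length rather than time, the same shape drawn at a different speed gives nearly the same feature vector.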









Equal error rate for this method is about 3.1%, and the chosen operating

condition is a 1% FAR and 7% FRR. The method or methods used by the impostors is

not specified [34].

Advantages and Disadvantages of Dynamic Signature Verification

Advantages attributed to dynamic signature verification are resistance to

impostors, the ability of users to change their signature if it is "-I.1.' 1 by an

impostor, and the perception by users that it is not invasive [35].

However, inconsistent signatures are said to lead to increased error rates [35].

2.4.5 Voice Scan

Voice scan is a biometric technology with a variety of applications [6]. It can

be used locally or over a telephone network. It can be text dependent, using

a particular phrase, either fixed at enrollment or specified by the system, or text

independent, authenticating the user on the basis of any phrase they speak.

Applications include access control, telephone banking, and telephone credit cards.

Formation, Permanence, and Uniqueness of Voice Features

Both physiological factors, the shape of the vocal cords, throat, mouth, etc.,

and learned factors affect speech. The shape of the vocal tract will produce the

unique characteristics of a person's speech [6].

For a number of reasons speech is subject to change. Some of the reasons are

more directly connected with the speaker, and others might be considered artifacts

of the environment or the authentication process.

Changes in the speaker that can affect the verification process include changes

in the speaker's emotional state, sickness, and aging. Other factors that will change

the speech heard by the system include ambient noise and echoes of the speaker's

voice, errors by the speaker in repeating a required phrase, changes in microphone

placement, inconsistent or bad acoustics in the room, and use of a different

microphone than was used in enrollment.









Hardware

The hardware for voice scan depends on the application. If it is used locally,

assuming the computer has multimedia capability, the hardware is a microphone

and the sound card or chip in the computer. If it is used over a telephone system,

hardware for digitizing the audio signal would be needed.

Internal Algorithms for Matching

There are five steps in voice scan authentication [6]:

1. Data acquisition: A microphone converts a sound wave into an analog

signal, which is usually filtered to limit bandwidth to half the sampling

rate. The signal must then be digitized. The resolution is usually 12 to 16

bits, with a sampling rate of 8,000 to 20,000 samples per second.

When speaker verification is done locally, the analog signal can be of high

quality, if a good microphone is used. When verification is done over a

telephone network, distortion of the analog signal may make verification more

difficult [6].

2. Feature Extraction: Each interval of speech, typically 10 to 30 ms, is represented

by a vector in a multidimensional feature space. Features with a

great deal of variability between speakers, but little variability for different

instances of speech from the same speaker, should be selected [6].

3. Pattern matching: The sequence of feature vectors is compared to that of

the enrollment template, and a match score is generated that represents the

similarity of the feature vectors to the template. There may be one match

score for each sequence vector, or a single one for the whole pattern. Two

types of models are used in pattern matching, template models and stochastic

models [6].

With template models, the pattern matching is deterministic [6]. The speech

sample captured in authentication is assumed to be an imperfect copy of









the template. The sequence of feature vectors is aligned with those in the

template to minimize some distance d between them. Dynamic time warping

is used to compensate for differences in the rate of speech. It attempts to

match up the feature vector sequences in a way that minimizes the sum of

the distances between matching feature vectors, which is the match score for

the speech sample. The i-th feature vector of the speech sample might match

up with a vector greater than i of the enrollment template if the speaker

spoke faster, or less than i if the speaker spoke slower than in producing the

template. A score can then be calculated as exp(-ad), where a is a positive

constant [6], yielding a score that decreases as distance increases.

Vector quantization is another template-based method of deriving a match

score [6]. Vector quantization uses a codebook of words collected from each

user during enrollment. The match score is the sum of the distances of the

feature vectors from the closest codewords in the codebook. The code book is

formed in such a way that temporal information is averaged out, so there is

no need to do time warping.

The nearest neighbor method combines vector quantization and dynamic

time warping [6].

A stochastic model attempts to determine the likelihood of observing a particular

pattern given the enrollment information for the claimed identity [6].

A hidden Markov model is a stochastic method of pattern matching. The

conditional pdf for the claimed identity, and then the probability that the

phrase was spoken by that person can be determined. This probability is the

match score for the speech segment.

4. Making a decision to accept or reject, based on the score from pattern

matching.
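
The dynamic time warping match and the exp(-ad) score from step 3 can be sketched as follows. This is an added example, not code from [6]: the two-dimensional feature vectors, the value of a, and the function names are assumptions constructed for illustration (real systems use higher-dimensional spectral features).

```python
import math

def dtw(sample, template):
    """Dynamic time warping: minimum summed distance over monotonic alignments.

    Returns (distance, path), where path lists (sample index, template index) pairs.
    """
    n, m = len(sample), len(template)
    inf = float("inf")
    cost = [[inf] * m for _ in range(n)]
    for i in range(n):
        for j in range(m):
            d = math.dist(sample[i], template[j])
            if i == 0 and j == 0:
                cost[i][j] = d
                continue
            best = min(cost[i - 1][j] if i > 0 else inf,
                       cost[i][j - 1] if j > 0 else inf,
                       cost[i - 1][j - 1] if i > 0 and j > 0 else inf)
            cost[i][j] = d + best
    # Walk back from the end to recover which frames were matched.
    i, j = n - 1, m - 1
    path = [(i, j)]
    while (i, j) != (0, 0):
        steps = []
        if i > 0 and j > 0:
            steps.append((cost[i - 1][j - 1], i - 1, j - 1))
        if i > 0:
            steps.append((cost[i - 1][j], i - 1, j))
        if j > 0:
            steps.append((cost[i][j - 1], i, j - 1))
        _, i, j = min(steps)
        path.append((i, j))
    path.reverse()
    return cost[n - 1][m - 1], path

def match_score(sample, template, a=0.1):
    """Score exp(-a*d): 1.0 for a perfect match, falling toward 0 as distance grows."""
    distance, _ = dtw(sample, template)
    return math.exp(-a * distance)

def unwarped_distance(sample, template):
    """Frame i against frame i, with no time alignment, for comparison."""
    return sum(math.dist(s, t) for s, t in zip(sample, template))

# --- Constructed feature sequences ---
TEMPLATE = [(math.sin(0.3 * k), math.cos(0.2 * k)) for k in range(20)]
# Same phrase spoken twice as fast (every second frame), with a small offset.
FAST_GENUINE = [(x + 0.02, y + 0.02) for x, y in TEMPLATE[::2]]
# A different speaker: the features occupy another region of feature space.
OTHER_SPEAKER = [(3 + math.sin(0.5 * k), 3 + math.cos(0.4 * k)) for k in range(12)]

if __name__ == "__main__":
    d, path = dtw(FAST_GENUINE, TEMPLATE)
    print("warped distance  :", round(d, 3))
    print("unwarped distance:", round(unwarped_distance(FAST_GENUINE, TEMPLATE), 3))
    print("alignment        :", path)
    print("genuine score    :", round(match_score(FAST_GENUINE, TEMPLATE), 3))
    print("impostor score   :", round(match_score(OTHER_SPEAKER, TEMPLATE), 3))
```

The printed alignment shows the faster sample's i-th frame paired with template frames beyond index i, as the text describes.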









In a test involving 9300 trials, in which impostors spoke in their normal voice,

with dynamic time warping there were 19 false acceptances, and the FRR was

about 5%. Using the nearest neighbor method, an EER of 0.5% was achieved.

These two methods made errors mostly on different people. Therefore, improved

performance might be achieved by using multiple pattern matching algorithms to

process an authentication attempt. Combining the scores could produce improved

results. A recent high-performance speaker detection system combines eight

systems [6].

Advantages and Disadvantages of Voice Scan

Voice scan works with leveraging telephony infrastructure. "It effectively 1., r1

with other processes such as speech recognition and verbal 1 .'.1..i1- [35]. It also

lacks negative perceptions.

Weaknesses of voice scan include susceptibility to replay attacks, problems due

to low-fidelity equipment and ambient noise, and large template size. Enrollment

can be difficult and for authentication the user has to speak in the same way as

during enrollment.

2.4.6 Face Scan by Visible Light

Face scanning may be carried out with visible or with infrared light. The

two techniques have very little in common, so this section will deal with face

recognition using visible light, and infrared will be reviewed in the next section.

Face scan systems have a number of practical applications, but also some

instances of successful use. Casinos use them to look for known card counters.

The system alerts employees, who check to see if the person really is the suspected

card counter. A high rate of false positives is acceptable, because the false positives

are dealt with by employees, and do not inconvenience non-card-counting

customers [35].









In other applications it has not been found useful. In Tampa, a video camera

system that could be focused on an individual, who could then be identified by a

facial recognition system, was installed on a street in Ybor City [48]. Police logs

obtained by the ACLU for four days of operation showed that there were 14 false

positives, but no identifications of suspects were found over the entire period of

use, from June 29, 2001 to August 11, 2001. A newspaper reporter observed the

operators acquire images of 457 people on a Friday evening, when an average of

125,000 people visit the area. The police turned off the system after a little over a

month of use, apparently because they did not find it useful.

A test of a similar system at the Palm Beach International Airport had a false

positive rate of 1% and a false negative rate of more than 50% on a "mock terrorist

database" [54]. In such an application, an even higher false positive rate might

not be harmful. Security personnel search a number of passengers, apparently

chosen at random, unless little old ladies are likely suspects for hijacking. They

could search the positives instead of random people. But if the false negative rate

is so high, the system might not be useful.

Formation, Permanence, and Uniqueness of Face Features

Compared to some other biometric characteristics, such as the fingerprint and

iris, the face has a small number of features on which to base identification. These

features may be subject to change due to plastic surgery or disguise, or even gain

or loss of weight [44].

Internal Algorithms for Matching

There is a variety of approaches to face recognition. Older types of face

recognition programs are written to make predefined measurements on faces, such

as "distances and angles between eye corners, ends of the mouth, nostrils, and top

of the chin" [52]. More recent programs also measure the intensity of light reflected

from areas such as hair and cheeks. Problems with this type of approach include









the difficulty of detecting features automatically, and the small number of features

available for this type of technique to work with.

A newer approach to face recognition is to use neural networks and similar

methods which do not rely on the programmer to define what features should

be measured [52]. However, the network may become large, resulting in slow

computation, if the number of faces is large.

Finally, approaches known as "appearance-based" represent the face with a

high-dimensional vector, where every pixel in the face image is a component of the

vector [52]. Linear discriminant analysis is used for recognition of faces represented

in this way. Many commercial face recognition systems use this type of algorithm.

In appearance-based algorithms, a covariation matrix is computed from the

face training images. Then principal component analysis is used to find basis

vectors of a subspace that contain the face images centered by subtracting the

mean value of each component from the individual face's value. The k vectors

with the largest eigenvalues are the most useful for image reconstruction. They

are known as the Most Expressive Features (MEF). Alternatively, a subspace

that has the most scatter between different individuals' faces, without increasing

scatter between the various images of a single individual's face, can be found by

linear discriminant analysis. This subspace is known as the Most Discriminating

Features (MDF). Matching algorithms using MDFs have better recognition rates

than MEFs. However, they may require more data to compute [52].

Strengths and Weaknesses

Face recognition systems are convenient, requiring no contact from users,

and can even locate the face as the user approaches the computer [49]. However,

they suffer from high error rates and are susceptible to spoofing by relatively easy

means.









In one test of facial recognition systems, test subjects were enrolled, then

tested again six weeks later. Under ideal, controlled conditions, some systems had

FRR's of almost one third [18].

Spoofing of facial recognition systems has been carried out with a picture

of an authorized user displayed on the screen of a laptop computer. When the

laptop screen was presented to the camera, the system accepted the picture as an

authorized user [49].

Thalheim et al. also managed to authenticate on a Cognitec facial recognition

system with "Live-Check," a feature that looks for movement of the face in order

to foil attempts at spoofing with a still picture. While the system did reject still

images, when they displayed a video clip in which a user's face turned slightly from

side to side, they were granted access to the system [49].

2.4.7 Infrared Face Scan

Infrared face scan is fundamentally different from face scan using visible light,

because the details used for recognition are not visible face features, but a thermal

profile depending on blood flow in arteries and veins within a few centimeters of

the skin. There is much more detail on which to base recognition, and it is likely

to be harder to spoof than visible face recognition. While the infrared camera

required is more expensive, like visible face scan it requires no contact with the

subject. It is easy to use, requiring little or no training. It could also be used

without cooperation, perhaps in performing identification in public areas such as

airports [44].

Formation, Permanence, and Uniqueness of Infrared-detectable Face
Features

For infrared face scan, a camera picks up IR emitted by the face, in either the

mid (3-5 micron) or long (8-12 micron) IR band. Because the infrared forming these

images is generally thermal radiation, the images are known as thermograms. The

images consist of thermal contours due to blood vessels up to 4 cm below the surface.

The position of blood vessels would only be changed by growth, injury, or surgery.

Prokoski and Riedel [44] present facial images of identical twins. Even

though their visible light face images are indistinguishable, they have different

thermograms. Such thermograms are claimed to have more information than

fingerprints [44].

Many medical factors can affect human thermograms. They are affected

by ingestion of substances which are vasodilators or vasoconstrictors, by sinus

problems, inflammation, arterial blockages, incipient stroke, soft tissue injuries, and

other physiological conditions" [44]. Thermograms are also affected by changes

in ambient temperature. Illumination only has an effect if it is intense enough to

change face temperature. However, anatomical data due to the unique pattern of

blood vessels in each person, and not subject to these factors, can be extracted

from the image [44].

These blood vessel patterns are generally permanent. Plastic surgery to

reroute blood vessels

would necessarily cause incisions detectable in infrared, and would risk
damaging facial nerves. It is, therefore, considered possible that a person
could surgically distort his facial thermogram to avoid recognition,
but the thermogram would contain evidence that he had done so ([44],
p. 194).

Other changes, such as weight loss and gain, cause rubber sheeting distortions

only, which are dealt with in the matching algorithm [44].

In infrared face scan, minutia points are specific junctions of facial blood

vessels. There are 175 of these minutia. These minutia would be a rich source of

information for face recognition. With a very sensitive camera, they can be located

in the image. With a less sensitive camera, their locations must be determined

from thermal contours [44].









Hardware

Infrared face scan requires an infrared camera. Infrared cameras cost more

than visible light cameras, so such systems are more expensive than visible light

face scan. According to Prokoski and Riedel, "When the cost of providing controlled

lighting for a visible ID system is included, the current cost discrepancy is

about $10,000 per system. That figure has been decreasing by about 3G' per year

for the past 10 years, which reduction is expected to continue" [44].

Internal Algorithms for Matching

After an image is acquired, it must be processed to find the face in the image and

to determine if the image quality is adequate for identification or authentication. It

must then be normalized for orientation and amplitude. Finally, background and

noise must be removed [44].

Authentication can be done by methods similar to those used with visible light

images of faces. The upper face has the best information for recognition. The lower

face "presents more clues to gender and expression." Glass and plastic lenses do not

transmit the wavelengths used, so eyeglasses obscure the eye area [44].

Tests were carried out with no adaptive algorithms and no training, on

a wide variety of people, with and without glasses, of different heights and skin

tones, over several weeks. The best results achieved so far were an EER of 1% [44].

Matching using minutia is under development. Infrared cameras now in the

prototype stage can directly image the minutia. With production cameras, minutia

must be calculated from the thermogram. Then minutia matching algorithms

similar to those used for fingerprint matching can be used. These algorithms are

fast, and could allow searching of large databases for a match [44].

Using minutia for matching, a profile or partial image of a face in a crowd

would be analogous to a partial fingerprint, and would still contain some minutia,

so that it might still be possible to match it to a pattern in a database [44].









Advantages and Disadvantages of Infrared Face Scan

Infrared face scan works in any level of light, even in darkness. It is easy to

use, and does not require contact with the apparatus [44].

While it would be possible to block the IR image, perhaps with a ski mask,

the image could not be easily altered without the attempt being visible in the

thermogram. For example, fake facial hair has a different effect on the thermogram

than does real facial hair [44].

The main disadvantage at this point is the high cost of the infrared camera

required.

2.4.8 Hand Scan

Hand scan systems are in use for verification of holders of non-transferable

passes at Disney theme parks in Orlando [30]. The 102 systems in use at eight

theme parks have processed 12 million transactions. Users are age 10 or older,

and not all speak English, so the system must be simple and intuitive to use.

Enrollment and verification must both proceed quickly. Disney is more concerned

with throughput than accuracy, and considers false acceptance less harmful than

false rejection. Only a single measurement is taken for enrollment. When they

were installed in 1995, they required 31 seconds per person. By 1997, the time

was reduced to 11 seconds per person, as compared to 5.5 seconds per person

for non-biometric turnstiles. They only scan two fingers, as opposed to the full

hand [30]. This may be because until recently they were concerned about the size

of templates, due to integration problems.

Apparently not all users are as happy with hand scan as Disney World.

And at New York-Presbyterian Hospital, where long queues sometimes
form at hand-scan readers, frustrated employees smashed machines two
weeks in a row last month. Yet Joe Salerno of New York-Presbyterian
says every building has a hand reader. He speculates that employees
may be upset about the rigorous timekeeping ([18], p. 62).









It would be interesting to know the average time required for experienced users

who are in a hurry to get through so that they and their colleagues are not docked.

A time clock takes about one second per person, and unless the hand scanner is

considerably faster than the 11 seconds reported by Disney, this could be a problem

with the biometric system.

Formation, Permanence, and Uniqueness of Hand Features

The features used in hand scan are the dimensions of the hand and fingers.

These dimensions may change due to growth. Systems often average the

new measurements taken in authentication with the existing measurements in the

template to allow for slow changes in dimensions due to growth and aging [55].

Hardware

A typical hand geometry system uses a CCD camera and infrared illumination

to take two orthogonal images of the hand [55]. One image is from the top, and the

other is from the side. In each case, only the outline of the hand, and not details

such as fingerprints or scars, is recorded. The hand and fingers are held in position,

with the fingers spread, by a number of pegs.

Internal Algorithms for Matching

One type of hand scan system extracts 96 measurements from the images

of a user's hand. The matching algorithm may simply sum the absolute values

of the differences in these 96 measurements between the enrollment and match

templates [55].

Advantages and Disadvantages of Hand Scan

Hand scan systems are easy to use with little training [30]. Testing by Sandia

National Lab confirmed an EER of 0.1% when two tries were allowed [55].

2.5 Architecture of Biometric Authentication Systems

A variety of architectures are possible for biometric authentication systems. A

system could be self-contained. A laptop computer with built-in fingerprint scanner









is an example of such an architecture [33]. However, in most cases, a biometric

system comprises two or more devices connected by some sort of network. Most

biometric devices connect to a computer via a USB port. It may also be desirable

to store users' enrollment templates, and possibly even to carry out processing and

matching on a server, when a user is authenticating on a client. A user database

might be on a server, and the server might offer a more secure environment

and greater computing power for the processing and matching process [3]. Such

a biometric authentication system must have a 'trusted path' between all

factors used in a particular ID/Authentication and the 'trusted computing base'

performing the validation of the inputs" [54]. Otherwise it will be subject to

attacks such as the stealing of templates discussed on page 16 above.

Interception of the biometric data being sent from the biometric device is

another real threat. Thalheim et al. intercepted USB packets from a fingerprint

mouse, and from the intercepted packets (which would contain an image of the

fingerprint, rather than a template) they were able to reconstruct fingerprints.

They then used a "micro controller with USB support and some storage capacity"

which they programmed to "respond with answers identical to those of the actual

scanner and then at the right moment play back the stored biometric data" in

order to log in. In order to prevent such an attack, they suggest the use of a

challenge-response protocol where "the biometric scanner and the application

mutually authenticate one another and thereafter communicate with one another

exclusively in an encrypted fashion" [49].

If the biometric device is to authenticate itself, it must have some computing

power and memory. This creates the option of carrying out some or all of the

processing and matching on the biometric device, and even storing the database of

users and templates there.









C'!. i, et al. propose the use of a smart card with a trusted display to protect

users from malicious biometric systems which might steal a user's biometric

data [7]. The smart card would authenticate the platform and the biometric

device, and give the user a signal through a built-in display to indicate that they

have authenticated successfully. If they do not authenticate, they may have been

tampered with, and the user will know not to present their biometric data to the

device.

2.6 Biometric Standards

Biometric standards are useful because they make integration of biometric authentication

systems with operating systems or other software easier. In particular,

combining multiple biometric authentication systems would be much easier if they

all followed the same standard. Three standards have been published and used to

varying degrees. In general, these standards specify an interface for the interaction

of a software module specific to a particular piece of biometric hardware, known

as a biometric service provider (BSP) with some other system that would make

use of biometric authentication, such as an authentication middleware. Then software

systems can deal with a variety of biometric authentication subsystems in a

generic way. This would allow easy substitution of, say, an iris scan for a facial scan

system, or an improved fingerprint scanner for a less capable one. The standards typically

offer a number of optional features, such as the ability to return a match score as

opposed to simply returning a "pass" or "fail" result. Since the score is related to

the degree of confidence the system has in its conclusion, this kind of information is

very useful for reaching a decision based on multiple biometric devices.

The first biometric standard is Human Authentication Application Program

Interface (HAAPI). Version 1.0 was issued in August of 1997, and the final version,

2.0, was issued in April 1998 [9].









The BioAPI consortium, which eventually released the Biometric API

(BioAPI) standard, formed in April of 1998 to provide a multilevel API, where

HAAPI provides only a high-level API. Perceived competition with HAAPI caused

confusion in the biometric industry, with companies unsure which standard they

should follow. Then in February 1999 the HA-API Working Group and the BioAPI

Consortium merged [50]. BioAPI version 1.0 was released in March, 2000, and

version 2.0 was released in March of 2001 [4].

The BAPI standard was developed by I/O Software, and then purchased by

Microsoft. It remained proprietary, in contrast to HAAPI and BioAPI, which

are open standards. In December 1998, the BAPI group joined with the BioAPI

consortium [3].

The Common Data Security Architecture (CDSA), a joint effort of Intel and

The Open Group, is an open standard for an architecture incorporating many

security-related functions. When its developers became interested in including biometrics,

they initially set out to incorporate HAAPI [50], but it is now consistent

with BioAPI, having the same functions available, but with different nomenclature.

An open source reference implementation of BioAPI 2.0, consisting of middleware

and a password BSP, which interacts with the middleware as would a BSP

for a biometric device, and is provided as an example and for testing, is available

from the BioAPI Consortium's website. The website also has links to companies

that supply BioAPI-compliant middleware and fingerprint, signature, face, hand

geometry, iris, voice, and lip movement BSPs [3].

2.7 Summary

While biometric authentication attempts to solve the problems of forgotten or

stolen passwords, and lost or stolen authentication tokens, biometric information

may also be subject to loss or theft. A significant proportion of people have

damaged or worn fingerprints, so that a fingerprint scanner may not be able to









acquire good enough information to authenticate them. Also, impostors may

be able to lift fingerprints from drinking glasses or other surfaces and produce

copies of the fingerprint in gelatin or silicone. The impostor may then be able to

authenticate with this artifact.

Additionally, biometric data might be stolen as it is transmitted from the

biometric device to the computer, or when it is stored in the computer. This

information might be used for replay attacks. It is particularly important to

prevent such attacks with a biometric authentication system. If a password

is stolen, it can be changed, but a person's biometric characteristics cannot.

Therefore, communication between the biometric device and the computer should

be encrypted, and a nonce or timestamp should be used to prevent replay.
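The nonce half of that recommendation can be sketched as follows. This is an added example, not code from the thesis or from any biometric SDK: the `Host` class, `device_respond`, the pre-shared key and the sample bytes are all assumptions, and encryption of the sample is left out because the Python standard library has no authenticated cipher.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # fixed length keeps nonce || sample unambiguous


def device_respond(key, nonce, sample):
    """Device side: bind the captured sample to the host's fresh nonce."""
    return hmac.new(key, nonce + sample, hashlib.sha256).digest()


class Host:
    """Host side: issues single-use nonces and checks freshness plus the MAC."""

    def __init__(self, key, max_age=5.0):
        self.key = key
        self.max_age = max_age      # seconds a challenge stays valid
        self.outstanding = {}       # nonce -> time it was issued

    def challenge(self, now):
        nonce = secrets.token_bytes(NONCE_LEN)
        self.outstanding[nonce] = now
        return nonce

    def verify(self, nonce, sample, tag, now):
        # pop() makes every nonce single use, so a recorded exchange
        # cannot be presented a second time.
        issued = self.outstanding.pop(nonce, None)
        if issued is None or now - issued > self.max_age:
            return False
        expected = hmac.new(self.key, nonce + sample, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo():
    key = b"\x01" * 32                      # constructed pre-shared key
    sample = b"constructed-template-bytes"  # stands in for a real capture
    host = Host(key)

    n1 = host.challenge(now=100.0)
    tag = device_respond(key, n1, sample)
    first = host.verify(n1, sample, tag, now=101.0)     # fresh exchange

    replayed = host.verify(n1, sample, tag, now=101.5)  # same bytes again

    n2 = host.challenge(now=102.0)
    stale_tag = host.verify(n2, sample, tag, now=102.5)  # old tag, new nonce
    return first, replayed, stale_tag


if __name__ == "__main__":
    print(demo())
```

A captured sample and tag are useless once the nonce has been consumed or replaced, which is the property the paragraph above asks for.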

Other types of biometric authentication systems are known to be susceptible to

one or both of these types of problems, leading to high FRR and/or FAR. Devices

for which such vulnerabilities have not been reported may not have been tested

adequately, by a variety of means, to detect their vulnerabilities.

Fingerprint, iris, retina, and the face when imaged with thermal infrared

wavelengths have a great deal of unique information that is normally constant over

the life of a person. However, fingerprints may be rendered difficult to scan by

abrasion or exposure to chemicals. Retinal veins may change due to factors such

as pregnancy. As was mentioned above for fingerprints, iris scan is also vulnerable

to attack with an artifact. An impostor can use a photograph of a user's iris to

authenticate. Such attacks for retinal scan or infrared face scan are not known.

Retinal scan and iris scan may suffer from high FAR. The main disadvantage of

infrared face scan seems to be the cost of the camera, which causes the system to

cost about $10,000 more than a visible light face scan system.

Other biometric systems are also known to have weaknesses. Voice scan is

vulnerable to ambient noise and replay attacks. Dynamic signature verification









may suffer from high FRR due to inconsistent signatures. Face scan with visible

light is also subject to spoofing with a picture of an authorized user. There does

not appear to be any information on spoofing of hand scan systems. It would be

interesting to attempt to spoof such systems.

The following section discusses how multiple biometric authentication systems

are combined in an attempt to overcome the weaknesses of single biometric

authentication systems, and achieve lower FRR and FAR.

A number of standards have been developed to specify an API for the bio-

metric authentication system to interact with the authentication component of the

operating system or a middleware. Adoption of such a standard would make the

biometric device and the device-specific software that goes with it interchangeable,

so that devices can be exchanged or upgraded with a minimum of effort and dis-

ruption. It would also allow easy combination of multiple biometric authentication

systems. Currently the biometric industry seems to be converging on a single

standard, BioAPI.

Because biometric authentication systems are in many cases susceptible to

spoofing, and generally have unacceptably high false acceptance or rejection rates,

there have been several attempts to combine multiple biometric authentication

systems. If an intruder is able to obtain or make an artifact, such as a gelatin

copy of a user's fingerprint or a photograph of a user's face or iris, they might

be able to authenticate on a single biometric system. However, if authentication

requires an acceptable combination of scores on several devices, an impostor with

an artifact for only a single device would probably be defeated. Also, a user whose

fingerprint is damaged by a weekend of bricklaying or rock climbing might fail a

single fingerprint test, but might still be able to authenticate via other devices if

multiple biometrics are in use.















CHAPTER 3
PREVIOUS WORK IN COMBINING BIOMETRIC AUTHENTICATION
SYSTEMS

Biometric authentication can be considered a case of pattern recognition. A

subject makes a claim to be a particular authorized user, and presents biometric

data to one or more biometric devices. The device or devices and the associated

software process the biometric data to produce a score. Normally a high score

indicates a high probability that the subject is in fact the authorized user. A low

score indicates a low probability that the subject is the user, and a high probability

that they are an impostor. Because biometric authentication systems may suffer

from unacceptably high FAR, particularly when an adversary uses a physical or

logical copy of a user's biometric information, such as a gelatin fingerprint or replay

of a valid authentication, and also unacceptably high FRR, several researchers have

combined multiple biometric systems into an authentication system with lower

error rates.

Methods of combining multiple classifiers fall into three groups, parallel,

cascading, and hierarchical [23]. Most reported combining methods fall into the

parallel category. In this category are such methods as voting, sum, and product

rules. It also includes schemes in which the scores from individual classifiers

are weighted before combining. All but one of the methods described below for

combination of multiple biometrics are parallel methods. In cascading methods,

"classifiers are invoked in a linear sequence" [23]. Usually less computationally

intensive classifiers are invoked first, and reduce the number of classes to be

considered by subsequent classifiers that require more computation [23]. Use of a

cascade combining method in a biometric identification system is described below.









Hierarchical methods combine classifiers into a tree. Each tree node may be a

complex classifier making use of a large number of features. Neural networks may

lead to hierarchical classifying methods [23].

Particularly for parallel combination schemes, if we have N devices, it is

convenient to form a vector from the N single device scores, $x = (x_1, x_2, \ldots, x_N)$.

It is also possible to process the data from a single biometric device with sev-

eral algorithms, generating several scores, as described above [43]. If a device made

multiple scores available to the user, each score could be treated as a classifier,

and dimensionality of the vector x would be the number of classifiers, rather than

the number of devices. Alternatively, each algorithm could be treated as a logical

device, and the number N of logical devices would be greater than the number of

physical devices. Some commercial biometric devices use multiple classifiers inter-

nally, and provide a single score to the user, which is the result of combining these

classifiers. This is done in the Automated Fingerprint Identification System used

by the FBI [51], and also in the Softpro dynamic signature verification system. 1

Then a decision rule is needed to map the N-dimensional vector to one of

two classes, $\omega_1$ and $\omega_2$ for accept and reject. The goal of the decision rule is to

simultaneously minimize two types of errors, false rejection of authorized users and

false acceptance of impostors, as described above.

3.1 Optimal Bayes Decision Rule

1 Personal communication, Ulrich Pantow, October, 2002.

The optimal Bayes decision rule, equation (2.10),

Accept if

$$L(\omega_1, \omega_2)\, P(x \mid \omega_2)\, P(\omega_2) < L(\omega_2, \omega_1)\, P(x \mid \omega_1)\, P(\omega_1) \qquad (3.1)$$

otherwise reject

where $L(\omega_i, \omega_j)$ is the loss when a pattern belonging to $\omega_j$ is assigned to

$\omega_i$. Thus, $L(\omega_1, \omega_2)$ is the loss incurred when an authorized user is rejected,

and $L(\omega_2, \omega_1)$ is the loss incurred when an impostor is accepted. $P(\omega_j \mid x)$ is the

posterior probability, or the probability that the pattern belongs to $\omega_j$ given the

values of the measurements that make up the vector $x$ [27], and $P(\omega_2)$ and $P(\omega_1)$

are the a priori probabilities that the person attempting to authenticate is an

impostor or a genuine user, respectively.

If the loss incurred in a false rejection is assumed to be equal to the loss

incurred in a false acceptance, and the a priori probabilities of impostors and

genuine users are assumed to be equal, the optimal Bayes decision rule can be

simplified to


Assign Z to class $\omega_i$ if

$$P(\omega_i \mid x) > P(\omega_j \mid x) \qquad (3.2)$$

or "assign Z to the class with the maximum a posteriori probability," where

Z is the pattern to be classified. This rule is therefore known as the "maximum a

posteriori" rule [27].

Kittler et al. [27] develop several rules for classification from Bayesian theory.

They derive the product rule, sum rule, max rule, min rule, median rule, and ma-

jority vote rule by making different assumptions and simplifications. Kittler et al.

develop these equations for any number of classes, but for biometric authentication,

a pattern Z is a person attempting to authenticate, and must be assigned to one









of two classes, $\omega_1$ and $\omega_2$ for accept and reject. This allows simplification of some

equations.

The pattern is represented by the measurement vector $x = (x_1, x_2, \ldots, x_N)$

made up of the scores from N biometric devices. Then, according to Bayesian

theory, if the a priori probability of a class $\omega_k$ is $P(\omega_k)$, for a set of measurement

vectors, a pattern should be assigned according to the rule

assign $Z \to \omega_j$ if

$$P(\omega_j \mid x_1, \ldots, x_N) = \max_{k} P(\omega_k \mid x_1, \ldots, x_N) \qquad (3.3)$$

From the Bayes theorem, the a posteriori probability can be rewritten as

$$P(\omega_k \mid x_1, \ldots, x_N) = \frac{p(x_1, \ldots, x_N \mid \omega_k)\, P(\omega_k)}{p(x_1, \ldots, x_N)} \qquad (3.4)$$

where $p(x_1, \ldots, x_N \mid \omega_k)$ is the conditional joint probability density function for

measurements on class $\omega_k$ and $p(x_1, \ldots, x_N)$ is the unconditional measurement joint

probability function. The unconditional joint pdf is just the sum of the joint pdf's

of the classes, times their probabilities,

$$p(x_1, \ldots, x_N) = \sum_{j=1}^{2} p(x_1, \ldots, x_N \mid \omega_j)\, P(\omega_j) \qquad (3.5)$$

3.1.1 Product Rule

Because a large amount of data might be needed to determine the mea-

surement joint probability functions accurately, it might be desirable to assume

independence of the scores of the devices. If the devices are measuring different fea-

tures of the subject, the scores might be expected to be independent. For example,









a cold would be expected to affect a voice verification score but not a fingerprint

score. Then the conditional joint pdf becomes

$$p(x_1, \ldots, x_N \mid \omega_k) = \prod_{i=1}^{N} p(x_i \mid \omega_k) \qquad (3.6)$$
The assumption of independence of the scores from the individual classifiers leads

to the product rule. Substituting equations (3.5) and (3.6) into (3.4),



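$$P(\omega_k \mid x_1, \ldots, x_N) = \frac{P(\omega_k) \prod_{i=1}^{N} p(x_i \mid \omega_k)}{\sum_{j=1}^{2} P(\omega_j) \prod_{i=1}^{N} p(x_i \mid \omega_j)} \qquad (3.7)$$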

The denominator of the right side of equation (3.7) is the same for both

classes, so it can be neglected when (3.7) is substituted into decision rule (3.3):



assign $Z \to \omega_j$ if


N N

i= 1 i 1
and in terms of the a posteriori probabilities from the devices,



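assign $Z \to \omega_j$ if

$$P^{-(N-1)}(\omega_j) \prod_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} P^{-(N-1)}(\omega_k) \prod_{i=1}^{N} P(\omega_k \mid x_i) \qquad (3.9)$$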
Note that if a single classifier gives a very low score and all others give a high

score, the product rule will give a low score. This is a weakness of this rule.

3.1.2 Sum Rule

If it can be further assumed that the a posteriori probabilities from the

classifiers do not differ greatly from the a priori probabilities, the sum rule can be










derived. Thus it will apply when the classifiers are not very sure how to classify

something.

Then the a posteriori probabilities will be


$$P(\omega_k \mid x_i) = P(\omega_k)(1 + \delta_{ki}) \qquad (3.10)$$

where $\delta_{ki} \ll 1$. Substituting the a posteriori probability in equation (3.10) into

the right side of equation (3.9),


$$P^{-(N-1)}(\omega_k) \prod_{i=1}^{N} P(\omega_k \mid x_i) = P(\omega_k) \prod_{i=1}^{N} (1 + \delta_{ki}) \qquad (3.11)$$
and expanding the product and neglecting terms that are second or higher

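order in $\delta_{ki}$,

$$P^{-(N-1)}(\omega_k) \prod_{i=1}^{N} P(\omega_k \mid x_i) \approx P(\omega_k) + P(\omega_k) \sum_{i=1}^{N} \delta_{ki} \qquad (3.12)$$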


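Then substituting (3.12) into (3.9), and using (3.10) to eliminate $\delta_{ki}$, the sum

decision rule is

assign $Z \to \omega_j$ if

$$(1 - N) P(\omega_j) + \sum_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \left[ (1 - N) P(\omega_k) + \sum_{i=1}^{N} P(\omega_k \mid x_i) \right] \qquad (3.13)$$

With the assumption of equal a priori probabilities, this becomes

assign $Z \to \omega_j$ if

$$\sum_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \sum_{i=1}^{N} P(\omega_k \mid x_i) \qquad (3.14)$$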









3.1.3 Max Rule

If the sum of the N a posteriori probabilities in equation (3.13) is replaced by

N times the greatest probability, the Max rule results:



assign $Z \to \omega_j$ if

$$(1 - N) P(\omega_j) + N \max_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \left[ (1 - N) P(\omega_k) + N \max_{i=1}^{N} P(\omega_k \mid x_i) \right] \qquad (3.15)$$

which, with the assumption of equal a priori probabilities, becomes



assign $Z \to \omega_j$ if

$$\max_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \max_{i=1}^{N} P(\omega_k \mid x_i) \qquad (3.16)$$

Use of this rule in biometric authentication would assist an impostor who is

able to get one high score either by use of an artifact, or simply by chance.

3.1.4 Min Rule

The product of the posterior probabilities in equation (3.13) will always be less

than or equal to the minimum of the probabilities,

$$\prod_{i=1}^{N} P(\omega_k \mid x_i) \le \min_{i=1}^{N} P(\omega_k \mid x_i) \qquad (3.17)$$

Substituting (3.17) into (3.9) and bounding the probabilities from

above, we get

assign $Z \to \omega_j$ if

$$P^{-(N-1)}(\omega_j) \min_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} P^{-(N-1)}(\omega_k) \min_{i=1}^{N} P(\omega_k \mid x_i) \qquad (3.18)$$









and with the assumption of equal prior probabilities,



assign $Z \to \omega_j$ if

$$\min_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \min_{i=1}^{N} P(\omega_k \mid x_i) \qquad (3.19)$$

3.1.5 Median Rule

If equal prior probabilities are assumed, then the sum rule in equation (3.13)

can be thought of as an average a posteriori probability for each class from all the

classifier outputs,



assign $Z \to \omega_j$ if

$$\frac{1}{N} \sum_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \frac{1}{N} \sum_{i=1}^{N} P(\omega_k \mid x_i) \qquad (3.20)$$
so the pattern is assigned to the class for which the average a posteriori

probability is a maximum. If one of the a posteriori probabilities is an outlier,

it will influence the average, and could cause a wrong decision. The median is

less easily influenced by outliers, so it can be considered as a rule for combining

classifiers:



assign $Z \to \omega_j$ if

$$\operatorname{med}_{i=1}^{N} P(\omega_j \mid x_i) = \max_{k=1}^{2} \operatorname{med}_{i=1}^{N} P(\omega_k \mid x_i) \qquad (3.21)$$

3.1.6 Majority Vote Rule

If the a posteriori probabilities are hardened to produce a binary valued

function,











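$$\Delta_{ki} = \begin{cases} 1 & \text{if } P(\omega_k \mid x_i) = \max_{j=1}^{2} P(\omega_j \mid x_i) \\ 0 & \text{otherwise} \end{cases}$$

then (3.13) becomes

assign $Z \to \omega_j$ if

$$\sum_{i=1}^{N} \Delta_{ji} = \max_{k=1}^{2} \sum_{i=1}^{N} \Delta_{ki} \qquad (3.22)$$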
so that the class with the largest number of votes is selected.
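The six rules above can be compared side by side on the same score vector. The following is an added example, not code from the thesis or from Kittler et al.: the function names and the two posterior vectors are constructed for illustration, and each device is assumed to report $P(\omega_1 \mid x_i)$, so the impostor posterior is its complement.

```python
from math import prod
from statistics import median

ACCEPT, REJECT = "accept", "reject"   # omega_1 and omega_2 in the text
RULES = ("product", "sum", "max", "min", "median", "vote")


def fuse(genuine_posteriors, rule, prior_genuine=0.5):
    """Apply one fusion rule; return (decision, support_accept, support_reject).

    genuine_posteriors[i] is P(omega_1 | x_i) reported by device i.
    """
    n = len(genuine_posteriors)
    post = {ACCEPT: list(genuine_posteriors),
            REJECT: [1.0 - p for p in genuine_posteriors]}
    prior = {ACCEPT: prior_genuine, REJECT: 1.0 - prior_genuine}
    support = {}
    for k in (ACCEPT, REJECT):
        p, pk = post[k], prior[k]
        if rule == "product":       # equation (3.9)
            support[k] = pk ** (-(n - 1)) * prod(p)
        elif rule == "sum":         # equation (3.13)
            support[k] = (1 - n) * pk + sum(p)
        elif rule == "max":         # equation (3.15)
            support[k] = (1 - n) * pk + n * max(p)
        elif rule == "min":         # equation (3.18)
            support[k] = pk ** (-(n - 1)) * min(p)
        elif rule == "median":      # equation (3.21)
            support[k] = median(p)
        elif rule == "vote":        # equation (3.22): one hard vote per device
            other = post[REJECT if k == ACCEPT else ACCEPT]
            support[k] = sum(1 for a, b in zip(p, other) if a >= b)
        else:
            raise ValueError("unknown rule: " + rule)
    # A tie is resolved as reject so the system fails closed.
    decision = ACCEPT if support[ACCEPT] > support[REJECT] else REJECT
    return decision, support[ACCEPT], support[REJECT]


def decide_all(genuine_posteriors, prior_genuine=0.5):
    """Decision of every rule for one authentication attempt."""
    return {r: fuse(genuine_posteriors, r, prior_genuine)[0] for r in RULES}


# Constructed posteriors for (fingerprint, face, voice).
SPOOFED_FINGER = [0.95, 0.20, 0.25]   # impostor holding a fingerprint artifact
WORN_FINGER = [0.01, 0.90, 0.85]      # genuine user with a damaged fingerprint

if __name__ == "__main__":
    for name, scores in (("spoofed", SPOOFED_FINGER), ("worn", WORN_FINGER)):
        print(name, decide_all(scores))
```

On these two constructed attempts the sum, median and vote rules reject the artifact and accept the worn fingerprint, while the max rule follows the single high score and the product and min rules follow the single extreme score in both cases.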

3.1.7 Experimental Test of Rules for Combining Classifiers

Then Kittler et al. [27] report the results of experiments testing these rules for

combining classifiers. In one experiment they combine three biometrics, frontal and

profile views of the face and voice verification. Equal error rates of 12.'" 8.5%,

and 1. !'. were obtained for the individual frontal, profile, and voice biometrics.

Equal error rates for the various combination rules are 0.7% for the sum rule, 1. !'.

for product, 12.' for maximum, 1.' for median, and 4.5% for minimum. The

sum rule has the best performance. For some reason the majority vote rule was

not used. They computed a correlation matrix for the data used to compute the

individual biometric scores, which showed that there was some correlation between

face profile and voice, but not much between frontal face and the other biometrics.

A second experiment involved character recognition. In this case the median rule

was best, with a classification rate of 98.19%, and the sum rule was a close second

at 98.05%. A majority vote is next at 97 '. followed by the max rule at 93.9 '.

the min rule at 86.011' and the product rule at 84.' i'. The min and product

rules were both worse than any of the individual classifiers used for character

recognition.









In order to explain the superiority of the sum rule, which requires the assump-

tions of independence and that classes are ambiguous, they show that errors have

less influence on the sum rule than on the product rule.

3.2 Nonparametric Methods and Likelihood Ratio

Prabhakar and Jain [43] use several matching algorithms to classify fingerprint

images from a single fingerprint scanner. The goal is to achieve lower error rates

than any one of the algorithms could achieve alone, without the expense and

inconvenience of using multiple biometric devices. They develop a classifier

combination method that does not assume any particular form for the probability

density functions of the classes, and also does not assume independence of the

scores from the various matching algorithms.

First a class separation statistic is used to choose the subset of available

algorithms that gives the best separation of authorized users and impostors [43]. A

natural assumption would be that the more algorithms are used, the better

the result should be. If the pdf's of the classes are perfectly known, increasing the

number of features, in this case the number of algorithms generating a score for

a fingerprint, will never decrease the accuracy of classification. If the additional

features have some independent data from those already in use, classification

accuracy would be expected to improve. However, in many real cases, where

densities are not known perfectly, and must be estimated from limited experimental

data, there is a "peaking phenomenon" in classification performance as the number

of features is increased. Beyond some point, further increase in the number of

features results in a decrease in classification accuracy [23]. This is known as the

"curse of dimensionality." The optimum dimensionality depends on the number of

data points available. It is considered good practice to use at least ten data points

for each dimension. However, for some approaches, the data requirement is much

greater.









A naive table-lookup technique (partitioning the feature space into
cells and associating a class label with each cell) requires the number
of training data points to be an exponential function of the feature
dimension. ([23], p. 11)

Prabhakar and Jain use such a technique. Then, although they compared 2572

fingerprint images from 167 subjects against each other, resulting in 7472 genuine

user matches and 3,298,834 impostor matches, the best performance was achieved

with the use of only three of the four algorithms that were studied [43].

Next the Parzen window density estimate of the N-dimensional density

function is used, where N is the number of algorithms in the optimal subset. The

density estimate at a point x, with n data points available, is


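$$p(x) = \frac{1}{n h^{N}} \sum_{j=1}^{n} \frac{1}{(2\pi)^{N/2} |\Sigma|^{1/2}} \exp\left[ -\frac{1}{2h^{2}} (x - x_j)^{t}\, \Sigma^{-1} (x - x_j) \right] \qquad (3.23)$$

where h is the width of the N-dimensional window over which the density

is averaged, and $\Sigma$ is the covariance matrix, which is estimated from the n data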

points [43]. The larger the value of h, the greater the smoothing of the estimated

density function. If h is too small so that a small number of points fall inside the

window, random variations will influence the distribution. If h is too large, features

of the distribution may be obscured [13].

Finally, a likelihood ratio, equation (2.7)


$$R = P(x \mid \omega_2) / P(x \mid \omega_1) \qquad (3.24)$$

is used to assign to class $\omega_2$ if R is large, and to class $\omega_1$ if R is small. If a limit

is set on FAR, for example, regions of minimum R are assigned to class $\omega_1$,

the class of genuine users, until the FAR limit is reached, and the remaining

regions are all assigned to class $\omega_2$, for impostors. Alternatively, if a limit for

FRR is chosen, regions of maximum R are assigned to class $\omega_2$ until the FRR

limit is reached. Either way, this method will yield an optimal Neyman-Pearson decision

rule. Experimental results for one of the matching algorithms show that, while

the impostor curve appears to be close to a normal distribution, the error rate is

significantly better when the nonparametric Parzen window density is used. The

likelihood ratio gives lower error rate than the sum rule, which is better than the

product rule [43].
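The Parzen window estimate (3.23) and the likelihood ratio (3.24) can be put together with a FAR limit as in the sketch below. It is an added example, not Prabhakar and Jain's code: it is restricted to N = 2 matchers so the covariance inverse can be written out by hand, the score pairs are constructed, and the threshold is calibrated on the same impostor scores used for the density estimate to keep the example short.

```python
import math

# Constructed match scores (matcher A, matcher B); not measured data.
GENUINE = [(0.72, 0.70), (0.75, 0.78), (0.78, 0.74), (0.80, 0.82), (0.82, 0.79),
           (0.85, 0.88), (0.88, 0.84), (0.90, 0.91), (0.93, 0.90), (0.95, 0.94)]
IMPOSTOR = [(0.10, 0.14), (0.14, 0.11), (0.18, 0.22), (0.20, 0.17), (0.24, 0.28),
            (0.27, 0.23), (0.30, 0.33), (0.33, 0.29), (0.36, 0.38), (0.40, 0.36)]


def covariance(points):
    """Sample covariance of 2-D points as (sxx, sxy, syy)."""
    n = len(points)
    mx = sum(p[0] for p in points) / n
    my = sum(p[1] for p in points) / n
    sxx = sum((p[0] - mx) ** 2 for p in points) / (n - 1)
    syy = sum((p[1] - my) ** 2 for p in points) / (n - 1)
    sxy = sum((p[0] - mx) * (p[1] - my) for p in points) / (n - 1)
    return sxx, sxy, syy


def parzen(points, h):
    """Return the density estimate of equation (3.23) for N = 2."""
    n, dim = len(points), 2
    sxx, sxy, syy = covariance(points)
    det = sxx * syy - sxy * sxy
    if det <= 0:
        raise ValueError("singular covariance; the scores need more variation")
    ixx, ixy, iyy = syy / det, -sxy / det, sxx / det   # inverse of Sigma
    norm = 1.0 / ((2 * math.pi) ** (dim / 2) * math.sqrt(det))

    def density(x):
        total = 0.0
        for px, py in points:
            dx, dy = x[0] - px, x[1] - py
            q = dx * (ixx * dx + ixy * dy) + dy * (ixy * dx + iyy * dy)
            total += norm * math.exp(-q / (2 * h * h))
        return total / (n * h ** dim)
    return density


def likelihood_ratio(x, p_impostor, p_genuine):
    """R of equation (3.24); infinite when the genuine density underflows."""
    num, den = p_impostor(x), p_genuine(x)
    return math.inf if den == 0.0 else num / den


def neyman_pearson_threshold(impostor_ratios, far_limit):
    """Largest threshold t such that accepting R < t keeps FAR within the limit."""
    allowed = int(far_limit * len(impostor_ratios))
    ranked = sorted(impostor_ratios)
    return ranked[allowed] if allowed < len(ranked) else math.inf


def build_verifier(h=0.5, far_limit=0.1):
    """Return (ratio, accept, threshold, far, frr) for the constructed scores."""
    p_gen, p_imp = parzen(GENUINE, h), parzen(IMPOSTOR, h)

    def ratio(x):
        return likelihood_ratio(x, p_imp, p_gen)

    threshold = neyman_pearson_threshold([ratio(x) for x in IMPOSTOR], far_limit)

    def accept(x):
        return ratio(x) < threshold

    far = sum(accept(x) for x in IMPOSTOR) / len(IMPOSTOR)
    frr = sum(not accept(x) for x in GENUINE) / len(GENUINE)
    return ratio, accept, threshold, far, frr


if __name__ == "__main__":
    _, accept, threshold, far, frr = build_verifier()
    print("threshold", threshold, "FAR", far, "FRR", frr)
    print(accept((0.85, 0.86)), accept((0.25, 0.26)))
```

Because neither density is forced into a parametric form and the covariance term keeps the correlation between the two matchers, this is the setting in which the text reports the likelihood ratio outperforming the sum and product rules.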

3.3 Majority Voting

Dieckmann et al. [10] tested a system that either verified or identified people

entering a building. The subjects looked at a camera and said their names.

The camera captured a still image of the face, as well as lip movement, while

a microphone captured the voice. These data were processed to obtain three

hard decisions, and if two of the three decisions were positive the person was

authenticated or identified. It was claimed that voice and lip movement, being

dynamic features, are more difficult to fake than static features, such as the face

image. The voting scheme is said to be "very reliable and robust against changing

light conditions (sun movement, clouds, changing electric lights) and against a

noisy environment. If one cue is disturbed the other two still guarantee a safe

classification." Because false rejection was seen to be more undesirable than false

acceptance, the three classifiers were trained to minimize (2FRR + FAR). In the

verification test, the face image had FRR of 0.005 and FAR of 0.027, lip movement

had FRR of 0.26 and FAR of 0.035, and speech had FRR of 0.009 and FAR of

0.019. The system had a FRR of 0.002, and FAR of 0.003.

3.4 Weighted Sum Rule

Duc et al. [12] used Bayes theory to combine scores from a face image and

speech. They assume independence of the face image and speaker verification

scores. They also assume that the log of the misidentification score follows a









normal distribution. The misidentification score is the difference between the true

authentication score, which is one for a genuine user and 0 for an impostor, and the

actual score for the authentication attempt. A weighted sum of the face and speech

scores results, where the scores are weighted by the inverse of their variance. False

acceptance rates for face and speech were 3.''. and 6.7%, while the arithmetic

mean of the two scores achieved a false acceptance rate of 1.''. and the Bayesian

method achieved 0.5%. The false rejection rates were 7. !'. for face, 0.0% for

speech, 2.1 for the arithmetic mean, and 0.0% for the Bayesian method.

Jourlin et al. [25] combine visual information from lip movement with acoustic

information from speech. The combined system was tested on 37 people, who were

recorded speaking the digits from 0 to 9 in French. Each person was recorded five

times at one week intervals. They used the first three recordings for training of

their classification system. The fourth was used for validation. The threshold was

chosen to minimize errors on this set. The fifth, which was more difficult to classify

because of tilting of the speaker's head, not shaving, poor signal to noise ratio in

the voice recording, or poor focus of the camera, was used for testing. Tests were

carried out by comparing each person's data from the fifth trial to their own speech

and lip movement patterns obtained from the first three recordings, and also to

a world model, which is a model of the speech of 500 people and lip movement

patterns of 36 people. A score is obtained by normalizing the ratio of the likelihood

that they are the claimed identity to the world likelihood, their similarity to the

world model. A weighted sum is used to combine the acoustic and lip movement

scores, with the best performance found at a weighting of 0.86 for acoustic and

0.14 for lip movement. Impostor tests were carried out in a similar way, comparing

a subject's fifth recording to the speech and lip movement patterns of other test

subjects' first three trials. From just the acoustic information, the test achieved

FAR of 2.;:'-. and FRR of 2.'-. Using just the lip movement information, the









FAR was 3.0% and the FRR was 27.,>'. Combining the two, the FAR was 0.5%

and the FRR was 2.,.

3.5 Cascading Method of Combining Classifiers

Hong and Jain [20] use a cascading method of combining face recognition

with fingerprint to construct an identification system. Because an identification

system may need to make a large number of comparisons, processing time is more

important. Therefore, face recognition is used to select the five best matches, and

then the fingerprint matching is performed only on those selected identities. Face

and fingerprint scores are assumed to be independent. Then the FAR is computed

for each of the five top face matches, based on both the face and fingerprint scores.

The system accepts an identity as correct if the computed FAR is less than the

required standard, and if the FAR is the minimum of the five returned from the

database on the basis of the face match. This system was tested using databases of

face and fingerprint images. Fingerprints were assigned to faces at random, based

on the assumption that fingerprint and face are independent. With a FAR of 1

. the face FRR is 15.>' the fingerprint FRR is 3.9%, and the system FRR

is 1.', With a FAR of 0.001 the face FRR is 64.1 the fingerprint FRR is

14.9% and the system FRR is 9.>'. Included in the system FRR are the 1'~.,

of the individuals who were not among the top five matches of the face recognition

system.

3.6 Hierarchical Methods of Combining Classifiers

Hierarchical methods, also known as decision trees, differ from the cascading

method in that information from all classifiers is assumed to be available at the

start of the classification process. Then decisions can be based on a single variable

or on a combination of variables. If the scores from the individual classifiers are

related, basing the decision on a single score rather than a combination of scores

introduces bias [11]. To avoid this, Draper et al. describe how to derive a decision









tree with a linear machine at each node that can reach a decision based on a linear

combination of all the scores with different costs assigned to different kinds of

misclassification errors [11]. Biometric systems that measure different characteristics

should be approximately independent, so the algorithm for building the tree is not

described here, but if a number of classifying algorithms were used on data from a

single biometric device, the results might not be independent, and such a technique

might be advantageous.

3.7 Summary

In summary, of the three general classes of procedures for combining classifiers,

most of the methods used for combining biometric classifiers are parallel methods.

The product, sum, median, min and majority vote rules can all be derived from

Bayesian theory with varying assumptions. The product rule, derived by assuming

that the classifiers are independent, can be strongly affected by a single low score.

Also it is more strongly affected by error in the classifiers than is the sum rule.

This is probably the reason that the sum rule, although it requires the further

assumption that the a posteriori probability of a genuine user or an impostor

does not differ greatly from the a priori probability, was found to have better

performance than the product rule. The median rule had performance comparable

to that of the sum rule, and the majority vote rule was slightly inferior. The min

and product rules were significantly lower. In other tests, a weighted sum rule

gave improved classification performance, with the weighting factors determined

empirically or with the inverse of the variance of a classifier's scores used as a

weighting factor.

A PDF must be found for each classifier's score for each class. If the classifiers

are not independent, then a joint PDF is needed. Determination of a joint PDF

requires much data, but gave improved performance when a number of algorithms

were used to classify a set of fingerprint images. However, in another study data









from frontal face, face profile, and voice were nearly independent. Thus, when

working with multiple biometric systems that measure different characteristics, it is

probably safe to assume independence, and a joint PDF need not be determined.

Probability density functions can be found by parametric methods, which

assume the distributions to follow some function, or nonparametric methods,

which make no such assumption. With a large data set of fingerprint images, a

nonparametric method, the Parzen window density, was found to be superior to

parametric methods [43]. A likelihood ratio was used to assign regions of the four-

dimensional space generated by the scores from four classifiers. This method was

found to be superior to the sum rule, which was superior to the product rule.

A biometric identification system made use of a cascading system, first invok-

ing a fast face recognition system to select a small number of close matches from

a database, and then a slower fingerprint to either find a match from among the

small set of close matches or to decide that the person is not in the database [20].