5.
`E
`
`I
`
`_
`
`.
`
`7i
`O
`a
`
`is”
`«a.
`Hkfi‘r
`.
`"33?,
`PAS mg“
`
`Faculty of Informatics
`Masaryk University
`
`Biometric Authentication Systems
`
`by
`
`Zdenék Riha
`
`Véclav Matyas
`
`FI MU Report Series
`
`Copyright © 2000, F1 MU
`
`FIMU—RS—2000—08
`
`November 2000
`
`APPLE 1011
`
`APPLE 1011
`
`

`

`Biometric Authentication Systems
`
`
`
`Véelav Matyéé Jr.
`Zdenek Riha
`
`1
`
`

`

`4 5 6
`
`10
`
`10
`
`10
`
`14
`
`18
`
`21
`
`22
`
`24
`
`26
`
`28
`
`30
`
`3O
`
`30
`
`30
`
`31
`
`31
`
`31
`
`31
`
`32
`
`33
`
`33
`
`34
`
`34
`
`35
`
`35
`
`36
`
`37
`
`Contents
`
`1
`
`Introduction
`
`1.1
`
`1.2
`
`What to measure? ...........................
`
`Error rates and their usage ......................
`
`2 Biometric techniques
`
`2.1
`
`2.2
`
`2.3
`
`2.4
`
`2.5
`
`2.6
`
`2.7
`
`2.8
`
`Fingerprint technologies .......................
`
`Fingerprint readers .........................
`
`Fingerprint processing .......................
`
`Iris ...................................
`
`Retina .................................
`
`Hand geometry ............................
`
`Signature dynamics ..........................
`
`Facial recognition ...........................
`
`Speaker verification ..........................
`
`Other biometric techniques ......................
`
`Palmprint ..............................
`
`Hand vein .............................
`
`DNA ................................
`
`Thermal imaging ..........................
`
`Ear shape ..............................
`
`Body odor .............................
`
`Keystroke dynamics ........................
`
`Fingemail bed ...........................
`
`3 Practical Issu'es
`
`3.1
`
`3.2
`
`The core biometric technology ....................
`
`The layer model ............................
`
`First measurement (acquisition) ..................
`
`Creation of master characteristics .................
`
`Storage of master characteristics .................
`
`Acquisition(s) ...........................
`
`Creation of new characteristics ..................
`
`Comparison ............................
`
`2
`
`

`

`Decision .............................. 3 8
`
`3.3 Biometrics and cryptography ..................... 38
`
`Biometrics are not secrets ..................... 39
`
`The liveness problem ....................... 39
`
`Authentication software ...................... 40
`
`Improving security with biometrics ................ 41
`
`4 Conclusions
`
`43
`
`3
`
`

`

`Biometric Systems
`
`1
`
`Introduction
`
`Humans recognize each other according to their various char-
`acteristics for ages. We recognize others by their face when we
`meet them and by their voice as we speak to them. Identity verifi-
`cation (authentication) in computer systems has been traditionally
`based on something that one has (key, magnetic or chip card) or
`one knows (PIN, password). Things like keys or cards, however,
`tend to get stolen or lost and passwords are often forgotten or dis-
`closed.
`
`To achieve more reliable verification or
`
`identification we
`
`should use something that really characterizes the given person.
`Biometrics offer automated methods of identity verification or
`identification on the principle of measurable physiological or be-
`havioral characteristics such as a fingerprint or a voice sample. The
`characteristics are measurable and unique. These characteristics
`should not be duplicable, but it is unfortunately often possible to
`create a copy that is accepted by the biometric system as a true
`sample. This is a typical situation where the level of security
`provided is given as the amount of money the impostor needs to
`gain an unauthorized access. We have seen biometric systems
`where the estimated amount required is as low as $100 as well as
`systems where at least a few thousand dollars are necessary.
`
`This paper presents our conclusions* from a year-long study
`of biometric authentication techniques and actual deployment po-
`tential, together with an independent testing of various biometric
`authentication products and technologies. We believe that our ex-
`perience can help the reader in considering whether and what kind
`of biometric authentication should or should not be used in a given
`
`system.
`
`Biometric technology has not been studied solely to authenti-
`cate humans. A biometric system for race horses is being inves-
`tigated in Japan and a company that imports pedigree dogs into
`South Africa uses a biometric technique to verify the dogs being
`
`imported.
`
`*Conclusions and opinions as expressed are those of the authors as individual
`researchers, not of their past or present employers.
`
`biometrics
`
`

`

`Biometric Systems
`
`Biometric systems can be used in two different modes. Identity
`verification occurs when the user claims to be already enrolled in
`the system (presents an ID card or login name); in this case the
`biometric data obtained from the user is compared to the user’s data
`already stored in the database. Identification (also called search)
`occurs when the identity of the user is a priori unknown. In this
`case the user’s biometric data is matched against all the records in
`the database as the user can be anywhere in the database or he/she
`actually does not have to be there at all.
`
`It is evident that identification is technically more challenging
`and costly. Identification accuracy generally decreases as the size
`ofthe database grows. For this reason records in large databases are
`categorized according to a sufliciently discriminating characteristic
`in the biometric data. Subsequent searches for a particular record
`are searched within a small subset only. This lowers the number
`of relevant records per search and increases the accuracy (if the
`discriminating characteristic was properly chosen).
`
`Before the user can be successfully verified or identified by the
`system, he/she must be registered with the biometric system. Us-
`er’s biometric data is captured, processed and stored. As the quality
`of this stored biometric data is crucial for further authentications,
`there are often several (usually 3 or 5) biometric samples used to
`create user’s master template. The process of the user’s registration
`with the biometric system is called enrollment.
`
`verification
`
`identification
`
`identification
`
`enrollment
`
`1.1 What to measure?
`
`Most significant difference between biometric and traditional
`
`technologies lies in the answer of the biometric system to an au-
`thentication/identification request. Biometric systems do not give
`simple yes/no answers. While the password either is ’abcd’ or not
`and the card PIN 1234 either is valid or not, no biometric system
`can verify the identity or identify a person absolutely. The person’s
`signature never is absolutely identical and the position of the fin-
`ger on the fingerprint reader will vary as well. Instead, we are told
`how similar the current biometric data is to the record stored in
`
`the database. Thus the biometric system actually says what is the
`
`not always the
`same
`
`

`

`Biometric Systems
`
`probability that these two biometric samples come from the same
`
`person.
`
`Biometric technologies can be divided into 2 major categories
`according to what they measure:
`
`* Devices based on physiological characteristics of a person
`(such as the fingerprint or hand geometry).
`
`* Systems based on behavioral characteristics of a person
`(such as signature dynamics).
`
`Biometric systems from the first category are usually more re-
`liable and accurate as the physiological characteristics are easier
`to repeat and often are not affected by current (mental) conditions
`such as stress or illness.
`
`One could build a system that requires a 100% match each time.
`Yet such a system would be practically useless, as only very few
`users (if any) could use it. Most of the users would be rejected all
`the time, because the measurement results never are the samel.
`
`We have to allow for some variability of the biometric data in
`order not to reject too many authorized users. However, the greater
`variability we allow the greater is the probability that an impos-
`tor with a similar biometric data will be accepted as an authorized
`user. The variability is usually called a (security) threshold or a
`(security) level. If the variability allowed is small then the security
`threshold or the security level is called high and if we allow for
`greater variability then the security threshold or the security level
`is called low.
`
`1.2 Error rates and their usage
`
`There are two kinds of errors that biometric systems do:
`
`* False rejection (Type 1 error) — a legitimate user is rejected
`(because the system does not find the user’s current biomet-
`ric data similar enough to the master template stored in the
`database).
`
`TA hundred percent similarity between any two samples suggests a very good
`forgery.
`
`variability
`
`security
`threshold
`
`

`

`Biometric Systems
`
`* False acceptance (Type 2 error) — an impostor is accepted
`as a legitimate user (because the system finds the impostor’s
`biometric data similar enough to the master template of a
`legitimate user).
`
`In an ideal system, there are no false rejections and no false ac-
`ceptances. In a real system, however, these numbers are non-zero
`and depend on the security threshold. The higher the threshold the
`more false rejections and less false acceptances and the lower the
`threshold the less false rejections and more false acceptances. The
`number of false rejections and the number of false acceptances are
`inversely proportional. The decision which threshold to use de-
`pends mainly on the purpose of the entire biometric system.
`It
`is chosen as a compromise between the security and the usability
`of the system. The biometric system at the gate of the Disney’s
`amusement park will typically use lower threshold than the bio-
`metric system at the gate of the NSA headquarters.
`
`The number of false rejections/false acceptances is usually
`expressed as a percentage from the total number of autho-
`rized/unauthorized access attempts. These rates are called the
`false rejection rate (FRR)/false acceptance rate (FAR). The values
`of the rates are bound to a certain security threshold. Most of the
`systems support multiple security thresholds with appropriate false
`acceptance and false rejection rates.
`
`Some of the biometric devices (or the accompanying software)
`take the desired security threshold as a parameter of the decision
`process (e. g. for a high threshold only linear transformations are
`allowed), the other devices return a score within a range (e.g. a
`difference score between 0 and 1000, where 0 means the perfect
`match) and the decision itself is left to the application.
`
`If the device supports multiple security levels or returns a score
`we can create a graph indicating the dependence of the FAR and
`FR on the threshold value. The following picture shows an ex-
`ample of such a graph:
`
`traa'e-ofir
`
`decision
`
`process
`
`

`

`Biometric Systems
`
`FAR
`
`FRR
`
`FAR
`
`FRR
`
`ERR
`
` security threshold
`The curves of FAR and FR cross at the point where FAR and
`FR are equal. This value is called the equal error rate (ERR) or
`the crossover accuracy. This value does not have any practical use
`(we rarely want FAR and FRR to be the same), but it is an indi-
`cator how accurate the device is. If we have two devices with the
`
`equal error rates of 1% and 10% then we know that the first device
`is more accurate (i.e., does fewer errors) than the other. However,
`such comparisons are not so straightforward in the reality. First,
`any numbers supplied by manufacturers are incomparable because
`manufacturers usually do not publish exact conditions of their tests
`and second even if we have the supervision of the tests, the tests
`are very dependent on the behavior of users and other external in-
`fluences.
`
`The manufacturers often publish only the best achievable rates
`(e.g., FAR < 0.01% and FR < 0.1%), but this does not mean that
`these rates can be achieved at the same time (i.e., at one securi-
`ty threshold). Moreover, not all the manufacturers use the same
`algorithms for calculating the rates. Especially the base for com-
`putation of the FAR often differs significantly. So one must be very
`careful when interpreting any such numbers.
`
`The following table shows real rounded rates (from real tests)
`for three devices set the lowest security level possiblei:
`
`iThese numbers serve as an example only. Any such numbers depend heavily
`upon the conditions of the test and are subject to exhaustive discussions. Our
`numbers were collected during a two week trial in an office environment.
`
`crossover
`
`accuracy
`
`comparisons
`
`

`

`Biometric Systems
`
`
`
`—--I:l
`
`
`
`
`
`This table shows rates (again rounded) for three devices set to
`the highest security level possible:
`
`
`
`
`
`
`
`
`
`Although the error rates quoted by manufactures (typically
`ERR < 1%) might indicate that biometric systems are very ac-
`curate, the reality is rather different. Namely the false rejection
`rate is in reality very high (very often over 10%). This prevents
`the legitimate users to gain their access rights and stands for a
`significant problem of the biometric systems.
`
`not error-free
`
`

`

`Biometric Systems
`
`10
`
`2 Biometric techniques
`
`There are lots of biometric techniques available nowadays. A
`few of them are in the stage of the research only (e.g.
`the odor
`analysis), but a significant number of technologies is already ma-
`ture and commercially available (at least ten different types of bio-
`metrics are commercially available nowadays: fingerprint, finger
`geometry, hand geometry, palm print, iris pattern, retina pattern,
`facial recognition, voice comparison, signature dynamics and typ-
`ing rhythm).
`
`2.1 Fingerprint technologies
`
`Fingerprint identification is perhaps the oldest of all the biomet-
`ric techniques. Fingerprints were used already in the Old China as
`a means of positively identifying a person as an author of the doc-
`ument. Their use in law enforcement since the last century is well
`known and actually let to an association fingerprint = crime. This
`caused some worries about the user acceptance offingerprint-based
`systems. The situation improves as these systems spread around
`and become more common.
`
`Systems that can automatically check details of a person’s fin-
`gerprint have been in use since the 19603 by law enforcement agen-
`cies. The US. Government commissioned a study by Sandia Labs
`to compare various biometric technologies used for identification
`in early seventies. This study concluded that the fingerprint tech-
`nologies had the greatest potential to produce the best identification
`accuracy. The study is quit outdated now, but it turned the research
`and development focus on the fingerprint technology since its re-
`lease.
`
`the oldest
`
`Sandia study
`
`Fingerprint readers
`
`Before we can proceed any fiirther we need to obtain the dig-
`italized fingerprint. The traditional method uses the ink to get
`the fingerprint onto a piece of paper. This piece of paper is then
`scanned using a traditional scanner. This method is used only
`rarely today when an old paper-based database is being digitalised,
`a fingerprint found on a scene of a crime is being processed or in
`
`scanning
`
`

`

`Biometric Systems
`
`11
`
`law enforcement AFIS systems. Otherwise modern live fingerprint
`readers are used. They do not require the ink anymore. These live
`fingerprint readers are most commonly based on optical, thermal,
`silicon or ultrasonic principles.
`
`Source: I/O Software [6]
`
`All the optical fingerprint
`
`readers comprise of the
`
`
`
`finger-
`Optical
`print readers are the
`most
`common
`at
`
`They are
`present.
`based on reflection
`h
`h
`C anges at t 6 spots
`where the finger pa—
`pilar lines ““1011 the
`readers surface.
`
`source of light,
`the light
`sensor and a special reflec-
`tion surface that changes the reflection according to the preas-
`sure. Some of the readers are fitted out with the processing
`and memory chips as well.
`
`The size of the optical fingerprint readers typically is around
`10 x 10 x 5 centimeters.
`It is difficult to minimize them much
`
`more as the reader has to comprise the source of light§, reflection
`surface and the light sensor.
`
`fin-
`The optical
`gerprint
`readers
`
`work usually reli-
`ably, but sometimes
`
`have problems with
`dust if heavily used
`and not cleaned. The
`
`dust may cause latent
`fingerprints, which
`may be accepted by
`the reader as a real
`
`This
`
`is
`
`a
`
`fingerprint
`
`bitmap obtained by an
`
`optical fingerprint reader
`
`Access Corporation)
`
`(Securetouch 99 manu-
`
`factured by the Biometric
`
`fingerprint. Optical fingerprint readers cannot be fooled by a simple
`picture of a fingerprint, but any 3D fingerprint model makes a sig-
`nificant problem, all the reader checks is the pressure. A few read-
`ers are therefore equipped with additional detectors of finger live-
`ness.
`
`§It actually need not be and often is not visible light.
`
`

`

`Biometric Systems
`
`readers
`Optical
`are relatively cheap
`and
`are manufac-
`
`a great
`tured by
`number of manufac-
`
`turers. The field of
`
`optical
`
`technologies
`
`attracts many new-
`
`12
`
`Source: ABC [1]
`
`This is an example of the
`
`optical fingerprint reader.
`The “Biomouse Plus” in-
`
`tegrated with a smart card
`
`reader is able to capture
`
`the fingerprint at 500 DPI.
`It is connected to the paralel port of a computer and costs be-
`
`tween $100 and $200.
`
`ly established firms
`(e.g., American Bio-
`metric Company, Digital Persona) as well as a few big and well-
`-known companies (such as HP, Philips or Sony). Optical finger-
`print readers are also often embedded in keyboards, mice or moni-
`tors.
`
`Silicon technologies are older than the optical technologies.
`They are based on the capacitance of the finger. The dc-capacitive silicon
`fingerprint sensors consist of rectangular arrays of capacitors on
`a silicon chip. One plate of the capacitor is the finger, the other
`plate is a tiny area of metallization (a pixel) on the chip’s surface.
`One places his/her finger against the surface of the chip (actually
`against an insulated coating on the chip’s surface). The ridges of
`the fingerprint are close to the nearby pixels and have high capaci-
`tance to them. The valleys are more distant from the pixels nearest
`them and therefore have lower capacitance.
`
`array
`an
`Such
`of capacitors can be
`placed onto a chip as
`small as 15 x 15 x 5
`
`mm and thus is ideal
`
`for miniaturization.
`
`A PCMCIA card
`
`(the triple height of
`a credit card) with
`a silicon fingerprint
`
`already
`is
`reader
`Integra-
`available.
`tion of a fingerprint
`reader on a credit
`
`an 8-bit digital value. The resolution of the image is 500 DPI.
`
`Source: Veridicom [18]
`
`Beneath the surface passi-
`vation layer is a 300 x 300
`
`array of capacitor plates.
`
`The ridges and valleys of
`a finger are different dis-
`
`tances from the capacitor
`
`plates.
`
`That difference
`
`corresponds to a capaci-
`tance difference which the
`
`sensor measures.
`
`The
`
`analog-to-digital converter translates that capacitance to into
`
`card-sized smartcard was not achieved yet, but it is expected in
`
`

`

`Biometric Systems
`
`13
`
`the near fiiture. Silicon fingerprint readers are popular also in mo-
`bile phones and laptop computers due to the small size.
`
`The
`bitmap
`from the
`
`fingerprint
`obtained
`silicon
`
`reader is affected by
`the finger moisture
`as the moisture sig-
`nificantly influences
`the capacitance. This
`often means that too
`
`grayscale.
`
`This is an example of a fin-
`
`gerprint bitmap image ob-
`
`tained by a silicon finger-
`
`print reader (captured us-
`
`ing the “Precise 100 SC”
`
`manufactured by the Pre-
`cise Biometrics) The res-
`
`olution of the image is
`
`300 x 300 points, 8-bit
`
`wet or dry fingers do
`not produce bitmaps
`with a suficient quality and so people with unusually wet or dry
`fingers have problems with these silicon fingerprint readers.
`
`Both optical and silicon fingerprint readers are fast enough to
`capture and display the fingerprint in real time. The typical resolu-
`tion is around 500 DPI.
`
`fingerprint
`Ultrasonic
`readers are the newest and
`
`least common. They use ul—
`trasound to monitor the finger
`surface.
`
`The user places the finger
`on a piece of glass and the
`ultrasonic sensor moves and
`
`reads whole the fingerprint.
`This process takes one or two
`seconds. Ultrasound is not
`
`Source: UltraScan [17]
`
`This is an example of
`
`a
`
`fingerprint
`
`bitmap
`
`image obtained by an
`
`ultrasonic
`
`fingerprint
`
`reader.
`
`This
`
`image
`
`was obtained using the
`Model 703 ID Station
`
`at 250 DPI.
`
`disturbed by the dirt on the
`fingers so the quality of the bitmap obtained is usually fair.
`
`

`

`Biometric Systems
`
`14
`
`Ultrasonic
`
`fin-
`
`E warmmhlp
`
`Source: UlstraScan [17]
`
`_ “1°?!" ”ijfl‘u‘
`
`Ultrasound has the ability
`
`to penetrate many materi-
`als. Ultrasonic fingerprint
`scanner is based on the
`
`gerprint readers are
`manufactured
`by
`a
`single
`company
`nowadays.
`This
`company (UltraScan
`Inc.)
`owns multl-
`ple patents for
`the
`Ultrasonic
`technol-
`Ogy.
`The readers
`produced
`by
`thiS
`company are
`rela-
`tively big (15 X 15
`x 20 centimeters),
`heavy, noisy and expensive (with the price around $2500). They
`are able to scan fingerprints at 300, 600 and 1000 DPI (according
`to the model).
`
`:
`
`.
`
`difference in the acoustic
`
`=
`
`.
`
`impedance of skin, air and
`the fingerprint platen. At
`“
`V
`each interface level, sound waves are partially reflected and
`partially transmitted through. This penetration produces re-
`turn signals at successive depths. Low propagation velocities
`allow pulse-echo processing of return echoes, which can be
`timed to vary the depth at which the image is captured.
`
`Fingerprint processing
`
`Fingerprints are not compared and usually also not stored as
`bitmaps. Fingerprint matching techniques can be placed into two
`categories: minutiae-based and correlation based. Minutiae-based
`techniques find the minutiae points first and then map their relative
`placement on the finger. Minutiae are individual unique character— minutiae
`istics within the fingerprint pattern such as ridge endings, bifurca-
`tions, divergences, dots or islands (see the picture on the following
`page). In the recent years automated fingerprint comparisons have
`been most often based on minutiae.
`
`The problem with minutiae is that it is diflicult to extract the
`minutiae points accurately when the fingerprint is of low quali-
`ty. This method also does not take into account the global pattern
`of ridges and furrows. The correlation-based method is able to correlation-
`overcome some of the diflficulties of the minutiae-based approach. based
`However, it has some of its own shortcomings. Correlation-based
`techniques require the precise location of a registration point and
`are affected by image translation and rotation.
`
`

`

`Biometric Systems
`
`15
`
`‘n.
`
`fl
`,Jfl
`/7.94
`/,
`y?-
`I
`~. Anita \
`7
`7’
`bcaca
`
`"U
`
`A?"are:
`
`of all fingerprints and are defined by at least one ridge that makes a complete circle.
`
`Source: Digital Persona [4]
`
`The loop is the most common type of fingerprint pattern and accounts for about 65%
`of all prints. The arch pattern is a more open curve than the loop. There are two types
`of arch patterns: the plain arch and the tented arch. Whorl patterns occur in about 30%
`
`The readability of a fingerprint depends on a variety of work
`and environmental factors. These include age, gender, occupation
`and race. A young, female, Asian mine-worker is seen as the most
`diflicult subject. A surprisingly high proportion of the population
`have missing fingers, with the left forefinger having the highest
`percentage at 0.62% (source: [10]).
`
`There are about
`
`30 minutiae within
`
`a typical fingerprint
`image obtained by
`a
`live
`fingerprint
`reader. The FBI has
`
`shown that no two
`
`Source: PRIP MSU [ll]
`
`Fingerprint
`
`ridges
`
`are not
`
`continuous,
`
`straight
`
`ridges.
`
`Instead
`
`they
`
`are
`
`broken,
`
`forked, changed directionally,
`or interrupted. The points at
`
`
`
`-
`
`,
`
`-'
`
`'
`
`‘, .; "L
`”73‘3" ‘5
`-_
`'- .
`'.
`
`.-
`
`'-
`
`'
`
`'.
`
`.
`
`:I
`
`which ridges end,
`fork and
`change are called minutia
`individuals can have
`points,
`and these minutia
`more than 8 common
`points provide unique, identi-
`minutiae. The US.
`fying information. There are
`'
`Court
`system has
`a number of types of minutia points. The most common are
`allowed
`testimony
`ridge endings and ridge bifurcations (points at which a ridge
`based on 12 match-
`divides into two or more branches).
`ing minutiae.
`The
`number and spatial distribution of minutiae varies according to
`the quality of the fingerprint image, finger pressure, moisture and
`placement.
`In the decision process, the biometric system tries to
`find a minutiae transformation between the current distribution and
`
`the stored template. The matching decision is then based on the
`
`

`

`Biometric Systems
`
`16
`
`possibility and complexity of the necessary transformation. The
`decision usually takes from 5 milliseconds to 2 seconds.
`
`of
`speed
`The
`the decision some-
`
`Source: PRIP MSU [11]
`
`The minutiae matching is a
`
`process where two sets of
`
`the same finger or not.
`
`on
`depends
`times
`level
`security
`the
`the
`negative
`and
`answer
`very
`of-
`ten
`takes
`longer
`time than the positive one (sometimes even 10 times more).
`There is no direct dependency between the speed and accuracy of
`the matching algorithm according to our experience. We have seen
`fast and accurate as well as slow and less accurate matching algo-
`rithms.
`
`minutiae are compared to de-
`
`cide whether they represent
`
`The minutiae found in the fingerprint image are also used to
`store the fingerprint for future comparisons. The minutiae are en-
`codedlI and often also compressed. The size of such a master tem-
`plate usually is between 24 bytes and one kilobyte.
`
`templates
`
`Fingerprints contain a large amount of data. Because of the
`high level of data present in the image, it is possible to eliminate
`false matches and reduce the number of possible matches to a small
`fraction. This means that the fingerprint technology can be used
`for identification even within large databases. Fingerprint identifi-
`cation technology has undergone an extensive research and devel-
`opment since the seventies. The initial reason for the effort was
`the response to the FBI requirement for an identification search
`system. Such systems are called Automated Fingerprint Identifica-
`tion Systems (AFIS) and are used to identify individuals in large AFIS
`databases (typically to find the offender of a crime according to a
`fingerprint found at the crime scene or to identify a person whose
`identity is unknown). AFIS systems are operated by professionals
`who manually intervene the minutiae extraction and matching pro-
`cess and thus their results are really excellent. In today’s criminal
`justice applications, the AFIS systems achieve over 98% identifi-
`cation rate while the FAR is below 1%.
`
`llSoftware suppliers never publish their exact encoding methods. They are
`usually based on the type of minutiae, its location, the direction and the number
`of ridges between the minutiae
`
`

`

`Biometric Systems
`
`17
`
`The typical access control systems, on the other side, are com-
`pletely automated. Their accuracy is slightly worse. The quality
`of the fingerprint image obtained by an automated fingerprint read-
`er from an unexperienced (non—professional) user is usually lower.
`Fingerprint readers often do not show any fingerprint preview and
`so the users do not know if the positioning and pressure of the fin-
`ger is correct. The automatic minutiae extraction in a lower quality
`image is not perfect yet. Thus the overall accuracy of such a system
`is lower.
`
`Some newer systems are based not only on minutiae extraction,
`they use the length and position of the papilar lines as well. A
`few system take into account even pores (their spatial distribution),
`but the problem With pores is that they are too dependent on the
`fingerprint image quality and finger pressure.
`
`Most of the biometric fingerprint systems use the fingerprint
`reader to provide for the fingerprint bitmap image only, whole the
`processing and matching is done by a software that runs on a com-
`puter (the software is often available for Microsoft Windows oper-
`ating systems only). There are currently only very few fingerprint
`devices that do all the processing by the hardware.
`
`The manufacturers of the fingerprint readers used to deliver
`the fingerprint processing software with the hardware. Today, the
`market specializes. Even if it is still possible to buy a fingerprint
`reader with a software package (this is the popular way especial-
`ly for the low-end devices for home or office use) there are many
`manufacturers that produce fingerprint hardware only (e.g. finger-
`print silicon chips by Thomson) or software companies that offer
`device-independent fingerprint processing software (e.g. Neuro-
`dynamics). Device-independent software is not bound to images
`obtained by one single input devices, but their accuracy is very low
`if various input devices are mixed.
`
`access control
`
`systems
`
`pores
`
`processing
`
`software
`
`

`

`Biometric Systems
`
`18
`
`2.2
`
`Iris
`
`The iris
`
`is
`
`the
`
`colored ring of tex-
`tured
`tissue
`that
`
`Each iris is a unique structure
`featuring a complex pattern.
`
`This can be a combination of
`
`the gupil
`Slfl‘rrtclTnds
`0
`e eye.
`ven
`thIIIS. have
`dlffer-
`ent II‘IS patterns and
`everyone’s left and
`too. Research shows that the matching
`right iris is different,
`accuracy of iris identification is greater than of the DNA testing.
`
`specific characteristics known
`as corona, crypts, filaments,
`freckles, pits, furrows, stria-
`tions. and rings,
`
`The iris pattern is taken by a special gray-scale camera in the
`distance of 10—40 cm from the camera (earlier models of iris scan-
`
`ners required closer eye positioning). The camera is hidden behind
`a mirror, the user looks into the mirror so that he/she can see his/her scanning
`own eye, then also the camera can “see” the eye. Once the eye is
`stable (not moving too fast) and the camera has focused properly,
`the image of the eye is captured (there exist also simpler versions
`without auto-focus and with a capture button).
`
`position.
`
`Source: Iridian Technologies [7]
`The PC iris uses a hand-held personal iris imager that functions as a computer pheriph-
`eral. The user holds the imager in his hand, looks into the camera lens from a distance
`of 10 cm and presses a button to initiate the identification process. The Iris Access is
`more advanced. It is auto-focus and has a sensor that checks Whether an individual has
`
`stepped in front of the camera. It is also able to guide the person audily into the correct
`
`

`

`Biometric Systems
`
`19
`
`The iris scanner does not need any special lighting conditions
`or any special kind of light (unlike the infrared light needed for
`the retina scanning). If the background is too dark any traditional
`lighting can be used. Some iris scanners also include a source of
`light that is automatically turned on when necessary.
`
`The iris scanning technology is not intrusive and thus is deemed
`acceptable by most users. The iris pattern remains stable over a
`person’s life, being only affected by several diseases.
`
`Once the gray-scale image of the eye is obtained then the soft-
`ware tries to locate the iris within the image. If an iris is found
`then the software creates a net of curves covering the iris. Based
`on the darkness ofthe points along the lines the software creates the
`iriscode, which characterizes the iris. When computing the iriscode
`two influences have to be taken into account. First, the overall
`
`darkness of the image is influenced by the lighting conditions so
`the darkness threshold used to decide whether a given point is dark
`or bright cannot be static, it must be dynamically computed ac-
`cording to the overall picture darkness. And second, the size of the
`iris dynamically changes as the size of the pupil changes. Before
`computing the iriscode, a proper transformation must be done.
`
`lighting
`
`iriscode
`
`In the decision
`
`process the match-
`ing software given 2
`iriscodes
`computes
`the Hamming dis-
`tance based on the
`number 0f dlfferent
`bits. The. Hamming
`distance 1s a score
`
`Source: Iridian Technologies
`
`[7]
`
`
`
`The iriscode is computed very
`
`fast and takes 256 bytes. The
`
`probability that 2 different
`irises could produce the same
`iriscode is estimated as low as 1 : 1078 The probability oftwo
`persons with the same iris is very low (1 z 1052).
`
`(within the range 0 — 1, where 0 means the same iriscodes), which
`is then compared with the security threshold to make the final de-
`cision. Computing the Hamming distance of two iriscodes is very speed
`fast (it is in fact only counting the number of bits in the exclusive
`OR of the two iriscodes). Modern computers are able to compare
`over 4 000 000 iriscodes in one second.
`
`An iris scan produces a high data volume which implies a high
`discrimination (identification) rate. Indeed the iris systems are suit-
`able for identification because they are very fast and accurate. Our
`
`

`

`Biometric Systems
`
`20
`
`discrimination
`
`rate
`
`not easy to
`forge
`
`experience confirms all that. The iris recognition was the fastest
`identification out of all the biometric systems we could work with.
`
`We have never encountered a false acceptance (the database was
`not very large, however) a