Biometric Authentication System for Information Security

Objective
To explain about biometric system that can be used by the organization. By understand the biometric differences; organization can decide which technique is the most suitable for the business.
Methodology
The method used to know about biometric is scientific literature which will develop quantitative identification as the measurement for the authentication.
Outcome
To give better understanding about biometric system, biometric techniques as well as the advantages and disadvantages of biometric use in organization.
Conclusion
Organization can understand better value of biometric system and what is needed to implement the biometric system into the company.
Keywords
Biometrics

CHAPTER I
INTRODUCTION
1.1 Background
Since January 2008, the technology had developed rapidly causing the world advancing towards a new era. A survey on 2008 had estimated about 541.7 million computers are connected in more than 250 countries on every continent even Antarctica. The internet is not a single network but it is a worldwide network that connected every individual computer hosts to network connection, in a variety ways. Thus, individuals and organizations can reach the internet without regard to national or geographic boundaries or time of day.

However, along with the advantages and easy access to get information, there are also many risks such as the valuable information will be lost, stolen, changed or misused by other people. If information is recorded electronically and is available on networked computers, it is more vulnerable than the printed information or the file that locked in a file cabinet. People such as intruders or hackers do not need to enter the office or even in the same country to steal the information. They can steal without touching a piece of paper or photocopier. They can also create new files, run their programs and hide the evidence of their unauthorized activity.

The world had changed into computer-driven era, where almost everything used internet to grow the business and also as social network. People have multiple accounts and multiple passwords on an ever-increasing number of computers and websites. To maintain and manage access while protecting both the user’s identity and computer’s data has become increasingly difficult to do. One of the ways to protect the information is by using authentication which is a concept of security to verify the user of data or system.

There are three ways to authenticate an identity that are: by something the user knows (such as password or identification number), something the user has (such as personal card) or something the user is (physical characteristic such as fingerprint) or we can called as biometric. Biometric authentication has been widely regarded as the most foolproof or at least the hardest to forge or spoof.

Since the early 1980s, systems of identification and authentication based on biometric (physical characteristics) have been available to enterprise IT. Biometric systems were slow and expensive, but they had proved workable for high-security demand because they were mainly used for guarding mainframe access or restricting physical entry to relatively few users. Twenty years later, computers are much faster and cheaper than ever. This, plus new, inexpensive hardware, has renewed interest in biometrics.

1.2 Scope A. What Is Biometric?
This section will explain what biometric is, the benefits and drawback and how the system actually work. It also will explain about the difference between biometric and traditional technologies in authentication such as using password or access card. B. Biometric Techniques
This section will explain the biometric methods (at least 10 different types are available nowadays). Unfortunately, only few have gained wide acceptance. C. The Core Biometric Technology
This section will explain what conditions must be fulfilled for a biological measurement to become a biometric. D. Advantages and Disadvantages
This section will explain the advantages and disadvantages of using biometric authentication.

1.3 Objectives
The objectives of this study are: * Understand the definition of biometric * Understand the benefits of biometric * Understand the concepts of biometric techniques * Understand the Approaches to Biometric Implementation

1.4 Methodology
The scientific literature on quantitative measurement of humans for the purpose of identification dates back to the 1870s. Henry Faulds, William Herschel and Sir Francis Galton proposed quantitative identification through fingerprint and facial measurements in the 1880s is the start of the biometric study. The development of digital signal processing techniques in the 1960s led immediately to work in automating human identification.

1.5 Systematic Writing * CHAPTER I: INTRODUCTION
This chapter will give a brief introduction to how information stored nowadays and the security. This chapter also gives a thorough view for what will be discussed in this paper.

* CHAPTER II: THEORITICAL FRAMEWORK
This chapter will discuss basics theories and concepts of biometric system. This chapter will give knowledge of the meaning of some terms used in this paper.

* CHAPTER III: BIOMETRIC AUTHENTICATION SYSTEM
This chapter will give description of how biometric works. Biometric techniques, the advantages and disadvantages are also explained in this chapter to give the reader the knowledge of biometrics.

* CHAPTER IV: CONCLUSION AND RECOMMENDATION
This chapter will summarize the biometric authentication system and also the recommendation for organizations on choosing biometric system as their security.

CHAPTER II
THEORETICAL FRAMEWORK

2.1 General Theories 2.1.1 Information
Information system (Satizinger et al, 2012, p4) is a set of interrelated computer software program that executes on a computing device to carry out a specific function or set of related functions.

2.1.2 Internet
Internet according to The Federal Networking Council (Resolution of the U.S. Federal Networking Council, 1995) refers to the global information system that is logically linked together by a globally unique address space based on the Internet Protocol (IP) or its subsequent extensions/follow-ons; is able to support communications using the Transmission Control Protocol/Internet Protocol (TCP/IP) suite or its subsequent extensions/follow-ons, and/or other IP-compatible protocols; and provides, uses or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure described herein."

2.1.3 Information Security
The U.S. National Information Systems Security Glossary defines "Information Systems Security" as the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.

CHAPTER III
BIOMETRIC AUTHENTICATION SYSTEM

3.1 What Is Biometric?
Biometric comes originally from the Greek words “bio” means life and “metric” means measure. Biometric is automated methods of identifying a person or verifying the identity of a person based on a physiological or behavioral characteristic.
Biometric recognition is the automatic recognition of a person based on one or more of these traits. The word “biometrics” is also used to denote biometric recognition methods.

Biometric technologies can be divided into 2 major categories according to what they measure: * Devices based on physiological characteristics of a person (such as the fingerprint or hand geometry). * Systems based on behavioral characteristics of a person (such as signature dynamics).

Biometric systems from the first category are usually more reliable and accurate as the physiological characteristics are easier to repeat and often are not affected by current (mental) conditions such as stress or illness.

Most significant difference between biometric and traditional technologies lies in the answer of the biometric system to an authentication/identification request. Biometric systems do not give simple yes/no answers. While the password either is ’abcd’ or not and the card PIN 1234 either is valid or not, no biometric system can verify the identity or identify a person absolutely. The person’s not always the signature never is absolutely identical and the position of the finger on the fingerprint reader will vary as well.

How does biometric recognition work?
A biometric recognition system is a pattern recognition system. During biometric recognition, biometric traits are measured and analyzed to establish a person’s identity. This process involves several stages:

1. Enrollment
During enrollment, a user’s physical or behavioral trait is captured with a camera or sensor and placed in an electronic template. This template is securely stored in a central database or a smart card issued to the user.

2. Recognition
During recognition, a sensor captures a biometric trait. The trait is then analyzed with an algorithm that extracts quantifiable features, such as fingerprint minutiae or face shape. A matcher takes these features and compares them to an existing template in the enrollment database.

Benefits and Drawbacks
The main benefit of using a biometric authentication factor instead of a physical token is that biometrics can't easily be lost, stolen, hacked, duplicated, or shared. They are also resistant to social engineering attacks – and since users are required to be present to use a biometric factor, it can also prevent unethical employees from repudiating responsibility for their actions by claiming an imposter had logged on using their authentication credentials when they were not present.

"Biometric systems can be much more convenient than tokens and other systems, and are useful to augment existing security methods like passwords," said Alan Goode, a security analyst at Goode Intelligence. "For added security they are also sometimes used as a third factor," he added.

The main drawback of any biometric system is that it can never be 100 percent accurate. To use a biometric system, it is first necessary for each user to enroll by providing one or more samples of the biometric in question (such as a fingerprint) which is used to make a "template" of that biometric. When a user attempts to authenticate, the biometric they provide is then compared with their stored template. The system then assesses whether the sample is similar enough to the template to be judged to be a match.

3.2 Biometric Techniques
There are lots of biometric techniques available nowadays. A few of them are in the stage of the research only (e.g. the odor analysis), but a significant number of technologies is already mature and commercially available (at least ten different types of biometrics are commercially available nowadays: fingerprint, finger geometry, hand geometry, palm print, iris pattern, retina pattern, facial recognition, voice comparison, signature dynamics and typing rhythm).

3.2.1 Fingerprint Technology
Fingerprint identification is perhaps the oldest biometric of all the biometric techniques. In Old China, fingerprints were used as a means of positively identifying a person as an author of a document. The system that can automatically check details of a person’s fingerprint have been in use since 1960s by law enforcement agencies. The U.S. Government commissioned a study by Sandia Labs to compare various biometric technologies used for identification in early seventies. This study concluded that the fingerprint had the greatest potential to become the best identification system.

Fingerprint Readers
The traditional method uses the ink to get the fingerprint onto a piece of paper, and then the paper is scanned using a traditional scanner. This method is rarely used today when old paper-based database is being digitalized. Nowadays, to scan a fingerprint found on a scene of a crime can be processed using modern live fingerprint readers. These readers do not require the ink anymore. These live fingerprint readers are most commonly based on optical, thermal, silicon or ultrasonic principles. This is an example of a fingerprint bitmap image obtained by an ultrasonic fingerprint reader.

3.2.2 Iris Scan
The iris is the colored ring of textured tissue that surrounds the eye’s pupil. Even twins have different iris patterns and each left and right iris is also different. Research shows that the matching accuracy of iris identification is greater than the DNA testing.
The iris scanning technology is not intrusive and thus is deemed acceptable by most users. Iris pattern will remain stable over a person’s life, it only affected by several diseases.

Iris Scanner
The iris scanner does not need any special lighting conditions or any kind of light (unlike infrared light needed for retina scanning). If the background is too dark, any lightning can be used. Some iris scanners also include a source of light that is automatically turned on when necessary.

The PC iris uses a hand-held personal iris imager that functions as a computer peripheral. The user holds the imager in his hand looks into the camera lens from a distance of 10 cm and presses a button to initiate the identification process. The Iris Access is more advanced. It is auto-focus and has a sensor that checks whether an individual has stepped in front of the camera. It is also able to guide the person audibly into the correct position.

3.2.3 Retina Scan
Retina scan technology is older than the iris scan technology. Retina scan is based on the blood vessel pattern in the eye’s retina. The first retinal scanning systems were launched by EyeDentify in 1985.

Retinal scanning is rarely used today because it is not user friendly and very expensive. Retina scan is suitable for applications which require high security and the user’s acceptance is not a major aspect. Retina scan systems are used in many U.S. prisons to verify the prisoners before they are released.

The main drawback of retina scan is its intrusiveness. The method of obtaining a retina scan is personally invasive where a laser light must be directed through the cornea of the eye. To operate the retina scanner will need a skilled operator and the person being scanned has to follow directions.

The company EyeDentify is the only producer of the retinal eye scanners. It has been founded in the late seventies and since then has developed a number of retina scanners. The current model 2001 is equipped with the memory for 3300 templates and (after the image has been captured) is able to verify an individual in 1.5 seconds or run identification (within the stored 3000 templates) in less than 5 seconds.

3.2.4 Hand Geometry
Hand geometry is based on the fact that nearly every person’s hand is shaped differently and it does not change after certain age. Hand geometry systems produce estimates of certain measurements of the hand such as the length and the width of fingers. Various methods are used to measure the hand. These methods are most commonly based either on mechanical or optical principle. The latter ones are much more common today. Optical hand geometry scanners capture the image of the hand and using the image edge detection algorithm compute the hand’s characteristics.

Hand geometry scanners are easy to user where the hand must be placed accurately, guide markings have been incorporated and the units are mounted so that they are at a comfortable height for majority of the population.
The verification of hand geometry takes about only one second. The speed is not a crucial point because the hand geometry systems can be used for verification only. This is a 2D picture of the hand shape. Most modern systems use all three dimensions to measure the hand’s characteristics.

3.2.5 Signature Dynamics
The signature dynamics recognition is based on the dynamics of making the signature, rather than a direct comparison of the signature itself afterwards. The dynamics is measured as a means of the pressure, direction, acceleration and the length of the strokes, dynamics number of strokes and their duration.
There are various kinds of devices used to capture the signature dynamics. These are either traditional tablets or special purpose devices. Tablets capture 2D coordinates and the pressure. Special pens are able to capture movements in all 3 dimensions.

Tablets have two significant disadvantages. First, the resulting digitalized signature looks different from the usual user signature. And second, while signing the user does not see what he/she has written so far. He/she has to look at the computer monitor to see the signature. This is a considerable drawback for many (inexperienced) users. Some special pens work like normal pens, they have ink cartridge inside and can be used to write with them on paper.

A person does not make a signature consistently the same way, so the data obtained from a signature from a person has to allow for quite some variability. Most of the signature dynamics systems verify the dynamics only; they do not pay any attention to the resulting signature.

E-pad Smartpen

3.2.6 Facial Recognition
Facial recognition is the most natural means of biometric identification. The method of distinguishing one individual from another is an ability of virtually every human.

Any camera (with a sufficient resolution) can be used to obtain the image of the face. Any scanned picture can be used as well. Generally speaking the better the image source (i.e. camera or scanner) the more accurate results we get. The facial recognition systems usually use only the gray-scale information. Colors (if image source available) are used as a help in locating the face in the image only. The lighting conditions required are mainly dependent on the quality of the camera used. In poor light condition, individual features may not be easily discernible. There exist even infrared cameras that can be used with facial recognition systems.

Most of facial recognition systems require the user to stand a specific distance away from the camera and look straight at the camera. This ensures that the captured image of the face is within a specific size tolerance and keeps the features (e.g., the eyes) in as similar position each time as possible.

The face recognition system does not require any contact with the person and can be fooled with a picture if no countermeasures are active. The aliveness detection is based most commonly on facial mimics. The user is asked to blink or smile. If the image changes properly then the person is considered “live”. A few systems can simultaneously process images from two cameras, from two different viewpoints. The use of two cameras can also avoid fooling the system with a simple picture.

3.2.7 Speaker Verification
The principle of speaker verification is to analyze the voice of the user in order to store a voiceprint that is later used for identification/verification. Speaker verification and speech recognition are two different tasks. The aim of speech recognition is to find what principle has been told while the aim of the speaker verification is who told that. Both these technologies are at the edge between research and industrial development.

The greatest advantage of speaker verification systems is that they do not require any special and expensive hardware. A microphone is a standard accessory of any multimedia computer. Speaker verification can also be used remotely via phone line.

3.2.8 Other Biometric Techniques * Palmprint
Palmprint verification is a slightly different implementation of the fingerprint technology. Palmprint scanning uses optical readers that are very similar to those used for fingerprint scanning, their size is, however, much bigger and this is a limiting factor for the use in workstations or mobile devices.

* Hand vein
Hand vein geometry is based on the fact that the vein pattern is distinctive for various individuals. The veins under the skin absorb infrared light and thus have a darker pattern on the image of the hand taken by an infrared camera. The hand vein geometry is still in the stage of research and development.

* DNA
DNA sampling is rather intrusive at present and requires a form of tissue, blood or other bodily sample. This method of capture still has to be refined. So far the DNA analysis has not been sufficiently automatic to rank the DNA analysis as a biometric technology. The analysis of human DNA is now possible within 10 minutes. As soon as the technology advances so that DNA can be matched automatically in real time, it may become more significant. At present DNA is very entrenched in crime detection and so will remain in the law enforcement area for the time being.

* Thermal imaging
This technology is similar to the hand vein geometry. It also uses an infrared source of light and camera to produce an image of the vein pattern in the face or in the wrist.

* Ear shape
Identifying individuals by the ear shape is used in law enforcement applications where ear markings are found at crime scenes. Whether this technology will progress to access control applications is yet to be seen.

* Body odor
The body odor biometrics is based on the fact that virtually each human smell is unique. The smell is captured by sensors that are capable to obtain the odor from non-intrusive parts of the body such as the back of the hand. Methods of capturing a person’s smell are being explored by Mastiff Electronic Systems. Each human smell is made up of chemicals known as volatiles. They are extracted by the system and converted into a template.

* Keystroke dynamics
Keystroke dynamics is a method of verifying the identity of an individual by their typing rhythm which can cope with trained typists as well as the amateur two-finger typist. Systems can verify the user at the log-on stage or they can continually monitor the typist. These systems should be cheap to install as all that is needed is a software package.

* Fingernail bed
The U.S. Company AIMS is developing a system which scans the dermal structure under the fingernail. This tongue and groove structure is made up of nearly parallel rows of vascular rich skin. Between these parallel dermal structures are narrow channels and it is the distance between these which is measured by the AIMS system.

3.3 The Core Biometric Technology
Any human physiological or behavioral characteristics can become a biometric provided the following properties are fulfilled: * Universality: This means that every person should have the characteristics. It is really difficult to get 100% coverage. There are mute people, people without fingers or with injured eyes. All these cases must be handled.

* Uniqueness: This means that no two persons should be the same in terms of the biometric characteristics. Fingerprints have a high discrimination rate and the probability of two persons with the same iris is estimated as low as 1:1052. Identical twins, on the other side, cannot be easily distinguished by face recognition and DNA-analysis systems.

* Permanence: This means that the characteristics should be invariant with time. While the iris usually remains stable over decades, a person’s face changes significantly with time. The signature and its dynamics may change as well and the finger is a frequent subject to injuries.

* Collectability: This means that the characteristics must be measured quantitatively and obtaining the characteristics should be easy. Face recognition systems are not intrusive and obtaining of a face image is easy. In the contrast the DNA analysis requires a blood or other bodily sample. The retina scan is rather intrusive as well.

* Performance: This refers to the achievable identification/verification accuracy and the resources and working or environmental conditions needed to achieve an acceptable accuracy.

* Acceptability: This indicates to what extend people are willing to accept the biometric system. Face recognition systems are personally not intrusive, but there are countries where taking pictures of persons is not viable. The retina scanner requires an infrared laser beam directed through the cornea of the eye. This is rather invasive and only few users accept this technology.

* Circumvention: This refers to how difficult it is to fool the system by fraudulent techniques. An automated access control system that can be easily fooled with a fingerprint model or a picture of a user’s face does not provide much security.

There are two kinds of errors that biometric systems do: * False rejection (Type 1 error) – a legitimate user is rejected (because the system does not find the user’s current biometric data similar enough to the master template stored in the database). * False acceptance (Type 2 error) – an impostor is accepted as a legitimate user (because the system finds the impostor’s biometric data similar enough to the master template of a legitimate user).

In an ideal system, there are no false rejections and no false acceptances. In a real system, however, these numbers are non-zero and depend on the security threshold. The higher the threshold, the more false rejections and less false acceptances and the lower the threshold, the less false rejections and more false acceptances. The number of false rejections and the number of false acceptances are inversely proportional. The decision which use threshold depends mainly on the purpose of the entire biometric system. It is chosen as a compromise between the security and the usability of the system. The biometric system at the gate of the Disney’s amusement park will typically use lower threshold than the biometric system at the gate of the NSA headquarters.

The number of false rejections/false acceptances is usually expressed as a percentage from the total number of authorized/unauthorized access attempts. These rates are called the false rejection rate (FRR)/false acceptance rate (FAR). The values of the rates are bound to a certain security threshold. Most of the systems support multiple security thresholds with appropriate false acceptance and false rejection rates.

3.4 Advantages and Disadvantages
Acceptability is one more disadvantage of biometric authentication systems. New systems can only be successful if they are accepted. In the case of biometric authentication systems some people are concerned about their acceptance in society. Nataliya B. Sukhai for example writes in her article that there are many people who would hesitate using fingerprints for authentication because fingerprints are associated with criminals. Other people would never use an iris scanner, because they are afraid that the light used to scan the iris is harmful for the eyes.

Another disadvantage is the high cost of biometric authentication technologies. An article claims that “Biometric systems do impose the highest costs of any authentication technology.” The high cost results on the one hand from higher costs for hardware and software and on the other hand from high costs for integrating biometric authentication into the current network.

The varying reliability of biometric systems is another disadvantage, which is already shortly mentioned above. The biometrics of people can change when they age or suffer physical injuries or diseases. This might for example affect their fingers or their eyes. In addition to that environmental conditions might affect the reliability of biometric systems. Background noise for example might hinder voice recognition systems or a cut in a finger might result in not being able to access a system using fingerprint recognition.

One more disadvantage not yet mentioned, is the problem of integrating biometric authentication into corporate infrastructures. According to the article of Clare Hist the support for platforms and applications is very limited and current standards are not or only poorly supported.

Besides all mentioned disadvantages, biometric authentications systems are very desirable because of the following advantages. The most obvious advantage is that biometric data can’t get lost, stolen, duplicated or forgotten like keys or access cards. They also can’t be forgotten, compromised, shared, observed or guessed like passwords, secret codes or PINs. In addition to that people can’t write them down (“25% of the people appear to write their PIN on their ATM card”) which would make is easy for other people to steal it. People also don’t have to change the data used for authentication every three months like we sometimes have to do with passwords. Therefore authentication systems using biometric data are more convenient to use.

The most important advantage is that biometric authentication systems can increase the security of the system, if the accuracy is high, the hardware used can’t be cheated easily and if it is used together with other authentication methods. Clare Hist states for example that biometrics used in conjunction with smart cards “can provide strong security for PKI credentials held on the card.”

In addition to that biometric authentication systems reduce costs because it is possible to eliminate overheads resulting from password management. The reason for this is that people can’t forget their passwords anymore and so the queries at help desks become less. Besides reducing the mentioned overhead this also saves money because there are no more costs for distributing new passwords in a secure way.

CHAPTER IV
CONCLUSION AND RECOMMENDATIONS

4.1 Conclusion
There seem exist more disadvantages than advantages for using biometric authentication systems. This is one reason why such systems are not yet widely used. But the advantages mentioned above are so important and people want to benefit from them that the disadvantages will be more and more reduced in the future. The discussion above shows that biometric authentication is an interesting topic that a lot of research is going on in this area and that it can be used for secure systems despite all disadvantages.
At the moment it is recommended to combine biometric authentication with any other authentication technology. Such multi-factor authentication systems are always more secure and it is also common practice to use combinations of different authentication methods. ATMs require for example a PIN and a bank card with additional authentication information saved on a chip. When talking about biometric data questions about the privacy of personal data come up automatically. It is a difficult topic but it is obvious that biometric authentication systems have to store the biometric samples in a secure way and it has to be ensured that such data cannot be used otherwise. The best would be if biometric data is kept under the control of the person to which it belongs. This could be done for example by saving the biometric sample only on a smart card which is used in combination with the biometric in an authentication process. To sum up it can be clearly said that the usage of biometric authentication will increase more and more in the future.
This will be supported among other things by the steady improvement of the technologies and the reduction of the prices for hardware and software. Biometric authentication can and probably will be used in many areas, for example ATMs, access to Personal Computers, PDAs and mobile phones, DRM systems, access to buildings and cars and many more we can’t even think about.

4.2 Recommendations
While biometrics technology provides a strong user authentication solution, there are other variables to be considered in the authentication protocol. When a high level of security is needed, it is recommended that we combine other authentication factors with biometrics. When we combine what we know, what we have, and what we are, we will have achieved the highest level of security across multiple applications and systems. According to information made available by the International Biometrics Group, “there is no one right biometrics technology for every application.”

Bibliography

Kay, R. (2005, April 4). Biometric Authentication. Retrieved from Biometric Authentication: http://www.computerworld.com/article/2556908/security0/biometric-authentication.html
Pesante, L. (2008). Retrieved from https://www.us-cert.gov/sites/default/files/publications/infosecuritybasics.pdf
Pesante, L. (2008). Information Security Basic. Retrieved from Information Security Basic: https://www.us-cert.gov/sites/default/files/publications/infosecuritybasics.pdf
Riha, Z. (2000). Biometric Authentication Systems. Czench Republic: FI MU.
Sukhai, N. B. (2004). Access control & biometrics. New York: ACM Press.
What Is Biometrics. (n.d.). Retrieved from Michigan State University.