Biometrics - DHI · 2014. 9. 8.


  • DOORS AND HARDWARE • MARCH 2006

    Biometrics are not new. The first book-style passports issued by Britain in 1915 contained more biometric measures than the same country’s planned biometric identity card database, due to start in 2008.

    A biometric is, after all, just a measurement of the human body, and the 1915 passport included a photograph, descriptions of the shape of the holder’s face, his or her complexion and other measurements: “nose: large, forehead: broad, eyes: small,” to quote an example given by the UK Passport Service.

    As a result, UK human rights group Liberty does not oppose the use of biometrics, even if an iris scan is far more sophisticated than “eyes: small.” “Our position has always been that, given we don’t object to passport with a traditional photograph, the fact that you’re using another identifier isn’t the problem,” says Barry Hugill, a spokesman for the group. “It’s the use to which it is put. We think it’s delusional to believe that biometrics are some kind of magic solution that can’t be faked.”

    This is not the position of many governments, including the United States, a consensus within the European Union and, in particular, Britain: computerised biometric measurements (unlike all those in the 1915 passport, which would be checked by human eye) are the fashionable security solution. But are they up to the job?

    The countries have agreed to add a contactless microchip containing the old biometric—the photograph passports already carry—to their passports. This measure doesn’t change the data on the passport, it just makes it harder to forge.

    But the United States has effectively bounced the 27 countries within its visa waiver scheme into introducing further biometrics, through its Enhanced Border Security and Visa Entry Reform Act of 2002. This originally required all member countries to start issuing passports with biometrics (which for the US means, primarily, fingerprints) by 26 October, 2004, or leave the programme—meaning every visitor to the US from that country would have to apply in person at an embassy for a biometric visa. Last August, the US extended its deadline by one year, but as a holding measure visa waiver programme users must now give fingerprints and have a photo taken when entering the US.

    The European Union looks to be following suit: in October 2003, the Justice and Home Affairs Council of Ministers agreed that member nations will add digitised fingerprints as well as photos by the end of 2007. The UK, whose government is among the most enthusiastic, will use iris scans as well.

    Biometrics: what are they good for?

    By S.A. Mathieson

    Biometric technology is being deployed in anger, in the wake of the Twin Towers attack, and other security incidents. Steven Mathieson looks at the strengths and weaknesses of biometric technologies.


    Cutting the Mustard

    But is the technology up to the job? Crucially, there are two ways of using biometrics. The first is a one-to-one check: checking someone is who they say they are, by comparing the bearer with their recorded biometrics, either on a document they present or a central database. Even a relatively low rate of success, such as 90% accuracy, would be of some use with one-to-one checks—but a 10% failure rate was reported for such passports in October.

    The other is a one-to-many check, and this is where many biometrics come unstuck. The UK’s plan for an identity register does not require citizens to carry the card, as any important identity checks will require a scan of the person’s irises and/or fingerprints. The person will then be looked up on the database, with their biometrics acting as a human bar-code.

    This kind of check requires the biometrics in question to work incredibly well. A system that makes a mistake on a one-to-one match one time in every million would be excellent for one-to-one checks. But for a one-to-many check, it depends on the size of the database the system has to scan. The chances of the system finding the one correct match—no more, no less—can be calculated as its one-to-one success rate raised to the power of the database size.

    If the database size is two, this would make the one-to-many success rate equal to 0.999999 squared, or 0.999998. A database of 100 people would produce a 0.9999 success rate, excellent for, say, proximity access to a company’s secure department. But increasing the database to 100,000 reduces this to a 0.9048 success rate, and a database of the UK’s adult population (50 million) leads to a success rate of less than one in five thousand billion billion. In other words, the chances of the one-in-a-million system coming up with only the one true match is essentially zero.
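The arithmetic above, worked through as an added example that is not part of the original article. The function names are assumptions, and the model is the article's own simplification: every comparison against the database is independent and goes wrong at the one-to-one error rate. The last two functions go one step beyond the text by inverting the formula.

```python
import math

def one_to_many_success(error_rate: float, db_size: int) -> float:
    """Probability that a search over db_size records makes no mistake.

    Article's model: success = (1 - error_rate) ** db_size. Computed in log
    space so that tiny error rates and huge databases stay accurate.
    """
    return math.exp(db_size * math.log1p(-error_rate))

def max_db_size(error_rate: float, target: float) -> int:
    """Largest database for which the success rate stays at or above target."""
    return math.floor(math.log(target) / math.log1p(-error_rate))

def required_error_rate(db_size: int, target: float) -> float:
    """One-to-one error rate needed to reach target on db_size records."""
    return -math.expm1(math.log(target) / db_size)

if __name__ == "__main__":
    rate = 1e-6  # the article's "one time in every million"
    for n in (2, 100, 100_000, 50_000_000):
        print(f"{n:>11,} records: {one_to_many_success(rate, n):.6g}")
    # Inverting the formula: how far does a one-in-a-million system scale,
    # and how good would a system need to be for 50 million records?
    print("largest database at 99% success:", max_db_size(rate, 0.99))
    print("error rate needed for 50 million at 99%:",
          f"{required_error_rate(50_000_000, 0.99):.3g}")
```

Under this model a one-in-a-million system holds a 99% success rate only up to about ten thousand records, and a 50 million record database would need a one-to-one error rate of roughly two in ten billion.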

    The answer could be to stick to the one-to-one check, but this significantly degrades such schemes. Firstly, it requires individuals to carry their identity card or passport at all times it may be needed, creating a new crime to be policed. Secondly, it means accepting that the database will include false identities, as only an accurate one-to-many check is capable of confirming that someone has not already enrolled. Thirdly, going on from the second, it makes forging identity documents worthwhile.

    UK government ministers have said the only reason they are moving ahead with an identity register now is because biometrics make it possible to run one-to-many checks: but is this true? It doesn’t help to use several biometrics, as this simply compounds errors: what do you do if the iris system comes up with one person, and the fingerprint another? The only solution is to use one primary biometric that is good enough to cope with a database of tens of millions of people, even if a secondary one has to be used for those who cannot use the first one.

    Irises

    Iris scanning could be that biometric. Its inventor, Dr John Daugman, says that statistically, it is capable of picking out one person from a database of 50 million, with a failure rate of just one in a million. (Daugman explains why false match probability does not accumulate in large database searches at http://www.cl.cam.ac.uk/users/jgd1000/largedatabases.html).

    Furthermore, iris scans have some advantages for privacy. They are not physically invasive, yet it is difficult to take an iris scan without permission or knowledge. Images from the average surveillance cameras are too low in resolution to produce a scan, although high-quality posed photographs can be used. In 2002, iris scans gathered from a portrait of Sharbat Gula, an Afghan woman in her late 20s, were compared by Dr Daugman to scans from the image of an Afghan girl which appeared on the front cover of National Geographic magazine in 1985. (The fact that Gula remembered being photographed in the mid-1980s backs up Daugman’s finding that she and the girl on the 1985 cover were the same person).

    However, iris scanning has its disadvantages. Firstly, a photograph or another ‘copy’, such as the wearing of special contact lenses, can fool some cameras. There are ways around this, such as changing the light levels and watching to see that the pupil changes in size, but this adds to the cost of the equipment. The second is the difficulty of acquiring a usable image. Markus Kuhn, a lecturer at Cambridge University’s computer laboratory, says that individual iris scans suffer from a relatively high rejection rate, due to such things as people blinking. Although a repeat test usually solves the problem, it helps if the equipment has a human operator to advise users—making it a good option for borders, but less suitable for lower-value transactions.

    Thirdly, some equipment cannot take a scan from subjects who cannot control their eyes. More expensive camera equipment can get around this, but people without irises and those with opaque corneas cannot use the technique at all. The overall problem is high cost. “Iris doesn’t come in a cheap and cheerful version,” says Graham Titterington, a principal analyst for research firm Ovum. “It’s Rolls Royce or nothing.” This can price it out of even relatively high-value uses. Nationwide building society (a UK mutually-owned bank) trialled iris recognition-driven cash machines at its head office branch in Swindon during 1998/9. It says this was successful and popular with users, with a six-month test extended to two years, but that extending it to all branches would have had huge cost implications.

    Fingerprints

    Fingerprints are a more familiar biometric, having first been used by Dr Henry Faulds, who in the 1870s disproved the guilt of a man in Tokyo who was accused of robbery, having seen that fingerprints appear to be unique to each individual.

    They do have privacy problems compared with iris scans, as people leave prints behind all the time, hence their value in fighting crime. Last year [2004], a memorial to Dr Faulds was unveiled in his hometown of Beith in Scotland.

    The unveiling ceremony was attended by Shirley McKie, another Scot, whose case throws doubt on the reliability of fingerprints—at least single ones—as a unique identifier. In February 1997, when McKie was a detective constable with Strathclyde Police, a thumbprint which appeared to belong to her was found at a murder scene: the match was confirmed by four experts at the Scottish Criminal Record Office (SCRO), which handles fingerprints for all police forces in Scotland. (Police officers’ prints are stored alongside those of criminals).

    At the murder trial, McKie denied having been in the room where the print was found. Although the trial successfully convicted David Asbury for murder, McKie was put on trial for perjury (lying to a court). However, with the aid of fingerprint experts who said the prints did not match, she was found not guilty.

    Asbury, whose conviction was based on fingerprint evidence processed by SCRO, was also released from prison after having served three and a half years of his life term, and in 2002 his sentence was quashed.

    [Photo: Historic photo of Dr. Henry Faulds. Caption: Doctor Henry Faulds, Founder of Biometrics]

    This could be blamed on problems with this agency, or the difference between a scene-of-crime print (which, obviously, is not taken in ideal conditions) and those used in an identity check. But they do show that fingerprints are fallible. “A single finger has a quite noticeable 1 in 100 to 1 in 1,000 equal error rate,” says Dr Kuhn: the equal error rate refers to the failure rate if the sensitivity of the equipment is adjusted so that false positives equal false negatives. (One of the two will normally be preferable: banks may prefer false negatives, as they may be happier to write off a few wrongly-authorised transactions than annoy customers and lose retailers sales by falsely rejecting them; whereas failing to give an employee immediate access to a nuclear power plant is better than letting in someone who should be denied). “If you want to use them with large databases, you will need to use several fingerprints to get the necessary entropy,” Dr Kuhn adds.
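The equal error rate and the trade-off on either side of it, as an added example that is not from the article. The match scores are constructed for illustration, and the function names and the "accept when score >= threshold" rule are assumptions.

```python
# Constructed match scores (higher means more similar); not real sensor data.
GENUINE = [0.91, 0.85, 0.78, 0.74, 0.69, 0.66, 0.58, 0.52, 0.47, 0.33]
IMPOSTOR = [0.62, 0.55, 0.49, 0.41, 0.38, 0.30, 0.27, 0.22, 0.15, 0.08]

def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_accept_rate, false_reject_rate) at this threshold.

    A comparison is accepted when its score is >= threshold.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def error_gap(threshold, genuine, impostor):
    """Distance between the two error rates at this threshold."""
    far, frr = rates(threshold, genuine, impostor)
    return abs(far - frr)

def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Try every observed score as the threshold and return (threshold, rate)
    where false accepts and false rejects are closest to equal."""
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates, key=lambda t: error_gap(t, genuine, impostor))
    far, frr = rates(best, genuine, impostor)
    return best, (far + frr) / 2

def strictest_threshold_for(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose false-accept rate is within max_far, i.e. the
    least inconvenient setting that still meets a security requirement.
    Returns (threshold, far, frr), or None if no observed score qualifies."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None

if __name__ == "__main__":
    print("equal error rate (threshold, rate):", equal_error_rate())
    # Tightening the tolerated false-accept rate raises false rejects.
    for limit in (0.1, 0.0):
        print(f"false accepts <= {limit}:", strictest_threshold_for(limit))
```

On these scores the two error rates meet at 20%, and driving false accepts to zero doubles the false-reject rate to 40%, which is the choice the bank and the power plant make in opposite directions.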

    Fingerprints have the advantage of cheapness: Graham Titterington says scanners can start at $20, and are appearing in hardware such as laptops. However, there is a drawback: “Most of them store data about the image, rather than the image,” he says.

    A computerised check will compare the co-ordinates of key points in a fingerprint, such as where ridges bifurcate, to establish a match. However, for a stronger manual check (such as those used by police forces), an image of the fingerprint is needed.

    An image can help in spotting casts of fingerprints, which have been able to fool recognition systems by displaying the same bifurcation points, and with matching scene-of-crime prints, which are usually incomplete.

    Other methods of checking for a real print include checking for electrical current transmitted through perspiration: this could catch both casts and the grisly alternative of dead, removed fingers.

    Faces

    We currently rely on the human eye and brain as a facial recognition system for controlling checkpoints: although this does a decent job one-to-one, it is not an option for swift one-to-many checks. For a computer to perform such checks requires it to take a variety of measurements of key points on the face.

    But these computerised versions currently have a poor reputation: “It’s useless at the moment,” says Graham Titterington, for picking an individual from a crowd. The face is a three-dimensional biometric, which can be disguised with items such as hats, facial hair and glasses without attracting attention. Although a controlled situation can remove most of these problems, there is also the extreme option of plastic surgery.

    “There are massive privacy implications if it ever works in future, but for now it’s [only suitable for] one-to-one,” adds Titterington. Unlike an iris or a fingerprint, someone walking around London can expect to have a record of this particular biometric recorded several hundred times a day.

    Other Options

    Hand geometry presents an alternative to fingerprints, although it is not currently widely used. It could be useful for those unable to give fingerprints, such as manual workers whose prints can get worn away temporarily, ethnic groups with weaker prints, or even for workers with dirty hands.

    Another possibility comes from voice recognition. “A few years ago, I expected voice recognition to do well, but it hasn’t made progress,” says Titterington. It would be cheap to deploy—with the prevalence of microphones and mobile phones, the hardware is already in place—but is not currently seen as reliable.

    The Big Drawback

    There is a final problem with all biometric measurements: if yours are compromised, they are compromised for life. “If you don’t have live tissue verification, [such as for] unsupervised sensors for building access control, your biometric becomes a password, something to keep secret,” says Dr Kuhn. “That I find a worry.”

    Making sure that a biometric is indeed a measure of a live, willing human body may mean forgoing remote usage. The only certain application looks to be supervised checks, with operators trained to spot the likes of rubber fingerprints and iris-replacing contact lenses. In these applications, a biometric could be an excellent but expensive identity check. If it is used more widely, stealing someone’s biometrics could become very worthwhile indeed.

    SA Mathieson writes about IT for titles including the Guardian and Health Service Journal. Copyright © SA Mathieson 2004.
