As biometric identification management deployments continue to evolve around the world, the scope and complexity of administering these projects continues to grow as program administrators begin to expand the technology’s reach to more and more segments of society. A technology once used exclusively by government entities mostly in a military capacity has expanded to include virtually all classes and cultures thanks in large part to advances in system inefficiencies, lower costs, and wider acceptance and understanding of the benefits by the public.
The intricacies and conditions of biometric identification deployments from initial set up to enrollment to identification/verification and the ever present push to achieve near 100% identification accuracy has been a key motivator for biometric identification management vendors who design and build the software and hardware that power deployments. There is little doubt that biometric systems have become more user-friendly, customizable, ergonomical, and efficient, however end users don’t assess the effectiveness or develop opinions on the use of biometrics based on these factors. They are much more in tune with the basic tenet of just about any piece of technology they come in contact with — does it work and do I trust it? Faith and trust in a biometric identification system is largely defined by the ability of the technology to accomplish what it promises and that is to accurately identify individuals, no matter what the conditions.
End users expectations are that biometric identification management systems will be able to identify them regardless of the condition of their own physiological attributes or the environment where the system is used. After all, the effectiveness and security of a biometric system hinges on its ability to enroll as many eligible end users as possible, and accurately identify them on subsequent use of the system. Unfortunately, limitations in the ability of certain biometric hardware modalities to effectively capture individual biometrics due to problems like skin integrity, or climate as well as the use of unimodal (biometric systems that comprise one hardware modality) systems for larger scale deployments raise the risk that the technology will not perform as expected.
Factors that effect risk in biometric identification management deployments are defined by multiple categories including:
- Spoofing and Mimicry Attacks
- Server Side – Fake Template Risks
- Communication Links Risk
- Cross-System Risk
- Component Alteration Risk
- Emrollment, Administration, and System Use Risks
- Noise and Power Loss Risks
- Power and Timing Analysis Risks
- Residual Characteristic Risk
- Similar Template — Similar Characteristics Risk
- Brute Force Attack Risk
While not all of these potential risks can be mitigated by strategic use of biometric hardware, technological advances for the selection of a proper biometric device to capture, store, and identify/authenticate end users have helped system administrators to help hedge some risk such as Spoofing and Mimicry Attacks, and Enrollment, Administration, and System Use Risks. Particularly effective and rising quickly in the battle to hedge risk is the use of modern, sophisticated, hybrid, fused biometric hardware devices that simultaneously captures two biometric attributes or identifiers and that can perform both one-to-many (1:N) and one-to-one (1:1) matching in a single environment. Plus, due to increases in spoofing and forgery, more end users are choosing hybrid biometric devices in a multimodal (biometric deployments that combine two or more unique biometric atttributes) capacity that also include “liveness detection” which simultaneously looks at and beneath the skin surface, provides protection from published and unpublished finger copying methods, and is highly adaptable for future spoof threats.
Despite their clear superiority over other more traditional forms of identification, unimodal biometric systems are not without accuracy limitations when deployed in certain environments, depending on a number of factors, including:
- Noisy sensor data: “Noise,” or factors affecting the quality of the image produce by the biometric device, can be present in the acquired biometric data mainly due to defects or environmental conditions.
- Non-universality: If every individual in the target population is able to present the biometric trait for recognition, the trait is said to be universal; however, not all biometric traits are truly universal (e.g. – people with hand related disabilities, manual workers with low skin integrity caused by cuts and bruises on their fingertips, and people with very oily or dry fingers). The National Institute of Standards & Technology reported that 2% of the world’s population can’t enroll in biometric fingerprint systems[i] because of skin integrity issues.
- Lack of individuality: Features extracted from biometric characteristics of different individuals can be very similar (e.g. – a small proportion of the population can have nearly identical facial appearances due to genetic factors).
- Intra-class variations: The biometric data acquired from a user during verification will not be identical to the data used for generating the user’s template during initial enrollment.
- Spoofing: Although it is extremely difficult to steal someone’s biometric traits, it is possible with some biometric devices for an impostor to circumvent a biometric system using spoofed traits (behavioral traits like voice and signature are more susceptible to these types of attacks than those based on physiological traits).
Advances in biometric identification management hardware and software solutions over the past few years have presented opportunities for end users to hedge risk and raise the integrity of a matching system by not relying on a single physiological characteristic, which can be significant in very sensitive or high-security environments. Therefore, the ability of a unimodal biometric system to accurately and consistently identify 100% of a population is limited. In addition, because of the rapid growth of large-scale deployments, a unimodal system can be considered undesirable unless combined with a second biometric modality.
While there are many more ways to hedge additional risk in biometric identification management deployments, the use of hybrid hardware that combines two modalities is certainly a step in the right direction.
What other ways can you hedge risk in biometric identification management deployments?