Tech Talk: Knowing How Biometrics Can Be Beaten Helps You Win
Biometrics is one of the most fascinating areas of electronic security, representing both the epitome of high tech and the nadir of false authentication and vulnerability to compromise. But improvements continue to emerge, and so long as security professionals remain aware of potential issues biometrics can have a place in your access control mix.
Biometric sensor sensitivity is constantly challenged with keeping both False Acceptance Rates (FAR) and False Rejection Rates (FRR) very low, especially with large enrollee populations. CER is the acronym for Crossover Error Rate.
Those of you who have been on this planet for a few decades may remember a famous 1971 television advertisement in which the question was asked, “Is it live or is it Memorex?” The challenge was to tell if a fine crystal glass was being broken with the sound of a high note coming from the original singer or a reproduction by the audiotape manufactured by Memorex. As you might expect the answer was Memorex. They were able to mimic similar results of a human voice. While this is entertaining it can be a real problem in the world of biometrics and security.
Now we step forward to 2005 and the bizarre theft of a biometrics-activated Mercedes automobile. After the thieves stole this special car and had been riding around for a while, they decided to dump the owner. Before doing so they realized they needed his biometric token, and hacked off his finger. And so began the beginning of “spoofing” biometric sensors.
The biometric industry has recently mushroomed and as popularity grows so does the opportunity for security compromise. This month we will take a look at some of the areas one should understand and compare when looking for the best biometric device/system for the application. We will look at technologies that can best detect the biometric “liveness” of the person accessing a system.
Sensor Performance Parameters
The concept is simple but challenging — deploy a sensor that enrolls a person quickly and then recognizes them accurately. Non-authorized personnel are accurately rejected from the system. Some performance guidelines are:
False Acceptance Rate (FAR) — The probability that a system will authorize a non-authorized person. This is usually expressed as a percentage of invalid inputs that are incorrectly accepted.
False Rejection Rate (FRR) — The probability that a system will reject an authorized person. This is often due to the sensor not matching the input with the person’s enrolled template. This is usually expressed as a percentage of valid inputs that are incorrectly rejected.
Crossover Error Rate (CER) — The rate at which the FRR and FAR are equal. This matching algorithm determines how close to the template the input must be for a match. This threshold value is sometimes called “sensitivity” or the Equal Error Rate (see diagram).
Speed — This is another factor of biometric devices and software that will allow time to enroll and authenticate. A few seconds difference may be of consideration when you have a large population.
Digging Into Biometric Technologies
Basic fingerprint readers look at the fingerprint pattern on the surface. An easy spoofing method is to make fingerprint dummy fingers with silicone and even gummy bears, and place on another person’s finger. Just like in some Hollywood movies, fingerprint images can even be lifted from the reader sensor surface and replicated. These are examples of a very poor liveness rating.
There can also be a problem with dirty fingers or no legible fingerprints at all. It has been reported that about 2 percent of the U.S. population does not have legible fingerprints.
One technology, known as multispectral imaging, is catching on and being used by partnering manufacturers i-Evo and Lumidigm (www.lumidigm.com/ievo-reader). These sensors capture fingerprint data below the surface of the skin so that dryness or even damaged or worn fingers create no problem for reliable reads. According to the manufacturer, this technology can even read accurately through some latex gloves.
Using multiple wavelengths of light and advanced polarization techniques, this technology extracts data from both the surface and subsurface. Using this technology has allowed i-Evo readers to have a FRR of less than 0.1 percent and a FAR of less than 0.00001 percent. This helps significantly counter liveness spoofing.
Security Is Our Business, Too
For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.
A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!