Introduction

Biometrics are automated methods of identifying a person or verifying the identity of a person
based on a physiological or behavioral characteristic. Biometric-based authentication is the
automatic identity verification, based on individual physiological or behavioral characteristics,
such as fingerprints, voice, face and iris. Since biometrics is extremely difficult to forge and
cannot be forgotten or stolen, Biometric authentication offers a convenient, accurate,
irreplaceable and high secure alternative for an individual, which makes it has advantages over
traditional cryptography-based authentication schemes. It has become a hot interdisciplinary
topic involving biometric and Cryptography. Biometric data is personal privacy information,
which uniquely and permanently associated with a person and cannot be replaced like
passwords or keys. Once an adversary compromises the biometric data of a user, the data is
lost forever, which may lead to a huge financial loss. Hence, one major concern is how a
person’s biometric data, once collected, can be protected.

HISTORY AND DEVELOPMENT OF BIOMETRICS

The idea of using patterns for personal identification was originally proposed in 1936 by
ophthalmologist Frank Burch. By the 1980’s the idea had appeared in James Bond films, but it
still remained science fiction and conjecture. In 1987, two other ophthalmologists Aram Safir
and Leonard Flom patented this idea and in 1987 they asked John Daugman to try to create
actual algorithms for this iris recognition. These algorithms which Daugman patented in 1994
are the basis for all current iris recognition systems and products.
Daugman algorithms are owned by Iridian technologies and the process is licensed to several
other Companies who serve as System integrators and developers of special platforms
exploiting iris recognition in recent years several products have been developed for acquiring
its images over a range of distances and in a variety of applications. One active imaging system
developed in 1996 by licensee Sensar deployed special cameras in bank ATM to capture IRIS

images at a distance of up to 1 meter. This active imaging system was installed in cash
machines both by NCR Corps and by Diebold Corp in successful public trials in several
countries during I997 to 1999. a new and smaller imaging device is the low cost “Panasonic
Authenticam” digital camera for handheld, desktop, e-commerce and other information
security applications. Ticket less air travel, check-in and security procedures based on iris
recognition kiosks in airports have been developed by eye ticket. Companies in several,
countries are now using Daughman’s algorithms in a variety of products.

Page 1
TYPES OF BIOMETRICS
Fingerprints: The patterns of friction ridges and valleys on an individual's fingertips are unique
to that individual. For decades, law enforcement has been classifying and determining identity
by matching key points of ridge endings and bifurcations. Fingerprints are unique for each
finger of a person including identical twins. One of the most commercially available biometric
technologies, fingerprint recognition devices for desktop and laptop access are now widely
available from many different vendors at a low cost. With these devices, users no longer need
to type passwords – instead, only a touch provides instant access.

Face Recognition: The identification of a person by their facial image can be done in a number
of different ways such as by capturing an image of the face in the visible spectrum using an
inexpensive camera or by using the infrared patterns of facial heat emission. Facial recognition
in visible light typically model key features from the central portion of a facial image. Using a
wide assortment of cameras, the visible light systems extract features from the captured
image(s) that do not change over time while avoiding superficial features such as facial
expressions or hair.
Speaker Recognition:. Speaker recognition uses the acoustic features of speech that have
been found to differ between individuals. These acoustic patterns reflect both anatomy and
learned behavioral patterns .

Speaker recognition: This incorporation of learned patterns into the voice templates has
earned speaker recognition its classification as a "behavioral biometric." Speaker recognition
systems employ three styles of spoken input: text-dependent, text-prompted and text
independent. Most speaker verification applications use text-dependent input, which involves
selection and enrollment of one or more voice passwords. Text-prompted input is used
whenever there is concern of imposters. The various technologies used to process and store
voiceprints include hidden Markov models, pattern matching algorithms, neural networks,
matrix representation and decision trees.

Iris Recognition: This recognition method uses the iris of the eye which is the colored area that
surrounds the pupil. Iris patterns are thought unique. The iris patterns are obtained through a
video-based image acquisition system. Iris scanning devices have been used in personal
authentication applications for several years. Systems based on iris recognition have
substantially decreased in price and this trend is expected to continue. The technology works
well in both verification and identification modes.

Page 2
Hand and Finger Geometry: To achieve personal authentication, a system may measure either
physical characteristics of the fingers or the hands. These include length, width, thickness and
surface area of the hand. One interesting characteristic is that some systems require a small
biometric sample. It can frequently be found in physical access control in commercial and
residential applications, in time and attendance systems and in general personal authentication
applications.

Signature Verification: This technology uses the dynamic analysis of a signature to

authenticate a person. The technology is based on measuring speed, pressure and angle used
by the person when a signature is produced. One focus for this technology has been e-
business applications and other applications where signature is an accepted method of
personal authentication.

APPLICATIONS
Iris-based identification and verification technology has gained acceptance in a number of
different areas. Application of iris recognition technology can be limited only by imagination.
The important applications are those following:--
Used in ATM’s for more secure transaction.

Used in airports for security purposes.

Computer login: The iris as a living password.

Credit-card authentication

Secure financial transaction (e- commerce, banking).

“Biometric—key Cryptography “for encrypting/decrypting messages.

Driving licenses and other personal certificates.

Entitlements and benefits authentication.

Forensics, birth certificates, tracking missing or wanted person.

ADVANTAGES AND DISADVANTAGES

A critical feature of this coding approach is the achievement of commensurability among iris
codes, by mapping all irises into a representation having universal format and constant length,
regardless of the apparent amount of iris detail. In the absence of commensurability among the
codes, one would be faced with the inevitable problem of comparing long codes with short
codes, showing partial agreement and partial disagreement in their lists of features.

Page 3
Advantages
It is an internal organ that is well protected against damage by a highly transparent and
sensitive membrane. This feature makes it advantageous from finger print.

Flat , geometrical configuration controlled by 2 complementary muscles control the

diameter of the pupil makes the iris shape more predictable .

An iris scan is similar to taking a photograph and can be performed from about 10 cm
to a few meters away.

Encoding and decision-making are tractable .

Genetic independence no two eyes are the same.

Disadvantages
The accuracy of iris scanners can be affected by changes in lightning.
Obscured by eyelashes, lenses, reflections.
Deforms non-elastically as pupil changes size.

Iris scanners are significantly more expensive than some other form of biometrics.

As with other photographic biometric technologies, iris recognition is susceptible to

poor image
quality, with associated failure to enroll rates
As with other identification infrastructure (national residents databases, ID cards, etc.),
civil rights
activists have voiced concerns that iris-recognition technology might help governments to
track individuals beyond their will.

Biometrics and Privacy

Whenever biometric identification is discussed, people always want to know about the
implications for personal privacy. If a biometric system is used, will the government, or some
other group, be able to get personal information about the users? Biometric measures
themselves contain no personal information. Hand shape, fingerprints or eye scans do not
reveal name, age, race, gender, health or immigration status. Although voice patterns can give
a good estimation of gender, no other biometric identification technology currently used
reveals anything about the person being measured. More common identification methods, such
as a driver’s license, reveal name, address, age, gender, vision impairment, height and even

Page 4
weight! Driver’s licenses, however, may be easier to steal or counterfeit than biometric
measures.
Biometric measures can be used in place of a name, Social Security number or other form of
identification to secure anonymous transactions. Walt Disney World sells season passes to
buyers anonymously, then uses finger geometry to verify that the passes are not being
transferred. Use of iris or fingerprint recognition for anonymous health care screening has also
been proposed. A patient would use an anonymous biometric measure, not a name or Social
Security number, when registering at a clinic. All records held at the clinic for that patient
would be identified, linked and retrieved only by the measure. No one at the clinic, not even the
doctors, would know the patient’s “real” (publicly recognized) identity.
The real fear is that biometric measures will link people to personal data, or allow movements
to be tracked. After all, credit card and phone records can be used in court to establish a
person’s activities and movements. There are several important points to be made on this
issue.
Phone books are public databases linking people to their phone number. These databases are
even accessible on the Internet. Because phone numbers are unique to phone lines2, “reverse”
phone books also exist, allowing a name to be determined from a phone number. Even if a
number is unlisted, all information on calls made from that number may be available to law
enforcement agencies through the subpoena process. There are no public databases, however,
containing biometric identifiers, and there are only a few limited-access government
databases. Five US states have electronic fingerprint records of social service recipients
(Arizona, California, Connecticut, New York and Texas); six states (Cali- fornia, Colorado,
Georgia, Hawaii, Oklahoma and Texas) maintain elec- tronic fingerprints of all licensed
drivers3; nearly all states maintain copies of driver’s license and social service recipient
photos; the FBI and state governments maintain fingerprint databases on convicted felons and
sex offenders; and the federal government maintains hand geometry records on those who
have voluntarily requested border crossing cards General access to this data is limited to the
agencies that collected it .

but like credit card and phone “toll records”, this information can be released or searched by
law enforcement groups acting under court order. Unlike phone books, however, databases of
biometric measures cannot
generally be reversed to reveal names from measures because biometric measures, although
distinctive, are not unique. Fingerprint, retinal and iris databases may be exceptions, allowing
reversal if the biometric data was carefully collected. But general biometric measures do not
serve as useful pointers to other types of data. The linking of records is always done by unique
identifiers such as Social Security and credit card numbers. Bio- metric measures are not

Page 5
generally useful in this regard, even if databases linking information to measures were to exist.
For these reasons, biometric measures are not useful for tracking the movements of people, as
is already possible using telephone and credit card numbers.
Databases of biometric images, and the numerical models or templates derived from them, are
often encrypted with the intention of inhibiting their compromise in bulk. But compromise of
individual measures cannot always be prevented by protecting databases and transmission
channels because biometric measures, although privately owned, are sometimes publicly
observable (e.g. a photo of a person’s face can be taken with a camera or downloaded from a
web page). In general, biometric measures are not secret, even if it might be quite complicated
to acquire usable copies (e.g. a retinal map) without the cooperation of the owner. When used
for security, bio- metric characteristics are more like public keys than private keys. Unlike
public keys, however, biometric measures cannot be revoked if stolen or mimicked. The
industry is currently working on methods for “live-ness testing” and revocation, hoping to
ameliorate these problems

The privacy issues raised by the use of biometrics.

[Link],biometricmeasurescontainno
personal information and are more difficult to forge or steal.

[Link] secure anonymous

transactions.

[Link] biometric measures(faceimages,voicesignalsand“latent”fingerprintsleft on surfaces)

can be taken without a person’s knowledge, but cannot be linked to an identity without a pre-
existing invertible database.

[Link],andsometimesevenalegalname,can identify a person in a

large population. This capability has not been demonstrated using any single biometric
measure.

[Link],biometricdatabasescanbesearched outside of their

intended purpose by court order.

[Link] credit card,telephoneorSocialSecuritynumbers,biometriccharacteristics change from

one measurement to the next.

Page 6
[Link] efficient as using
better identifiers, like legal name or Social Security number.

[Link],butaresometimespubliclyobservable and cannot be

revoked if compromised.

A System Model
Although these devices rely on widely different technologies, much can be said about them in
general.

Data Collection
Biometric systems begin with the measurement of a behavioral/physiolog- ical characteristic.
Key to all systems is the underlying assumption that the measured biometric characteristic is
both distinctive between individuals and repeatable over time for the same individual. The
problems in mea- suring and controlling these variations begin in the data collection
subsystem.
The user’s characteristic must be presented to a sensor. The presentation of any biometric
characteristic to the sensor introduces a behavioral (and, consequently, psychological)
component to every biometric method. This behavioral component may vary widely between
users, between applica- tions, and between the test laboratory and the operational
environment. The output of the sensor, which is the input data upon which the system is built,
is the convolution of: (1) the biometric measure; (2) the way the mea- sure is presented; and
(3) the technical characteristics of the sensor. Both the repeatability and the distinctiveness of
the measurement are negatively impacted by changes in any of these factors. If a system is to
be open, the presentation and sensor characteristics must be standardized to ensure that
biometric characteristics collected with one system will match those collected on the same
individual by another system. If a system is to be used in an overt, non-cooperative application,
the user must not be able to will- fully change the biometric or its presentation sufficiently to
avoid being matched to previous records.

Transmission
Some, but not all, biometric systems collect data at one location but store and/or process it at
another. Such systems require data transmission. If a great amount of data is involved,
compression may be required before transmission or storage to conserve bandwidth and
storage space. Figure 1.1 shows compression and transmission occurring before the signal pro-

Page 7
cessing and image storage. In such cases, the transmitted or stored com- pressed data must
be expanded before further use. The process of compression and expansion generally causes
quality loss in the restored signal, with loss increasing with increasing compression ratio. The
com- pression technique used will depend upon the biometric signal. An inter- esting area of
research is in finding, for a given biometric technique, compression methods with minimum
impact on the signal-processing subsystem.
If a system is to be open, compression and transmission protocols must be standardized so
that every user of the data can reconstruct the original signal. Standards currently exist for the
compression of fingerprints (Wavelet Scalar Quantization), facial images (JPEG), and voice
data (Code Excited Linear Prediction).
Signal Processing
Having acquired and possibly transmitted a biometric characteristic, we must prepare it for
matching with other like measures. Figure 1.1 divides the signal-processing subsystem into four
tasks: segmentation, feature extraction, quality control, and pattern matching.
Segmentation is the process of finding the biometric pattern within the transmitted signal. For
example, a facial recognition system must first find the boundaries of the face or faces in the
transmitted image. A speaker verification system must find the speech activity within a signal
that may contain periods of non-speech sounds. Once the raw biometric pattern of interest has
been found and extracted from larger signal, the pattern is sent to the feature extraction
process.
Feature extraction is fascinating. The raw biometric pattern, even after segmentation from the
larger signal, contains non-repeatable distortions caused by the presentation, sensor and
transmission processes of the system. These non-controllable distortions and any non-
distinctive or redundant elements must be removed from the biometric pattern, while at the
same time preserving those qualities that are both distinctive and repeatable. These qualities
expressed in mathematical form are called “fea- tures”. In a text-independent speaker
recognition system, for instance, we may want to find the features, such as the mathematical
frequency relation- ships in the vowels, that depend only upon the speaker and not upon the
words being spoken, the health status of the speaker, or the speed, volume and pitch of the
speech. There are as many wonderfully creative mathemat- ical approaches to feature
extraction as there are scientists and engineers in the biometrics industry. You can understand
why such algorithms are always considered proprietary. Consequently, in an open system, the
“open” stops here.
In general, feature extraction is a form of non-reversible compression, meaning that the
original biometric image cannot be reconstructed from the extracted features. In some
systems, transmission occurs after feature extraction to reduce the requirement for bandwidth.
After feature extraction, or maybe even before, we will want to check to see if the signal

Page 8
received from the data collection subsystem is of good quality. If the features “don’t make
sense” or are insufficient in some way, we can conclude quickly that the received signal was
defective and request a new sample from the data collection subsystem while the user is still at
the sensor. The development of this “quality control” process has greatly improved the
performance of biometric systems in the last few short years. On the other hand, some people
seem never to be able to present an accept- able signal to the system. If a negative decision by
the quality control module cannot be overridden, a “failure to enroll” error results.
The feature “sample”, now of very small size compared to the original signal, will be sent to the
pattern matching process for comparison with one or more previously identified and stored
feature templates or models. We use the term “template” to indicate stored features. The
features in the template are of the same type as those of a sample. For instance, if the sample
features are a “vector” in the mathematical sense, then the stored template will also be a
“vector”. The term “model” is used to indicate the construction of a more complex
mathematical representation capable of generating features characteristic of a particular user.
Models and features will be of different mathematical types and structures. Models are used in
some speaker and facial recognition systems. Templates are used in finger- print, iris, and hand
geometry recognition systems.
The term “enrollment” refers to the placing of a template or model into the database for the
very first time. Once in the database and associated with an identity by external information
(provided by the enrollee or others), the enrollment biometric data is referred to as the
template or model for the individual to which it refers.
The purpose of the pattern matching process is to compare a presented fea- ture sample to
the stored data, and to send to the decision subsystem a quanti- tative measure of the
comparison. An exception is enrollment in systems allowing multiple enrollments. In this
application, the pattern matching pro- cess can be skipped. In the cooperative case where the
user has claimed an identity or where there is but a single record in the current database
(which might be a magnetic stripe card), the pattern matching process might only make a
comparison against a single stored template. In all other cases, such as large-scale
identification, the pattern matching process compares the present sample to multiple
templates or models from the database one at a time, as instructed by the decision subsystem,
sending on a quantitative “distance” measure for each comparison. In place of a “distance”
measure, some systems use “similarity” measures, such as maximum likelihood values.
The signal processing subsystem is designed with the goal of yielding small distances between
enrolled models/templates and later samples from the same individual and large distances
between enrolled models/tem- plates and samples of different individuals. Even for models and
samples from the same individual, however, distances will rarely, if ever, be zero, as there will
always be some non-repeatable biometric-, presentation-, sensor- or transmission-related

Page 9
variation remaining after processing.
Storage
The remaining subsystem to be considered is that of storage. There will be one or more forms
of storage used, depending upon the biometric system. Templates or models from enrolled
users will be stored in a database for comparison by the pattern matcher to incoming feature
samples. For sys- tems only performing “one-to-one” matching, the database may be distrib-
uted on smart cards, optically read cards or magnetic stripe cards carried by each enrolled
user. Depending upon system policy, no central database need exist, although in this
application a centralized database can be used to detect counterfeit cards or to reissue lost
cards without re-collecting the biometric pattern.
The database will be centralized if the system performs one-to-N matching with N greater than
one, as in the case of identification or “PIN- less verification” systems. As N gets very large,
system speed requirements dictate that the database be partitioned into smaller subsets such
that any feature sample need only be matched to the templates or models stored in one
partition, or indexed by using an appropriate data structure which allows the templates to be
visited in an advantageous order during the retrieval [61]. These strategies have the effect of
increasing system speed and decreasing false matches, at the expense of increasing the false
non- match rate owing to partitioning errors. This means that system error rates do not remain
constant with increasing database size and identification systems do not scale linearly.
Consequently, database partitioning/ indexing strategies represent a complex policy decision .
If it may be necessary to reconstruct the biometric patterns from stored data, raw (although
possibly compressed) data storage will be required. The biometric pattern is generally not
reconstructable from the stored templates or models, although some methods [41] do allow a
coarse recon- struction of patterns from templates. Further, the templates themselves are
created using the proprietary feature extraction algorithms of the system vendor. The storage
of raw data allows changes in the system or system vendor to be made without the need to re-
collect data from all enrolled users.
Decision
The decision subsystem implements system policy by directing the data- base search,
determines “matches” or “non-matches” based on the distance or similarity measures received
from the pattern matcher, and ultimately makes an “accept/reject” decision based on the
system policy. Such a deci- sion policy could be to reject the identity claim (either positive or
negative) of any user whose pattern could not be acquired. For an acquired pattern, the policy
might declare a match for any distance lower than a fixed threshold and “accept” a user
identity claim on the basis of this single match, or the policy could be to declare a match for
any distance lower than a user-dependent, time-variant, or environmentally linked threshold
and require matches from multiple measures for an “accept” decision. The policy could be to

Page 10
give all users, good guys and bad guys alike, three tries to return a low distance measure and
be “accepted” as matching a claimed template. Or, in the absence of a claimed template, the
system policy could be to direct the search of all, or only a portion, of the database and return
a single match or multiple “candidate” matches. The decision policy employed is a
management decision that is specific to the operational and security requirements of the
system. In general, lowering the number of false non-matches can be traded against raising the
number of false matches. The optimal system policy in this regard depends both upon the
statistical characteristics of the comparison distances coming from the pattern matcher, the
relative penalties for false match and false non-match within the system, and the a priori
(guessed in advance) probabilities that a user is, in fact, an impostor. In any case, in the testing
of biometric devices, it is necessary to decouple the performance of the signal processing
subsystem from the policies implemented by the decision subsystem.

The importance of using biometric authentication in security

systems:

1. **Enhanced Security:** Biometric authentication offers a high level of security compared to

traditional methods like passwords or PINs. Biometric identifiers such as fingerprints, iris
scans, and facial features are unique to individuals, making it extremely difficult for
unauthorized users to gain access.

2. **Reduced Risk of Identity Theft:** Unlike passwords or PINs, which can be stolen,
forgotten, or shared, biometric traits are inherent to individuals and cannot be easily replicated
or forged. This significantly reduces the risk of identity theft and unauthorized access to
sensitive information or resources.

3. **Improved User Experience:** Biometric authentication provides a seamless and user-

friendly experience. Users no longer need to remember complex passwords or carry physical
tokens for authentication. By simply using their biometric traits, such as a fingerprint or facial
scan, users can quickly and securely access their devices, accounts, or physical spaces.

4. **Increased Accountability:** Biometric authentication systems create a reliable audit trail

by accurately recording and verifying individuals' identities. This enhances accountability and
traceability, particularly in environments where access control and security monitoring are
critical, such as in government facilities, financial institutions, and healthcare organizations.

Page 11
5. **Customizable Security Levels:** Biometric authentication systems can be tailored to
meet specific security requirements and risk profiles. Organizations can implement multi-factor
authentication by combining biometric traits with other authentication methods, such as
passwords or smart cards, to further fortify security measures and mitigate potential
vulnerabilities.

6. **Compliance with Regulatory Standards:** Many industries and regulatory bodies

mandate the use of biometric authentication to ensure compliance with data protection and
privacy regulations. By adopting biometric authentication technologies, organizations can
demonstrate their commitment to safeguarding sensitive information and adhering to industry
standards.

7. **Future-Proofing Security Systems:** As technology evolves, biometric authentication

continues to evolve and adapt to emerging threats and challenges. With ongoing research and
development, new biometric modalities and techniques are being developed to enhance
security resilience and combat evolving cyber threats.

8. **Mitigation of Insider Threats:** Biometric authentication helps mitigate insider threats by

ensuring that only authorized individuals have access to sensitive resources or information.
Since biometric traits are unique to each person, it becomes significantly harder for malicious
insiders to impersonate or misuse credentials to gain unauthorized access.

9. **Versatility Across Industries:** Biometric authentication is versatile and applicable across

various industries and sectors. From financial institutions and government agencies to
healthcare facilities and educational institutions, biometric technology can be integrated into a
wide range of security systems to enhance protection and streamline authentication
processes.

10. **Adaptability to Mobile and IoT Devices:** With the proliferation of mobile devices and
the Internet of Things (IoT), biometric authentication has become increasingly relevant in
securing these connected devices and platforms. Features like fingerprint scanners and facial
recognition are commonly integrated into smartphones, tablets, and wearable devices, offering
convenient and secure access to personal data and services.

11. **Deterrence Against Fraud and Cyber Attacks:** Biometric authentication serves as a
deterrent against fraud and cyber attacks by raising the level of complexity required for
unauthorized access. Hackers and cybercriminals often target vulnerabilities in traditional

Page 12
authentication methods, but biometric identifiers provide an additional layer of protection that
is difficult to compromise.

12. **Cost-Effectiveness in the Long Run:** While the initial implementation costs of
biometric authentication systems may be higher compared to traditional methods, the long-
term benefits often outweigh the investment. Reduced incidents of data breaches, identity
theft, and security incidents can result in significant cost savings and reputational benefits for
organizations over time.

13. **User Acceptance and Convenience:** Biometric authentication offers a convenient and
user-friendly alternative to traditional authentication methods. Users appreciate the simplicity
and speed of biometric authentication, leading to higher levels of acceptance and satisfaction
with security protocols and systems.

In conclusion
the adoption of biometric authentication in security systems is driven by its effectiveness in
enhancing security, reducing risks, improving user experience, and ensuring compliance with
regulatory requirements. As technology continues to evolve, biometric authentication will play
an increasingly integral role in safeguarding digital assets, protecting privacy, and maintaining
trust in an interconnected world.

summary
the use of biometric authentication in security systems offers a robust and reliable means of
verifying individuals' identities, improving security posture, enhancing user experience, and
ensuring compliance with regulatory standards. By leveraging biometric technologies,
organizations can effectively mitigate risks, protect sensitive information, and uphold the
integrity of their security infrastructure.

Page 13