
SWE577 2010F 1

Biometric Techniques for Personal Identification


Ozan Can Çalı
Abstract - In the modern Information Era, various methods are used to recognize
and verify a person for purposes such as access management and access
control in workplaces, in homes and on the internet. Formerly, these methods relied
on processes such as username and password verification. Today, methods of this kind,
which rely solely on non-intrinsic traits, are not regarded as safe enough. Every
person is distinguished from every other by distinct physiological
and behavioral characteristics. Today, including these distinct personal traits
in personal identification processes is regarded as the optimum approach.

I. INTRODUCTION
It is obvious that constantly developing technology significantly affects our world and
everyday tasks. With the help of technology, we have become a more interactive society,
especially through the use of the Internet. This has also brought security issues regarding
the protection of the identity and data of individuals, since securing information on virtual
platforms is not always as safe and certain as keeping valuable papers in a safe, as in old
times. Hence, the security and protection of identity and valuable data should be of great
concern and should not be ignored.

While improvements in technological fields let us share information and perform tasks more
easily, they also make it more difficult to maintain and manage access while protecting the
identity and data of the user.

II. IDENTITY THEFT


The most frequently encountered crime involving the misuse of personal data is so-called
“identity theft”, which covers a broad range of identification-based crimes that can be
grouped into the following categories:
• Financial Identity Theft: In this kind of theft, usually your name and social security
number are stolen and used to buy telephone/internet service, take out a personal loan,
rent a car, apply for credit cards etc.
• Criminal Identity Theft: Upon coming across law enforcement officers, the thief provides
the stolen information instead of his/her own. Hence, the legal proceedings are issued in
the name of the innocent person whose information was stolen rather than the imposter.
• Business or Commercial Identity Theft: In this method, the imposter uses the name of
a business / the name of the business he/she is working for to get credit cards or loans.
• Identity Cloning: The thief lives as the person whose identity information he/she has
stolen. This method is mostly preferred by illegal aliens in a country.

Research on identity theft shows that in the USA between 2003 and 2006, the total number
of victims has decreased but the “quality” of the thefts has increased over time, meaning that
fewer people are affected by identity theft, but the lost value has increased1. This can prove that

1 cf. Bochkov, Y./Chiem J./Ying Sai, L. - Marymount University-LA, 2006. Use Biometric
Techniques in Combating Identity Theft

society has become more conscious of identity theft, but the necessary precautions must
still be taken, since imposters tend towards thefts in which more money is
involved.

Consequently, the most essential type of security that should be established in order to
protect personal data is identity authentication, which is the process of verifying that
the user is who he/she claims to be. The following sentence reveals an important distinction:
“Identification says who you are and authentication specifies what you can do with that
identity.”2

III. SOLUTIONS FOR IDENTITY THEFT


We can group the methods/tools used for identity authentication into three categories:
• Something you know: This kind of information comprises passwords and PIN codes,
which are supposed to be known by only one person. Its insecurity arises from the fact
that this kind of information can be easily stolen by imposters since it is not part of
a person's characteristics. It is usually easy to guess, as users tend to choose
passwords/PIN codes that are not complicated and are easy to remember. A common issue is
that people usually create passwords similar to their birthdate or license plate numbers.
Besides, because of the increasing number of different passwords used by individuals for
each platform, their management gets more difficult over time.
• Something you have: These include smart cards, pass-cards or ID-grid
cards that are owned by only one individual. This has a similar problem to the above;
they can be easily stolen or get lost.
• Something you are: Identity authentication techniques of this kind constitute
“biometrics”. The information involved in these techniques is a part of the user and
thus cannot be forgotten or easily replaced, preventing thefts. Hence, biometrics can
also test whether the rightful owner is the one trying to access the data.

In most security systems, two or more of these methods, as well as more than one biometric
method are combined for enhanced security.

In this paper, biometric techniques for identity authentication are detailed.

A. Biometric Techniques
Today, techniques for personal identification are increasingly based on biometric techniques
or on their combination with the other techniques mentioned above. Biometric features of
people are very diverse and each of them is unique to that person, which makes biometrics
more secure than other techniques. Biometric characteristics are studied in two groups:
• Physiological biometrics
• Behavioral biometrics

Physiological biometrics are rather tangible; they relate to the shape of the user's body.
The most common examples of physiological biometrics are fingerprint, palm-print, hand
geometry, face recognition, ear recognition, retina and iris recognition, odor/scent and DNA.

2 http://www.itrportal.com/absolutenm/templates/article-storage.aspx?articleid=1613&zoneid=21 –
access on 19.11.2010

On the other hand, behavioral biometrics relate to the behaviors of the user in certain fields
such as typing rhythm and gait of the user.

Theoretically, the voice of a person is also a physiological feature since everyone has a
unique vocal tract, but voice recognition is mainly based on the way a person speaks and is
therefore considered a behavioral biometric.

Biometric systems have two operation modes: In the first mode, the collected samples are
enrolled by the user and the templates created therefrom are stored in the database. In the
other mode, the user presents his/her characteristics and a match with the pre-enrolled
templates is searched in the database.

1) Physiological Biometrics
The most widely used biometric technology for personal identification is the fingerprint. Its
individualization rate is amongst the highest. In this technique, the distinct ridges and
recesses on the outermost skin of an individual’s finger, located between the fingertip and
the first knuckle, are captured and distinguished. Fingerprints are grouped in two types: flat
or rolled. Flat fingerprints capture only the area at the center of the finger, while rolled
fingerprints additionally capture the details on the sides of the finger.

Hand geometry is another extensively used biometric technique, wherein approximately 90
dimensional traits of the hand of a person are captured. These include the width, height and
length of the fingers, the shapes of the knuckles and the distances between them.
The measurement devices are optical cameras and light-emitting diodes that create templates
out of two-dimensional images of the hand.

Facial recognition captures the traits of one’s face, wherein the traits include the
position of the eye sockets and the distances between the main bones and features of the face.
The main disadvantage of facial recognition is that the images of a face can vary greatly
under different conditions such as the facial expression, the angle or the ambient light.
Another problem is that people's faces change a lot in the course of time. It is reported that
even the best facial recognition algorithms have error rates of nearly 50 percent when
inspecting images of the same face taken one year apart, and these rates exclude the
above-mentioned disadvantages3. Besides, facial recognition is not as distinctive as the other
physiological biometrics since different faces can share similar characteristics (as in
identical twins).

Retinal scanning is performed by electronically scanning the retina of the eye. It analyzes
the characteristics of the blood vessels at the back of the eye. The retina is scanned by
low-intensity light and an optical reader records the resulting data, which is highly accurate.
During the retinal scanning process, the user removes glasses and holds still for 15 seconds
for the device to perform the scan. Retinal scanning is the most accurate and one of the most
secure biometric techniques since every retina is unique and it is almost impossible to
replicate a retina. The main disadvantages of retinal scanning are the high costs of the
required devices and the difficulty of its implementation. Therefore, retinal scanning is
mostly used in high-security facilities instead of public areas such as universities and
hospitals.

3 Sandy Pentland of the Massachusetts Institute of Technology and Jonathon Phillips of the
National Institute of Standards and Technology

Iris scanning is the process of taking a high-definition picture of the colored portion of the
eye that surrounds the pupil. The iris of an individual can comprise up to 200 distinctive
characteristics, as opposed to 13 to 60 for other biometric technologies. The iris is so
distinctive that even the same person can have different iris patterns in each eye. These
characteristics of the iris make iris scanning so accurate that "the entire planet could be
enrolled in an iris database with only a small chance of false acceptance or false
rejection."4 On the other hand, the high costs of the iris scanning process and the lack of
ease-of-use for the user make it undesirable.

2) Behavioral Biometrics
Behavioral biometrics are usually utilized as a complement to “something you know” or
“something you have”. Dynamic signature verification is one type of behavioral biometrics. It
is used to recognize the changes in speed and timing of the user while signing on a special pad
or signing with a special pen. Although it is an important advantage that it is hard to imitate
the way someone signs, the frequent variations in how people sign under
different conditions such as old age, stress or sickness make this technology impractical.

Keystroke dynamics is a type of behavioral biometrics similar to dynamic signature
verification. Here, it accompanies the password the user enters through an input device
such as a keyboard by measuring the typing speed of the user and the interval between two
keystrokes. Since the speed of the user most probably changes over time, and the user does not
enter his/her password with the same speed and tempo every time, the system periodically
recalculates the average speed and tempo of the user after it has collected sufficient data,
which allows the false rejection rate to be reduced. The main advantage of keystroke dynamics
is that it does not try to replace any existing technology; it just tries to enhance the level
of security in facilities that utilize password protection, which is the most common security
method in today’s technology era. It is also a cheap technology since no additional hardware
is required and the technology is implemented in software alone.

Voice recognition is another extensively used biometric technique. A predetermined phrase
spoken by the user is matched with the one in the database, and when an adequate match is
found, the user is identified. It is widely used because it is a relatively inexpensive
technology and is easy to use. On the other hand, although the voice cannot be easily
imitated, it is easier to steal the required “pass phrase” from the user, e.g. by secretly
recording it without the user realizing; afterwards, the system can be fooled without even
requiring the user to be present in the identification process. The voice recognition
technique can also be unreliable, especially in noisy environments.

4 cf. Bochkov, Y./Chiem J./Ying Sai, L. - Marymount University-LA, 2006. Use Biometric
Techniques in Combating Identity Theft

B. Error Probabilities
In an identity authentication process, there are mainly three error cases that one tries to
reduce:
• False Acceptance Rate (FAR) refers to the probability that the identification system
mistakenly authorizes entrance attempts that should have been rejected.

• False Rejection Rate (FRR) refers to the probability that the identification system does
not authorize legitimate entrance attempts.

• Failure to enroll (FTE): Depending on the biometric technology used, the enrollment
process can sometimes be troublesome, largely because of poor input quality.
For instance, in an iris recognition system, recognizing the iris of a user
wearing sunglasses can end up with erroneous and deficient results. This consequently
causes FRR.

As might be expected, FAR and FRR trade off against each other, and the optimal way to resolve
the conflict between them is to carefully adjust the decision threshold that
regulates the required similarity between the template stored in the system and the input
(which is based on the so-called Receiver Operating Characteristic (ROC)). That is, if the
detection threshold of the system is too low, the number of false non-matches between the
template and the input will be reduced, but the false accepts will be increased. In contrast,
when the threshold is set too high, the system will hardly accept any entrance attempts. Of
course, in systems that need higher security and thus have no tolerance for any false
acceptance, the threshold should be set very high, which may result in many more false
rejections but makes the system more secure by not allowing any unauthorized user.

The optimal threshold value for a system is the one at the equal error rate (EER, also
called crossover error rate, CER), which is obtained from the FAR-FRR diagram, the visual
presentation of the FAR and FRR figures calculated at different threshold values. The EER is
the value at the intersection point of the FAR and FRR curves (Figure 1).

Figure 1 - Error-Sensitivity Diagram of FAR and FRR. The point indicates EER 5
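
The threshold trade-off and the EER can be computed directly from similarity scores, as in this added example (not part of the paper). The scores and thresholds are constructed sample data, and the rule "accept when score >= threshold" is an assumption matching the description above.

```python
def far_frr(genuine, impostor, threshold):
    """FAR and FRR when an attempt is accepted if its similarity score >= threshold."""
    false_accepts = sum(s >= threshold for s in impostor)
    false_rejects = sum(s < threshold for s in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor, thresholds):
    """One (threshold, FAR, FRR) row per threshold: the FAR-FRR diagram as data."""
    return [(t, *far_frr(genuine, impostor, t)) for t in sorted(thresholds)]


def equal_error_rate(genuine, impostor, thresholds):
    """Swept threshold where FAR and FRR are closest, and the error rate there."""
    t, far, frr = min(sweep(genuine, impostor, thresholds),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


def strictest_needed(genuine, impostor, thresholds, max_far):
    """Lowest swept threshold whose FAR stays within max_far, with the FRR it costs."""
    for t, far, frr in sweep(genuine, impostor, thresholds):
        if far <= max_far:
            return t, far, frr
    return None  # no swept threshold meets the FAR requirement


# Constructed similarity scores in [0, 1]: 10 genuine and 20 impostor attempts.
GENUINE_SCORES = [0.55, 0.62, 0.70, 0.74, 0.78, 0.81, 0.85, 0.88, 0.92, 0.96]
IMPOSTOR_SCORES = [0.10, 0.15, 0.18, 0.22, 0.25, 0.28, 0.30, 0.33, 0.35, 0.38,
                   0.40, 0.42, 0.45, 0.48, 0.52, 0.56, 0.60, 0.64, 0.68, 0.72]
THRESHOLDS = [0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9]

if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"threshold={t:.1f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("EER:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
    print("zero-FAR operating point:",
          strictest_needed(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS, 0.0))
```

On this sample the zero-FAR operating point sits two threshold steps above the EER threshold and rejects half of the genuine attempts, which is the price of "no tolerance for any false acceptance".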

The conflict between FAR and FRR is mainly minimized by using
combined biometrics. For example, in research conducted in Alexandria, the combined
application of face and ear biometrics resulted in an overall performance rate of 96.67% when
using a 0.995 threshold, which makes it more accurate than most of the biometric techniques.

In this research, there are a total of 300 entrance attempts, 200 of which are fraud attempts
and only 100 of which are authorized attempts. In Figure 2, we see that at low threshold
values, the number of FAR cases is high (59) and gets lower as the threshold value increases.
On the other hand, at high threshold values, there are no FAR cases but the number of FRR
cases gradually increases.

Figure 2 - System Classification at Different Thresholds [5]

C. Comparison of Biometric Technologies


Biometric techniques are measured and compared by four main characteristics: their
permanence, performance, uniqueness and acceptability. Facilities employ these systems
according to their needs, and the comparison of biometric technologies gives them a good
clue: If the security is not required to be extremely high and the identification process is
performed many times a day, which is usual in libraries and cafeterias, the facility tends to
prefer the biometric technique which is faster and more accepted by the users but not as
5 http://www.biometricsdirect.com/Biometrics/biometricsterms.htm - access on 02.01.2010

highly secure as the other biometric techniques. Figure 3 shows the level of various features
of different biometric techniques. As can be seen, user acceptance and the overall quality
of the biometrics in terms of security often conflict with each other.

Biometrics            Permanence   Performance   Uniqueness   Acceptability
Fingerprint           H            H             H            M
Hand Geometry         M            M             M            M
Retinal Scanning      M            H             H            L
Iris Scanning         H            H             H            L
Facial Recognition    M            L             L            H
Dynamic Signature     L            L             L            H
Keystroke Dynamics    L            L             L            M
Voice Recognition     L            L             L            H
H = High, M = Medium, L = Low
Figure 3 - Comparison of Various Biometric Techniques [4]

For example, the fingerprinting process is considered highly secure, whereas users are not
very fond of it for hygiene reasons. On the other hand, voice recognition is usually not that
effective but is widely accepted by users since simply saying a word is a rather easy
process. But in the end, the security concerns outweigh the comfort of users: Fingerprint, hand
geometry, iris scanning and retinal scanning are widely used in biometric security systems
(Figure 4).

Figure 4 - Usability-Security Comparison of Various Biometric Techniques 6

6 URL: http://www.hitachi-ics.co.jp/product/english/about_fv.htm - access on 01.01.2010

The disadvantages of biometric techniques for personal identification are not so much
security related; they are rather ethics or cost related, or caused by the lack of
ease-of-use. With most of the biometric technologies, most notably fingerprinting and hand
geometry, people sometimes feel uncomfortable since they feel they are being treated as
criminals when their fingerprints/hand geometry/iris/retina characteristics are captured for
security purposes. The discomfort caused by the collection of people's personal data is also
a major problem with biometrics. Another concern is that the devices that collect
fingerprint/hand images are extensively used every day, which may cause sanitary problems.
Problems with iris and retinal scanning arise from the fact that the user should stand very
still during the scanning and should not wear glasses or contact lenses, which makes these
techniques impractical. Another example of the difficulty of enrollment for the biometric
techniques is that elderly people often have worn-out fingers, which makes the fingerprint
and hand geometry techniques useless for them. Apart from these, some biometrics are disliked
by forensic medicine as they leave no trace; for instance, the iris is not (and naturally
cannot be) left as evidence by criminals on the crime scene when an incident breaks out with
an iris recognition biometrics system.

IV. CONCLUSION
Technology is an emerging tool in every field of our daily lives, and the security of
important data as well as the identification/authorization of individuals is done by means of
technology. Usernames and passwords as well as keys/cards (in other words, “something we
know” and “something we have”) are intensively used for these purposes. However,
management of these passwords/cards is hard; people often get frustrated when trying to
keep in mind a lot of different passwords or keeping the entrance card with them all the time.
Besides, these techniques are often vulnerable to theft; they can be easily stolen or cloned.

On the other hand, “something we are” is always more advantageous since it cannot be stolen
or forgotten. Besides, its uniqueness makes it more secure than any other personal
identification technique and thus, the system cannot be easily tricked when biometric
techniques are utilized. Nowadays, multimodal biometric systems are utilized wherein more
than one biometric technology is combined, enhancing the security.

V. REFERENCES

[1] Wikimedia Foundation, Inc. - Biometrics [16 November 2010]. Available from Internet:
<URL: http://en.wikipedia.org/wiki/Biometrics>

[2] Wikimedia Foundation, Inc. - Identity Access Management [16 November 2010].
Available from Internet:
<URL: http://en.wikipedia.org/wiki/Identity_access_management>

[3] IT Reseller Magazine - Biometrics: how do they work and what should we be asking [14
November 2010]. Available from Internet:
<URL: http://www.itrportal.com/absolutenm/templates/article-storage.aspx?articleid=1613&zoneid=21>

[4] Bochkov, Y./Chiem J./Ying Sai, L. - Marymount University-LA, 2006 - Use Biometric
Techniques in Combating Identity Theft. Available from Internet:
<URL: http://www.academic-papers.org/ocs2/session/Papers/D7/843.doc>

[5] Hamdy, N./Ibrahim, H./El-Habrouk, M. - Electronics & Communication Department,
Arab Academy of Science & Technology, Alexandria, Egypt, 2009 - Personal
Identification Using Combined Biometrics Techniques

[6] Iris Recognition PowerPoint Presentation – Natalia Schmid and John Daugman
<URL: www1.cs.columbia.edu/~belhumeur/courses/biometrics/.../IRIS_long.ppt>

[7] Masek, Libor – The University of Western Australia, 2003, Recognition of Human Iris
Patterns for Biometric Identification, page 1, 2, 27
