Lecture 3 Notes
Biometrics

Why biometrics?
o Seen as desirable replacement for passwords
o What you are
o Cheap and reliable biometrics needed
o Very active area of research, but not yet lived up to promise
Fraud rate versus insult rate
o Fraud = false accept = false negative
o Insult = false reject = false positive
For any biometric, decreasing fraud or insult increases the other
o Equal error rate = rate where fraud = insult
▪ Not always a good metric but best measure for comparing biometrics
For banking, want lower insult rate than fraud rate – keep customer happy, accept some fraud as cost of doing business
o Banks want fraud rate of 1%, insult rate of 0.01% – beyond state of the art in signature verification (at best 1% equal error rate for tablet-based signature recognition systems)
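The fraud/insult trade-off and the equal error rate above, worked through on a small set of distance scores. This is an added example, not part of the original lecture notes; the score lists, the function names and the 10% insult budget are constructed for illustration.

```python
# Constructed distance scores (0 = perfect match); not measurements from any real system.
GENUINE = [0.05, 0.08, 0.10, 0.12, 0.15, 0.18, 0.22, 0.27, 0.33, 0.41]   # owner vs own template
IMPOSTOR = [0.24, 0.30, 0.36, 0.40, 0.44, 0.47, 0.50, 0.52, 0.55, 0.60]  # someone else

def rates(genuine, impostor, threshold):
    """Return (fraud_rate, insult_rate) when distances below threshold are accepted."""
    fraud = sum(d < threshold for d in impostor) / len(impostor)   # impostor accepted
    insult = sum(d >= threshold for d in genuine) / len(genuine)   # owner rejected
    return fraud, insult

def sweep(genuine, impostor):
    """(threshold, fraud, insult) for every observed score used as the threshold."""
    return [(t, *rates(genuine, impostor, t)) for t in sorted(set(genuine) | set(impostor))]

def equal_error_point(genuine, impostor):
    """Threshold where fraud and insult are closest, and the error rate there."""
    t, fraud, insult = min(sweep(genuine, impostor), key=lambda r: abs(r[1] - r[2]))
    return t, (fraud + insult) / 2

def lowest_fraud_threshold(genuine, impostor, max_insult):
    """Operating point with the least fraud whose insult rate stays within max_insult."""
    allowed = [r for r in sweep(genuine, impostor) if r[2] <= max_insult]
    return min(allowed, key=lambda r: r[1]) if allowed else None

if __name__ == "__main__":
    for t, fraud, insult in sweep(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}: fraud {fraud:.0%}  insult {insult:.0%}")
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR))
    print("insult budget 10%:", lowest_fraud_threshold(GENUINE, IMPOSTOR, 0.10))
```

Moving the threshold away from the equal error point lowers one rate only by raising the other; the insult-budget call picks the bank-style operating point where insult is kept below fraud.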
Biometric modes
o Identification – compare one to many, like fingerprint database
o Authentication
▪ Compare one to one, like thumbprint mouse
o Identification problem much more difficult
▪ More “random” matches since more comparisons
o This class focuses more on authentication
Binning
o Identify one bit to see if each of 10 fingers and thumbs has a significant feature, like a whorl
Iris patterns
o Most secure biometric today
o Iris pattern development is “chaotic”
o Iris scan
▪ Scanner locates iris
▪ Take b/w photo
▪ Use polar coordinates
▪ Find 2-D wavelet transform – zooms on most interesting parts
▪ 256-byte iris code – patented by Daugman
Measuring iris similarity
o Based on fraction of non-matching bits
o Define d(x,y) to be
▪ # of non-matching bits / # of bits compared
o Compute d(x,y) on 2048-bit iris code (256*8)
▪ Perfect match is d(x,y) = 0
▪ For same iris, expected distance is 0.08, due to things impeding image quality or things obstructing the eye, like eyelashes
▪ At random, expect distance of 0.50
▪ Choose a limit between 0.08 and 0.50 – 0.32 often chosen
o Look more at iris scan error rate – bell graph
▪ Some overlap in the 0.32 range between what is accepted and what is rejected – this is where errors are made
▪ Easy to accept or reject people at opposite extremes, maybe take more time in the overlap range where likely to make errors
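The distance measure and the 0.32 limit described above, as an added example that is not part of the original notes. The mask arguments (marking bits hidden by eyelashes or glare), the 8% bit-flip noise model and the sample codes are assumptions constructed here, not Daugman's actual encoding.

```python
import random

CODE_BYTES = 256      # 256-byte (2048-bit) iris code, as in the notes
THRESHOLD = 0.32      # acceptance limit quoted in the notes

def iris_distance(x, y, mask_x, mask_y):
    """d(x,y) = number of non-matching bits / number of bits compared.

    Mask bit 1 = that code bit was measured reliably; bits hidden by
    eyelashes or glare are 0 and are left out of the comparison.
    """
    if not len(x) == len(y) == len(mask_x) == len(mask_y):
        raise ValueError("codes and masks must have equal length")
    usable = int.from_bytes(mask_x, "big") & int.from_bytes(mask_y, "big")
    compared = bin(usable).count("1")
    if compared == 0:
        raise ValueError("no usable bits in common")
    diff = int.from_bytes(x, "big") ^ int.from_bytes(y, "big")
    return bin(diff & usable).count("1") / compared

def accept(distance, threshold=THRESHOLD):
    return distance < threshold

def flip_bits(code, fraction, rng):
    """Constructed noise model: flip exactly this fraction of bits at random."""
    nbits = len(code) * 8
    value = int.from_bytes(code, "big")
    for pos in rng.sample(range(nbits), round(nbits * fraction)):
        value ^= 1 << pos
    return value.to_bytes(len(code), "big")

def demo(seed=3):
    rng = random.Random(seed)                      # fixed seed: repeatable sample data
    new_code = lambda: bytes(rng.getrandbits(8) for _ in range(CODE_BYTES))
    enrolled, stranger = new_code(), new_code()    # constructed, unrelated codes
    same_eye = flip_bits(enrolled, 0.08, rng)      # noisy re-scan of the enrolled iris
    full = b"\xff" * CODE_BYTES
    lashes = b"\x00" * 32 + b"\xff" * 224          # one eighth of the probe occluded
    return {
        "identical": iris_distance(enrolled, enrolled, full, full),
        "same_eye": iris_distance(enrolled, same_eye, full, lashes),
        "stranger": iris_distance(enrolled, stranger, full, lashes),
    }

if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:9s} d = {d:.3f}  accept = {accept(d)}")
```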
Attacks on iris scan
o Good photo of eye can be scanned
▪ To prevent, scanner could use light to be sure it is a “live” iris
▪ Detect hippus – natural fluctuation of diameter of pupil at 0.5 Hz (but can’t differentiate between real or false hippus)
Iris scan is the only biometric that can achieve zero false accepts with automatic recognition
Hand Geometry
o Popular form of biometric
o Measures shape of hand
o But human hands not unique
o Sufficient for authentication in many situations, but doesn’t work for identification
o Advantages
▪ Quick – 1 minute enrollment, 5 second recognition
o Disadvantages
▪ Cannot use on very young or very old
▪ Relatively high equal error rate
Equal Error Rate (EER) Comparison
o Fingerprint EER – 5%
o Voice recognition EER – 1% (i.e. 10^-2)
▪ Face recognition worse
o Hand geometry EER – 10^-3
o Iris scan EER – in theory 10^-6
▪ But hard to achieve in practice – need extremely accurate enrollment phase
o Most biometrics much worse than fingerprint
o Useful for authentication but much less useful for ID
o Combining biometrics not necessarily better
Enrollment vs. Recognition
o Enrollment phase
▪ Subject’s biometric info put into database
▪ Must carefully measure required info
▪ OK if slow and repeated measurement needed
▪ Must be very precise
▪ Weak point of many biometric schemes
o Recognition phase
▪ Biometric detection when used in practice
▪ Must be quick and simple
▪ Still needs to be reasonably accurate
Potential complication – uncooperative subjects
o Identification problem typically has uncooperative subjects
o Authentication problem usually has very cooperative subjects
GOOD TERM PROJECT: research state of the art speaker recognition algorithms for user authentication and implement as iPhone app
Speaker/voice recognition
o EER of 1%
o Attacks – reconstruct new message from recordings of speaker (get snippets, phonemes)
o NSA has test data for evaluating speaker recognition systems
o Speaker recognition – want to maximize differences between voices, speech recognition wants similarities to get words
General biometric attacks
o Allow poor enrollment
o Collusion
o Environmental issues
o Health – cold, etc
o “Goats” – people for whom biometric does not apply or work well
▪ Exceptions that have to be made can be exploited by attacker
Ideal biometric
o universal
o distinguish with certainty
o permanent – physical characteristic being measured never changes
o collectable – easy to collect required data
o safe, easy to use, etc.
Status of biometrics
o Hard to forge
▪ But attacker could steal or photocopy necessary biometric, or subvert the software or database
o How to revoke a broken biometric?
▪ If someone takes over your biometric, you can’t change yours
o Not foolproof!
o Biometric use is limited today but will probably change in the future
Often used as a 2-factor identification