Methods of Biometric Authentication

Methods of authentication involve verifying the identity of an individual. The verification is usually obtained by the individual demonstrating something he knows, something he has, or something he is. The most traditional forms of authentication rely on the individual providing a username combined with a password, thus demonstrating something the user knows.

Biometric authentication methods are gaining popularity since hacking techniques have rendered traditional authentication methods ineffective. Combinations of usernames and passwords may be easily compromised using dictionary attacks or rainbow tables. Biometric authentication methods do not produce hashes of user input, which makes capturing and decoding user input all but impossible.

Biometric authentication relies on demonstrating something the individual is rather than something the individual knows. This renders biometric authentication less prone to an attack through duplication than traditional authentication methods. There are essentially three types of biometrics, which include physical biometrics, behavioral biometrics, and cognitive biometrics.

Physical Biometrics

Physical biometric systems are by far the most common. Most marketed physical biometric systems scan an individual in some manner for distinguishing characteristics. These scans essentially create images of the “individual's fingerprints, hands, face, iris, or retina” (Reference for Business, 2011). Physical biometric scanners make up roughly 86 percent of the biometric market.

Iris scanning measures the most stable individual characteristic because an individual’s iris pattern does not change from the time of birth. However, iris and retinal scanning require the individual’s eye to be in very close proximity to the scanner so people tend to prefer other methods. This may explain why iris and retinal scanners have not overtaken the market.

Whichever type of physical characteristic a biometric system measures, the end result is to create a template of an authorized individual’s biometric characteristics through a computer analysis of the scans. The template, which is a very large alphanumeric key, is created when the individual enrolls in the system. Future authentication scans are then compared to the template and access is granted or denied according to how closely a future scan matches the template (Reference for Business, 2011).

Behavioral Biometrics

Behavioral biometric authentication relies on measuring an individual’s voice patterns, signature characteristics, or typing style. Behavioral biometrics effectively “substitutes ‘the way you do something’ for ‘something you are.’ (Electronic Payments Week, 2005, p.1). Voice patterns can be easily captured and are unique between individuals. A problem with using voice patterns is that background noise may influence an individual’s attempt to authenticate into a system and create a false negative or block an individual who should be granted access.

Typing characteristics and signature dynamics are much more reliable measures than voice recognition because there is no background noise problem. Typing characteristics measure how someone types. The measured characteristics are the dwell time and flight time while typing a particular phrase. Dwell time is the amount of time that a user’s finger remains on a particular key while typing and flight time is the amount of time a user takes when moving between keys. When a user sets up an account, the user is prompted to type a particular phrase several times. The system measures the characteristics for the user while the user types that particular phrase. The user later types the same phrase while authenticating.

Biometric authentication based on signature dynamics work in a similar manner. “A new user can sign his or her signature several times, and the system measures things like pen pressure and pen speed, thus making that signature impossible to forge as far as the authentication system goes” (Electronic Payments Week, 2005, p.1). This method of authentication is simple for the user and provides a reasonable amount of certainty that the user is who he or she claims to be because not only must the signature match the individual’s signature but the signature must be signed in the same way.

Cognitive Biometrics

Cognitive biometrics is relatively new to biometric authentication. Simple forms of cognitive biometric authentication cause an individual to relate something from the past. Security questions for certain forms of Internet access rely on this form of cognitive biometric authentication, which causes a user to think. However, this simple form of cognitive biometrics presents some of the same problems as password authentication; a shoulder surfer could watch an individual answer the questions then duplicate those answers in the future.

Avalon Biometrics (n.d.) presented a more complex form of cognitive biometrics, which had a patent granted for an interface between an individual’s brain and a machine to measure cognitive responses to tasks.

A pattern of blood flow velocity changes is obtained in response to a set intelligence task, which is used to form a 'mental signature' that could be repeatedly recognized, in an automated man-machine interface system. The system is designed to go beyond passive recognition, but rather to set a desired level of 'mental performance', before access is gained into the system. (Avalon Biometrics, n.d.).

This form of cognitive biometric creates a signature based on an individual’s thought patterns, which would likely be the most difficult patterns to duplicate.

Concerns of disembodied fingers used to circumvent fingerprint scanners were prevalent in the early days of biometrics and are still concerns today although technology has improved significantly since those early days. Incorporating temperature sensors in fingerprint scanners can help prevent a cold finger from being used to gain access. Bayly, Castro, Arakala, Jeffers, and Horadam (2010) mentioned the possibility that “Fake biometrics like gummy fingerprints, face masks or pre recorded voice could be presented by attackers at the sensors of a system” (p. 69). These possibilities would require manufacturers to include mechanisms to ensure that the biometric credentials originated from the presenter.

Building public confidence in biometric authentication methods posed serious problems to the biometric authentication system’s industry. Charndra and Calderor (2005) related the concerns of activist groups that claimed that biometrics are intrusive and provide for even greater reductions in personal privacy and liberty. “Unlike conventional identifiers (such as passwords and tokens), biometrics are inextricably linked to a specific person and cannot be changed, replaced, or modified” (p. 104). In the present age, individuals seem somewhat more likely to trade some privacy for security but the likelihood of the continuation of this trend is in question.

A final concern of individuals toward biometrics involves the central repositories used by the systems. Electronic Payments Week (2005) suggested that these repositories may be hacked into by an intruder. Such actions would devastate businesses and individuals alike; “opening consumers--and businesses—to having all their assets stolen from all their accounts, instead of from just one” (p. 1).

The effectiveness of biometric systems is tied to the ability of the systems to distinguish between samples from a given population. Biometrics do not provide for an undisputable determination. Charndra and Calderor (2005) stated “the literature defines biometrics as distinguishable (rather than unique) physiological and behavioral traits that may be used for identification and authentication” (p. 195). The definition provides that when a biometric sample matches a template the identity is considered a probable match, not an indisputable identification.

There are two stages to biometric authentication. The first stage is enrollment, when an individual registers with the system and creates the biometric template. The second stage is verification, when an individual presents a biometric scan to compare with the template. An individual could experience a problem with the scans during either stage. DigitalPersona promotes a fingerprint scanner that the company claims maintains a 90 percent success rate for enrollments and a 100 percent success rate for verifications. This means that 10 percent of the population experiences problems enrolling with the system.

Jain and Ross (2004) claimed that multibiometric systems, those employing more than one type of biometric scan, increase the effective likelihood that a probable match is in fact a true identity by matching more than one characteristic. These systems also reduce the possibility that an individual could successfully spoof the identity of another individual. An intruder attempting to use a finger mold would also need to copy another trait, such as the victim’s writing dynamics.

Charndra and Calderor (2005) stated that another limitation to the effectiveness of biometric devices is the degrees to which those devices are able to make probable matches after natural occurrences such as aging. An older person’s physical characteristics change with age and biometric devices must be able to match templates with samples even after these changes occur. Similar situations arise after certain types of surgery that alter appearance or accidents involving the loss of a limb. The alternative to biometric systems that cannot adapt to these changes would be to require the subject to reregister with the system after such changes occur, which would increase the cost of ownership.

The most common available hardware based biometric systems include fingerprint scanners and iris scanners. Software biometric systems include those that measure typing dynamics and signature characteristics. The cost to implement these systems depends on the type of system, the location of the system, and the number of users.

Centralized deployment of a fingerprint scanner would cost around $1200 for the DigitalPersona U. are U. scanner (Grotta, 2001). One security enhancement of this model is the device’s ability to encrypt an image while the image is acquired. Other devices send an un-encrypted image to the connected computer and require the computer to encrypt the image. Confidentiality should require an image to be encrypted before transmission to prevent tampering. Fingerprint scanners such as this are good choices for physical access control mechanisms.

Biometric Protection from unauthorized access to desktop computers has traditionally been accomplished using fingerprint scanners, such as the one mentioned above. These scanners can be cost prohibitive on a large scale. However, Yang (2002) described the Panasonic Authentication Iris Recognition Camera, which was designed for desktop authentication. The list price for the device is $239 or just over a quarter of the cost of the U. are U. fingerprint scanner. The declining cost of desktop computers combined with the low cost of this iris recognition technology should put desktop authentication on the plate for every major corporation.

Network access may now be affordably protected using software based typing dynamics with BioPassword 4.5 from NetNanny, “which tie a unique physical characteristic to an individual's network account to provide positive user identification. BioPassword links the specific typing style and patterns to a user's password for a flexible and secure solution” (Monro, 2001). Net Nanny offers a tiered pricing structure for the software ranging from $100 for a 50-user license to $40 for a 4,000 user license.

The traditional method of authentication, which uses a username and password to demonstrate something you know, no longer provides adequate protection to the confidentiality, integrity, and availability of organizational information assets. Passwords are easily compromised through brute-force methods or simply through observation. Another form of authentication is needed to provide adequate protection to information assets and systems.

Biometric authentication methods are replacing the traditional authentication methods to provide more adequate protection. There are three types of biometric authentication, which include physical biometrics, behavioral biometrics, and cognitive biometrics. Biometric authentication methods replace something you know with something you are, in the case of physical biometrics; or with something you do, in the case of behavioral or cognitive biometrics.

Although biometric authentication systems may effectively provide better protection for information systems, there are certain valid concerns that are slowing down the wide-spread implementation of these systems. These concerns include the possibility that a biometric authentication system may grant an unauthorized person access to systems or that the central repository of biometric templates may be compromised. However, improvements in the technology and the introduction of multibiometric systems are gradually leading the public toward acceptance of the technology.

The cost to implement a biometric authentication system depends on a number of variables, such as the location of the devices and the number of users. However, matched with the commodity-like cost of desktop computers, biometric authentication systems are becoming more affordable for organizations of all sizes. The low cost of protecting information systems and network transactions using biometric authentication methods should provide an incentive to implement this type of solution.

• Bayly, D., Castro, M., Arakala, A., Jeffers, J., & Horadam, K. (2010). Fractional biometrics: Safeguarding privacy in biometric applications. International Journal of Information Security , 9 (1), 69-82. doi:10.1007/s10207-009-0096-z
• Chandra, A., & Calderor, T. (2005). Challenges and constraints to the diffusion of biommetrics in information systems. Communications of the ACM , 48 (12), 101-106. Retrieved from EBSCOhost.

• Jain, A. K., & Ross, A. (2004). Multibiometric systems. Communications of the ACM , 47 (1), 34-40.