In the late 1970s, there was a rumor that research was being done on using the brain’s alpha waves as a unique identifier of a person. It was posited that alpha wave activity could be measured using electroencephalography (EEG) or magnetoencephalography (MEG) as someone walks through a portal.
There are a few potential problems: alpha waves are most common during relaxed wakefulness with eyes closed (rather than during alert activity such as walking) and their frequency is very low (about 10 waves per second) permitting only a small sample to be read. However, the concept behind the rumor points to the pot of gold at the end of the authentication rainbow: the ability to positively identify someone without them touching anything or requiring them to interrupt their activity — the goal as yet only seen in science fiction.
The first factor in positive access control relies on a credential that is physical, e.g., a card (what you have); memorized, e.g., a password (what you know) or a measurable aspect (biometric) of the person, e.g., fingerprint (what you are).
Card systems are becoming more and more sophisticated in their capability for multiple uses and also in their security. For example, HID Global’s Secure Identity Object (SIO) and Trusted Identity Platform (TIP) frameworks; however, on its own, validating an access card does not verify or validate the person — only the credential.
Password systems have evolved as our data has become more important and/or personal. Simple four-digit PINs have been replaced with passwords containing stronger mixes of alpha, numeric and special characters. Their limitations mostly relate to the frailty of the human memory that lead us to either select passwords that are easier to memorize.
Biometric identification has been around for eons: we use many human characteristics to recognize people we know: like face, voice and mannerisms, language, behavior, accents, hairstyle, clothing style and even eye color. Fingerprint, hand geometry and signature dynamics were three early leaders in a field that has expanded to include facial recognition, scanning of the iris, and blood vessel patterns in the eye, wrist, back of the hand, and the palm.
To be a candidate for biometrics, the characteristic under consideration must meet a number of criteria:
• The biometric must be measurable in real time — waiting an extended period of time at a door while a DNA sample is processed is far from acceptable.
• The biometric must be reducible to a template that can be recordable and searchable for comparison. Again, the processing time needs to be within fractions of a second to be acceptable.
• The characteristic must be sufficiently different to uniquely and repeatedly identify that person; and it should be stable over time.
• The biometric feature must be very difficult to falsify — for example, height and weight could easily be replicated, but blood vessel patterns would require extraordinary measures to synthesize.
A live biometric measurement never exactly matches the owner’s stored template, so some leeway is given to the acceptance/rejection threshold. On many biometric systems, error rates are adjustable, in some cases on a per-person basis to accommodate special characteristics. Examination of the point where errors are the same — the “Crossover Point” — enables comparison of different biometric systems.
Many biometric systems are based on hands. The PalmEntry2 from Fujitsu uses near-infrared light to measure vascular patterns in the palm. The device requires the blood in the veins to be flowing so the dismembered hand of a once authentic individual is not a valid credential. Taking the biometric measurements does not require contact with the sensor — the palm is held about two inches above the reader — and is not affected by surface skin conditions on the palm. It can include multi-factor authentication by adding PIN and/or card technologies.