Security Biometrics 101

May 13, 2011
Two years ago I fell in love with a biometric product. I walked by a booth on the 3rd day of the ASIS show and stopped to watch as individuals enrolled into the system as fast as I have ever seen any biometric system enroll a person. As soon as an individual had enrolled, they could stand at the appropriate distance and a second or so later receive a green signal to proceed. I was pleased by the performance and tried the system a few times to be sure that what I had witnessed was real. It turned out to be AOptix Technologies, a Campbell, Calif.-based iris innovator, who launched their first “iris at a distance” product, the InSight VM, early in 2009. I liked the company and product so much that I introduced them to Brian Tuskan, Sr. Director at Microsoft Global Security, and subsequently, after an extensive testing period, we installed an AOptix Technologies InSight at the entry to the Microsoft Global Security Operations Center (GSOC). (http://www.aoptix.com/news-events/press-releases/74-insight-iris-recogntion-news-microsoft-global-security)

A little background on “Iris” vs. “Retina”:

Iris recognition is a method of biometric authentication that uses pattern-recognition techniques based on high-resolution images of the irides of an individual's eyes. Not to be confused with another, less prevalent, ocular-based technology, retina scanning, iris recognition uses camera technology, with subtle infrared illumination reducing specular reflection from the convex cornea, to create images of the detail-rich, intricate structures of the iris. Converted into digital templates, these images provide mathematical representations of the iris that yield unambiguous positive identification of an individual. (http://en.wikipedia.org/wiki/Iris_recognition)

My take: As with so many interesting things in the realm of security, I started researching biometrics.
Jeff Carter of Forbes.com sums up my thoughts: Ever since the first lock and key or digital log-in and password were created, logical security and physical security have always been two separate concepts. Technologists have searched for decades attempting to find a converged solution and narrow the gap between protecting one's identity and controlling access to physical and virtual interactions. (http://www.forbes.com/2011/05/05/user-names-passwords.html) I could not have said it better.

Now, how quickly does technology change the biometrics industry, and just what makes up the field of biometrics? Moore’s law (http://en.wikipedia.org/wiki/Moore's_law) is very active in this security segment. Not only is technology accelerating research, but we are finding more ways of capturing biometric data. Some scoff at the idea of emerging biometrics, saying that the identification technology as a whole is still emerging. In reality, however, fingerprints have been used to identify criminals for nearly a century, and around the world biometrics are used to gain access to buildings, get cash at ATMs and authenticate online transactions. The days when biometric scanners were merely props in James Bond movies are gone. The North American market appears to be on the precipice of a change. Use cases for secure authentication are everywhere, and the technology foundations to enable biometrics have matured. (http://www.thirdfactor.com/2011/03/23/biometric-trends-will-emerging-modalities-and-mobile-applications-bring-mass-adoption)

What are Biometrics?

Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic. Among the features measured are: face, fingerprints, hand geometry, handwriting, iris, retina, vein, and voice. Biometric technologies are becoming the foundation of an extensive array of highly secure identification and personal verification solutions.
As the level of security breaches and transaction fraud increases, the need for highly secure identification and personal verification technologies is becoming apparent. Biometric-based solutions are able to provide for confidential financial transactions and personal data privacy. The need for biometrics can be found in federal, state and local governments, in the military, and in commercial applications. Enterprise-wide network security infrastructures, government IDs, secure electronic banking, investing and other financial transactions, retail sales, law enforcement, and health and social services are already benefiting from these technologies. Biometric-based authentication applications include workstation, network, and domain access, single sign-on, application logon, data protection, remote access to resources, transaction security and Web security. Trust in these electronic transactions is essential to the healthy growth of the global economy. Utilized alone or integrated with other technologies such as smart cards, encryption keys and digital signatures, biometrics are set to pervade nearly all aspects of the economy and our daily lives.

Utilizing biometrics for personal authentication is becoming convenient and considerably more accurate than current methods (such as the use of passwords or PINs). This is because a biometric links the event to a particular individual (a password or token may be used by someone other than the authorized user), is convenient (nothing to carry or remember), is accurate (it provides for positive authentication), can provide an audit trail, and is becoming socially acceptable and cost effective. (http://www.biometrics.org/html/introduction.html)

An interesting side note: Apple Patent Shows Future of Biometrics Isn’t Security. A recent Apple patent and a strongly worded report from the National Research Council suggest that the future of biometrics lies with personalization, not security. The U.S. Patent and Trademark Office last week granted Apple a patent for biometric-sensor handheld devices that recognize a user by the image of his or her hand. In the not-too-distant future, anyone in the house could pick up an iOS device — or a remote control or camera — and have personalized settings queued up just for them. The patent (which Apple first applied for in 2005) protects handheld devices with one or more “touch sensors” — buttons, touchscreens or other interfaces — on any of the device’s surfaces. These sensors can take a pixelized image of a user’s hand, match it to a corresponding image on file, and configure the device’s software and user profile accordingly.

A quick Biometric History:

Biometric history indicates that the science did not originate in a single place. People all over the world were using the basics, mainly to tell individuals apart. We'll explain biometric history in brief over the next few paragraphs. The history of biometrics dates back a long way. Possibly the earliest known instance of biometrics in practice was a form of fingerprinting used in China in the 14th century, as reported by explorer Joao de Barros. Barros wrote that Chinese merchants were stamping children's palm prints and footprints on paper with ink so as to differentiate the young children from one another. This is one of the most primitive known cases of biometrics in use, and it is still being used today.

Apart from its Chinese genesis, use of biometrics was also noted elsewhere in the world. Up until the late 1800s, identification largely relied upon "photographic memory". In the 1890s, an anthropologist and police desk clerk in Paris, Alphonse Bertillon, decided to fix the problem of identifying convicted criminals and turned biometrics into a distinct field of study. Bertillon developed a technique of multiple body measurements which later got named after him - Bertillonage.
His method was then used by police authorities throughout the world, until it quickly faded when it was discovered that some people shared the same measurements and, based on the measurements alone, two people could be treated as one. After the failure of Bertillonage, the police started using fingerprinting, which was developed by Richard Edward Henry of Scotland Yard, essentially reverting to the same methods used by the Chinese for years.

Biometric history in the recent past (three decades) has seen drastic advancements, and the technology has moved from a single method (fingerprinting) to more than ten prudent methods. Companies involved with new methods have grown into the hundreds and continue to improve their methods as the technology available to them also advances. Prices for the hardware required continue to fall, making systems more feasible for low and mid-level budgets and thus more adoptable in small businesses and even households. A great place to review the timeline (according to Google) is: (http://www.google.com/#q=history+of+biometrics&hl=en&prmd=ivns&tbs=tl:1&tbo=u&ei=jkrMTdfJBc3r0QHJ0fHoBg&sa=X&oi=timeline_result&ct=title&resnum=11&ved=0CG4Q5wIwCg&bav=on.2,or.r_gc.r_pw.&fp=33231368492673a0)

Some areas of research, products and things I found interesting:

Three biometric technologies are on the cutting edge of defeating the privacy and “spoofing” hurdles: eyeball reflexes, palm-vein patterns, and revocable biometric tokens. The focus here is primarily on the “spoof proof” aspect of improving biometric technology and only minimally addresses the active debates over the privacy concerns. When an individual “spoofs” a biometric system he/she defeats the device’s security by using a phony sample. Biometric researchers must be aware of these deficiencies and vulnerabilities and must strive to assure that the authentication process is reliable.
Eyeball Reflexes:

Two Japanese scientists are working to tackle the spoofing and privacy hurdles by combining eyeball reflexes (saccade response) with unique ‘blind spot’ data points. The proposed development will not necessitate the secret storage of biometric information, and the researchers claim that the targeted biometric data is “spoof proof.” Their research indicates that “blind spots” alone are insufficient because of the potential to fraudulently copy a blind spot through complex surgery or high-tech contact lenses. However, the additional use of eyeball reflexes (saccade response) protects the identification system from replication. Specifically, the identification system places a visual target inside and outside the individual’s known blind spot. The system then seeks to track and record the resulting reflexes of the eyeball. These triggered reflexes in turn produce unique information that can identify and authenticate a particular user. Eyeball reflexes are unique and are seemingly impossible for an imposter to copy since they are “beyond conscious control.” This research team is also experimenting with other potentially unique

Palm-Vein Patterns:

In another measure to increase the reliability of the authentication process, some industries are moving from fingerprints to palm-vein patterns. This technology uses an infrared scan to examine the veins in an individual’s palm. Palm-vein patterns are unique to individuals, even individuals that share the same DNA. In fact, an individual user will have unique vein patterns even between a left hand and a right hand. Displaying confidence in the difficulty of “spoofing” someone’s unique vein pattern, one commercial developer claims that the key to security is “in the palm of your hand.” This developer has successfully installed the palm-vein technology in ATMs and is planning on integrating the technology for mobile phone security.
Health care providers and hospitals are potentially a great target for this type of biometric identification. In 2007, a hospital in North Carolina installed these palm-vein scanners for identification of patients. Rather than storing a picture of the individual’s palm, the individual is assigned a unique identification number, thereby reducing privacy concerns from leaked information. The hospital administrators felt that the technology would increase patient security because it would minimize the potential for “leaking” private information (i.e. social security numbers) during the registration process of the patient.

Competitive graduate admissions tests are also beginning to utilize this palm-vein scanning technology in the hope that this biometric system will reduce cheating. Fingerprint identification has not proved sufficiently “spoof proof” for takers seeking admission into top business schools. Select testing locations utilized these biometric devices in late 2008 and worldwide use is expected by the summer of 2009. This application of the palm-vein biometric technology will store a digital image of the vein pattern. Proponents of the technology feel confident that these vein scans are significantly more difficult to spoof than the traditional fingerprint scan. Regardless of the additional safeguards, privacy advocates argue that personal biometric information should only be stored for a set period of time, and then destroyed or revoked. However, currently the palm-vein scans are intended to permanently remain in the student’s file. The proponents of the technology rebut the privacy argument by pointing out that you “can’t leave a vein pattern at a crime scene;” therefore, the risk that a governmental authority will improperly seize the biometric information and use it to connect the individual to a crime is inconsequential.

Revocable Biometric Tokens:

The privacy advocates raised issues of revocability in the permanent storage of the palm vein patterns.
These advocates and other prudent consumers care about revocability. Individuals, at their convenience, can typically open and close bank accounts, cancel credit cards, and change passwords and security protocols. However, in the realm of biometrics, revocability has not been the standard. Individuals cannot “easily” change their biometric identifiers: fingerprints, palm prints, gait, retina, etc. The biometric industry is realizing that revocability must be incorporated into the technology as an additional safeguard for individual privacy.

One approach to revocability is the use of “biotokens.” There are four reasons why these biotokens exhibit increased privacy: (1) a biotoken may combine multiple human identifiers (i.e. the combination of a fingerprint and an iris scan), (2) a biotoken may add a level of encryption to the authentication and storage process which “provides cryptographically strong protection of the original biometric data,” (3) a biotoken may be stored in an alternate location from the original biometric identifiers, and (4) the revocable nature of the biotoken may allow for the token to expire and a new token to be issued without the re-collection of the original biometric identifiers.

A Colorado-based company, Securics Inc., is exploring the benefits of biotokens; their unique biotokens are called ‘Biotope revocable identity tokens.’ The company’s self-proclaimed goals are to enhance security while protecting privacy. The website indicates that Securics offers the only commercially available revocable biotokens for face and fingerprint.
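To make points (2) and (4) concrete, here is a toy cancelable-template scheme. It is an added example written for this post, not Securics' Biotope algorithm or any product's code; the template size, key names, flip count and match threshold are constructed assumptions. A binary template is XORed with a pad derived from a revocable key (HMAC-SHA256 in counter mode). Because XOR with the same pad cancels out, the Hamming distance between two tokens made under one key equals the distance between the raw samples, so approximate matching still works on tokens alone; the server never holds the raw template or the key, and a stored token can be re-issued under a new key from the token and the two keys, without a fresh capture of the biometric.

```python
import hashlib
import hmac
import random

# Constructed toy parameters: a 256-bit binary template (real iris or vein codes are
# far longer) and a Hamming-distance acceptance threshold chosen for the demonstration.
TEMPLATE_BYTES = 32
MATCH_THRESHOLD = 40   # max differing bits (out of 256) still accepted as the same subject


def keystream(key: bytes, n_bytes: int) -> bytes:
    """Deterministic pad derived from a revocable key: HMAC-SHA256 over a counter."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n_bytes]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_token(template: bytes, key: bytes) -> bytes:
    """Revocable token = raw template XOR pad(key). Without the key the token reveals
    nothing about the template; with the same key, distances between tokens are preserved."""
    return xor_bytes(template, keystream(key, len(template)))


def rekey_token(token: bytes, old_key: bytes, new_key: bytes) -> bytes:
    """Re-issue a stored token under a new key without re-capturing the biometric:
    token XOR pad(old) XOR pad(new) == template XOR pad(new)."""
    delta = xor_bytes(keystream(old_key, len(token)), keystream(new_key, len(token)))
    return xor_bytes(token, delta)


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def verify(stored_token: bytes, probe_token: bytes, threshold: int = MATCH_THRESHOLD) -> bool:
    """Server-side decision made on tokens only; raw templates never reach the server."""
    return hamming_distance(stored_token, probe_token) <= threshold


def noisy_capture(template: bytes, flips: int, rng: random.Random) -> bytes:
    """Constructed fresh capture of the same subject: 'flips' distinct bits differ from enrollment."""
    bits = bytearray(template)
    for pos in rng.sample(range(len(template) * 8), flips):
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)


def demo() -> dict:
    rng = random.Random(2011)   # constructed seed so the run is repeatable
    enrolled = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))   # subject A, raw template
    impostor = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))   # unrelated subject B
    key_v1 = b"subject-A-key-v1"   # constructed; held on A's side, never stored by the server
    key_v2 = b"subject-A-key-v2"   # constructed replacement issued after revoking v1

    stored_v1 = make_token(enrolled, key_v1)        # the only thing the server keeps
    fresh_a = noisy_capture(enrolled, 20, rng)      # later capture of A: 20 bits differ
    fresh_b = noisy_capture(impostor, 20, rng)      # later capture of B
    probe_a = make_token(fresh_a, key_v1)
    probe_b = make_token(fresh_b, key_v1)

    # Revocation: the server re-keys its stored token; A's side switches to key_v2.
    stored_v2 = rekey_token(stored_v1, key_v1, key_v2)

    return {
        "same_user_distance": hamming_distance(stored_v1, probe_a),   # == distance of the raw samples (20)
        "impostor_distance": hamming_distance(stored_v1, probe_b),    # roughly half the bits
        "accept_same_user": verify(stored_v1, probe_a),
        "accept_impostor": verify(stored_v1, probe_b),
        "rekey_matches_fresh_enrollment": stored_v2 == make_token(enrolled, key_v2),
        "old_key_rejected_after_revocation": not verify(stored_v2, probe_a),
        "new_key_accepted_after_revocation": verify(stored_v2, make_token(fresh_a, key_v2)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The pad is a one-time secret per key, so the scheme only protects the template while the key stays on the user's side; anyone holding both a token and its key recovers the raw template, which is why the key must be held separately from the token store (point 3 above). The threshold has to be set from the measured distance distributions of genuine and impostor captures for the real sensor, not picked as here.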
The Biotope technology “transforms the original biometric signature into an alternative revocable form (the Biotope) that protects privacy while it supports a robust distance metric necessary for approximate matching.” The company describes some additional advantages of this technology as follows:

Network infrastructure is continually compromised by attacks involving man-in-the-middle key exchanges, dictionary attacks, and phishing. Standard biometrics and even secure ID tokens are not immune. Loss from these attacks is estimated to be as high as 3.2 billion dollars. Revocable Biotope tokens are impervious to these issues. At the core of our bio-cryptographic protocols is a Biotope token that is unique on a per transaction basis. This approach completely prevents known attacks; non-public transmitted data is never reused. The Biotope technology supports nesting, allowing stored tokens to be used to generate new tokens in real time — something no other privacy enhanced biometric technology can do.

The initial commercial function for these biotokens is an authentication application for Web-based transactions; however, the company is hoping that the Biotope token will be expandable for use in drivers’ licenses and passports.

Conclusion:

Eyeball reflexes, palm-vein patterns, and revocable biometric tokens are three examples of cutting-edge biometric technologies, each with a unique approach to spoof proofing and enhancing the privacy of the underlying data. Other approaches to making a biometric device more secure might include adding a password or an additional biometric device. Spoof-proof technology is an underlying hope for the biometric industry. Many researchers hope to achieve this goal and to create such a technology. Other researchers assert that there is no technology that is spoof proof. These researchers insist that the key to security is to stay technologically ahead of the bad guys.
‘Staying ahead of the bad guys’ is the theme that is driving the biometric industry. Regardless of some of the existing biometric shortcomings, the industry, as a whole, is excelling in today’s economy. An FBI statement made while announcing a $1 billion biometric contract illustrates this sentiment: "Due to the many issues associated with identity theft, lost and stolen documents, and the ability to spoof standard name-based identity management systems, coupled with the rapid advances in technology and the nation's focus on combating terrorism, there are increasing needs for new and improved identification services." (http://www.ncstl.org/evident/Jan09%20Mitchell%20ResearchFocus)

An interesting side note: If Motorola's and AT&T’s recent patents are any indication, biometric controls are coming for cell phones. AT&T envisions a means to unlock your phone with your voice, while Moto has begun developing a means to use a cell phone to deliver a “shocking message” to your body on command. Wow, got to love that! (http://www.crunchgear.com/2007/09/01/patentmonkey-biometric-cell-phone-developments/)

Voice biometrics:

Voice biometrics identifies speakers using only their vocal characteristics. The concept is similar to other well-known biometric technologies, such as fingerprint and face recognition. All methods are based on physiological identifiers unique to every individual. In voice biometrics, these identifiers are related to the shape of the vocal tract. During enrollment of new speakers, the identifiers, also known as features, are extracted from several voice samples and are used to create a voice template, or voiceprint, which is stored in the system's database. The voice template describes the distribution of the features, but does not contain actual voice samples. During verification, the features are extracted from the test segment and compared with a single voice template or a set of voice templates.
The result of this comparison is a numerical score describing the likelihood that the same speaker who created the voice template is speaking in the test segment. Comparing this numerical score with a threshold yields a binary accept/reject decision. This process can be repeated for several voice templates, providing one-to-many identification results. (https://www.sans.org/reading_room/whitepapers/authentication/exploration-voice-biometrics_1436)

On the lighter side:

While Japanese banks have been using the technology for a few years, now Hitachi has introduced a vending machine that eschews coins and credit cards for the veins in your fingers. Hitachi's proprietary biometric authentication system requires that users first register an account (probably linking their vein pattern to a credit card), but it allows one to purchase, say, a delicious can of green tea or icy cold black coffee by inserting a cautious hand into a machine for a quick scan. Of course, the system exploits your identity a bit in the process, using age and gender information on file to display an appropriate video ad while you enjoy your refreshment. But hey, if a public Coke machine light-probing your innards doesn't bother you, why should a quick sales pitch? (http://gizmodo.com/5325528/vending-machines-bill-you-via-your-veins)

The Japanese ATMs use three-factor authentication for transactions–card, PIN and a vascular biometric, says Walter Hamilton, a senior consultant at ID Technology Partners and chairman of the International Biometrics and Identification Association. (http://www.thirdfactor.com/2011/03/23/biometric-trends-will-emerging-modalities-and-mobile-applications-bring-mass-adoption)

FaceOnIt implements a biometric face recognition technology for the mobile phone industry, with the aim of demonstrating the use of this technology on a mobile device. It allows a user to enroll their face and later verifies that the user facing the camera is the one enrolled.
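The enroll, score, threshold and one-to-many loop described for voice biometrics above (and used the same way by a face verifier such as FaceOnIt) can be sketched end to end. The following is an added example written for this post, not code from the SANS paper, from Idiap, or from any product; the real feature extractor is replaced by a constructed Gaussian stand-in, and the feature count, noise level, seed, speaker names and threshold are assumptions. A voiceprint is stored as a per-feature mean and standard deviation (no raw samples are kept), a test segment is scored as a log-likelihood ratio against a pooled background model, the score is compared with a threshold for accept/reject, identification takes the best-scoring template, and a threshold sweep shows the false-accept/false-reject trade-off that any probabilistic matcher carries.

```python
import math
import random
import statistics

FEATURE_DIMS = 8       # constructed: a handful of vocal-tract-shape features per segment
ENROLL_SAMPLES = 5     # voice samples combined into one voiceprint
STD_FLOOR = 0.4        # keeps a lucky enrollment from yielding an over-confident model


def extract_features(speaker_truth, rng, noise=0.5):
    """Stand-in for the feature extractor: a constructed sample around the speaker's true vector."""
    return [m + rng.gauss(0.0, noise) for m in speaker_truth]


def enroll(samples):
    """Build a voiceprint from several samples: per-feature mean and std. No samples are stored."""
    dims = list(zip(*samples))
    return {
        "mean": [statistics.fmean(d) for d in dims],
        "std": [max(statistics.pstdev(d), STD_FLOOR) for d in dims],
    }


def _log_likelihood(features, model):
    return sum(
        -0.5 * ((x - m) / s) ** 2 - math.log(s) - 0.5 * math.log(2 * math.pi)
        for x, m, s in zip(features, model["mean"], model["std"])
    )


def score(features, voiceprint, background):
    """Per-feature average log-likelihood ratio: 'this speaker' versus 'the population'.
    Positive means the segment resembles the enrolled speaker more than a typical voice."""
    return (_log_likelihood(features, voiceprint) - _log_likelihood(features, background)) / len(features)


def verify(features, voiceprint, background, threshold):
    """One-to-one: the binary accept/reject decision."""
    return score(features, voiceprint, background) >= threshold


def identify(features, voiceprints, background, threshold):
    """One-to-many: best-scoring enrolled speaker, or None if nobody clears the threshold."""
    best_id, best_score = None, -math.inf
    for speaker_id, vp in voiceprints.items():
        s = score(features, vp, background)
        if s > best_score:
            best_id, best_score = speaker_id, s
    return best_id if best_score >= threshold else None


def build_population(n_speakers, rng):
    """Constructed population: true vectors, enrollment samples, and held-out test segments."""
    truths = {f"spk{i}": [rng.uniform(-3, 3) for _ in range(FEATURE_DIMS)] for i in range(n_speakers)}
    enroll_sets = {sid: [extract_features(t, rng) for _ in range(ENROLL_SAMPLES)] for sid, t in truths.items()}
    tests = {sid: [extract_features(t, rng) for _ in range(ENROLL_SAMPLES)] for sid, t in truths.items()}
    voiceprints = {sid: enroll(samples) for sid, samples in enroll_sets.items()}
    background = enroll([seg for samples in enroll_sets.values() for seg in samples])  # pooled model
    return voiceprints, background, tests


def error_rates(voiceprints, background, tests, threshold):
    """False accept rate (impostor claims accepted) and false reject rate (genuine claims rejected)."""
    fa = fr = impostor_trials = genuine_trials = 0
    for claimed, vp in voiceprints.items():
        for actual, segments in tests.items():
            for seg in segments:
                accepted = verify(seg, vp, background, threshold)
                if actual == claimed:
                    genuine_trials += 1
                    fr += 0 if accepted else 1
                else:
                    impostor_trials += 1
                    fa += 1 if accepted else 0
    return fa / impostor_trials, fr / genuine_trials


def rates_at(threshold, seed=1436):
    """(FAR, FRR) for one threshold over a constructed 10-speaker population."""
    voiceprints, background, tests = build_population(10, random.Random(seed))
    return error_rates(voiceprints, background, tests, threshold)


def demo(threshold=0.0, seed=1436):
    rng = random.Random(seed)
    voiceprints, background, tests = build_population(10, rng)
    far, frr = error_rates(voiceprints, background, tests, threshold)
    unknown = extract_features([rng.uniform(-3, 3) for _ in range(FEATURE_DIMS)], rng)  # never enrolled
    return {
        "far": far,
        "frr": frr,
        "identified_spk3": identify(tests["spk3"][0], voiceprints, background, threshold),
        "identified_unknown": identify(unknown, voiceprints, background, threshold),
    }


if __name__ == "__main__":
    for th in (-2.0, -1.0, 0.0, 1.0, 2.0):     # sweep: raising the threshold trades FAR for FRR
        far, frr = rates_at(th)
        print(f"threshold {th:+.1f}: FAR={far:.3f} FRR={frr:.3f}")
    print(demo())
```

Two things the sweep makes visible: no single threshold drives both error rates to zero, and the operating point is a policy choice (a door at a security operations center wants a low false-accept rate; a vending machine can tolerate a higher one for convenience). The same structure, with a different extractor and score, applies to iris, vein and face matchers.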
FaceOnIt is the output of the project MOBIO, which developed new mobile services secured with biometrics. Such services include accessing the device itself, apps or private data on the device, or online services. FaceOnIt is powered by a face recognition Software Development Kit (SDK) developed at the Idiap research institute in Switzerland. (http://www.idiap.ch/technology-transfer/demonstrations/faceonit)

Virtually indestructible, the Dunhill Biometric Wallet will open only with the touch of your fingerprint. It can be linked via Bluetooth to the owner’s mobile phone – sounding an alarm if the two are separated by more than 5 meters! This provides a brilliant warning if either the phone or wallet is stolen or misplaced. The exterior of the wallet is constructed from highly durable carbon fiber that will resist all but the most concerted effort to open it, while the interior features a luxurious leather credit card holder and a strong stainless steel money clip. (http://www.dunhill.com/en-us/shoponline/leather/wallets/biometric-wallet-qgk0169)

An interesting side note: “Using biometric identification is a non-repudiable process that links one identity to whatever business process the person associated with that identity is doing,” Marius Coetzee, COO of Ideco Biometric Security Solutions, explains. “You cannot lend your fingerprint, and it cannot be stolen and used without you noticing. So, when a biometric is used to authorize a transaction, that evidence will stand up in court; a lost card or forgotten password will not. We will see the use of biometrics increasing in the financial world over the next decade, eventually replacing insecure cards and PINs completely. This will not only happen for financial staff, but the physical and logical transactions of customers as well. Someone can easily steal your card and observe your PIN, but faking a fingerprint or iris is not that easy.”

So, where is the government in all this?
Evidently the Department of Defense (DoD) has a “Biometrics Identity Management Agency”.

Biometrics Identity Management Agency Mission: The Biometrics Identity Management Agency leads Department of Defense activities to program, integrate, and synchronize biometric technologies and capabilities and to operate and maintain DoD's authoritative biometric database to support the National Security Strategy.

Biometrics Identity Management Agency Vision: The Biometrics Identity Management Agency is a premier organization dedicated to protecting the nation through the employment of biometric capabilities.

On July 13, 2010, BIMA celebrated a milestone — 10 years of DoD biometrics. Who would have thought that what began as a simple way of using new technology could have such far-reaching policy and mission impacts on DoD and across the federal government in such a short time? (http://www.biometrics.dod.mil/default.aspx)

The U.S. government is spending $25 million this fiscal year to road test a universal secure identity card loaded with biometric and personal data and tied to government "watch lists." Though the program is aimed at simplifying the security checks that airport personnel and other transportation workers must go through, privacy experts are warning of unintended consequences. The card, known as the Transportation Worker Identity Credential (TWIC), will allow workers at the nation's railways, ports, mass transit agencies and airports to carry a single card to access secure areas within these facilities. Currently, many of these workers have to carry several individual cards.
(http://www.msnbc.msn.com/id/6680324/ns/technology_and_science-tech_and_gadgets/t/tsa-widens-testof-biometric-ids)

A new jointly commissioned report from DARPA, the CIA, and Homeland Security has concluded that the current state of biometrics–the technology that can identify individuals based on unique characteristics such as fingerprints, retinal and voice patterns, or facial features–is “inherently fallible.” The report argues that the technology may be used for certain small-scale tasks; however, it will cause major problems if utilized in a wide-scale framework. There are two main problems, the report argues, with the current state of biometrics. First, the systems rely on probabilistic results and so inherently carry a certain degree of uncertainty. Second, the technology assumes that the parameters it uses are static. Humans are mushy bags of tissue and organic material–our bodies change over time due to injury, disease, age, or any number of variables. This can lead to false negatives or the inability to create an ID at all. (http://www.geek.com/articles/gadgets/report-biometrics-are-inherintly-flawed-name-tags-still-work-20100929/)

Chris Hills CPP, CRMP is the 2011 ASIS Puget Sound (Greater Seattle) Chapter Chair, Member of the ASIS Information Technology Security Council, Certification Board Member - Certified Risk Management Professional (CRMP) for Governance, Risk & Compliance International (GRCSI), ITT School of Criminal Justice – Advisory Committee Member, Low Voltage University - Advisory Board Member, SecurityInfowatch.com blogger and Managing editor of Securityinterviews.com (http://www.linkedin.com/in/chrisonsecurity)