A Brief Intro to Biometrics (Summer, 2000)
------------------------------------------
By Cxi~

A new area of physical security that has become increasingly popular, and will become exponentially popular as its uses are more easily implemented and its need is more clearly seen, is Biometrics or Bio-access. Access to what? Biometrics is not just to be used for access to buildings or computers, but will soon be used for access to your bank account, your credit cards, or even to make a phone call.

Biometric systems grant access based on personal identification, which is based on a preprogrammed pattern of recognition, providing not only identification but also verification. In order for this to work, we must keep in mind the theory that physiological traits are unique for everyone.

I will give you a quick synopsis of what occurs when you use a biometric system. The process for identification begins with a request for recognition by a person who submits certain biological information. This is then compared to an existing database. The speed of this process all depends on the size of the database, size of the usually large file, and processing speed of the computers. New compression technology is shrinking the file size of this "bio 411," allowing for a larger capacity to process large amounts of comparison data. For the most part, biometrics requires contact with body parts. Because of the chances of disease transmission, video and laser scanning are being implemented in many applications to eliminate the need for anyone to touch anything.

With the constant use of computers today, securing access and information is no longer a business matter, but something that people have to be concerned about in their private lives as well.

There are seven common biometric categories being used today. Fingerprint, hand geometry, retina scan, iris scan, facial geometry, voice verification, and signature verification are all considered a part of biometric security.

Fingerprint analysis is the oldest and most commonly known form. But this has evolved from the old ink and paper system. Current systems take video images of the fingerprint and break it down into various components. The ridges on the fingerprint are converted into mathematical keys so that each fingerprint is really a series of mathematical equations. Also, using more fingers for identification means a more accurate verification process. But this also means doubling, tripling, or even quadrupling the storage size needed. Higher resolution of the systems allows for more of these equations, which in turn results in greater accuracy. Initial reading and storage can take anywhere from five to ten seconds and verification only about one or two seconds.

Hand geometry is very similar to fingerprint systems and is actually just an extension of them. It creates mathematical equations usually based on the height, width, and length of the hand. This could lead to a possible problem with very identical twins who have the same hand size.

Retinal scans require the examination of the eye at a close range (about one to two inches). This is very intrusive and long and therefore has only been implemented in places with very high security requirements.

An iris scan makes a mathematical map of the iris (area around the pupil). With an estimated 200 points within the iris, it is fairly easy to do so and can be very discriminating depending on how many points are processed. Since eye color is not the issue, black and white cameras (which translates to cheaper systems) can be used to capture the image, which will be stored and compared to a live scan during the next verification process. This is much more accurate than hand geometry because even members of the same family, including those very identical twins, will have different iris scans.

Face geometry is the result of hand and finger recognition.
It takes a video image and selects facial points in order to make a decision to grant access. The most common use determines the distance between two points on the face. Another use involves measuring heat spots with an infrared camera (which translates to more expensive systems). This avoids problems created by objects that may cover the face.

Voice verification has also become increasingly popular. It analyzes voice pitch, speed, and pattern and forms it into a personal digital signature. Many systems have been made more accurate by requiring a standard word pattern to be used for reference identification and confirmation. This is also a system that avoids disease transmission because it requires absolutely no physical contact.

Signature verification divides a person's signature characteristics into two parts: those that remain constant and those that change. This usually requires using an integrated writing tablet system and can be very costly.

There have also been many different implementations of these kinds of bio-access. Many require some form of card access that is verified by one of the previously described methods. This makes the verification process much quicker since the computer merely compares the live data to the data matching the owner of the card as opposed to searching the entire database for a match (or to not find a match). Future technology will use smart cards to hold the comparison data themselves and therefore eliminate the need for larger, quicker databases to store and process these large bioinformation files. But can you just imagine what would happen if someone (and you know they will) figured out how to hack one of those smart cards? People would be able to create their own identities pretty easily and gain access to restricted places without much effort on their part, since the computer let them in. And computers never lie, kid (sorry... lame ass "Hackers" quotation. I know... but it had to be done).

Also, compatibility is an issue.
Many manufacturers of these systems use different protocols and therefore you can't have a "universal file" to be used on all security systems everywhere... yet. But obviously this is something the government (Department of Defense) would want and supports not only with words but also with funding supplied by the National Registry. With the possibility to keep every person's unique characteristics on file (not to mention what else would be possible) and maybe not even need to store the file on your own computer with the new smart cards, wouldn't you prefer to do this? A committee known as Bio-API has been formed to look into creating standards for the industry. Another standard developed by many industrial developers, the government, and even MIT is the Speaker Verification-API (SVAPI). There is a free software developer's kit online, which I suggest you download if you're a Windoze person (95 and NT).

Biometrics itself is such an intrusive and invading procedure that many have said it needs its own form of security. However, as of yet there is no law or regulation governing the sale or transfer of biometric information that is legally acquired. This means that if you apply for a job and are required to submit to a biometric scan, the controlling agency provides absolutely no protection for your private information. There is a pending California bill, AB50, which is attempting to stop the copying of biometric information.

Another issue for concern is the efficiency of such systems. Are they really needed? Are people going to stop using ATMs or banks because they can't stand to wait for that damn iris scan only to learn that they can't get their money because of some system bug? Well, the National Biometrics Test Center has developed testing standards for evaluating the performance of biometric access equipment, previously only performed by the manufacturers.
The best chance for standardization has come from the National Computer Security Association, which has created a certification program for systems and system components such as scanners that will set error rates based on a standardized testing method.

Now, we can look at this new technology any way we choose. If it's left in the hands of the private and business sectors, and used in ways that don't discriminate or eliminate people's options for doing things, this can be a great thing and an added level of security for people in their homes, and for businesses fearing corporate espionage or whatever paranoia they may have. However, if placed in the hands of the government, we could be giving them one more power that would enable them to control and monitor our lives. Depending on where these systems are made, the government could be able to watch when we come and go from our houses, log on to our computers, take money from an ATM, or even see what pay-per-view movies we buy. That, my friends, is a very scary thought and something I hope I never have to think of as a reality.

Shouts: ASleep, glock, minus, LordViram, and the rest of the ct2600 crew!
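
The card-assisted verification and the smart-card concern described above, sketched as an added example (not part of the original article): one comparison against the record a card names versus a search of the whole database, and a reader that checks an issuer's tag before trusting a template stored on the card. The random bit-map templates, the 0.30 threshold, the HMAC sealing scheme, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import random

POINTS = 200       # the article's estimate of points within the iris
THRESHOLD = 0.30   # assumed: largest fraction of differing points that still matches

def distance(a, b):
    """Fraction of points that differ between two bit-map templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def identify(live, db):
    """1:N search of the whole database; returns (user or None, comparisons)."""
    best = min(db, key=lambda uid: distance(live, db[uid]))
    return (best if distance(live, db[best]) <= THRESHOLD else None), len(db)

def verify(live, claimed_id, db):
    """1:1 check against the record the card names; returns (ok, comparisons)."""
    enrolled = db.get(claimed_id)
    return (enrolled is not None and distance(live, enrolled) <= THRESHOLD), 1

def seal(key, card_id, template):
    """Issuer's HMAC tag binding a template to one card id (assumed scheme)."""
    msg = card_id.encode() + b"\x00" + bytes(template)
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_card(live, card, key):
    """Template-on-card check: authenticate the card's data, then match."""
    good = seal(key, card["id"], card["template"])
    if not hmac.compare_digest(good, card.get("tag", b"")):
        return False   # template was not issued for this card id
    return distance(live, card["template"]) <= THRESHOLD

# Constructed data: random bit maps standing in for enrolled scans.
rng = random.Random(2000)

def scan():
    return [rng.randint(0, 1) for _ in range(POINTS)]

def rescan(template, flips=20):
    """Same person, new capture: the first `flips` points read differently."""
    return [bit ^ (i < flips) for i, bit in enumerate(template)]

DB = {f"user{i}": scan() for i in range(500)}
KEY = b"constructed-issuer-key"
CARD = {"id": "user42", "template": DB["user42"], "tag": seal(KEY, "user42", DB["user42"])}
OTHER = scan()     # someone who was never enrolled
FORGED = {"id": "user42", "template": OTHER, "tag": CARD["tag"]}  # matches its bearer only
print(identify(rescan(DB["user42"]), DB), verify_card(rescan(OTHER), FORGED, KEY))
```

The forged card's template does match the person carrying it, so a reader that compared the live scan to the card without checking the tag would grant access under the claimed id.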