security

Definition

Biometric Authentication

Biometric authentication verifies a user’s identity by measuring biological or behavioural characteristics. It is an instance of inherence-based authentication: something the subject is.

Categories

Passive

Definition

Passive Biometric Authentication

Passive biometric authentication verifies identity by measuring a biological characteristic of the user without requiring any active participation beyond presenting the trait.

It is a form of biometric authentication.

Active

Definition

Active Biometric Authentication

Active biometric authentication verifies identity by measuring a behavioural characteristic that requires the user to perform a specific action.

It is a form of biometric authentication.

Desired Characteristics

Universality

Every user of the system must possess the trait.

Uniqueness

The trait should be sufficiently different between individuals such that it can be used to distinguish one individual from the others.

Measurability

The trait must be measurable in a quantitative way. Data can be collected in a form that permits subsequent processing and extraction of relevant features.

Permanence

The trait should not vary too much over time. The matching algorithm should be resistant to small measurement changes.

Unforgeability

The trait should be difficult to forge or imitate.

Performance

The trait should be quick, accurate, and efficient to measure and compare.

Error Measures

Deviations

Deviations must be taken into account when comparing biometric traits.

  • Face recognition: glasses, beard, haircut
  • Fingerprint: sweating, dirt on the reader

This tolerance may lead to mistakes — false positives and false negatives.

False Acceptance Rate (FAR)

Measures the security of the system: how many unauthorised users are given access.

False Rejection Rate (FRR)

Measures the usability of the system: how many authorised users are denied access.

Equal Error Rate (EER)

The equal error rate represents a good compromise between security and usability. The tolerance value is chosen so that .

A different value can be chosen depending on the actual security and comfort requirements.
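
Added example (not part of the original notes): a tolerance sweep over constructed match distances that computes FAR and FRR at each tolerance, finds the equal-error point where the two rates are equal, and shows a stricter security-first choice. The distance values, the "accept if distance <= tolerance" rule and all function names are assumptions made for illustration.

```python
# Constructed sample data: distance between a presented sample and the enrolled
# template (lower = more similar). Not measurements from any real system.
GENUINE = [0.08, 0.11, 0.12, 0.15, 0.17, 0.19, 0.22, 0.24, 0.31, 0.38]   # authorised users
IMPOSTOR = [0.21, 0.29, 0.33, 0.36, 0.41, 0.44, 0.47, 0.52, 0.58, 0.63]  # unauthorised users


def far(tolerance, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostor attempts accepted (distance <= tolerance)."""
    return sum(d <= tolerance for d in impostor) / len(impostor)


def frr(tolerance, genuine=GENUINE):
    """False Rejection Rate: share of genuine attempts rejected (distance > tolerance)."""
    return sum(d > tolerance for d in genuine) / len(genuine)


def sweep(genuine=GENUINE, impostor=IMPOSTOR):
    """(tolerance, FAR, FRR) at every observed distance, the only points where the rates change."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in sorted(set(genuine + impostor))]


def equal_error_point(genuine=GENUINE, impostor=IMPOSTOR):
    """Row where |FAR - FRR| is smallest; with finite samples the curves may not cross exactly."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def tolerance_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Security-first choice: the loosest tolerance whose FAR stays at or below max_far."""
    ok = [row for row in sweep(genuine, impostor) if row[1] <= max_far]
    return max(ok, key=lambda row: row[0]) if ok else None


if __name__ == "__main__":
    print("tolerance   FAR   FRR")
    for t, a, r in sweep():
        print(f"{t:9.2f}  {a:4.0%}  {r:4.0%}")
    t, a, r = equal_error_point()
    print(f"equal-error point: tolerance={t}, FAR={a:.0%}, FRR={r:.0%}")
    t, a, r = tolerance_for_max_far(0.0)
    print(f"no false accepts:  tolerance={t}, FAR={a:.0%}, FRR={r:.0%}")
```

On this data, tightening the tolerance from the equal-error point until no impostor is accepted doubles the share of authorised users who are rejected.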

Typical Values

| Biometric Feature | Typical FAR (in %) | Typical FRR (in %) |
|---|---|---|
| Fingerprint | 0.001 … 2 | 0.1 … 5 |
| Iris recognition | 0.0001 … 1 | 0.1 … 2 |
| Face recognition | 0.5 … 2 | 1 … 3 |
| Hand geometry | 1 … 4 | 1 … 5 |

Attacks

Spoofing

Many attack techniques against biometrics have been successful.

  • Face recognition: usage of photos, masks, 3D reconstructions.
  • Fingerprint: creation of artificial fingers with stolen fingerprints.

Liveness Detection

Liveness detection can counter spoofing attacks.

  • Fingerprint: measuring blood pressure or blood flow.
  • Iris scanning: analysis of pupil movement.

Advantages and Disadvantages

| Advantages | Disadvantages |
|---|---|
| No need to remember any authentication information if used as the unique factor. | Generally inapplicable on the Internet. Privacy issues: users are not willing to share biometric data online. |
| Authentication information cannot be forgotten or lost. | Reliability problems: bypasses due to different users with similar biometric traits. |
| | Revocation is difficult or impossible. What to do in case of forging? |