Secure Biometrics Authentication: A brief review of the

Literature
Fahad Al-harby, Rami Qahwaji, and Mumtaz Kamala

School of Informatics, University of Bradford BD7 1DP, UK


Abstract— this paper presents a brief overview of the literature in the field of Biometrics authentication, The advent of the Internet
saw technological innovations such as Biometrics device, in particular fingerprint reader, as an electronic equivalent to manuscript
authentication in the online environment. However, the use of this technology is still insignificant. The aim of this paper is to review the
various studies that have explored the technical and legal issues associated with Biometrics authentication with an objective to provide
insights on their lack of acceptance.

Index Terms— Authentication, Biometrics, e-transaction, Fingerprint

INTRODUCTION

Biometric authentication is one of the most exciting technical improvements of recent history and looks set to change the way
in which the majority of individuals live, Security is now becoming a more important issue for business, and the need for
authentication has therefore become more important than ever. The use of biometric systems for personal authentication is a
response to the rising issue of authentication and security. The most widely used method of biometric authentication is fingerprint
recognition. This paper is organised as follows: by now, the reader is already familiar with the content of section one which
consisted of an introduction followed by the concepts of Biometrics in section two, the study objectives and the hypothesis in
section three and four, followed by the investigation methods in section five, section six will consist of the selection of the
participants. Section seven will illustrate how the investigation was conducted and which methodological choices were made.
This is followed by the survey in section eight. Finding and results in section nine. In the final section the conclusions and
recommendations will be proposed as well as suggestions for further research in sequence in section ten and eleven.

LITERATURE REVIEW

The term biometrics comes from the Greek words bios, meaning life, and metrics, meaning measure. Biometrics can be defined as
measurable physiological and/or behavioural characteristics that can be utilized to verify the identity of an individual, and include
fingerprint verification, hand geometry, retinal scanning, iris scanning, facial recognition and signature verification [1]. Biometric
authentication is considered the automatic identification, or identity verification, of an individual using either a biological feature
they possess physiological characteristic like a fingerprint or something they do behaviour characteristic, like a signature [2]. In
practice, the process of identification and authentication is the ability to verify and confirm an identity. It is accomplished by
using any one or a combination of the following three traditional identification techniques: something you possess; something you
know; or something you are [1].

 Something you possess: often referred to as a token and can be produced from a multitude of different physical objects. There
are two basic types of tokens in use today: manual and automated. If a token is described as manual it means that the
identification process requires some form of human intervention; in other words, a person will make the final decision of
whether an identity is approved or not. Good examples of manual tokens are paper ID documents and passports. Automated
tokens, on the other hand, do not involve human intervention in the identification process, but rather the identity is verified
by a system/computer such as magnetic-stripe cards, memory cards, or smart cards [1].

 Something you know: the knowledge should not be commonly held, but secret. Examples of regularly used secrets are
passwords, pass-phrases, and personal identification numbers PINs.
 Something you are: recognizing an entity through what "they are" requires measuring one or more of their biological features.
Biological features can be either physiological characteristics like fingerprints or behavioural traits like an individual's
signature [1, 2].

The following table outlines a comparison between passwords vs. tokens vs. biometrics [3-5].

- Can be forged and used without the knowledge of the original holder. For example,
Tokens a forger can "steal an identity" and create a fake ID document using another
person's information.

- Can be lost, stolen or given to someone else.

Passwords - Can be obtained or "cracked" using a variety of techniques such as using
programs/tools to crack the password.
- Can be disclosed. If the password is disclosed to a person they will be able to gain
access to information for which they are not authorized.
- Can be forgotten which will place a further burden upon an organization’s
administration.

- Cannot be forged [5]

Biometrics
- Can be destroyed, and a biometric characteristic's ability to be read by a system
can be reduced. An individual's fingerprints, for example, can be affected by cuts and
bruises and can even be destroyed by excessive rubbing on an abrasive surface [4].
Also, Accuracy of Biometrics depends mainly on the software that is dealing with
them.
Table 1: Passwords vs. Tokens. vs. Biometrics

Biometric characteristics can be separated into two main categories [1] :

 Physiological characteristics are related to the shape of the body. The trait that has been used the longest, for over one hundred
years, are fingerprints; other examples are face recognition, hand geometry and iris recognition.
 Behavioural characteristics are related to the behaviour of a person. The first characteristic to be used that is still widely used
today is the signature.

Generally, physical and behavioural characteristics used by biometrics include the following taxonomy [6] :

Figure 1: physical and behavioural characteristics used by biometrics

Source: Adapted from source - Zhang, D. [6]. Automated Biometrics: Technologies and Systems, Norwell, MA: Kluwer Academic Publishers.
 The accuracy of a Biometrics system is measured by:

 FMR False match or acceptance rate: the lower the biometric identification system's FMR, the better the security. FMR
means the rate at which the biometric measurements from two different individuals is mistaken to be from the same
individual [5].
 FNMR False non-match or rejection rate: the lower the biometric identification system's FNMR, the easier the system is
to use. FNMR means mistaking two biometric measurements from the same individual to be from two different
individuals [5].
In summary, all biometric systems work in similar ways, but it is important to remember that the ease of enrolment and quality of
the template are critical success factors in the overall success of any biometric system [7] .

Allan [7] provides a list of some of the strengths, weaknesses and suitable applications for each biometric methodology:

Figure 2: Strengths, Weaknesses and Suitable Applications

Source: Adapted from source - Allan, A. [7] “Biometric Authentication: Perspective.” Gartner Research, ID Number: DPRO-
95808.

Today there are several biometric characteristics that are in use in various applications. Each biometric has its own strengths and
weaknesses, and suitable applications for each biometric methodology. There are no particular biometrics which may successfully
meet the requirements of all applications. Depending on the application’s usage and the biometric characteristic’s features we are
able to suitably match a particular biometric to an application [5]. Explain that the fingerprint- and iris-based techniques are more
accurate than the voice-based technique. Nevertheless, in a phone banking application, the voice-based technique might be
preferable as the bank could integrate it seamlessly into the existing telephone system.
The following table briefly compares five biometrics according to seven parameters [5] .

Figure 3: Comparison of Biometrics

Harris and Yen [8] take into account the advantages and disadvantages of biometric identification systems which can be
summarized in the following two figures:

Figure 4: Summary of Biometric advantages

 Figure 5: Summary Of Biometric Disadvantages
Source: Adapted from source - Harris, A. J. and Yen, D. C. [9] "Biometric authentication: assuring access to information."
Information Management and Computer Security 10(1): 12-19.

To summarize, the advantages and disadvantages of the biometric identification system require assessment by the organization in
order to determine the most appropriate identification technique for their business purposes.

A number of studies have been carried out in several countries by prospective users, vendors, and governments. The following is
a sampling of these studies: A six month study was carried out in the UK in April 2004 to assess processes and record testimony
of user experiences and attitudes to incorporate biometric information into new passports and the proposed national identity card.
10,016 users joined in the study which used facial, iris and fingerprint biometrics. Six static and one mobile centre in different
regions of the UK were used to gather data. The study covered the testing of the use of biometrics through a simulated application
process; measurement of the process times; assessment of customer perceptions and reactions; testing fingerprint and iris
biometrics for one-to-many identification and testing; and facial, iris and fingerprint biometrics for one-to-one verification.
However, the outcome of this study revealed high enrolment times: on average 8 minutes and 15 seconds, and 10 minutes and 20
seconds for disabled participants. A recommendation by the study’s organisers was presented for example a number of such as
good design and management of the enrolment, environment is significant to accomplish high success rates; a number of
measures require to be put in place for the enrolment of disabled people; improved processes for failed enrolments are necessary;
testing is essential. The UK’s National Health Service NHS have adopted the use of biometric authentication with about 11,000
employees enabled with fingerprint recognition technology in over 60 hospitals, and with over 30,000 employees able to access
patients records remotely. In a recent ISL Biometrics assessment in a UK Bank, 91 per cent of clients seemingly favoured
biometrics over user-name/password authentication systems. In the USA, United Bank provides a fingerprint sensor for their
clients to access their account rather than using a username and password. In addition Westpac is reported to be carrying out an
assessment of biometric security technology that would issue clients with biometric fingerprint devices to allow them to access
their accounts online. JCB Japan, a financial services organisation, undertook a biometric authentication trial using fingerprint
authentication for mobile access to JCB's on-line card member account inquiry service. According to the Civil Aviation
Authority of Singapore, a project at Singapore's Changi Airport known as Fully Automated Seamless Travel (FAST) is expected
to decrease traveller processing time from 15 minutes or longer to two minutes by using fingerprint and facial recognition
equipment.

Woodward, Webb, Newton, Bradley and Rubenson [10] identified that people related concerns as a major hindrance to the
acceptance of a biometric system. The concerns raised can be divided into three major areas:
• Informational privacy;
• Physical privacy;
• Religious objections.
These concerns are what might be labelled “emotional” issues as they are driven by a fear of loss of privacy or a fear of physical
harm.

The following concerns relating to information privacy were identified:

1- The “function creep” is the process of using information for something other than for what it was initially intended [5,
10].
2- The “tracking” is a concern many people share given that access to data relating to a individual, governments could start
to develop into “Big Brother” institutions capable of tracking a citizen’s every move [5, 10].
3- The final concern is the misuse of data [10]; for example, the capture and abuse of biometric information in an online
environment .

Many biometrics have a certain stigma attached to them and can prevent people from using the system comfortably.
Fingerprinting, for example, has an undeserved stigma from association with criminal activities [5, 10], and, because of this, users
feel that they are being criminalised when asked to give a fingerprint, especially when this fingerprint submission is a mandatory
event. Concerns relating to actual harms can include physical harm to an individual from the sensor; for example, the laser used
in retinal scanning, as well fear that an impostor might want to sever a limb, such as a finger, in order to bypass the biometrics
system [5, 10]. Another concern raised regarding working within the iris recognition industry is whether eye infections such as
conjunctivitis are transferable by the camera. Users of the touch-based biometric scanners also often fear the transmission of
illness and bacteria through the use of scanners [5, 10].

Different countries have different cultures and religious beliefs which govern business and social practices, and people will be
hesitant to adopt practices considered contrary to their cultural or religious dictates. Many Christians, for example, believe
biometrics represent the “Mark of the beast” as described in Revelation [5, 10] and this could result in prohibiting their use. In
addition women’s facial recognition would be prohibiting in some Muslim countries such as Saudi Arabia.

CONCLUSION

Biometric authentication is one of the most exciting technical improvements of recent history and looks set to change the way in
which the majority of individuals live. The literature review has served to expand the concepts behind biometric authentication,
give explanations of how such systems work and to estimate their effectiveness. The point is not to support the reader with deep
knowledge of the main physiological biometrics: fingerprint, hand geometry, facial recognition, and iris recognition, but rather to
show how these biometrics are surprisingly alike in design. They all function and mainly use of the same techniques. In this
review, the most important physiological and behavioural biometrics have been reviewed and it has become clear that the inner
workings of behavioural biometric systems are overall significantly more complex than physiological systems. Using multiple
biometrics in one application is one of most interesting aspects of the research, and an approach has been introduced to evaluate
the possibility of employing biometrics in a central database environment. This approach allows a single biometric to be used in
multiple applications and multiple biometrics to be used in a single application. The use of biometrics will become an
increasingly essential part of our lives, changing the traditional method of transactions like tokens, usernames and passwords. E-
transactions are the way of the future. Financial institutions and banks, along with many other organisations, are being forced to
modify the techniques with which they carry out business. These technological changes have brought with them e-transaction
hackers and identity theft. These cyber crimes have become common and are only expected to increase. However, a more
efficient means of protecting identities and transactions is required to be implemented and the best method of providing such
secure identification at this time is by employing biometric systems.
 REFERENCES

[1] Ashbourn, J., Biometrics: Advanced Identity Verification: The Complete Guide. Springer-Verlag, London, . . 2000:
Springer. 201.
[2] Wayman, J.L. and L. Alyea, Picking the Best Biometric for Your Applications, in National Biometric Test Center
Collected Works. 2000, National Biometric Test Center: San Jose. p. 269-275.
[3] Pfleeger C.P., Security in computing. second edition ed. 1997: Prentice Hall PTR.
[4] Tiwana, A., Web Security. 1999: Digital Press An imprint of Butterworth-Heinemann.
[5] Prabhakar, S., S. Pankanti, and A.K. Jain, Biometrics Recognition: Security and Privacy Concerns. IEEE Security &
Privacy, 2003. 1(2): p. 33-42.
[6] Zhang, D., Automated Biometrics: Technologies and Systems 2000, Norwell, MA: Kluwer Academic Publishers. 331.
[7] ALLAN, A., Biometric Authentication. Perspective. Gartner Research, 2002a: p. 1-31.
[8] HARRIS, A.J. and D.C. YEN, Biometric authentication: assuring access to information. Information Management and
Computer Security, 2002. 10(1): p. 12-19.
[9] Dugelay, J.L., et al., Recent Advantages in Biometric Person Authentication, in ICASSP International Conference on
Acoustics, Speech and Signal Processing. 2002: Orlando, Florida, USA.
[10] Woodward, J.D., et al., Army Biometric Applications: Identifying and Addressing Sociocultural Concerns. 2001:
RAND.