It is the stuff of James Bond films: computer systems that can be accessed via retina scans or fingerprint recognition. But are they really the stuff of pulp fiction? There are signs, that after years of promise and hype, such biometric devices are poised to enter the mainsteam, not just the underground lairs of megalomaniac super-villains out to destroy the world.
Biometrics is a technology that digitises characteristics such as fingerprints and voices and compares them with a version stored in software to verify identity. The technology has been around for decades, but the circumstances for the application of biometrics in a security role for the consumer market is only now falling into place.
Biometrics work because of the physical uniqueness of human bodies. Several more obscure body parts and attributes have been considered biometric possibilities, including the resonance of the skull, the human stride and the configuration of the ear. But currently only the face, the fingerprint, the shape of the hand, the iris and the voice are actually used.
The face is the least intrusive to measure, although it is quickly changeable, so it is best for short-term uses. In Malaysia, US company Visionics supplies an airport security system which takes a picture of each traveller, then uses an algorithm to convert it to a digital template. This is stored on a reusable smart card that contains a computer chip. A similar card is also placed on passengers' luggage, which is cross-matched when they arrive at the departure gate.
The basic premise of biometrics is that a person has a sample of their biometric data captured. A biometric system then goes through a four-stage process to determine whether it matches with another sample. The four stages are capture - a physical or behavioural sample is captured by the system during enrolment; extraction - unique data is extracted from the sample and a template is created; comparison - the template is then compared with a new sample; and match/non-match. The system then decides if the features extracted from the new sample are a match or a non-match with the template.
Biometric systems are often hyped as being foolproof because humans, even identical twins, have unique identifying characteristics, whether it is the crinkle of their eye or the prints on their hands. In fact the systems are not perfect.
According to research conducted by the National Biometric Test Centre at the San Jose State University in the US, some 2% to 3% of people cannot use them at a given time because they do not have the (body) part or the part does not look and work like most people's. But for the remaining 97% of the population, this technology offers security and convenience.
Because of the remaining 3% however, biometric systems must allow for subtle changes in the samples, such as scarring, ageing and so on. For this reason, systems operate within a set threshold of accuracy score.
In this case, the comparison between the template and the new sample must exceed the accuracy threshold before a match is recorded.
In the past, biometric technology has been used to control access to buildings, but it is now being tested in applications ranging from electronic commerce, banking transactions and data security. According to research firm Frost and Sullivan, the biometrics equipment and software markets are expected to be worth around £107 million in 2003.
The changing market is a direct result of today's advanced computer hardware.
The faster, cheaper PCs on the market can handle the data processing needed to verify an identify from a fingerprint, a voice or a face.
As the number of businesses encouraging the formation of a remote workforce and telecommuting increases, so too IT managers need stronger and easier ways to identify and authenticate those users. Mere names and passwords will soon no longer be enough.
One way of improving security is to use a token-based system making use of one-time dynamic passwords. But biometrics provides an even greater level of security.
Police have used the physiological biometric of fingerprints to catch and convict criminals for ages. In fact, the most widespread example of fingerprint technology is the Automated Fingerprint Identification System (AFIS) used by law-enforcement agencies worldwide. The system costs millions of pounds to maintain, but it has proven so successful and speedy that other types of agencies, such as those that administer welfare benefits and regulate border crossings, have installed similar systems.
Some law enforcement and government agencies have adopted face recognition systems as well. The US Immigration and Naturalisation Service (INS) uses a system that measures the three-dimensional configuration of an individual's hand to speed entry for qualified low-risk travellers at airports in Newark, New Jersey, New York and Toronto.
IBM's experimental FastGate system uses a hand, voice or fingerprint to ease business travellers through passport control. IBM's FastGate biometrics system is actually a fast track for passengers in a hurry and with no desire to be held up in the seemingly interminable queues at passport control. A product of the pioneering Hurls Laboratory in the UK, the technology is on trial at Bermuda International Airport.
Fast track for passengers
FastGate identifies travellers by comparing their fingerprints, palmprints or voice patterns with a digital record stored on a central database.
By combining this biometric data with standard personal identification information contained on a plastic swipe card, the system is said to considerably speed up immigration and passport control.
In the UK, Nationwide Building Society has become one of the UK's first financial institutions to evaluate speech verification software to give customers access to accounts. Preliminary tests began this year to establish whether the software is resilient enough to handle the 17,000 calls a day made to Nationwide's three call centres.
Speech verification software could be an alternative to PIN numbers and code words, which customers use to prove their identity to call-centre agents. The software, from Vocalis, would sit on the call-centre server and be incorporated into the bank's existing applications.The software recognises the way an individual pronounced vowels and certain words, although the company admits that 0.7% of calls could fail to be recognised.
Nvisage is a facial recognition system that uses 3D facial scans to verify identity in less than a second. Created by UK company Neurodynamics, the system is now being tested at two unnamed user sites, one of which is a local authority. The product is likely to become commercially available in eight months and is expected to sell for around £10,000.
The system runs on a Pentium 400MHz PC or greater and can be linked to a single camera or scaled up to run on multiple cameras and workstations.
Neurodynamics's biometric technology manager, Mike Dell, says the cost of biometric technology is coming down rapidly, prompting more companies to consider implementations. "There will be lots of people willing to try it," he believes.
To date, IT managers have tended to shy away from biometrics as a result of a series of practical difficulties in administration. Cost has not in itself been a major inhibitor. Fingerprint recognition has an established track record in the law enforcement community and can be computerised fairly cheaply. Compaq, for example, offers a low-cost fingerprint reader as a peripheral to its Deskpro line.
But even if the technology is there, the human factor needs to be built in to any discussion of biometrics, particularly in relation to potential cultural resistance.
Tom Martin, director of ICL's Lifestyle self service programme, says: "We have deployed ICL biometric solutions in about 70 sites around the world, the majority of which are in the US. I would accept however that it is taking off very slowly in the open market. In the UK, there has been a quicker take-up of smart cards than in some other countries.
In the financial services sector, the interest is focused on voice recognition systems. These have to deal with problems such as accent, dialects and how many languages you need to support. I think what will happen is that you will see voice recognition used initially for authentication, but longer term it will move into other areas."
- A widespread commercial adoption of biometrics is unlikely to take place until there are universal standards in place. Such standards should, in theory, make biometric technology consistent, interoperable and interchangeable.
This will in turn encourage more end users to experiment with the technology.
To date there has been precious little interoperability between devices from different suppliers. Equally importantly, there is not a perceived simple manner in which to integrate biometric authentication mechanisms into existing applications.
The result is that the early implementers of biometric technology have found themselves limited to single application implementations based on single vendor product offerings. This clearly limits the use of such technology in any practical sense.
There are now efforts underway to improve the situation. Both IBM and a leading US fingerprint ID company, The National Registry, have posted their own generic APIs. It remains to be seen if they can become de facto standards for developers, but both companies are actively involved with the two major standards organisations in biometrics: the US government-sponsored Biometric Consortium and the commercial International Customer Service Association (ICSA).
There are some existing standards, most notably the Automated Fingerprint Identification Systems (AFIS) standard, which have laid the foundation for today's standards initiatives. There are essentially two AFIS standards: one for the interchange of finger image data; and one for finger image compression.
The AFIS standards have had considerable influence over the biometrics industry thanks to their adoption and implementation by three bodies: the FBI, the UK Home Office and Interpol.
The most controversial of the existing standards is EN5013-1, which is supposed to be used for access control applications in any European Union state. What makes it unpopular among biometrics vendors is that it was put together without consulting any of them.
The Speaker Verification Application Programming Interface (SVAPI) is the first non-proprietary biometric API. Novell is one of the prime movers behind the development of SVAPI with support from the likes of IBM, Motorola, Texas Instruments and various US government departments.
SVAPI aims to give application developers greater choice when selecting and installing technologies from speaker verification vendors. The API is designed to integrate with a range of data and telecommunication networks.
The vendors supporting the initiative are typically those with ambitions to establish a competitive edge in the Internet and telephony markets.
BIOMETRIC TECHNOLOGY GLOSSARY
- Finger scan systems fall into two broad camps: verification systems and Automated Fingerprint Identification Systems (AFIS). Verification systems capture the flat image of a finger and perform one-to-one verification.
AFIS systems can be subdivided into forensic and civil versions. Forensic systems capture images from all 10 fingers to provide more data for forensic - typically criminal - investigations, while civil systems will be based on a few fingers only. There are three types of finger scan capture devices: optical - where the finger is placed against a surface, typically glass, and a picture of the finger is captured; ultra sound - the finger is placed on a surface and an ultrasonic scan is taken; and chip-based - where the fingers are placed directly onto silicon chips. Current AFIS's only use optical scanners. Verification systems use all three types of devices.
- A camera is used to acquire an image of the face from a distance of a few metres away. The system then analyses the geometry of face such as the distance between the eyes and the nose. Most systems feature a face-locating function that searches for faces within the field of view.
Face recognition systems are designed to compensate for glasses, hats and beards. The technology can perform verification and identification.
- This category incorporates hand geometry, single-finger geometry, and two-finger geometry. Hand geometry involves the user placing his hand on a plate, where it is positioned by lining it up with five guide pegs.
The system takes a picture of the hand and examines 90 characteristics, including the three-dimensional shape of the hand, the length and width of fingers and the shape of knuckles. For single-finger geometry, the user places a finger in a plunger and pushes forward into the device.
The system has a set of rollers that roll around the finger and take measurements of 12 cross sections of a 1.5in span of the finger. To use a two-finger geometry system, the user places the index and middle finger on a plate.
- Iris recognition technology involves using a camera to capture an image of the iris. The iris is an excellent choice for identification as it never changes, is not susceptible to injury and contains a pattern unique to the individual. Furthermore, an individual's right and left iris patterns are completely different. There are two types of iris recognition systems: active and passive. In the active system, the user must adjust the camera by moving forward or backward a few inches in order to bring the iris into focus. Further, the user must be within 6in to 12in of the camera.
This requires substantial supervision and instruction. The passive system incorporates a set of cameras to automatically locate the user's face and eye, thereby removing the need to manually focus the camera.
- The user signs a signature on a digitised graphics tablet. Signature dynamics, such as speed, relative speed, stroke order, stroke count and pressure are analysed. The system compares not merely what the signature looks like, but also how the signature is signed.
- The user states a given pass phrase and the system creates a template based on numerous characteristics, including cadence, pitch, tone and shape of larynx. Speaker verification works with a microphone or with a regular telephone handset. Although the voice pattern is determined to a large degree by the physical shape of the throat and larynx, it can be altered by the user. Background noise greatly affects how well the system operates. Because of this, the technology is considered to be less accurate than fingerprint and iris scan technology. It is used solely for verification and requires user co-operation.
- This analyses the way one types. It is a very new technology to the biometrics arena. Users enrol by typing the same word or words many times.
Verification is based on the concept that the rhythm with which one types is distinctive.
USER STUDY: fighting crime in Newham
- Newham Borough Council in east London is the first user of a facial recognition system in a closed circuit television control (CCTV) room application as part of a revolutionary anti-crime initiative. FaceIt, from US firm Visionics, is part of a CCTV-based system called Mandrake.
The Mandrake system uses the FaceIt software in conjunction with other control-room software and hardware to automatically scan the faces of people passing 144 CCTV cameras located around Newham.
The system's specific objective is to reduce crime in Newham by searching for matches in a video library of known criminals stored in a local police database. When the system spots one of those faces, a security officer in the control room is alerted and can then contact the police.
The FaceIt engine makes use of sophisticated algorithms for pattern recognition.
These are an outgrowth of recent discoveries on how the human brain recognises faces, and have been shown to outperform all other leading facial recognition algorithms in recent US government testing.
Malcolm Smith, council director and lead government official in charge of the Newham CCTV system, explains: "Once a face is recognised by the FaceIt recognition tool, it then becomes the responsibility of our operators to make a judgement as to whether to contact the police. Once the police are contacted, they can determine whether the person presents a shoplifting threat, a burglary threat or whatever, and decide whether to take action or not." The Mandrake system provides the police and security officers with a tool that indicates a percentage score of how confident the computer was that the person spotted was one of the individuals in the database.
Newham is at the forefront of CCTV anti-crime measures and is in the process of expanding the system to 240 cameras.
Borough security chiefs believe that there are 10 or so active muggers operating in and around its main shopping area. They also hope to add the facial identities of known paedophiles to Mandrake's automated watch list in the near future.
But the citizens of Newham need have no fears of Big Brother watching them, insists Joseph Atick, Visionics CEO.
"The emphasis here is on responsible use," he argues. "This is not a system that invades the privacy of innocent individuals. First, the only faces in the watch list are those of convicted criminals, who have repeatedly targeted this community. Second, the system is simply designed to perform a real-time comparison of the faces in the live video to those in the watch list. Faces that do not match are immediately discarded."
Instapaper to 'go dark' in Europe until it can work out GDPR compliance
James Robbins of ArrowXL says that AI is no longer 'tomorrow's technology'
Staff told to beware of "unusual sounds" after an employee reported mystery symptoms
Sophisticated malware comprises code previously used to attack Ukraine