When looking at a PC or a printer, we just see a piece of equipment, without really thinking about what makes the system work. Obviously there are physical components that make up a complete PC – CPU, motherboard, screen, hard disk drives, keyboard and mouse – the essential hardware components that are necessary to be able to use the PC. But we rarely think of the Operating System that is at the heart of making the different components work together to make a functioning PC. A PC Operating System is nothing more than a very complex set of logical mathematical equations, and it is not the type of mathematics that we struggled with at school – it can almost be described as a dark art.
The same principle applies to biometric devices. On most biometric devices we see different hardware components that make up the biometric device as a whole. On a Fingerprint Biometric Device, for instance, we will see a fingerprint scanner lens where we place our finger, a screen that informs us if access is granted or denied and maybe a numerical keypad.
But we give very little thought to what makes a biometric device function as a device that can either verify who we are or identify who we are. The quality of the components used is also very important in making a feasible and successful biometric device, but what makes it work as a successful biometric device is the mathematics used to verify or identify the physical biometric attributes of an individual and compare them to what is stored in the system's database.
In biometrics we call this mathematical equation an algorithm, as the specific biometric features of an individual are reduced, via an algorithm, to a mathematical string or a template. This template is stored in some sort of database, and when the user places his or her finger on the fingerprint scanner the algorithm compares the template from the fingerprint scanner to the template stored in the database.
This is true of all biometric devices whether it be fingerprint, palm, iris or facial recognition biometric systems. The unique features of a face can just as easily be reduced to a mathematical string as the unique features of a fingerprint. I use the word “easily” very flippantly because there is nothing easy about the algorithm that converts these unique features to mathematical strings.
There are two functions involved in either verifying a template or identifying a template. The first is the extraction function and the second is the comparison function. Simply put, the extraction function takes the image presented to it from the scanning device and converts it to a mathematical string or template. The second function then compares the extracted template with the template saved in the database, and if enough points of comparison correspond the system will verify or identify an individual.
Biometric algorithms are extremely complex logical mathematical equations, and the complexity of the algorithm ultimately determines the success of the biometric device. To understand why some fingerprint biometric devices use more complex algorithms than others, we need to understand that different algorithms use different levels and quantities of features on the templates.
In fingerprint biometric systems there are three levels for either verification or identification.
- Level 1 uses the loops, whorls and arches which are present in 60-70% of the population. Level 1 is used mainly for one-to-one verification purposes – in other words the system just confirms who I am. It is found more often than not in the cheaper variant of biometric devices and can be subverted with properly faked fingerprints manufactured out of something as simple as candle wax and household silicone sealant.
- Level 2 uses minutiae points such as ridge endings, bifurcations, deltas and ridge dots. Level 2 can give more than 100 reference points for the fingerprint biometric device to use to either verify or identify a specific fingerprint. When the biometric system identifies a template it compares the fingerprint presented to the fingerprint scanner (converted to a template) against all the templates in the database. It is more secure as the algorithm can use more reference points and the possibility of multiple fingerprint templates is negated.
- Level 3 uses both of the above but then also uses unique geographical and dimensional characteristics such as the depth of the fingerprint ridge.
Levels 1 and 2 are used in commercial applications such as Access Control and Time and Attendance, whilst Level 3 is used in systems such as Passport & Entry Control, Law Enforcement and Military applications and is more commonly known by the name of AFIS.
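The comparison function and the difference between one-to-one verification and one-to-many identification can be shown with a small Level 2 style matcher. This is an added example, not code from any biometric vendor: the template layout, the tolerances, the 0.6 threshold and the names `ENROLLED`, `PROBE_ALICE` and `PROBE_STRANGER` are assumptions, and the prints are assumed to be already aligned.

```python
import math

# Constructed Level 2 templates: each minutia is (x, y, ridge angle in degrees, kind).
# This layout is an assumption for illustration; real templates use vendor or
# standardised encodings.
ENROLLED = {
    "alice": [(10, 12, 30, "ending"), (40, 45, 120, "bifurcation"),
              (70, 20, 200, "ending"), (25, 80, 310, "bifurcation"),
              (60, 66, 75, "ending")],
    "bob": [(15, 60, 90, "ending"), (50, 30, 250, "bifurcation"),
            (80, 75, 10, "ending"), (33, 22, 140, "bifurcation"),
            (62, 50, 300, "ending")],
}
# Constructed probes: a noisy, partial re-scan of alice's finger and an unenrolled finger.
PROBE_ALICE = [(11, 13, 33, "ending"), (39, 44, 118, "bifurcation"),
               (71, 22, 205, "ending"), (26, 79, 305, "bifurcation")]
PROBE_STRANGER = [(5, 5, 0, "ending"), (90, 90, 180, "bifurcation"),
                  (45, 10, 60, "ending")]

def matching_points(probe, reference, dist_tol=4.0, angle_tol=15.0):
    """Count probe minutiae that pair with a distinct reference minutia."""
    used, count = set(), 0
    for px, py, pa, pk in probe:
        for i, (rx, ry, ra, rk) in enumerate(reference):
            if i in used or pk != rk:
                continue
            d_angle = abs(pa - ra) % 360
            d_angle = min(d_angle, 360 - d_angle)  # angles wrap around at 360
            if math.hypot(px - rx, py - ry) <= dist_tol and d_angle <= angle_tol:
                used.add(i)  # each reference point may be matched only once
                count += 1
                break
    return count

def score(probe, reference):
    """Fraction of corresponding points, relative to the larger template."""
    return matching_points(probe, reference) / max(len(probe), len(reference))

def verify(probe, claimed_id, threshold=0.6):
    """One-to-one: compare only against the template of the claimed identity."""
    return score(probe, ENROLLED[claimed_id]) >= threshold

def identify(probe, threshold=0.6):
    """One-to-many: compare against every template, return the best match or None."""
    best_id = max(ENROLLED, key=lambda uid: score(probe, ENROLLED[uid]))
    return best_id if score(probe, ENROLLED[best_id]) >= threshold else None
```
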
From the above it is quite clear that certain biometric algorithms are more complex than others and it becomes a question of how secure the end-user wants his biometric system to be.
The more complex the algorithm, the more secure the storage of the template. Not only is an image of a fingerprint converted into a mathematical equation that is exceedingly long and complicated; the more complex algorithms are also encoded in proprietary fashion, almost nullifying the possibility of manually tampering with the template.
Why all the effort in converting an image of a fingerprint into a mathematical equation? Why not just keep an image of the fingerprint on the database and then have the system do a visual comparison?
The answer to this is simple – privacy. In many countries in the world legislation exists that forbids the holding of data that is deemed personal on databases, and nothing can be more personal than a fingerprint. Even in South Africa we have draft legislation that will prohibit the storage of a fingerprint image.
In an opinion piece written for Human Capital Review specifically surrounding the issue of using fingerprint biometrics, Eva Mudely and Lusanda Raphulu of Bowman Gilfillan Attorneys mention the Protection of Personal Information Act (POIPA), which is currently in draft form. In the opinion piece they make specific reference to the following: “Although POIPA does not have the force and effect of law, employers should be guided by its provisions when dealing with employees’ personal information… Employers can thus make highly effective use of fingerprint biometrics in a manner which is beneficial to the organization, but which also protects the privacy the individual employee.”
The next question comes to mind – how simple or how complex is the algorithm that is used in a specific device? How do I make a choice between device A and device B? Is there an independent body that rates biometric algorithms? The answer is yes – there are two actually.
The first is most commonly known as the FVC Ongoing (Fingerprint Verification Competition), which is an independent organization, called bioLab, hosted by the University of Bologna (Italy) but which also has inputs from Michigan State University (USA), San Jose State University (USA) and Universidad Autonoma de Madrid (Spain). It is an on-line facility whereby different algorithms are tested against two ISO standard templates, the first being ISO Standard for commercial applications and the second being ISO Hard for Military/Law Enforcement/Governmental applications. During this test the speed of the algorithm is measured, transaction time is measured and enrolment time is measured, but most importantly it measures the False Acceptance Rate (FAR – I am not on the system but it accepts my template) and the False Rejection Rate (FRR – I am on the system but the system does not accept my template). It is a bit of a seesaw – if the one is high the other is low. The best algorithms keep the best balance between the two, and this is where the Equal Error Rate (EER) comes in. The lower the EER, the more successful and secure the algorithm. An EER of 0,2% is far superior to an EER of 0,8% and translates to the former being 99,8% successful and the latter 99,2%.
The second independent body is IAFIS & FBI, and this body puts biometric algorithms through the most stringent of tests. But if the algorithm is successful it either receives a PIV from IAFIS / FBI or is certified as IAFIS / FBI and is deemed to be suitable for use in Law Enforcement, Passport & Entry control and Military applications. It must however be put on record that not only the algorithm is tested but the whole biometric device gets tested.
Simply put, the mathematical engine powers the biometric device – almost like a car, and there are reasons why some cars have expensive but complex engines and others have inexpensive but DIY engines. Unfortunately, when it comes to security very few can afford to have the DIY engine.
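The FAR/FRR seesaw and the Equal Error Rate can be worked through on a small set of comparison scores. This is an added example, not FVC Ongoing code or data: the score lists `GENUINE` and `IMPOSTOR`, the 0-100 score scale and the function names are constructed for illustration.

```python
# Constructed comparison scores (0-100, higher = more similar); not benchmark data.
GENUINE = [91, 88, 84, 79, 77, 73, 68, 64, 55, 41]   # finger vs. its own template
IMPOSTOR = [12, 18, 22, 27, 31, 35, 39, 44, 52, 66]  # finger vs. someone else's template

def far(threshold):
    """False Acceptance Rate: share of impostor attempts that reach the threshold."""
    return sum(s >= threshold for s in IMPOSTOR) / len(IMPOSTOR)

def frr(threshold):
    """False Rejection Rate: share of genuine attempts that fall below the threshold."""
    return sum(s < threshold for s in GENUINE) / len(GENUINE)

def sweep(thresholds=range(0, 101)):
    """FAR and FRR at every candidate acceptance threshold."""
    return [(t, far(t), frr(t)) for t in thresholds]

def equal_error_rate():
    """Return (threshold, EER) at the first threshold where FAR and FRR are closest."""
    t, fa, fr = min(sweep(), key=lambda row: abs(row[1] - row[2]))
    return t, (fa + fr) / 2

if __name__ == "__main__":
    # A lenient threshold lets impostors in; a strict one locks genuine users out.
    for t in (30, 53, 70):
        print(f"threshold {t}: FAR {far(t):.0%}  FRR {frr(t):.0%}")
    threshold, eer = equal_error_rate()
    print(f"EER {eer:.0%} at threshold {threshold}")
```

Raising the threshold from 30 to 70 drives FAR down and FRR up on this sample, and the two meet at the EER point that the sweep reports.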