Biometrics For Dummies

by: Peter H. Gregory, Michael A. Simon

For Dummies, 2009

ISBN: 9780470507643

Language: English

292 pages, Download: 1142 KB

 
Format: EPUB

Suitable for: all DRM-capable eReaders, Apple iPad, Android tablet PCs, Apple iPod touch, iPhone and Android smartphones


 



Chapter 1

Understanding Biometrics

In This Chapter

Getting a handle on biometrics

Sampling physiological and behavioral biometrics

Defining biometric systems

Protecting biometric systems

Here’s our “nickel tour” of biometrics — well, okay, that’d be a dollar or two in today’s money — back in the day, a nickel tour meant you got a pretty good overall look at something in a short time. This chapter is like that. If you’re going into a meeting about biometrics in thirty minutes, and you don’t want to appear clueless about it, this chapter will show you all the basics you need. But if you’re standing in the bookstore looking for more of a clue, you’re much better off buying the book and taking it home where you can drill deeper into the topics you’re really interested in.

What Biometrics Are and Who’s Using Them

The term biometrics comes from the ancient Greek bios = “life” and metron = “measure.” Biometrics refers to the entire class of technologies and techniques to uniquely identify humans. Though biometric technology has various uses, its primary purpose is to provide a more secure alternative to the traditional access-control systems used to protect personal or corporate assets. Many of the problems that biometrics help to solve are the weaknesses found in present access-control systems — specifically these:

Weak passwords: Computer users are notoriously apt to use poor, easily guessed passwords, resulting in break-ins where intruders can guess another user’s credentials and gain unauthorized access to a computer system. This could lead to a security breach where personal or business secrets are stolen by an outsider. If your password is currently password, 123456, abc123, letmein, or qwerty, please stop reading this book long enough to change it — to the first character of each word in your favorite passage from Moby Dick. We’ll wait.

Shared credentials: In both small and large organizations, we often hear of cases like this: A computer user shares his or her password with a colleague who requires access — even though, in most organizations (and in many security-related laws and regulations), this is forbidden by policy. People by nature are willing to help a colleague in need, though, even if it means violating policy to achieve a greater purpose.

Lost key cards: Many times in our careers we have both found lost key cards in parking lots and other places. Often they have the name of the organization on them, so it’s like finding a key with an address on it, permitting the person who found it a free after-hours tour of some American corporation.

Biometrics can solve all these problems by requiring an additional credential — something associated with the person’s own body — before granting access to a building, computer room, or computer system. An access-control system that utilizes biometrics will include an electronic device that measures some specific aspect of a person’s body or behavior that positively identifies that person. The device might be a fingerprint reader, a digital camera to get a good look at an iris, or a signature pad. (We discuss all the common types of biometrics in the next section.)

Biometric technology as a means of protecting assets has been around for quite a while in some fields. Military, intelligence, and law enforcement organizations have been using biometrics to enhance physical and logical access controls for decades.

But in the past several years, there has been an uptick in the use of biometrics to protect high-value assets. Internet data centers (the kind that lease rack space and cage space to companies that prefer not to build their own fortresses) often use biometrics for admitting personnel to the data-center floor. Fingerprint-biometric devices are showing up everywhere — even built in to laptops, PDAs, and USB drives. Facial recognition is available on a few laptop models. And for protecting businesses and residences, fingerprint-biometric door-lock sets are available at your favorite big-box home-improvement center (though most of these have key-based bypass systems, reducing the actual security you get to the level of a key-based system).

We’ve also seen a grocery-store chain here in Seattle experiment with using fingerprint scanners for checkout-line payment. Walt Disney World in Orlando, Florida uses fingerprint readers for customers who purchase multi-day passes, to ensure that those who reenter the facility on subsequent days are the same people who purchased the tickets on the first day. Everyone who attended Super Bowl XXXV had their faces compared to the faces of known criminals, using biometrics. Anyone entering the United States since September 30, 2004, has submitted prints of both index fingers — and in December 2008 that will extend to all prints from both hands.

Types of Biometrics

Although there are close to a dozen more-or-less effective ways to use biometrics to identify someone, they all fall into two classes (see Figure 1-1): physiological and behavioral.

Figure 1-1: The two classes of biometrics are physiological and behavioral.

Physiological

Physiological biometrics measure a specific part of the structure or shape of a portion of a subject’s body. The types of physiological biometrics include:

Fingerprint: Officially established as a means of uniquely identifying people since around 1900, fingerprints are easily registered and measured — and devices for doing so are small and inexpensive. You can find them built in to laptop computers, PDAs, USB drives, door locks, and even credit cards.

Hand scan: The geometry of an entire human hand is quite unique, almost as much as fingerprints themselves. Usually a hand scan does not measure the fingerprint-like patterns in the fingers and palms, but instead relies on the lengths and angles of fingers, the geometry of the entire collection of 27 bones, plus muscles, ligaments, and other tissues.

Hand veins: If you shine a bright light through your hand, you can see an interesting pattern of veins — and also the bones and other elements in your hand.

Iris scan: The human iris is the set of muscles that control the size of the pupil — that little hole in the middle of your eye. The human iris, when viewed up close, is the complex collection of tiny muscles that are stained various colors of brown, gray, blue, and green. When we say that someone has blue, green, or brown “eyes,” the color we’re referring to is the color of the iris.

Retina scan: The retina is the surface at the rear of the interior of the eye. It’s not normally seen except when (say) a doctor shines a bright light through the pupil just right. But it does show up when you have a photo with “red eye” — that’s the reflection of the retina. Red eye is not sufficient to identify someone; instead, it is necessary for a person to get their eye close up to a little camera that can see inside the eye.

Face recognition: We recognize faces almost from birth, although how we recognize them is better understood now, enough that we can teach computers how to do it under certain conditions. Some laptop computers use facial recognition as a form of authentication before a subject can access the computer.

What physiological biometrics have in common is that they’re more-or-less static measurements of a specific part of your body. You might have to swipe your finger, place your hand, or look at the red dot, but the biometric equipment does the rest. Just hold still . . . there, got it.

Physiological biometrics are discussed in detail in Part II. There you can also read about some of the unusual biometrics that may be used someday.

Behavioral

Behavioral biometrics are more concerned with how you do something, rather than just a static measurement of a specific body part. Some of the behavioral biometrics in use include these:

Handwriting: Everyone’s handwritten signature is different, probably uniquely so. Biometric systems measure signatures in a number of different ways:

Static image. This is the oldest type of handwriting recognition, where we compare a stored signature image with a new sample to see if they match. Arguably, with practice, the image of someone’s signature can be forged, although it’s extremely unlikely that the forger will create the signature the same way that the original person does, which leads to the next two forms of handwriting biometrics:

Signature dynamics. Here we’re measuring either (a) the motion of the stylus or pen or (b) the dynamics of how the signature image itself is created.

Stylus pressure. We can also measure the dynamics of the downward force of the stylus on the writing surface while the signature is being made.

Keystroke dynamics: The rhythm of someone’s typing (or keyboarding as we tend to call it these days) is as unique as someone’s signature. The precise timing of individual keystrokes is a product of the geometry of the hand, the tone of the muscles in the hands and forearms, as well as the brain’s ability to send out the right signals at the right...
