Issue No. 02 - February (2000 vol. 33)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/2.820038
Wouldn't you feel better about flying from an airport that could identify criminals wearing disguises? Wouldn't you love to replace password-based access control to avoid having to reset forgotten passwords and worry about the integrity of your system? Wouldn't you like to rest secure in the comfort that your healthcare system does not rely merely on your social security number as proof of your identity for granting access to your medical records?
Because each of these questions is becoming more and more important, access to a reliable personal identification infrastructure is becoming increasingly essential. Conventional methods of identification based on possession of ID cards or exclusive knowledge—like a social security number or a password—are not altogether reliable. ID cards can be lost, forged, or misplaced; passwords can be forgotten or compromised.
One of the earliest and best-known biometric technologies is fingerprint recognition. Automatic fingerprint-based identification systems have been commercially available since the early 1960s. But until recently those systems were primarily used in forensic applications for investigating criminals. Biometric technology has now become a viable alternative to traditional identification systems in many government and commercial application domains.
In addition to fingerprint recognition technology, other biometric technologies are beginning to emerge. As Figure 1 illustrates, new biometric applications include face (both optical and infrared), hand, finger, iris, retina, signature, and voice recognition. Investigations of other characteristics, like ear, odor, keystroke entry pattern, and gait are under way. 1
A biometric system is a pattern recognition system that establishes the authenticity of a specific physiological or behavioral characteristic possessed by a user. Logically, a biometric system can be divided into two stages: the enrollment module and the identification module.
The enrollment module is responsible for training the system to identify a given person. During the enrollment stage, a biometric sensor scans the person's physiognomy to create a digital representation. A feature extractor processes this representation to generate a more compact and expressive representation called a template. For a facial image, these features may include the size and relative positions of the eye, nose, and mouth. The template for each user is stored in a biometric system database; the database can be a central or distributed database, such as the one in which each user's template is stored on a smart card and issued to the user.
The identification module is responsible for recognizing the person. During the identification stage, the biometric sensor captures the characteristic of the person to be identified and converts it into the same digital format as the template. The resulting template is fed to the feature matcher, which compares it against the stored template to determine whether the two templates match.
Identification can be in the form of verification, authenticating a claimed identity (verifying the claim, "I am Joe Smith") or recognition, determining the identity of a person from a database of known persons (determining who I am without knowledge of my name). In a verification system, when the captured characteristic and the stored template of the claimed identity are the same, the system concludes that the claimed identity is correct. In a recognition system, when the captured characteristic and one of the stored templates are the same, the system identifies the person with the matching template.
In "Face Recognition for Smart Environments," Sandy Pentland and Tanzeem Choudhury present an example of a typical biometric technology and its specific application.
If the demand for personal identification applications are so ubiquitous and the conventional means for personal identification are indeed inadequate, why, then, is biometrics technology not as pervasive and widespread as many of us expect it to be? One of the primary reasons is performance. Issues affecting performance include accuracy, cost, integrity, and ease of use. In addition to privacy being a concern of end users, system integration is a difficult task.
Presenting a correct password in a password-based authentication system always correctly results in acceptance of an identity claim. But even if a legitimate biometric characteristic is presented to a biometric-based authentication system, correct authentication cannot be guaranteed. This could be because of sensor noise, limitations of the processing methods, and, more importantly, the variability in both the biometric characteristic as well as its presentation, which Figure 2 illustrates. And there is also the possibility that an impostor could be incorrectly authenticated.
Furthermore, the accuracy of a given biometric implementation is sensitive to the target population. To successfully apply a biometric technology to a personal identification application, it is important to understand and realistically evaluate the technology in the context of the target application and target population. In "An Introduction to Evaluating Biometric Systems," Jonathon Phillips and his colleagues present key concepts in evaluating the accuracy of a biometric system.
Cost is tied to accuracy, as Figure 3 illustrates. Many applications—like logging in to a PC—are sensitive to the additional cost of including biometric technology. Given the increasing availability of inexpensive processing power—mass-scale production of inexpensive sensors—it will become possible to make biometrics accessible to new personal identification applications; increased usage of the sensors may lower their prices even more.
Some applications (like laptop login) cannot incorporate bulky biometric sensor hardware, which provides impetus for sensor miniaturization. Lawrence O'Gorman's "Personal Authentication" sidebar in Jonathon Phillips' article describes work on a commercially available, compact, and inexpensive solid-state fingerprint sensor.
Authentication is of no use if the system cannot provide assurance that the legitimate owner indeed presented the characteristic. Data from multiple, independent biometric characteristics can serve to reinforce the identity of a subject. Multiple biometrics can alleviate several other practical problems in biometrics-based personal identification.
For example, a fraction of the target population may either not actually possess a particular biometric identifier or may present a characteristic that does not tender any usable information, as Figure 4 illustrates. Furthermore, certain biometrics may not be acceptable to segments of the target population.
Consequently, the integration of multiple biometric systems will become increasingly important. In "BioID: A Multimodal Biometric Identification System," Robert W. Frischholz and Ulrich Dieckmann describe a multibiometric system that is based on integrating face and voice biometrics.
Ease of use
How easy is it to use a given biometric system? Does the usage necessitate considerable user cooperation or is the acquisition of the characteristic too intrusive? Does the system require a long training time? It is likely that obtrusive and cumbersome biometric authentication systems will be avoided much like we avoid systems requiring long passwords.
In "An Iris Biometric System for Public and Personal Use," Michael Negin and colleagues present an excellent example of how to harness technology for user-friendly and transparent signal acquisition.
Despite its obvious strengths, there are a few negative preconceptions about biometrics that often result in the following question: Will biometric data be used to track people, secretly violating their right to privacy? Thanks to sensational reporting and hype, there is a disparity between perception and reality when it comes to abuses of biometric technology.
It is dangerous to avoid certain technologies for fear they will be used unfairly. 2 In "Federal Biometric Technology Legislation," James L. Wayman dispels fear about Big Brother by discussing the scope of the federal government's biometrics-related applications.
Ease of development
To foster improvements and encourage widespread deployment, biometric technology needs to be made easily accessible for system integration and implementation. Harnessing and integrating biometric technology is not easy in its present form; one of the reasons is the lack of industry-wide standards.
While we are far from a single uniform data and API standard for all biometric technologies, efforts are already under way. In "An Emerging Biometric API Industry Standard," Catherine J. Tilton describes the communal effort to build a biometric API standard.
As fraud in our society grows, as the pressure to deliver inexpensive authentication services mounts, and as geographically mobile individuals increasingly need to establish their identity as strangers in remote communities, the problem of reliable personal identification becomes more and more difficult.
To catapult biometric technology into the mainstream identification market, it is important to encourage its evaluation in realistic contexts, to facilitate its integration into end-to-end solutions, and to foster innovation of inexpensive and user-friendly implementations. We hope that a pervasive, accountable use of biometrics technology will help establish a more open and fair society.
We thank all those who reviewed the special issue submissions.
Sharath Pankanti is Research Staff Member at IBM T.J. Watson Research Center, Yorktown Heights, N.Y. He received a PhD in computer science from Michigan State University. Contact him at firstname.lastname@example.org.
Ruud M. Bolle is Manager at IBM T.J. Watson Research Center. He received a PhD in electrical engineering from Brown University. Contact him at email@example.com.
Anil Jain is University Distinguished Professor at Michigan State University. He received a PhD in electrical engineering from Ohio State University. Contact him at firstname.lastname@example.org.