Limitations Of Biometrics
This paper focuses on the limitations of biometrics and demonstrates how the theory of cancellable biometrics can mitigate such limitations. Cancellable biometrics gives biometric systems, theoretically, the ability to re-issue biometric signals. Thus, if a biometric database is ever compromised, the biometric image can be re-set. Our team believes that cancellable biometrics should be a best practice when utilizing biometric technologies. This paper begins with a background of biometric technologies, the global biometric market, and general limitations of biometrics. The main body focuses on the background, concepts, and function of cancellable biometrics offered as a solution for some of the limitations addressed. Finally, an analysis of cancellable biometrics’ advantages and disadvantages concludes our paper.
What is Biometrics?
To define “biometrics,” you can look at the Greek translation. ‘Bios’ translates to life and ‘metric’ translates to measurement. This leads to a direct translation of “biometrics” to “life measurement.” (“Biometric Definition-What”, 2005) “Biometrics is a technique for identification of people that uses body characteristics or behavioral traits and is increasingly being used instead of or in conjunction with other forms of identification based on something you have (e.g. ID card) or something you know (e.g. password or PIN)”. (“8.5 Biometrics”) The direct Greek translation of “life measurement” is fitting because biometrics looks to measure physical or behavioral traits of a human for identification purposes.
There are two types of biometrics: behavioral and physical. Behavioral biometrics measures the characteristics that an individual naturally acquires over the span of their lifetime. Examples of this technology include speaker recognition, signature verification, and keystroke verification. Physical biometrics measures the physical characteristics and body measurements of an individual. Examples of this technology include facial recognition, iris and retinal scan fingerprinting, and DNA typing (“Biometric Definition-What”, 2005). There are also two modes that biometrics can operate in: verification and identification. Verification is used to validate a person against who they claim or present themselves to be. It is a one to one match between the acquired template of the individual and a stored template for matching. This mode relies on individuals entering their biometric information into the system prior to trying to gain access to it (“8.5 Biometrics”). Identification is the process of trying to figure out who an individual is. This involves a comparison of the individual to a list of templates stored in the database. (Yun, 2003) Physical biometrics can be used for either verification or identification while behavioral biometrics is typically only used for verification purposes. (“Biometric Definition-What”, 2005)
The History of Biometrics
Biometrics seems to be a modern day technology, but its concept was actually applied as far back as the fourteenth century. Chinese merchants used fingerprinting during the fourteenth century to identify children (Osborn, 2005). In 1890, Alphonse Bertillon developed a form of biometrics known as anthropometrics. Anthropometrics is a method of identifying individuals based on precise measurements of their body and physical descriptions. This method fell out of use when it was discovered that multiple individuals could share the same body measurements. (“Biometrics History,” 2006) Early in the 20th century, an applied mathematician named Karl Pearson used statistical history and correlation to biometrics research. Signature biometric authentication was developed during the 1960’s and 1970’s, marking a huge breakthrough in behavioral biometrics. (Osborn, 2005) Also during this time, the FBI pushed for automating their fingerprint recognition process. This automation was the start of modern day biometrics, a combination of the biometrics process with information technology. During the 2001 Superbowl in Tampa, Florida, face recognition software was installed at the stadium to identify known criminals. (“Biometrics History,” 2006) Post 9/11 terrorist attacks, there was a huge push by the U.S. government to implement biometrics on a large scale. The government began installing facial recognition hardware and software in airports to identify suspected terrorists. (Osborn, 2005)
Generic Biometric System
While there are many biometric technologies in use today, and many more being invested in and researched on, they all share a similar process flow (Yun, 2003). The following image is a basic block diagram of a biometric system:
Source: (Yun, 2003)
The process always starts with some type of sensor device. This is what captures the biometric information. The capture information is then sent through a processing phase. Here the information is cleaned up, noise is removed, and the important data is enhanced. The processed data is then put together to form a template. A template is what represents the biometric data within the system. If it’s the first time the individual is using the system, the template is stored within the system. Otherwise, the generated template is compared against an already stored template during the matching process. If the biometric technology is operating in a verification mode, the generated template is matched against a specific stored template. If the technology is operating in an identification mode, the generated template is matched against a list of stored templates. If the matching process yields a positive match, then the individual is granted access to the application device. (Yun, 2003)
Current Global Biometric Market
It is important to consider the prevalence of biometrics. Although it may seem futuristic, biometrics is being used in countries all over the world. According to Prabhakar, Pankanti, and Jain, biometric applications fall into three main categories: commercial, government, and forensic. The commercial category includes applications used in e-commerce, banking, and social networking sites. Governments use biometrics for driver’s licenses, immigration control, and e-passports. Forensic applications include devices used in criminal investigation and prisoner identity control. (Prabhakar, Pankanti, & Jain, 2003)
According to BCC research, the global biometric revenue increased from $1.950 billion in 2006 to $2.7 billion in 2007. The compound annual growth rate from 2007 to 2012 was expected to be 21.3% (“The Global Biometrics Market,” 2007). As you can see from the figure below, the biometric technology being used ranges from fingerprint scanners, leading the market, to hand geometry scanners.
The market statistics above were derived in 2007. As a means for comparison, our group thought it best to obtain market research from at least one more source. According to a more recent article, issued by homeland security newswire on January 18, 2011, the market is expected to grow at 18.9% per year until 2015, bringing estimated global revenue from biometrics up to $12 billion in 2015. Fingerprint technologies will still dominate the market, with face, iris, vein, & voice recognition following (“Biometrics market expected,” 2011). BCC assumed a 21.3% annual growth rate, which would have made 2011 expected revenue around $5.8 billion, the actual 2011 global biometric market revenues totaled $5 billion (“Biometrics market expected,” 2011). The main point is that the global biometrics market has been growing as expected and is expected to grow.
Biometric technology offers significant advantages, but there are some limitations that need to be addressed as the biometric market continues to grow. For example, although the US has been the leader of the biometric market, scanning of iris or fingerprints to use ATM machines has not been implemented due to privacy and expense concerns. (“Biometric ATMs not,” 2005) One of the major limitations is the issue of privacy. The issue of privacy and other limitations, if not resolved, may continue to prevent the biometric market growth as seen by Americans’ lack of biometric ATM machines. The following section will discuss limitations of generic biometric systems
Limitations of Biometrics
An obvious issue with biometrics is costs. The table below was derived from the product offerings of a leading biometrics supplier, digitalPersona, Inc., using the framework from their whitepaper on best practices. This chart includes all aspects of a typical authentication system. As you can see the cost of biometric technology hardware and software is expensive in itself and costs for training, design, maintenance, and security will also be incurred.
$100-$1,500 per user
1 hour – 5 days
Ensure compatibility with other systems
1 day – 10 days
Hardware and software purchases/configure
10 days – 30 days
Acquisition of biometrics
$50-$175 per user
$25-$200 per instance
Extra safeguards within system to ensure privacy
1 day – 10 days
Source: (“Best Practices”, 2009)
Another area of concern with biometrics is the fact that once a biometric image has been leaked or obtained by an unauthorized source, that image is no longer secure for use with any application (Teoh, Kuan, & Lee, 2008). Authentication tools, such as passwords, keys, and identification cards have always been easily cancellable and renewable, but biometrics have been a concern because users only have, in general, one face, two eyes, one set of fingerprints, etc. (Ratha, Connell, & Bolle, 2001). Although it is difficult to do, determined data thieves can extract biometric images and put them to improper use, rendering stolen images useless in terms of security.
The figure below demonstrates eight vulnerabilities of ordinary biometric systems.
Source: (Ratha, Connell, & Bolle, 2001).
Figure – www.fidis.netOnce original biometric data is obtained, reproduction can easily be achieved. Attacks around the sensor may include inputting fake or copied biometric signal (point 1) or using a copy of a genuine biometric, tape with fingerprint, to bypass the sensor (point 2) (Ratha, Connell, & Bolle, 2001). The other parts of the system, feature extraction method (points 3 and 4), the matching device and decision (points 4 and 8), the database that holds the biometric images (point 6), and the communication channel between database and matcher (point 7), are much harder to attack, but if successfully breached will result in the theft or alteration of biometric templates which cannot be replaced (Ratha, Connell, & Bolle, 2001).
The biggest disadvantage of biometrics is that biometric data cannot be changed or reset. For example, if a password is stolen, a new password can be created. However, if a biometric characteristic is stolen from a database, a new biometric characteristic cannot be issued. Thus, if a biometric database is compromised, that biometric used for authentication purposes cannot be used again.
Finally, there is a huge privacy concern, as seen with the US’s delay of implementing ATMs with biometric systems. The uniqueness of biometric data raises this concern. There is already an enormous amount of data being collected by social networking sites, employers, the government, retail stores, medical centers, etc., Each entity may identify someone with data that can either be changed or is not solely unique to them, such as an email address or a name (Joe Smith). Thus, if the government wanted information from a retail store about a particular person, they may not be able to determine, from the retailer’s database, whether it is Joe Smith from California or Joe Smith from Arkansas. Currently to make data sharing possible, data would have to be paired with more data in order to identify the right person and then share information about that person between entities. This idea of data sharing among entities produces a fear in some people with regards to the use of biometrics because biometric data is completely unique to a person. If all these entities have biometric data, data unique to just one individual, all the entities could share data in their databases (cross-matching). For example, data collected by private company can be matched with the government’s data. (Ratha, Connell, & Bolle, 2001)
One solution to this privacy concern is cancellable biometrics (Ratha, Connell, & Bolle, 2001). Cancellable biometrics allows authentication biometric signals to be re-set if a database is every compromised. Basically, cancellable biometrics distorts a biometric signal based on a certain transform during enrollment, and continues to distort it the same way for every presentation and authentication thereafter (Ratha, Connell, & Bolle, 2001). If biometric data is ever stolen, a new transform is used and re-enrollment is allowed (Gaddam, & Lal, 2010). The following sections further explain cancellable biometrics and how it can mitigate the risks of biometric systems’ vulnerabilities.
History of Cancellable Biometrics
The study and research around cancellable biometrics is relatively new with most research beginning around the turn of the 21st century. Although many have contributed to the field, several publications, including the Encyclopedia of Biometrics (2009) and The Journal of the Pattern Recognition Society credit Nalini Ratha with the concepts that led to the creation of cancellable biometrics (Teoh, Kuan, & Lee, 2008). Cancellable biometrics was conceptualized as a way to address the potential downsides and security concerns of ordinary biometrics. In order to prevent the preclusion of a biometric image, cancellable biometrics was created. The goal of cancellable biometrics is to provide biometric authentication that is not only unique to an individual, but one that also has the ability to be changed. Cancellable biometrics does not provide extra security around biometrically authenticated systems, but does provide a way to avoid losing the ability to use biometrics as an authentication method.
As its name suggests, cancellable biometrics allows a biometric template to be cancelled and replaced with a new image that is based on the same biometric data, resulting in one of many possible permutations (Teoh, Kuan, & Lee, 2008). According to the Encyclopedia of Biometrics (2009), cancellable biometrics allows biometric images to be reset by encoding each biometric image with a different distortion scheme for each application that uses the image (Lee & Jain, 2009). In order to assure the security of each permutated biometric image, a unique distortion scheme must be used for each unique application (Teoh, Kuan, & Lee, 2008). The use of a distortion scheme creates an image for storage in a database that is not an exact match to the original biometric measure, therefore changing the image is as easy as changing the distortion scheme. Next we will discuss the concepts behind cancellable biometrics that are used to increase the security of biometric authentication and to keep biometric data unique.
The Concepts Behind Cancellable Biometrics
There are three criteria that a cancellable biometric template must meet in order to be useful and secure: (1) each cancellable template must be used for only one application, (2) the revocation and reissue procedures must be straightforward, and (3) the template computation must not be able to be reversed in order to protect the original biometric data. These three steps may also be referred to as diversity, reusability, and one-way transformation, respectively (Teoh, Kuan, & Lee, 2008).
Using the same biometric template for multiple applications exposes data to the same threats that using the same password for multiple applications would. If an unauthorized user gains access to one application, access can be achieved to all applications that use the same template. When using one template for multiple applications, no matter how strong the security is for the strongest application, the security of all the applications with the same authorization template is only as strong as the weakest link.
Addressing the second criteria, that revocation and reissue procedures must be straightforward, is as it says, straightforward. Without a straightforward way to cancel and reissue a biometric template, biometric data is subject to interception and physical alteration (Teoh, Kuan, & Lee, 2008).
The third criterion, that the computation of the template not be reversible, is also meant to protect the integrity and the identity of the original biometric data (Teoh, Kuan, & Lee, 2008). If a computation can be reversed, and the original biometric data is revealed, the biometric measurement will be useless and unsecure. A popular method for creating non-invertible biometric data is to use a hashing function. Due to the unique characteristics of individual biometric data, there are several guidelines that a hashing function must take into account when creating non-invertible data. For example, regarding fingerprint data, Tulyakov, Mansukhani, Govindaraju, and Farooq (2007) suggest that hashing functions should have similar hash values for similar fingerprints, different values for fingerprints that are different, that the rotation of a fingerprint should not affect the hash value, and that, if sufficient minutiae is available, partial fingerprints should be matched. Minutiae refer to uniquely identifiable points on a set of fingerprints (Tulyakov, Farooq, Mansukhani, & Govindaraju, 2007).
Within cancellable biometrics there are two distortion techniques that are widely recognized, signal domain distortion and feature domain distortion. What signal and feature domain distortion basically provide are ways to either distort a biometric image directly after acquisition or extract features from a biometric image, such as minutiae, and then distort the features, respectively (Ratha, Connell, & Bolle, 2001). Signal domain distortion creates an independent image to be registered by a biometric reader, but still provides landmarks that can be compared to the original image, e.g. points on a person’s face or eyes, for authentication. Feature domain distortion extracts template features and scrambles them, providing a sufficient technique for biometric measurements, such as fingerprints, which would be difficult to preserve accurate minutiae and a similar image (Lee & Jain, 2009).
How it works:
Cancellable biometrics is achieved when a normal biometrics pattern is modified before it is stored in an intentional and repeatable method. This change in the pattern can be initiated by several methods, however this topic is still in development and a single industry best practice has not yet been distilled. Instead of the actual values from the biometric sensor being stored, a value that is the combination of the modifier and the sensor’s reading is stored. In the case that the biometrics is impersonated or the database is compromised, the modifier can be changed and the user can be authenticated with the system. (Ratha, Connell, & Bolle, 2001)
Modifiers can be anything from a random number, a personal identification number, or even another biometric reading. The combination of these two items, similar to two-factor authentication, can create a unique key that uses both an individually unique value with the independent but derived from the biometric. (Ratha, Connell, & Bolle, 2001)
Once the biometric reader scans the individual, an algorithm is applied to the value. This transformation can happen in either the scanning device or post-processed within the computer system before it is validated against the record within the database. These readers can be hardware devices that connect to a computer network or appliances which are self-contained. After successful verification of credentials the user is granted authentication. (Ratha, Connell, & Bolle, 2001)
Demo: use ppt slides to explain the images and how they are distorted and stored for cancellable biometrics.
Advantages of Cancellable Biometrics
Different entities and different applications use different transforms for the same signals. This prevents the sharing between databases of different entities (Gaddam, & Lal, 2010). For example, a law enforcement agency will use one transform for a fingerprint scan, and a commercial entity will use a different transform for the same fingerprint scan. This idea of ‘diversity’ makes cross-matching impossible. As seen in the figure below, the merchant takes the biometric data from the customer and compares it to a transform from one of the transform databases associated with a particular service (Ratha, Connell, & Bolle, 2001). This should ease privacy concerns as different transforms are held in different databases per entity.
Source: (Ratha, Connell, & Bolle, 2001)
Also, the authentication server never stores original biometrics (Ratha, Connell, & Bolle, 2001). The benefit is that the risk of identity theft is significantly reduced because the transforms are non-invertible. Even if a hacker accessed a template database, there would be no way for he/she to figure out the original biometric.
The reusability feature, described in the section titled “The Concepts Behind Cancellable Biometrics” of this paper, protects the biometric authentication process from becoming obsolete. If cancellable biometrics did not offer re-usability and data continually was compromised, theoretically, people would start to run out of body parts to use.
Limitations of Cancellable Biometrics
Cancellable biometrics is not the solution to all of the limitations of biometrics. Cancellable biometrics provides a solution for privacy concerns and resetting issues related to biometrics. However, it does not decrease the enormous cost associated with biometrics. Also, it does not prevent the use of a copied biometric signal (Ratha, Connell, & Bolle, 2001). For example, if someone found a way to obtain a copy of a fingerprint and used that copy of the genuine biometric to access a system/account/place etc., matching could be possible and access could be granted. Cancellable biometrics prevents identity theft by the use of non-invertible transforms and it increases privacy by preventing data sharing among entities because original biometric data is never stored, it doesn’t prevent people from using copies of genuine biometrics. As discussed in the section ‘Limitations of Biometrics,’ biometric systems are subject to attack. Cancellable biometrics does not prevent an attack, however, if a biometric database or other parts of the system are compromised, a new transform can be used for the authentication process and the hacker will not be able to obtain the original biometric. Thus it mitigates the damage, but not the risk of attack. Another limitation of cancellable biometrics is the trade-off of higher protection for higher error rates. The invertible feature increases protection of original data, but causes a decrease in recognition accuracy (Cheung, Kong, Zhang, Kamel, You, & Lam). This may lead to a higher false rejection rate. A higher false rejection rate is inefficient and costly.
The global biometric market is expected to continue growing. However, limitations of generic biometric systems may inhibit the market growth from its full potential. General limitations of generic biometric systems include enormous costs, fake enrollment, physical copies bypassing sensors, attacks on the system parts and/or database, threat to privacy of individuals, and failure to reset biometrics. Cancellable biometrics provides a solution to some of generic biometric system limitations. With cancellable biometrics, a biometric template must have three criteria: (1) each cancellable template must be used for only one application, (2) the revocation and reissue procedures must be straightforward, and (3) the template computation must not be able to be reversed in order to protect the original biometric data. These three criteria, also known as diversity, reusability, and one-way transformation (Teoh, Kuan, & Lee, 2008), disallow data-sharing among entities, protect the overall biometrics from becoming obsolete, and prevent a hacker from obtaining genuine biometrics. Our team believes that due to the demand for biometrics in general, cancellable biometrics has a potential market. IBM has been researching and developing cancellable biometrics. According to an article off IBM’s website, “Helping enhance security and protect identities,” several large banks have been talking with IBM about the use of cancellable biometrics. Cancellable biometrics also is applicable to sectors of the government like the IRS, Social Security administration, and law enforcement organizations (“Helping enhance security-“). Thus, cancellable biometrics may evolve from research and development into a marketable tool that may refresh the global biometrics market.
8.5 Biometrics. University of Leicester. Retrieved April 26, 2011 from
Citation: (“8.5 Biometrics”)
Biometric ATMs not being used in U.S. (2005, October 11). Retrieved April 25, 2011
Citation: (“Biometric ATMs not,” 2005)
Biometric Definition – What Is Biometrics? Biometrics Technology : Explained. (2005)
Retrieved April 25, 2011 from <http://www.questbiometrics.com/biometric-definition.html>.
Citation: (“Biometric Definition-What”, 2005)
Biometrics History. (2006). Biometrics.gov. NSTC Subcommittee on Biometrics,
April 18, 2011. <http://www.biometrics.gov/ReferenceRoom/Introduction.aspx>.
Citation: (“Biometrics History,” 2006)
Biometrics market expected to hit $12 billion in 2015. (2011, January 18).
Retrieved April 25, 2011 from http://homelandsecuritynewswire.com/biometrics-market-expected-hit-12-billion-2015-0
Citation: (“Biometrics market expected,” 2011)
Best Practices for Implementing Fingerprint Biometrics in Application. (2009).
DigitalPersona. Retrieved April 25, 2011 from http://www.digitalpersona.com/uploadedFiles/Collateral/White_papers/DP-wp-appbestpractices2009-08-21.pdf
Citation: (“Best Practices”, 2009)
Cheung, H.K, Kong, A., Zhang, D., Kamel, M., You, J., You, T., Lam. H-W., (n.d.). An
analysis on accuracy of cancellable biometrics based on biohashing. Unpublished manuscript, Department of Computing, Hong Kong Polytechnic University, China. Retrieved April 22, 2011 from http://pami.uwaterloo.ca/~cswkkong/publication/CheungKES2005Final.pdf
Citation: (Cheung, Kong, Zhang, Kamel, You, Lam)
Gaddam, S.V.K, & Lal, M. (2010). Efficient cancellable biometric key generation
scheme for cryptography. International Journal of Network Security, 11(2), 61-69. Retrieved April 22, 2011 from http://ijns.femto.com.tw/contents/ijns-v11-n2/ijns-2010-v11-n2-p61-69.pdf
Citation: (Gaddam, & Lal, 2010)
Helping enhance security and protect identities. IBM. Retrieved April 26, 2011 from
(“Helping enhance security-“)
Lee, S.Z., & Jain, A.K. (2009). Encyclopedia biometrics. Retrieved April 22, 2011 from
Citation: (Lee & Jain, 2009)
Osborn, A. (2005, August 17) Biometrics History — the History of Biometrics from past
to Present. Video Surveillance Systems, Security Cameras & CCTV Equipment Guide. April, 25, 2011. <http://www.video-surveillance-guide.com/biometrics-history.htm>.
Citation: (Osborn, 2005)
Piuri, Vincenzo (2008) Fingerprint Biometrics via Low-cost Sensors and Webcams.
IEEE. Retrieved April 25, 2011 from http://clem.dii.unisi.it/~vipp/files/prin/2008_Conf_BTAS__ImageProcessingForFingerprintBiometricsViaLowcostCamerasAndWebcams.pdf
Citation: (Piuri, 2008)
Prabhakar, S, Pankanti, S, & Jain, A. K. (2003, March). Biometric recognition: security
and privacy concerns. IEEE Security and Privacy. Retrieved April 25, 2011 from http://www.cse.msu.edu/biometrics/Publications/GeneralBiometrics/PrabhakarPankantiJain_BiometricSecurityPrivacy_SPM03.pdf
Citation: (Prabhakar, Pankanti, & Jain, 2003)
Ratha, N.K., Connell, J.H., & Bolle, R.M. (2001). Enhancing security and privacy in
biometrics-based authentication systems. IBM Systems Journal , 40(3), 614-634 Retrieved April 22, 2011 from http://www.google.com/#sclient=psy&hl=en&site=&source=hp&q=Enhancing+security+and+privacy+in+biometrics-based+authentication+systems&aq=f&aqi=g1&aql=f&oq=&pbx=1&bav=on.2,or.r_gc.r_pw.&fp=f4864d47f9f205c8&biw=1366&bih=583
Citation: (Ratha, Connell, & Bolle, 2001)
Teoh, A.B.J., Kuan, Y.W., & Lee, S. (2008). Cancellable biometrics and annotations on
biohash. Journal of the Pattern Recognition Society, 41(6), 2034-2044 Retrieved April 22, 2011 from http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V14-4RBYCY01&_user=513551&_coverDate=06%2F30%2F2008&_rdoc=1&_fmt=high&_orig=gateway&_origin=gateway&_sort=d&_docanchor=&view=c&_searchStrId=1731821718&_rerunOrigin=google&_acct=C000025338&_version=1&_urlVersion=0&_userid=513551&md5=475892d68fa817e0474084b6dcd88f78&searchtype=a
Citation: (Teoh, Kuan, & Lee, 2008)
The Global Biometrics Market. (2007, December). Retrieved April 25, 2011 from
Citation: (“The Global Biometrics Market,” 2007)
Tulyakov, S, Farooq, F, Mansukhani, P, & Govindaraju, V. (2007). Symmetric hash
functions for secure fingerprint biometric systems. Pattern Reconition Letters, 28(16), 2427-2436. Retrieved April 22, 2011 from http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V15-4PFW6247&_user=513551&_coverDate=12%2F01%2F2007&_rdoc=1&_fmt=high&_orig=gateway&_origin=gateway&_sort=d&_docanchor=&view=c&_searchStrId=1731826413&_rerunOrigin=google&_acct=C000025338&_version=1&_urlVersion=0&_userid=513551&md5=827daed9e4525f816e7cf49eaa173152&searchtype=a
Citation: (Tulyakov, Farooq, Mansukhani, & Govindaraju, 2007)
Yun, W. (2003) “The ‘123’ of Biometric Technology”. [web] Accessed 18 April 2011
Citation: (Yun, 2003)Order Now