Which features of a fingerprint can be used in an identification? |
Three types of features
are available for biometric identification:
|
Does everyone have fingerprints? |
In principle, yes. However, individual fingers can be damaged permanently (e.g., by rare skin diseases) or temporarily (e.g., dirty or worn down by abrasion), which can hinder or prevent the recording and analysis of a fingerprint. Rare genetic disorders such as dermatopathia pigmentosa reticularis are also known, which can prevent finger- and footprints from forming at all. With good sensors and analysis software, the failure-to-enroll rate is around 5% when everyone is considered. If only office workers are considered, the failure-to-enroll rate falls to under 1%. |
What types of fingerprint sensors are there? |
|
How do fingerprint sensors work? |
All fingerprint
sensors try to generate a digital picture of the finger surface.
This picture normally has a pixel resolution of 500 dpi. The picture
generation can be different for every type of sensor.
Static Capacitive Sensor Type 1
|
Which type of sensor is the best? |
Unfortunately, this question has no definitive answer, as every
application has different requirements and each type of sensor has
its specific advantages and disadvantages.
The following criteria can assist in reaching an answer:
|
Requirement | Type of sensor currently best |
Low costs | Capacitive silicon line sensor |
High level of development | Optical reflexive sensor |
High image quality | Optical reflexive sensor |
Small size | Thermal / capacitive line sensor |
High vandalism protection | Optical transmissive sensor |
High temperature span | Capacitive silicon sensor |
High forgery protection | Optical transmissive sensor |
High ESD strength | Optical reflexive sensor |
How do stripe and area sensors differ in practice? |
With area sensors, the finger to be recognized is placed statically
on the sensor, while with commercially available stripe sensors
(also known as strip, swipe, or slide sensors), the same finger area
has to be actively moved (swiped) over the sensor stripe.
|
What can a user do to avoid false rejections in a fingerprint authentication system? |
The finger should
be clean (free of sticky residue and grease), and depending on the sensor,
should not be too damp or too dry (breathe on it!). The finger should
always be applied on the sensor in the same manner (same position, same
direction) and with uniform pressure (e.g., avoid pressing while
twisting). The more finger area the sensor "sees", the better (i.e., don't
use the finger tip!).
With older stripe sensors, swipe the finger evenly and consistently over the sensor at the correct speed (try it!) without lifting your finger. Stripe sensors in particular need some practice. For that reason it may pay to repeat enrollment. If the enrollment was insufficient, normal recognition cannot be optimal! |
How do wounds affect identification? |
If a wound is not too deep, the finger lines will fully regenerate to their original state. Deep cuts leave line-forming scars, which good identification algorithms should recognize as such, so that identification performance is barely impaired. Most systems offer the possibility to record a "substitute finger" during enrollment, so that fingerprint authentication can still take place during the healing process. |
Can a fingerprint be copied? |
Yes. Almost all biometric features can be copied at varying expense. Fingerprints can be copied in the form of data sets, paper prints, wax molds, etc. With forensic methods it is possible to observe, analyze, and copy latent fingerprints unwittingly left behind on beer glasses or door handles. One of the oldest descriptions of a high-tech copy procedure is given in a novel by R. Austin Freeman [Freeman]: Take a plate of chromate gelatin, expose this plate with the slide of the fingerprint and wash out the surface. Those locations which have not been hardened by light are thereby removed, leaving a fingerprint relief. Whether the copy is recognized as such or is accepted as the original depends on the fingerprint sensor and the analysis algorithm. Ultimately, however, the specific use dictates whether copying is worthwhile at all and whether it can be harmful. In most applications, it helps very little if a forger can make an exact copy of his own finger. From optimized protection systems, one can expect that a copy will cause no damage. |
How easy is it to copy a fingerprint? |
It is relatively easy and inexpensive to copy one's own fingerprint
(this may be compared with the manufacturing of a duplicate key).
This may be done in the form of a rubber stamp which may be delivered
by a stamp manufacturer on the basis of an electronic fingerprint
template. Mechanical copies require a negative as an interim step.
Paper copies are made using a stamp pad. Copies of one's own finger
are a risk for systems in which the faking of an authentication by an
accomplice can result in damage (e.g., attendance system: faking
attendance by handing a suitable fingerprint copy to a colleague).
Much more complicated is the manufacturing of a finger image copy from a non-cooperative person (feature theft). Here one has to get access to a suitable fingerprint of the other person. One way is to find latent fingerprints. However, latent prints often
|
What is compromise of a fingerprint? |
Compromise here means the theft of a fingerprint's data set, which is subsequently misused. When an application relies on keeping a fingerprint secret, this can naturally have serious consequences, since every finger is one of a kind but (unlike a password) cannot be changed. Fingers that have been compromised can eventually no longer be used. |
Is the possibility of fingerprint compromise a problem? |
No, provided that the system is soundly laid out. The release of a
system's own fingerprints is not a problem if, for example, the
application does not accept a fingerprint data set from just
anywhere, but the data can arrive exclusively via the sensor, which
is secure. Appropriate measures can be added to the sensor to reject
mechanical fingerprint copies made from a released data set, e.g.,
through a liveness detection.
An identity card provides a nice example of the possibility of reliable verification even for public biometric characteristics (here the face). It suffices if the identity card is forgery proof, i.e., forgeries are relatively easy to recognize. |
What measures can be taken against forgery? |
The possibility to copy is no problem
in many applications, because of high cost, long processing time, or because
registered
users can control access themselves (fingerprint mobile phone, gun
trigger safety). In high-security applications, extra measures have
to be taken, to ensure that the authorized user's real fingerprint is used.
Here are a few examples:
The area of analysis is limited to a special part of the fingerprint, in order to ensure that remnants of fingerprints left behind by chance cannot be processed and misused. The probability then that the copied fingerprint matches this small part is minimal. This technique presumes that the finger can be repeatedly accurately positioned (e.g., with a finger guide) and that the number of authentication trials is limited.
If the entire fingerprint processing, including the sensor and feature storage, is combined with a unique key pair (consisting of private and public keys), one obtains a unique combination of property, secret knowledge and biometrics, which can identify a user for any application or service. A forgery requires that the card falls into the wrong hands. In this case, the unchangeable key on the card can be blocked in the application. The card is then useless to the forger. If lost, the user must obtain a new card containing a new unique key, save the fingerprint again, and re-register for all applications and services. Of course one can avoid this process by simply having a back-up card with different keys. |
Is a fake detection test necessary for all applications? |
No. In practice,
forgers must overcome further hurdles beyond the biometric authentication.
The following examples should illustrate:
|
How is the similarity of two fingerprints determined based on minutiae? |
Successively recorded fingerprints are never identical, but at best
highly 'similar', due to differences in finger position, application
pressure, finger angle, dirtiness, and the physiological constitution
of the user. Similarity is expressed as a score. The higher this
score, the more similar the fingerprints, and vice versa. During the
matching process in minutiae-based systems, one tries to minimize the
influence of positioning and angle discrepancies, and incidentally of
size variations (in order to compensate for the effects of growth
until around 18 years). The actual picture is shifted and rotated
with respect to the reference picture until the distance between
minutiae is minimized. The resulting similarity score then depends on
the following:
|
When was the uniqueness of fingerprints first used? |
In China, fingerprints have been used to officially certify contracts since at least 700 AD. In Europe, fingerprint use in fighting crime was proposed in 1858 and was implemented in Germany in 1903. [Heindl 1922, pp. 1-108] |
How does the use of multiple fingers affect a verification? |
There are two extreme
cases:
In Case 1, the false acceptance rate FAR improves (provided that the fingers n (0 < n < N+1) are statistically independent) according to:
Cases 1 and 2 are extreme cases. With suitable systems, information fusion allows 'intermediate levels' to exist. In principle, for every set recognition threshold there should be a way of combining multiple fingerprints that improves FAR and FRR simultaneously. |
Is there proof for the uniqueness of a fingerprint? |
The uniqueness of a fingerprint is a working hypothesis which, in the
mathematical sense, is difficult (if not impossible) to prove. The
opposite is easier to prove, namely by finding two identical fingers.
Until now, no two fingerprints from different fingers have been found
which are identical. This holds true even for identical twins and
between right and left fingers, and can be anticipated also for
clones.
In a scientific sense, the term uniqueness has to be replaced by the probability of finding two identical fingerprints from different fingers. This probability may be determined empirically by comparing all fingerprints of a forensic database against each other. For example, if such a collection contains 100 million fingerprints, a probability of nearly 10^-14 should be provable (due to inter-dependencies this probability is assumed to be higher but should lie below 10^-6). However, such a large trial has not yet been undertaken. Furthermore, the probability of misnamed fingerprints (fingerprints from the same person/finger filed under different names) is supposed to be much higher. This experience is well known from experiments with much smaller collections. As a result, the outcome of such a trial may become quite questionable. A scientific investigation
of the individuality of fingerprints has been published by |
What are minutiae? |
Minutiae are the endings and the branchings of the finger lines. Because these follow a strong random pattern, they are the carriers of "uniqueness". |
Fingerprint authentication is suitable for which applications? |
|
Which finger is most suitable for reaching high performance recognition? |
In principle, every
finger is suitable to give prints for authentication purposes. However,
there are differences between the 10 fingers, which are expressed in different
performance for FAR, FRR and FTE. These differences are based on:
|
How does reduction of the fingerprint area affect performance? |
The size of a fingerprint
generally determines the cost of a fingerprint sensor, the size of the
reference trait's saved data file, and last but not least, the processing
time. Therefore it can be advantageous to process only part of the
fingerprint. But how does this reduction affect performance?
A rough estimation is possible if one simply assumes that different areas of the fingerprint are statistically independent of each other with respect to the analyzed features. In this case, the same treatment as for multiple fingers applies, except that the number of fingers is replaced by a size factor. Here too, the same two extreme cases are considered, whereby the "conjunctions" AND or OR depend on the algorithms used and thus generally lie outside the system integrator's control. In principle, however, a reduction in the area of a fingerprint results in a reduction of overall performance. (This treatment does not apply to different prints from different fingers. Here, by all means, smaller fingerprints may achieve better performance than large fingerprints!) |
Why is a good finger guide important? |
Modern cost-effective fingerprint sensors are generally smaller than
a complete fingerprint, and therefore process only part of the
fingerprint. Suitable mechanical finger guides may nevertheless lead
to good recognition performance.
A good finger guide has the following characteristics:
|
Against which attacks must a fingerprint system be secured? |
If fingerprint recognition is part of a security concept, specialized
attacks have to be expected. The application determines the quality
and quantity of the security requirements. The range extends from
pure convenience applications up to high-security applications with a
correspondingly high potential for damage. But even with the same
potential for damage, not every kind of attack is equally relevant.
Therefore, for each application scenario, the expected attacks and
their probability have to be determined in order to work out the
expense of countermeasures against each kind of attack.
Another procedure may become inevitable if a planned security concept turns out to be impracticable for a certain application. This concerns questions like "identification or verification", "local or central reference databases", use of a chip card with or without a cryptoprocessor, or public versus non-public access to the fingerprint system. With a suitable choice of security concept, the requirements for the protection of the biometric component can sometimes be reduced considerably. In other cases, the result of the security analysis may lead directly to biometric features other than the fingerprint! |
What kind of attacks against fingerprint systems are imaginable? |
The following list compiles the most important attacks on biometric
security components. Which of these attacks require security measures
depends on the actual application.
Brute force attack
A brute force attack presents a large number of different biometric features to the authentication system in the hope of a coincidental match with the stored reference feature. The probability of success is given by the False Acceptance Rate (FAR). Note that the number of references in an identification system greatly influences the FAR! When specifying an FAR for fingerprint systems, it should be taken into consideration that every non-authorized person has ten fingers with completely different features. Ten trials with different fingerprints will increase the probability of a false acceptance by nearly a factor of 10!
Latent print attacks
In fingerprint systems, latent print recognition is necessary, depending upon the sensor type. This is because traces from the last fingerprint remain on the sensor and may be activated, e.g., by breathing upon the sensor surface. Several measures against latent print acceptance are available. See "How dangerous are latent prints on the sensor?".
Replay attacks
Depending on the application and mechanical realization, replay attacks between sensor and processing unit may or may not pose a problem. A USB sensing device, e.g., needs special USB equipment to carry out replay attacks; however, most attacks may be blocked by software which is able to detect succeeding features which differ too little. In office applications, replay attacks are much more difficult to perform than via keyboard when using passwords.
Trojan horse attacks
Theoretically, trojan horses may serve to perform replay attacks or to change the security settings in the PC's registry without the user noticing. This has to be prevented by up-to-date virus scanners. A better method is to perform all biometric processing in separate hardware outside the PC.
Fake feature attacks
In biometric systems, it might be possible to make mechanical copies of the feature to fool the sensor device (spoofing). While a liveness detection is suited to prevent attacks with dead body parts, a fake feature detection generally has to be much more sophisticated.
Dead feature attacks
In biometric systems, it might be possible to obtain a positive identification with cut or dead body parts. If the application is susceptible to such attacks, a liveness detection will help. Examples are optical blood oxygen measurement or measurement of the response to controlled stimulation.
Hill climbing attacks
To prevent hill climbing attacks, the score values must not be shown to the user (at least not in too fine intervals).
Software leaks
The most relevant security risk when designing security systems is that erroneous code or system faults may open security holes. This has to be prevented by extensive testing by security experts.
Use of force
An authorized person can be forced to carry out an authentication with his own features to grant access to another person. Even the state of unconsciousness may be abused for that purpose.
Other attacks
All interfaces within the whole system have to be secured, if necessary. The reference archive has to be protected against manipulation.
Unknown attacks
It is most unlikely that all possible kinds of attacks are known in advance. |
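The brute force entry above says that both the number of stored references and the number of fingers an impostor may present multiply the chance of a false acceptance. The following added example (not part of the original FAQ) works that out and derives how many trials a system may allow before locking out; it assumes statistically independent comparisons, and the FAR and target values are constructed.

```python
import math

def false_accept_probability(far, references=1, trials=1):
    """Probability of at least one false acceptance when an impostor
    presents `trials` different fingers, each compared against
    `references` stored templates (independence is an assumption)."""
    comparisons = references * trials
    # 1 - (1 - far)**comparisons, computed stably for very small far
    return -math.expm1(comparisons * math.log1p(-far))

def max_trials(far, references, target):
    """Largest number of trials that keeps the overall false acceptance
    probability at or below `target`; 0 if even one trial exceeds it."""
    if false_accept_probability(far, references, 1) > target:
        return 0
    per_trial = references * math.log1p(-far)   # negative
    return math.floor(math.log1p(-target) / per_trial)

# Constructed figures, not taken from the FAQ or from any product.
FAR = 1e-4        # per-comparison false acceptance rate
TARGET = 1e-3     # acceptable overall false acceptance probability

if __name__ == "__main__":
    one = false_accept_probability(FAR)
    ten = false_accept_probability(FAR, trials=10)
    print(f"verification, 1 finger   : {one:.6f}")
    print(f"verification, 10 fingers : {ten:.6f}  (x{ten / one:.2f})")
    print(f"identification, 1000 refs: "
          f"{false_accept_probability(FAR, references=1000):.4f}")
    print(f"trial limit, verification: {max_trials(FAR, 1, TARGET)}")
    print(f"trial limit, 1000 refs   : {max_trials(FAR, 1000, TARGET)}")
```

A trial limit of 0 means the per-comparison FAR is too high for that database size, so the matcher threshold has to be tightened or the system changed from identification to verification.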
How dangerous are latent prints on the sensor? |
Test reports about fingerprint sensor devices occasionally criticize
that residues of the fingerprint of an authorized person remaining on
the sensor might be activated by an attacker to gain unauthorized
access (e.g., by breathing on the sensor). This effect can indeed be
demonstrated with a number of sensor types (e.g., capacitive and
optical surface sensors). However, this effect requires the sensor to
be clean or cleansed (which is often not even mentioned by the
testers!). Touching the sensor surface several times degrades the
quality of the latent prints in such a way that a false acceptance
becomes very unlikely. Since in practice a cleaning of the sensor is
hardly ever necessary, latent prints on a sensor are a much smaller
risk than generally supposed.
The remaining risk might be further reduced by software, if fingerprints are refused whose position coincides too closely with the last positively verified fingerprint. This may be achieved by storing the position coordinates. The precondition for this method to work is, however, that the authorized person only touches the sensor when an authentication is requested. If the authorized person leaves a latent print on an inactive (and cleansed!) sensor, this way of latent print detection has no chance! A further software method to prevent reactivation of latent prints is to slightly shift the finger during authentication, such that a double recognition becomes possible at different sensor coordinates. |
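One way to implement the position check described above, which also covers the replay countermeasure of detecting succeeding features that differ too little. This is an added example, not code from the FAQ or from any product; the minutiae representation, tolerances and threshold are assumptions, and the sample data is constructed.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Minutia:
    x: float      # sensor column in pixels (raw, not aligned to the reference)
    y: float      # sensor row in pixels
    angle: float  # ridge direction in degrees

def coincidence(sample, previous, max_dist=4.0, max_angle=8.0):
    """Fraction of minutiae in `sample` that sit at almost the same raw sensor
    coordinates as an unused minutia of `previous` (no alignment is applied)."""
    if not sample or not previous:
        return 0.0
    used, hits = set(), 0
    for m in sample:
        for i, p in enumerate(previous):
            turn = abs((m.angle - p.angle + 180.0) % 360.0 - 180.0)
            if (i not in used and turn <= max_angle
                    and math.hypot(m.x - p.x, m.y - p.y) <= max_dist):
                used.add(i)
                hits += 1
                break
    return hits / len(sample)

class LatentPrintGuard:
    """Refuses a sample whose placement coincides with the last accepted one."""
    def __init__(self, refuse_at=0.8):
        self.refuse_at = refuse_at   # assumed threshold, tune per sensor
        self.last_accepted = None    # stored position coordinates

    def check(self, sample, matcher_accepts):
        if (self.last_accepted is not None
                and coincidence(sample, self.last_accepted) >= self.refuse_at):
            return "refused"         # reactivated latent print or replayed image
        if not matcher_accepts:
            return "rejected"
        self.last_accepted = list(sample)
        return "accepted"

def shifted(sample, dx, dy, turn):
    """Constructed placement change: translation plus a ridge-angle offset."""
    return [Minutia(m.x + dx, m.y + dy, (m.angle + turn) % 360.0) for m in sample]

# Constructed sample data: one genuine placement, the same print reactivated
# on the sensor (tiny jitter only), and a fresh placement of the same finger.
FIRST = [Minutia(120, 80, 30), Minutia(140, 150, 95), Minutia(200, 60, 210),
         Minutia(90, 210, 340), Minutia(175, 190, 15)]
LATENT = shifted(FIRST, 1, -1, 2)
FRESH = shifted(FIRST, 18, -11, 6)

if __name__ == "__main__":
    guard = LatentPrintGuard()
    for name, s in (("first", FIRST), ("latent", LATENT), ("fresh", FRESH)):
        print(name, guard.check(s, matcher_accepts=True))
```

As the text notes, the guard only sees placements that went through an authentication, so a latent print left on an inactive, cleansed sensor is outside what it can detect.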
Author
In 1968, Manfred U. A. Bromba began training as an electronics technician at the company Nixdorf Computer AG. This was followed by studies in electrical engineering and physics at Paderborn University. After obtaining a "Dr. rer. nat." degree, he spent another two years in research in the field of digital signal processing. In 1983, he moved to the semiconductor division of Siemens AG, where he was responsible for a series of multimedia innovations:
In 1986, the company "Dr. Bromba Infrarotindikatoren" was founded. In 1997, Bromba took over the biometrics activities of the Siemens division "Private Networks". In 1999, the world's first prototypes of a cell phone with fingerprint authentication and an ID card with complete sensing and processing on card were finished and shown at the CeBIT fair. Manfred Bromba is the author of numerous publications and inventions. As a member of TeleTrusT e.V., CAST Forum, and the biometrics working group NI-AHGB/NI-37 of the DIN e.V., he actively participated in the promotion and standardization of biometric systems. |