BIOIDENTIFICATION Frequently Asked Questions Last Change: 2003-04-25
Biometrics	Deutsch English   Biometrics Fingerprint

Biometrics is the science of measuring an individual's physical properties.

By determining an individual's physical features in an authentication inquiry and comparing this data with stored biometric reference data, identification for a specific user can be determined and authentication for access can be granted.

Advancing automation and the development of new technological systems, such as the internet and cellular phones, have led users to more frequent use of technical means rather than human beings in receiving authentication.  Personal identification has taken the form of secret passwords and PINs.  Everyday examples requiring a password include the ATM, the cellular phone, or internet access on a personal computer.  In order that a password cannot be guessed, it should be as long as possible, not appear in a dictionary, and include symbols such as +, -, %, or #.  Moreover, for security purposes, a password should never be written down, never be given to another person, and should be changed at least every three months.  When one considers that many people today need up to 30 passwords, most of which are rarely used, and that the expense and annoyance of a forgotten password is enormous, it is clear that users are forced to sacrifice security due to memory limitations.  While the password is very machine friendly, it is far from user-friendly.

There is a solution that returns to the ways of nature.  In order to identify an individual, humans differentiate between physical features such as facial structure or sound of the voice.  Biometrics, as the science of measuring and compiling distinguishing physical features, now recognizes many further features as ideal for the definite identification of even an identical twin.  Examples include a fingerprint, the iris, and vein structure.  In order to perform recognition tasks at the level of the human brain (assuming that the brain would only use one single biometric trait), 100 million computations per second are required.  Only recently have standard PCs reached this speed, and at the same time, the sensors required to measure traits are becoming cheaper and cheaper.  Therefore, the time has come to replace the password with a more user friendly solution -- biometric authentication.

In the development of biometric identification systems, physical features for recognition are required which:

• are as unique as possible, that is, an identical trait won't appear in two people:  Uniqueness
• occur in as many people as possible:  Universality
• don't change over time: Permanence
• are measurable with simple technical instruments: Measurability
• are easy and comfortable to measure:  User friendliness

What factors contribute to a biometric feature's development?

Biometric traits develop:

• through genetics: genotypic
• through random variations in the early phases of an embryo's development: randotypic (often called phenotypic)
• or through training: behavioral

As a rule, all three factors contribute to a biometric trait's development, although to varying degrees.  The following table rates the relative importance of each factor (o is small, ooo is large):

*Randotypic patterns often show genotypic traits in their overall structure.  These genotypic traits may disappear with increasing refinement (e.g., development of branches on a tree).

**Most implementations react to learn effects to various degrees, and therefore don't have a negligible behavioral contribution.

How does the manner of formation influence the usefulness of biometric features for authentication?

Even though the type of developmental factor does not solely determine a feature's usefulness, there are a few things to take into account:

• pure genotypic traits can't differentiate between monozygotic (identical) twins or clones
• purely behavioral features are, by definition, easiest to imitate
• behavioral features are strongly affected by external influences and the disposition of the user
• normally for authentication purposes, randotypic contributions are essential due to their necessity for creating absolute uniqueness

The following must be considered:

• Even monozygotic twins have obviously differing features.
• As a rule of thumb, random variations do NOT follow bodily symmetry.  For example, the right and left iris have different details, and are not mirror symmetrical to each other.

Reasons for variation over time:

• Growth
• Wear and tear
• Aging
• Dirt and grime
• Injury and subsequent regeneration
• etc.

Biometric features, which are minimally affected by such variation are preferred.  The degree to which this is possible is shown in the following table.  Easily changed effects such as dirt and quickly healing injuries such as an abrasion, are not taken into consideration.

What records biometric features?

For recording and converting biometric traits to usable computer data, one needs an appropriate sensor (see table).  Of course, costs can greatly vary for different sensors.  However, we can't forget that many technical devices already have sensors built in, and therefore, offer possibilities to measure biometric features nearly free of cost.

Which biometric features are most suitable for authentication purposes?

Prior to comparing the relative worth of different biometric traits, we must define the appropriate criteria to be used.  For these purposes, we will use four categories:

• Comfort:  duration of verification and the ease of use
• Exactness:   minimal error rates  (clarity, consistency, measurability)
• Availability:  the portion of a potential user group who can use biometrics for technical identification purposes (universal, measurable)
• Costs:  essentially due to the sensors.

Note that some of the following ratings are based on current versions (status: March 2000) which could change drastically with new solutions.

As one can see, determining an 'optimal' biometric method is hardly possible.  For biometric traits ranking high in exactness, fingerprints currently have the lowest costs.  The iris rates high in all categories, unfortunately including cost.  If the costs would sink significantly, the iris would be ideal. DNA loses points in exactness, because it can't differentiate between monozygotic twins today.

ISO/IEC JTC1 (world)

DIN NI-AHGB & NI-37(Germany)

At the moment, biometric standards are still in progress or have been submitted for standardization to ISO. Among the topics treated are:

• Biometric vocabulary and definitions
• Biometric technical interfaces
• Biometric data interchange formats
• Profiles for biometric applications
• Biometric testing and reporting

From these subjects the following proposals have been submitted for ISO standardization:

• BioAPI (programming interface)
• CBEFF ("container format" for templates)
• DIN V 66400 (fingerprint-template format for matching on card)

In an identification, the recorded biometric feature is compared to all biometric data saved in a system.  If there is a match, the identification is successful, and the corresponding user name or user ID may be processed subsequently.

In a verification, the user enters her/his identity into the system (e.g., via a keypad or card), then a biometric feature is scanned.  The biometric trait must only be compared to the one previously saved reference feature corresponding to the ID.  If a match occurs, verification is successful.

If a system has only one saved reference trait, identification is similar to verification, but the user need not first enter his or her identity, as for example, access to a mobile phone which should only be used by its owner.

1. Verification is much faster than an identification when the number of saved reference features/users is very high.
2. Verification is more secure than identification, especially when the number of reference traits/users is very high.

In a verification, the user must first enter his or her identity to the biometric system.  User ID's can be forgotten and cards can be lost, making access impossible.  (Note, this is only relevant when a biometric system has more than one user.)

Fighting Crime

• Comparing evidence from a crime scene with previously or subsequently recorded biometric data
• Examples:  Fingerprint, DNA

Security

Verification of one's identity and granting authentication

For example:  granting access rights by voice and pass

Comfort

• Identifying a person and changing personal settings accordingly
• For example, setting the car seat, mirrors, etc. by facial recognition

Biometrics "Who I am"

Biometrics uses nature's oldest system to identify people -- via unforgettable and unchanging physical characteristics.  From time immemorial, humans have had to perform recognition tasks themselves.  Today, technology is advanced enough to assist us or even relieve us of recognition tasks.

Secret Knowledge "What I know"

Here authentication takes the form of (secret!) PINs and passwords, which the user has to keep track of. The authorized has to share the secret knowledge with the authenticator. Previously, this was the simplest method of identification for machines. Secret knowledge is applied also where several persons have to be authenticated in a simple way.

Personal Possession "What I have"

Examples for authentication are having a key, ID card, or pass (with or without a chip), which allows entrance, for example, into a private room. Essential is the existence of covered or overt but unique features.

Combination Systems

For security reasons, often two or all three of the above systems are combined, e.g., a bank card with a PIN. Following the definition above, a password written down on a sheet of paper exclusively belongs to the group of "personal possession"; it is no secret knowledge any more!

What makes up a biometric authentication system?

A basic biometric system is made up of:

• a sensor to record the biometric trait
• a computer unit to process and eventually save the biometric trait
• an application, for which the user's authentication is necessary


In detail, the processing unit comprises
 

• a "feature extraction unit" which filters the uniqueness data out of the raw data coming from the sensor and combines them into the request template,
• a "matcher" which compares the request template with the reference template and delivers a "score" value as result,
• and a "decision unit" which takes the score value (or values) as well as the threshold to derive a two-valued decision (authorized or non-authorized).

Generally, computation speeds adequate for pattern recognition are required.  This is about 100 million operations per second, which have only recently been attained by affordable hardware (PC, DSP).

Often "security" is said when the ability to prevent false authentication is meant.  False authentication could happen through:

• too high a false acceptance rate (FAR)
• fraud or forgery attempts
• technical deficiencies


Perfect protection cannot exist.  However, one can try to make the FAR as small as possible, forgery attempts as costly as possible, and through intensive testing minimize the technical deficiencies.

The security realm also includes protecting biometric and other personal data against misuse.

False Acceptance Rate (FAR)

The FAR is the frequency that a non authorized person is accepted as authorized.  Because a false acceptance can often lead to damages, FAR is generally a security relevant measure. FAR is a non-stationary statistical quantity which does not only show a personal correlation, it can even be determined for each individual feature (called personal FAR).

False Rejection Rate (FRR)

The FRR is the frequency that an authorized person is rejected access.  FRR is generally thought of as a comfort criteria, because a false rejection is most of all annoying. FRR is a non-stationary statistical quantity which does not only show a strong personal correlation, it can even be determined for each individual feature (called personal FRR).

Failure To Enroll rate (FTE, also FER)

The FER is the proportion of people who fail to be enrolled successfully. FER is a non-stationary statistical quantity which does not only show a strong personal correlation, it can even be determined for each individual feature (called personal FER).
Those who are enrolled yet but are mistakenly rejected after many verification/identification attempts count for the Failure To Acquire (FTA) rate. FTA can originate through temporarily not measurable features ("bandage", non-sufficient sensor image quality, etc.). The FTA usually is considered within the FRR and need not be calculated separately, see also FNMR and FMR.

False Identification Rate (FIR)

The False Identification Rate is the probability in an identification that the biometric feature is falsely assigned to a reference. The exact definition depends on the assignment strategy; namely, after feature comparison, often more than one reference will exceed the decision threshold.

Further Implicit Measures

False Match Rate (FMR). The FMR is the rate which non-authorized people are falsely recognized during the feature comparison. In contrast to the FAR, attempts previously rejected due to poor (image-) quality (Failure to Acquire, FTA) are not accounted for. Whether a falsely recognized feature leads to increases in FAR or FRR depends upon the application. (There are applications, which define a successful recognition as a rejection, when, for example, double release of identification cards for a person with a false identity is prevented by comparing the actual reference features with the centrally stored reference features of all cards released so far.)
False Non-Match Rate (FNMR). The FNMR is the rate that authorized people are falsely not recognized during feature comparison. In contrast to the FRR, attempts previously rejected due to poor (image-) quality (Failure to Acquire, FTA) are not accounted for. Whether a falsely recognized feature leads to increases in FAR or FRR depends upon the application.

The measurement of biometric features as well as the features themselves are subject to statistical fluctuations. Therefore, every biometric recognition system has a built-in acceptance threshold, which when raised both decreases FAR and increases FRR.  It should be clear that the given FAR and FRR values are belonging to the same threshold value. Stating only the FAR or only the FRR is thus misleading.

In biometrics FAR/FRR are not theoretically ascertainable, instead they must be determined statistically in costly tests. Determining statistical significance is equally difficult.  There were no standardized techniques, therefore results could vary due to differences in test conditions and sample size.  Clarity was only provided by disclosure of the test conditions.

Due to the statistical nature of the failure-to-enroll rate, a large number of enrollment attempts have to be undertaken to get statistical reliable results. The enrollment can be successful or unsuccessful. The probability for lack of success (FER(n)) for a certain person is measured:
 

FER(n) =

Number of unsuccessful enrollment attempts for a person (or feature) n  Number of all enrollment attempts for a person (or feature) n

These values are better with more independent attempts per person/feature. The overall FER for N participants is defined as the average of FER(n):
 

FER =

1 N

N n=1

FER(n)

The values are more accurate with higher numbers of participants (N). Alternatively, the median value may be calculated.

Finally, the result of an enrollment attempt has to be defined exactly:

An enrollment attempt is successful if the user interface of the application provides a "successful"- or "finished" message.
An enrollment attempt is unsuccessful if the user interface of the application provides an "unsuccessful"-message.
In cases where no defined completion is available, a fixed enrollment time interval has to be given to ensure comparability. If the time interval has expired the enrollment attempt is counted unsuccessful.

A prerequisite for authentication is enrollment, in which a biometric feature is saved as a personal reference either decentrally on a chip card or PC, or centrally in a data base.  Since the the quality of the enrollment essentially determines the performance of the authentication, it must be implemented carefully.  It is obvious that enrollment must take place in a secure environment.
During an authentication, a new scanning of the biometric feature is required.  This time it is not saved; instead, it is compared to the reference feature.  If the comparison is positive, access to the appropriate applications can be granted.

Most biometric systems show the following procedure in detail:

Taking a data set (e.g., image or sound) which includes the features to be extracted using an appropriate sensor

Examination of the data quality; if it is insufficient, the data are rejected immediately or appropriate user guidance is given to improve the quality

Extraction of the desired features from the data set and generation of a template

For enrollment: Storage of the template as "reference template" in the "reference archive"

For authentication: Comparison of the actual (request) template with the reference template using a "matcher" and generation of a score value which determines the degree of coincidence
For authentication: Exceeds the score value a predetermined threshold, access is granted, otherwise the request is rejected

Every biometric feature can occasionally or permanently fail.  Examples of temporary failures can be caused by worn down or sticky fingertips for fingerprints, medicine intake in iris identification (Atropin), hoarseness in voice recognition, or a broken arm affecting one's signature.  Well known permanent failures are, for example, cataract, which makes retina identification impossible, or rare skin diseases which permanently destroy a fingerprint.  Therefore, every biometric system needs a fall-back process.  One also needs a fall-back if a key is lost or a PIN is forgotten; so not only are biometric systems affected by user failure, rather all authentication systems.  In fact one can see that also here, biometric systems are preferable to conventional methods.

The false acceptance rate (FAR) can be adjusted in the recognition algorithm via the acceptance threshold - the higher the acceptance threshold, the lower the FAR.  Raising the acceptance threshold, however also raises the FRR.  Therefore, the goal must be to have as small an FAR as possible for any given FRR, and vice versa.  There are certain factors which primarily influence the FAR, while others mainly affect the FRR.  For a fixed FRR, FAR is dependent on the following factors:

• type of biometric feature
• quality of the sensors
• user behavior
• effectiveness of the recognition algorithm
• the number of biometric references in an identification system

Therewith, the optimization possibilities are clear:

• determine suitable biometric features: here the uniqueness of the feature essentially affects the FAR, whereas permanence and measurability affect the FRR
• choose the sensor with the best (picture) quality: this mainly reduces the FRR
• eliminate false operations of the user:  this also reduces the FRR
• optimize the recognition algorithm
• limit the number of biometric references in an identification system: this reduces the FAR and increases the FRR

In a verification a biometric feature is compared with only one reference, whereas in an identification, it is compared with N (N>1) different references.  This transition to an identification results in higher FAR, and in an ideal case is as follows:
 

FARN = 1 - (1 - FAR1)N

where FAR_N is the false acceptance rate for N different stored references. The formula is restricted to the "access control" case where the correct assignment to an identity is not essential. For an N·FAR₁ significantly smaller than 1,  we have approximated:
 

FARN ~ N·FAR1

Example:  A data base has 100 000 different references.  In an identification, FAR is raised from 10^-7 to about 10^-2!

If in an application the correct assignment of ID data is essential (e.g., for bank transactions), other methods have to be used, as explained under Determination of FIR.

During identification a request feature is compared to all reference features. Obviously, in contrast to a verification, more than one similarity value (score) is generated. This fact complicates the decision, whether a feature is to be accepted, or not. In particular, there are multiple ways to decide, if, e.g., several scores exceed a threshold. As a result, each decision procedure needs its own definition for a false rejection. Two examples are given:

One must differentiate between applications which allow access to personal data after a successful identification (e.g., access to a personal bank account), and applications which grant general access not dependent on one's identity (e.g., entrance to a room without a protocol of an identified person's presence). In the first case an assignment of a biometric feature to a false identity may happen. This is called a false identification, characterized by the False Identification Rate FIR. Furthermore, it is conceivable that more than on reference template will generate a score above the threshold. This case is treated in Determination of FIR, showing that different decision strategies may yield different results.

In the second case, with increasing numbers of different references, the false rejection rate FRR decreases!  How can that be?  Very simply:  it increases the probability that a justified user is "identified" not only from his or her own personal features, but also those of others, as normally would be considered a false acceptance.  The user, however, does not notice the system's mistake.  Mathematically, under ideal conditions this appears:
 

FRRN = FRR1(1-FAR1)N-1

A value is considered statistically significant when it is likely that is falls within a given error interval and the probability of falling outside this area by chance is relatively low.  Statistical significance is dependent upon the number of trials or sample size.  Because biometric values are difficult to model, the existence of statistical significance is hard to estimate.  As a rule of thumb ("Doddington's rule"), one must conduct enough tests that a minimum of 30 erroneous cases occur [Porter 1977]. Example: An FAR of 10^-6 can be considered reliable, when 30 errors occur in 30 million trials. One error in a million trials also has an FAR of 10^-6, but statistically is far less significant.  One can see that biometric tests are very expensive if performance needs to be very high.  The situation would be easier, if further information could be considered along with the yes/no questions (or accept/reject), as for example the proximity of a decision to the acceptance threshold.

A biometric system test usually starts by determining the similarities of different biometric features and a saved reference feature.  After many measurements, one receives a histogram or distribution for authorized users and another for unauthorized users showing the frequency of matches per similarity rating.  In an ideal case, the two distribution graphs should overlap as little as possible.  When setting a certain similarity rating as a threshold for determination of authorized versus non authorized users, the false acceptance rate (FAR) is the number of non authorized users whose similarity rating happens to fall above the threshold compared to all attempts.  On the other hand, a false rejection rate (FRR) is the number of authorized users whose similarity ratings happen to fall below this threshold compared to all attempts.  Through integration (in practice, successive summation) of these distribution graphs, FAR and FRR graphs are determined, which are dependent on the adjustable adopted threshold.

If one wants to compare different biometric systems, it is problematic that value "similarities" or, inversely, "distances" are defined very differently, and therefore threshold values often have incomparable meanings.  This difficulty is avoided by ROC, in which the similarity threshold parameter is eliminated and FRR is seen as a function of FAR.

Generally, yes.  This applies for false acceptance rate (FAR) as well as for false rejection rate (FRR).  We experience this in our everyday lives -- some faces are easy to recognize and remember, whereas others are difficult.  Therefore, the means of FAR and FRR, typical indicators, are not very helpful for individual users.  This dependence on the individual user is also responsible for the fact that statistical properties of FAR and FRR measurements are very difficult to quantify.

In this case, compromisation is the exposure of one or more biometric features allowing use for forgery purposes.

Yes and no.  Biometric features should be as unique and permanent as possible.  If compromised, it is dangerous that biometric features could be misused and then, like a password, rendered unusable, except that a password is always exchangeable whereas a biometric feature isn't.  The actual danger depends upon the application and the associated precautions.

No.  Almost all biometric features are more or less unconcealed and therefore public (face, fingerprint, iris, voice, etc.).  It is therefore a basic requirement of biometric systems' security, that openness to the public and the subsequent ability to be compromised cannot lead to damages.  If one starts with a system whose operator highly values a correct identification, the operator must make sure that the system only evaluates features that belong to the (living) person.  That means:  A biometric system for high-security applications cannot just compare features, instead it must also allow accurate monitoring of the source.  The input of copied data by an outside party is relatively easy to prevent.  It is significantly more difficult, although possible, to make sure that the scanned feature is not a mechanical copy.  (Sometimes it is said to be important that the original picture (e.g., the finger line picture) is not reconstructable from the feature's data record.  But this doesn't help much because any copy of a person's feature which produces the same data record is sufficient for misuse.)  If one wants to be certain, the biometric feature must be linked or combined to another unique but changeable data set (e.g., random number).  Both are verified during an authentication, with the changeable data set being used.  In case of failure, the changeable data set is blocked and a new data set is combined with the original biometric feature.

Yes.  Unfortunately after compromisation, dangerous misuse is possible.  Such applications could include those in which an authorized user cannot control the processing of his or her biometric traits and is not aware of the processing.  One example from the internet are 'cookies', which serve to re-recognize the identity of a surfer.  These are used in online shopping when a surfer fills a shopping cart and visits another site before purchasing.  The customer is recognized by marks (cookies) left by the online company on the specific surfer's computer, which can be read at any time.  Unfortunately, cookies are also used to track one's web behavior and (as soon as the user's email is entered) a known identity may be assigned.  The release of (biometric and non biometric) ID data can in principle have the same effect as complete surveillance of a user.

This shows that exposure of biometric features is less a security problem and more a privacy problem.

In private applications a compromisation is unexpected, as the user alone has access to his or her own data (e.g., a home computer).  Otherwise, one should only give the feature to trustworthy applications and partners.  The partner is obliged not to pass further the biometric trait and to securely store it.

In biometrics, possession of a chip card combined with biometric methods further increases security in a verification.  Not only are reference features saved on the chip card, but also identity data of the user.  For authentication, the card plus entry of the biometric feature is necessary.  The following advantages result:

• entry of a user ID via keypad is unnecessary
• no central data base storing reference features is necessary
• compromisation of the biometric feature without the possession of the card is not critical
• when using a chip card with an integrated crypto processor and feature matching device, systems allowing possible compromisation by decoding a readout are rendered impossible.
• if a normal chip card is stolen, it must be blocked and a new card issued.  With a crypto card on the other hand, only the saved, non displayed secret key must be changed.

Still higher security is achieved when using a crypto card which integrates biometric sensors in the card.  This offers more effective protection against input of compromised data records, as this sensor cannot be externally intercepted when it is the only interface for the input of biometric data.  Today's chip cards, however, don't yet offer the computational power required to extract the feature's data directly on the card.

For security applications, the usage of pure memory cards is not advisable, because when lost, they cannot be blocked and are especially easy for an unauthorized user to receive a printout of biometric data.

In order to investigate the performance of a biometric verification system, one looks at how the system reacts to a large number of inquires for biometric features from authorized as well as unauthorized users.  Due to natural fluctuations and measurement imperfections, the results of such an investigation are never absolutely certain, instead are only predictable to a certain extent.  In order to determine the error rates, "false acceptance" and "false rejection," the yes/no decisions of "authorized/unauthorized" are not used, instead the underlying degree of similarity between an inquiry and the saved reference feature.  In a series of measurements, similarity ratings ("score values") are collected for authorized and unauthorized users.  Then the frequency of incidence is counted for every similarity rating.  After being normalized with the total number of inquiries, both resulting histograms make up the probability distribution function.  They show the measured estimation of a certain similarity rating's (n) probability of occurring for authorized users (p_B(n)) and unauthorized users (p_N(n)):
 

pB(n) =

Number of measurements with similarity rating n for authorized user  Total number of measurements for authorized users

 

pN(n) =

Number of measurements with the similarity rating n for unauthorized  Total number of measurements for unauthorized users

The higher the total number of measurements, the more accurate the estimation.  (See "Statistical Significance" .  A mathematical determination of probabilities as a relationship between the relevant possibilities and the total number of possibilities fails because as opposed to dice, there are simply too many different possibilities to be able to include.)

In an ideal case (unfortunately unachievable), both distribution curves do not overlap.  That means, inquiries for unauthorized users have the low similarity ratings, whereas all the high similarity ratings are for authorized users.  In such a case it is easy to define a decision threshold, that clearly differentiates between authorized and unauthorized users.  In practice, however, there is always an overlap when the number of users is high enough. Here comes a typical diagram:

The error graphs of FAR and FRR are respectively defined as the probability that an unauthorized user is accepted as authorized, and that an authorized user is rejected as unauthorized.  The curves are dependent upon an adjustable decision threshold for the similarity of a scanned feature to a saved reference feature.  The following derivations apply under the assumption that a similarity rating value can be any whole number between 0 and K, and that, for simplicity's sake, the probability of value K occurring is 0. It also makes sense in practical applications, when we first consider the FMR and the FNMR and later extract the threshold-independent rejections due to insufficient image quality from the FAR and FRR. Furthermore, we assume that for acceptance the coincidence of two features and for rejection the non-coincidence is required.

If a general probability distribution function p is given for discrete similarity values n, the probability P_M(th) that the scanned feature with similarity rating n falls below threshold th ("misses") is:
 
 

PM(0)	:=	0
PM(th)	=	th-1 n=0	p(n)	th = 1, 2, 3, ..., K

The sum of correct matches and mismatches must equal the number of total events.  For that reason, the probability P_H(th) that the similarity rating of the scanned trait reaches or exceeds threshold th ("hits") will be:
 
 

PH(th) = 1 - PM(th) =

K n=th

p(n)

th = 0, 1, 2, ..., K

The False Match Rate FMR(th) is the probability that the similarity of two non-identical features does not reach or exceed a certain threshold value th.  Therefore:
 
 

FMR(th) := PH(th) = 1 -

th-1 n=0

pN(n)

th = 1, 2, 3, ..., K

For the False Non-Match Rate FNMR (th), applies the analogous:
 

FNMR(th)

:= PM(th) =

th-1 n=0

pB(n)

th = 1, 2, 3, ..., K

where p_N is the probability frequency function for non authorized users and p_B is for authorized users.  The limit values are:
 

FMR(0) = 1		FMR(K) = 0
FNMR(0) = 0		FNMR(K) = 1

To calculate FAR and FRR, the threshold-independent quality rejection rate QRR (equals FTA, depending on definition) has to be taken into consideration. Provided that a false acceptance is assigned to a false match, we obtain:
 
 

FAR(th) = (1 - QRR) FMR(th)

FRR(th) = QRR + (1 - QRR) FNMR(th)

For the border values we then get:
 

FAR(0) = 1 - QRR		FAR(K) = 0
FRR(0) = QRR		FRR(K) = 1

Setting a similarity rating th as the threshold to differentiate between authorized and non authorized users, results in the experimental estimation of false acceptance rate FAR(th), as the number of similarity ratings of non authorized users that fall above this threshold in comparison to all trials / number of similarity ratings.  Conversely, the false rejection rate FRR is the number of authorized user's similarity ratings which fall below this same threshold compared with the total inquiries.  Through integration (in practice, successive summation) of the probability distribution curves, FAR and FRR graphs are determined, which are dependent on the adjustable adopted threshold th. The following diagrams show typical results in linear and logarithmic scale:

The FAR/FRR curve pair is excellently suited to set an optimal threshold for the biometric system.  Further predictors of a system's performance, however, are limited.  This is partially due to the interpretation of the threshold and similarity measures.   The definition of the similarity measures is a question of implementation.  Almost arbitrary scaling and transformations are possible, which affect the appearance of FAR/FRR curves but not the FAR-FRR values at a certain threshold. A popular example is the use of a "distance measure" between the reference feature and the scanned feature.  The greater the similarity, the smaller the distance.  The result is a mirror image of the FAR/FRR curves.  A favorite trick is to stretch the scale of FAR/FRR curves near the EER (Equal Error Rate: FAR(th) = FRR(th)), (i.e., using more threshold values) thus making the system appear less sensitive to threshold changes.

In order to reach an effective comparison of different systems, a description independent of threshold scaling is required.  One such example from the radar technology is the Receiver Operating Characteristic (ROC), which plots FRR values directly against FAR values, thereby eliminating threshold parameters.  The ROC, like the FRR, can only take on values between 0 and 1 and is limited to values between 0 and 1 on the x axis (FAR).  It has the following characteristics:

•  The ideal ROC only have values that lie either on the x axis (FAR) or the y axis (FRR); i.e., when the FRR is not 0, the FAR is 1, or vice versa.
• The highest point (linear scale under the definitions used here) is for all systems given by FAR=0 and FRR=1.
• The ROC cannot increase

As the ROC curves for good systems lie very near the coordinate axis, it is reasonable for one or both axis to use a logarithmic scale:

The Receiver Operating Characteristic (ROC) offers an objective comparison of different biometric systems, in the form of a graph.  More practical would be the specification of one single measured value, which forms a kind of average of all the systems settings.  Therewith, only a global description of the system would be possible.  One must therefore understand that a system can be better overall, despite worse local functioning, for example in an operating point.

Separability is intuitively the ability of a biometric system to differentiate authorized and unauthorized users on the basis of a biometric feature.  The higher the separability, the fewer the errors while differentiating authorized and unauthorized users.  The measure of the separability, like that of the ROC, cannot be dependent on implementation specific scales.  Additionally, a separability measure should be easy to calculate.

A well known measure for the (inverse) separability is the Equal Error Rate (EER).  Unfortunately, the EER describes only one single point of the ROC.  While the definition is simple, the calculation is not so easy; the EER point does not exist as a measurement, instead it is derived through decision and approximation.

An (inverse) separability measure, which also prevents the EER disadvantages, is the area below the ROC graph.  It allows easy calculation of all ROC values through summation.  The only difficulty is the fact  that the ROC values are not equidistant.  Therefore, every y value (FAR) must be weighted by the distance between its corresponding x value (FRR) and the next value.  This distance for every ROC point is just the difference (that is the gradient) of two consecutive values in the FAR graph.  As a result, the distance is given by the probability distribution graph of non authorized users.  (For continuous functions, in which the sum can be replaced by an integral, this would be a consequence of the substitution rule for integrals!)   The ROC area, here called ROCA, is (K+1 is the number of similarity ratings considered):
 
 

ROCA =

K n=1

FRR(n)pN(n-1)

pN: Probability distribution function  for unauthorized users

This formula simply needs additions and multiplications of existing measured values.  Even though implementation specific similarity ratings n are summed, the ROCA is still independent of their definition. However, one must assume that no threshold-independent rejections occurs, i.e., FRR = FNMR and FAR = FMR.

Both EER and ROCA can take on values between 0 and 1.  Ideal separability of a biometric system and therewith the distribution p_B and p_N obviously result in EER and ROCA values of 0.  But what value belongs to the ideal non separability.  Intuitively, ideal non separability can only mean that both distributions p_B and p_N are exactly the same.  But in the case:
 

pN = pB

=>

FAR = 1 - FRR

=>

EER = ½

and:

pN = pB

=>

ROCA =

K n=1

FRR(n)pB(n-1)

~ ½

(Proof for the approximation: one replaces the sum with an integral and considers p_B as the derivative of FRR.  Now, only the rules for partial integration are needed.)

Reasonable vales for EER and ROCA lie between the extrema: 0 for perfect separability and ½ for perfect non separability.  What do values between ½ and 1 then mean?  This range is left for cases, in which distributions p_B and p_N trade roles and change places in the diagram.  For separability, this range has practically no meaning in biometrics.

Even though the false rejection rate, FRR, is intuitively easy to understand, there can be many problems when trying to fix an unequivocal or universal definition.  The following must be taken into account:

• The FRR is a statistical value whose measurement accuracy depends on the number of measurements.  Now the FRR is not only dependent on the biometric system, but on the users as well.  There is thus a personal FRR.  If one wants to deal with large numbers of people, it is important that the end result is not negatively affected by an individual.  Such could occur when the number of attempts per person differs.  This problem can be avoided, if one first identifies each personal FRR curve and calculates the mean from those (or uses the median, but this provides different values!).
• The exact meaning of rejection must be clarified.  Here for example, the total number of recognition attempts before the final assessment of a failed recognition play a role.  There are systems, which can continuously process a verification in real time.  Here a verification time slot is offered.
• Many biometric systems reject a verification due to poor picture quality (e.g., dirty or worn down fingers in a fingerprint verification, noisy surroundings in a voice recognition, poor lighting in a facial recognition, or sensor problems).  When such problems are not due to a faulty operation, rejections due to picture quality problems are still false rejections.  The user is indifferent to the reason for false rejections.
• Even the personal FRR can vary with time.  It sinks, for example, when one frequently uses the system, which can learn to avoid false rejections.  In such cases, it is only reasonable for comparisons to determine FRR during learning phases.
  In the case that a life/fake recognition is also used, this needs to be considered when determining the FRR.

Due to the statistical nature of the false rejection rate, a large number of verification attempts have to be undertaken to get statistical reliable results. The verification can be successful or unsuccessful. In determining the FRR, only fingerprints from successfully enrolled users are considered. The probability for lack of success (FRR(n)) for a certain person is measured:
 

FRR(n) =

Number of rejected verification attempts for a qualified person (or feature) n  Number of all verification attempts for a qualified person (or feature) n

These values are better with more independent attempts per person/feature. The overall FRR for N participants is defined as the average of FRR(n):
 

FRR =

1 N

N n=1

FRR(n)

The values are more accurate with higher numbers of participants (N). Alternatively, the median value may be calculated.

Important: the determined FRR includes both poor picture quality and other rejection reasons such as finger position, rotation, etc. in the reasons for rejection.  In many systems, however, rejections due to bad quality are generally independent of the threshold.  The FRR after quality filtering is similarly defined:
 

Number of rejected "qualified" attempts  Total number of "qualified" attempts

An FRR defined as such, generally yields better data sheet values, but these lower numbers are not reflected in reality from a user's perspective.

Finally, the result of a verification attempt has to be defined exactly:

A verification attempt is successful if the user interface of the application provides a "successful"-message or if the desired access is granted.
A verification attempt counts as rejected if the user interface of the application provides an "unsuccessful"-message.
In cases of no reaction, a verification time interval has to be given to ensure comparability. If the time interval has expired the verification attempt is counted unsuccessful.

Similar to the FRR, the false acceptance rate can be defined differently.

• The FAR is a statistical value, whose measurement accuracy depends on the number of measurements.  The FAR depends not only on the biometric system, but on the user as well.  There is also a personal FAR. If one wants to deal with large numbers of people, it is important that one individual does not negatively affect the end result.  Such could occur when the number of attempts per person differs.  This problem can be avoided, if one first identifies each personal FAR curve and calculates the mean from those (or uses the median, but this provides different values!).  In determining FAR, it is generally easier to limit the number of recognition attempts to 1 per person.  Further attempts per person will smooth out the ROC graph, but add little to the statistical significance.
• If the biometric system has picture quality management, which happens to reject a false user due to poor picture quality (click here for example) already before verification, this is of course a correct rejection, and leads to an improved FAR.
• Strong behavioral biometric features (e.g., voice or signature) are often purposefully forged or copied.  In investigating FAR, it needs to be determined whether tests simply recognize foreign features or also attempted forgeries.  This difference can be serious.

Due to the statistical nature of the false acceptance rate, a large number of fraud attempts have to be undertaken to get statistical reliable results. The fraud trial can be successful or unsuccessful. The probability for success (FAR(n)) against a certain enrolled person n is measured:
 

FAR(n) =

Number of successful fraud attempts against a person (or feature) n  Number of all fraud attempts against a person (or feature) n

These values are more reliable with more independent attempts per person/feature. The overall FAR for N participants is defined as the average of FAR(n):
 

FAR =

1 N

N n=1

FAR(n)

The values are more accurate with higher numbers of participants (N). Alternatively, the median value may be calculated.

Whether a correct rejection is due to poor picture quality or really to a person's unauthorized status, remains (just like in practice) extraneous.

The crucial number for the determination of statistic significance is the number of independent attempts.  Obviously, two attempts in which alternately one person is the reference and another places the request, are not independent of each other. Likewise, multiple attempts from one unauthorized user are considered dependent and therefore have less meaning for statistical significance.

Finally, the following items have to be settled, or defined, respectively:

• What is a fraud attempt?
• How is the result of a fraud attempt defined exactly?

Usually, during FAR determination, a fraud attempt is an attack using the features of a non-authorized person. This, however, pretends a high security which is not present since there are a lot of further possibilities for promising attacks.

A fraud attempt is successful if the user interface of the application provides a "successful"-message or if the desired access is granted.
A fraud attempt counts as rejected if the user interface of the application provides an "unsuccessful"-message.
In cases where no "unsuccessful"-message is available, a verification time interval has to be given to ensure comparability. If the verification time interval has expired the fraud attempt is counted unsuccessful.

Recent concerns with the possible uses and misuses of biometrics has led to a discussion whether biometrics is privacy-enhancing or privacy threatening.  A central question, according to Woodward (1999), is whether a user has full control over his data, knowing when, where, and why a submitted biometric feature is used.  Non-intended reuse is possible in non-biometric systems, but fear is increased due to the highly personal nature of biometric data, as opposed to simply an ID number.  Some biometric data, such as DNA, showing medical information can be passed along to commercial systems, insurance companies, or the government.  Privacy concerns with biometrics as summarized by Wirtz (2000) are:

• Unauthorized access to biometric data
• Unauthorized disclosure of biometric data to third parties
• Use of biometric data for other than intended purpose
• Collection of biometric data without the knowledge of the individual

Meeting privacy and data protection requirements is a central concern to the success of biometric systems.  Such concerns led to the formation of the IBIA (International Biometric Industry Association), an organization concerned with data protection and ID systems used in biometrics, particularly from the consumer viewpoint.  Legal concerns can help ensure that biometrics are properly applied and therefore increase an individual's security.

Regarding "Template on Card", a chip card stores the extracted reference template electronically. There are different ways of realization:

1. The chip card is a simple memory card, the storage is done without encryption
2. same as 1., however with encrypted template
3. The chip card is a processing card (and offers secret storage capabilities)
4. The chip card is a processing card with cryptographic functions

These possibilities fulfill increasing security requirements with increasing order. In all cases it must be noticed the communication partners of the chip card codetermine the security of the whole system.

Chip cards with integrated matcher do not only store the reference template, they also compare (match) the reference template with the incoming request template. For that reason the card needs an internal processor ("smartcard").

Advantage against other solutions

• Applications which use a PIN authentication on a smart card, may be extended to biometric authentication without changing the infra structure. Example: SIM card for mobile phones. Even in the case of a loss of the phone and/or the SIM card no unauthorized access to the net is to be feared.
• As the reference template need not leave the card, more privacy is guaranteed.

Drawback

There is only limited processing power and memory space available on the smart card. This requires some compromises with regard to biometric verification performance.

We consider the following possibilities for storage of biometric references on a chip card:

The chip card is a pure memory card, storage is unencrypted.

• The chip card can be read by anyone who finds it.
• The chip card can be duplicated by anyone; however, only the authorized can use it.
• In principle, cards with references of non-authorized users can be produced which grant access to the system.
• If the authorized user's (non-biometric) data is saved on the card, the danger of compromisation when lost is high.

The chip card is a pure memory card, storage is encrypted.

• The chip card can be read by anyone who finds it, but the contents cannot be interpreted.
• The chip card can be duplicated by anyone; however, only the authorized can use it.
• Authentication via cards with references of non-authorized users is generally prevented.
• Compromisation of data is prevented.

The chip card is a processor card (smart card) with crypto function

• The chip card's stored data can only be read and interpreted by a trustworthy communication partner (e.g., a secure PC or a secure Server via a non-secure PC)
• Duplication of the chip card is preventable
• Authentication via cards with references of non-authorized users is generally prevented
• Compromisation of data is prevented

It depends on a specific application which security level is necessary and what will be the possible solution.

We consider the following implementation possibilities:

The chip card is a pure memory card, storage is unencrypted

During enrollment, a biometric sensor connected to a PC extracts the biometric feature, and subsequently stores the extracted reference on chip card. At verification, the access seeker inserts her chip card into the chip card reader and then her biometric feature is again scanned. The scanned feature is then compared to the reference stored on the chip card at the PC. If the comparison exceeds a certain level of similarity, full clearance is granted to the network by sending the decrypted password (which is stored on the PC encrypted) from the PC to the server.

The chip card is a pure memory card, storage is encrypted.

See above. Additionally, however, decryption of the reference from the card is done on the PC or better yet on the server with a securely stored key. Alternatively, the comparison process should likewise occur on the server. Thereby, the current extracted feature is transmitted securely from the PC to the Server.

The chip card is a processor card (smart card) with crypto function

The communication partners of the crypto card are a PC, a biometric sensor and a secure server. During a log-on trial, the crypto card and the server create a secure connection. The server retrieves the reference data from the crypto card. Simultaneously, the PC extracts the biometric feature from the sensor's raw data and sends it (potentially secured by a one-time key) to the server where it is compared to the card's biometric reference feature. If the comparison is positive, the PC grants access to the network drives.

A template comprises the extracted unique features of the biometric data. The template is generated during the process of feature extraction, which frees the raw data coming from the biometric sensor from redundant information. By this way, both the storage requirements and the matching expense are reduced. Here, the definition of the template does not depend on its usage as reference or for a verification request. (Several authors only call the reference template a template, the request template is called "sample".)

During an identification, the requested feature is compared to many reference features and possibly, the similarity value will exceed the threshold for more than one reference. This is non-critical if only granting access, but can be very problematic if the correct assignment of personal data to the biometric feature is required (Example: access to a bank account via ATM).

The probability for the identification of further (by definition false) candidates (independent of the correct reference) can be calculated from the FAR since these candidates would represent false acceptances in the case of verification. Its value is given by:
 
 

1 - (1 - FAR1)N-1 ~ (N - 1) FAR1

whereby FAR₁ is the False Acceptance Rate for a system with one reference. N represents the number of references. The approximation (right side) applies in the case that the resulting value lies considerably under 1.

The False Identification Rate can first be calculated after selecting one of the candidates. One standard, which is often found in practical applications, could be, for example, that the candidate with the highest similarity value is chosen (presuming that there is only one). Unfortunately, the FIR is only ascertainable when the probability density functions are available for false acceptance as well as false rejection.

Easier to calculate is the rule that multiple candidates are completely rejected, which raises the FRR and lowers FAR. The following definitions apply here:
 

FAR		probability that a non-authorized person is identified
FRR		probability that an authorized person is not identified
FIR		probability that an authorized person is identified, but is assigned a false ID

These definitions result in the following formulas under ideal conditions (statistic independence, same error rates for all people, ...); where the index N is again the number of references:
 

FARN = N FAR1 (1 - FAR1)N-1

 

FRRN = 1 - (1 - FRR1 - FAR1 + N FRR1 FAR1) (1 - FAR1)N-2

 

FIRN = (N - 1) FRR1 FAR1 (1 - FAR1)N-2

In a positive identification the user is interested to be identified, in the negative case the user tries to avoid successful identification. For example, the thief is not interested in being identified by comparing the latent prints from the scene of crime with his fingerprints. This is a negative identification. If I am authorized to get access to my office, I am strongly interested to be identified, e.g., by iris recognition. This is a positive identification.

The main impact of positive versus negative identification regards user cooperation. In the negative case the user is not willing to cooperate (even if he is "innocent") at the stage of feature acquisition. Therefore, a negative identification often needs observation. Even the sensor may be affected by the type of identification: negative fingerprint identification needs full size sensors at least for the enrollment process.

This question at least poses two problems: biometrics is not equal to biometrics, and the term "secure" is in fact commonly used, but it is not exactly defined. However, we can try to collect pros and cons in order to find at least an intuitive answer.

It is a matter of fact that the security of password protected values in particular depends on the user. If the user has to memorize too many passwords, he will use the same passwords for as many applications as possible. If this is not possible, he will go to construct very simple passwords. If this will also fail (e.g., if the construction rules are too complex), the next fall-back stage is to notify the password on paper. This would transform "secret knowledge" into "personal possession". Of course, not every user will react this way. Rather the personal motivation plays an important role: is he aware of the potential loss caused by careless handling of the password? It is easy if the user is the owner. But often foreign possession (e.g., that of the employer) has to be guarded, whose value one often can hardly estimate. If motivation is missing, any password primarily tends to be felt bothersome. In this case, and that seems to be the normal case, it is assumed that biometrics has considerable advantages.

Contrariwise, passwords feature an unbeatable theoretic protection ability: an eight-digit password which is allowed to contain any symbol from an 8-bit alphabet offers 10²⁰ possible combinations! This is a real challenge for any biometric feature.  The requirements are obvious: such a password is maximally difficult to learn, it must not be written down, it must not be passed to anyone, the input must take place absolutely secret, it must not be extorted, and the technical implementations must be perfect. This leads us to the practical aspects: the implementation must be protected against replay attacks, keyboard dummies (e.g., false ATMs), wiretapping etc. Even biometric features have to cope with such problems. However, it can be assumed that the protection of biometric feature acquisition is not easier than the acquisition of the password, provided the implementation expense is comparable!

Conclusion: Surely, there are cases where passwords offer more security than biometric features. However, these cases are not common!

Responsible for the Biometrics FAQ's content: Dr. Manfred Bromba Security, Privacy, Disclaimer, Copyright