The Basics of Biometric Authentication

Dr. James L. Wayman

Proposed ISO/IEC Definition

Biometrics is the automatic recognition of individuals based on biological and behavioural traits If a person is recognized, a record for that person can be returned. That record is the identity. Validity of the data in the record is independent of the biometric data The connection to informational privacy If a person is not recognized, a flag not recognized can be returned

A Variety of Applications
Prevent multiple users of a single identity Recognition is good e-Passport Prevent multiple identities of a single user Non-recognition is good EURODAC UAE Programs can do both National ID card But biometrics does not validate the data in the record Biometrics cannot substitute for identity management

U.K. Leadership in Human ID

Grew (1641), Londonderry (1691) The need for continuity of recognition of humans over time 1853 Penal Servitude Act (Parole) 1869 Habitual Criminals Act (Perversity of perpetrator) Galton, Faulds, Hershel, Henry (1888+) Watson (1953) NPL and AEA (1970s) Jefferys (1985) AfB (1992) Daugman (1994) BWG (1999) SC27/37
4

The Major Technologies Face Fingerprint Hand/finger geometry Iris Voice

5

The Varieties of the Human Condition

Adult over 55

Child

College Student

Office Worker

Office Worker + 6 weeks

6

Errors, Accessibility and Public Systems

Humans are problem prone! The analogy to public transportation Provision for those with special requirements Luggage, prams Wheelchairs Provision for assistance Confused non-Londoners Provision for security Gate jumping

Successes
National Law Enforcement NAFIS Border Crossing BAA trial SmartGate Schipol Privium Large-scale Access Control Disney World Local Access Control Barlinnie Prison Benefits Management EURODAC/IND US State Department Consular Consolidated Database

Difficulties
Inadequate provision for human problems 1990 Barcelona World Games Cost/benefit uncertainties INSPASS US State Welfare Programs Security failures Schipol Travel Pass (1992) Legacy record management Argentina National ID Integration IAFIS/IDENT No commercial acceptance Intellitrak, Innoventry

Distinguishing Known from Unknown

Does relate to professional criminals
INTERPOL exchange of fingerprint data
Border crossing presents unique opportunity for detection

EURODAC search for professional asylum seekers National uses against professional benefit seekers
10

Distinguishing Known from Unknown

Relationship to terrorism? Most terrorists are unknown Lists of known terrorists may be highly protected Even terrorists can become registered travelers Use of biometrics at the intersection of terrorism with organized crime Narco-terrorism Illicit arms trade Professional asylum seekers 11

Conclusions
Biometrics can distinguish between unknown and unknown people Biometrics can indirectly point to other information (which may or may not be correct, up to date, etc.)
The connection to privacy

Biometrics can be used to tighten border processes

Border crossing represents a unique opportunity to search for criminals

Biometrics has only indirect application to terrorism 12 Systems must account for the human factor