Following the terrorist attacks of 11 September 2001 and the ongoing war against terrorism, there has been a worldwide effort by governments to develop a biometric standard that “could be used to identify airline passengers, control access to high-security buildings and record the details of convicted criminals...(implemented in) biometric technology, which uses a chip to store biological information, such as face scans, iris patterns and fingerprints.”1 Terrorism, ID fraud and cybercrime are just a few of the reasons for investigating biometrics.
The purpose of this article is to investigate the application of biometrics to the task of security, particularly the authentication/verification processes. In addition to the reasons provided above, there is a greater emphasis on e-business systems, with these applications being developed for distributed deployment and a diverse range of stakeholders. Clearly, a major issue is the authentication of remote users, that is, being reasonably certain that the individual is whom he/she purports to be. Traditionally, a number of electronic means have been attempted, such as user ID/passwords, public/private keys and various forms of encryption.
As technology advances and provides more specialised equipment, other means are becoming practical. This article looks at the potential of fingerprint recognition as a means of verifying a remote user. Fingerprinting has been selected as it is the least invasive biometric system. This article looks at the advantages and disadvantages, audit implications, and the usability of fingerprint authentication.
Like most technical fields, biometrics and its associated systems have a multitude of definitions. Most definitions are dependent on the context in which the subject is being discussed. For the purpose of this article, biometric systems will be defined as:
“Automated methods of verifying or recognising a living person on the basis of some physiological characteristics, such as fingerprint or iris patterns, or some aspects of behaviour, such as handwriting or keystroke patterns.” 2
This definition has a physiological and a behavioural aspect. The differences between using physiological and behavioural identifiers are quite significant, especially when considering accuracy, cost and acceptance by the user. These differences will be considered later.
Biometric systems use points of measurable uniqueness to determine identities.3 This technology can act as the front end to a system that requires precise identification of those requesting access before the system may be used. This concept is essentially what password systems attempt to achieve; knowing a password provides access to a system or location. There is, however, one fundamental difference between access systems using passwords and those using biometric methods.
Password systems are identity-nonspecific. They can be stolen, given to other users and, in some cases, guessed, meaning that there is no guarantee that the person logging on is the owner of that password. Put simply, there is no foolproof way to prevent unauthorised intrusion or to determine user identity beyond doubt.4 By contrast, biometric systems use identifiers that are inextricably linked to the user in question. These range from fingerprint and voice scans to iris and retinal pattern recognition. The premise behind using such identifiers is that they are unique, generally not subject to change, and cannot be stolen, lost or forgotten.5 This is not to say that biometric identifiers are infallible. They do, however, represent a useful method of linking identity to specific system users.
How Biometrics Work
Biometric systems generally comprise three basic components:6
- An automated mechanism scans and captures a digital or analogue image of a living individual’s characteristics.
- Another mechanism handles compression, processing, storage and comparison of the collected data with the stored data.
- A third component interfaces with the application system to which the user is attempting to gain access.
Obviously, the configuration of such a system may be altered to suit a particular situation. However, the majority of biometric control systems follow this simple model.
It should be noted that there is one crucial step required in setting up a biometric system: enrolment. The only way to gain access to a biometrically controlled system is to enrol.
Enrolment is required to generate a reference template. The methods of enrolment vary according to the device used but usually involve scanning the required biometric data a number of times to gain an accurate measurement. A template is then created and linked to the user’s identity.7 This template provides the reference for comparison when access attempts are made. It is the storage and risk of misuse of such templates that create the most concern for users. This issue will be discussed later.
Types of Biometric Systems
Biometric systems fall within two broad categories: physiological and behavioural. Physiological characteristics are stable physical features, such as a fingerprint, hand structure, retinal or iris pattern, or facial feature. They are generally unchangeable, except by surgery or accident, and are constant over time.
In contrast, behavioural characteristics reflect an individual’s psychological state and thus are affected by such factors as stress, fatigue and illness (colds included). Most behavioural characteristics alter over time. For example, the voice print from a user with laryngitis can seriously confuse a voice-based access control system. Hence, systems designed to measure such characteristics often need to redefine their reference templates to reflect these changes. This need to update the reference template reduces the usability and reliability of behavioural-based systems.8
There is a large number of technologies and systems that come under the heading of biometrics. To consider each one in turn would not do them justice within the confines of this article. Consequently, one such technology, fingerprint identification, will be considered in some detail. This article will outline how it works, its relative advantages and disadvantages, and its current and future uses. Then, the ethics of collection and maintenance of repositories of such personal identification information will be considered.
An Example: Fingerprint Identification
With reference to the types of biometric systems discussed above, fingerprint scanning is classified as a physiological system. The human fingerprint is a unique identifier that is intrinsically linked to each individual and thus cannot be lost, stolen or transferred between individuals. Moreover, no two fingerprints are identical, which greatly assists in linking the user’s access key to the user. Finally, barring serious accident or surgery, fingerprints are constant over time.
Although there are variations amongst the fingerprint scanners available on the market, the principle behind how the user is identified is generally the same. A light-sensitive device, either a scanner or camera, takes an analogue image of the fingertip. The image is then digitised and compared with template records that were created during the enrolment process. At the most basic level, these systems work by matching relationships amongst minutiae—the points on fingertips where print ridges end or divide. More complex scanning systems also examine other major features, such as the arch, loop and whorl that appear on the finger.9
Despite popular misconceptions, these systems do not require a perfect, 100 percent match of all identifiers. Through the use of a number of complex mathematical techniques, a scanner requires only a match that is statistically significant. This matching process has a number of advantages, the most obvious of which relates to storage. The actual fingerprint is not recorded; rather, the scanning device performs a reduction of the image into data points that describe the fingerprint layout in a statistical, rather than physical, form. This method greatly assists in reducing the chances of reproducing a fingerprint for fraudulent use.10
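The enrolment and threshold-based matching described above can be sketched as follows. This is an added example, not code from the article or from any fingerprint product; the tolerances, the 0.7 threshold, the sample minutiae and the assumption that scans arrive already aligned are all illustrative.

```python
import math
from typing import List, NamedTuple

class Minutia(NamedTuple):
    x: float
    y: float
    angle: float  # ridge direction in degrees
    kind: str     # "E" = ridge ending, "B" = bifurcation (ridge divides)

# Assumed tolerances and decision threshold; illustrative values only.
DIST_TOL, ANGLE_TOL, THRESHOLD = 8.0, 15.0, 0.7

def close(a: Minutia, b: Minutia) -> bool:
    """Two minutiae correspond if type, position and direction roughly agree."""
    d = abs(a.angle - b.angle) % 360
    return (a.kind == b.kind
            and math.hypot(a.x - b.x, a.y - b.y) <= DIST_TOL
            and min(d, 360 - d) <= ANGLE_TOL)

def enrol(scans: List[List[Minutia]]) -> List[Minutia]:
    """Reference template: minutiae of the first scan that recur in a majority
    of scans, with averaged positions. Data points are stored, not the image."""
    needed = len(scans) // 2 + 1
    template = []
    for m in scans[0]:
        hits = [m]
        for scan in scans[1:]:
            hits += [o for o in scan if close(m, o)][:1]
        if len(hits) >= needed:
            n = len(hits)
            template.append(Minutia(sum(h.x for h in hits) / n,
                                    sum(h.y for h in hits) / n, m.angle, m.kind))
    return template

def match_score(template: List[Minutia], probe: List[Minutia]) -> float:
    """Fraction of minutiae that pair up one-to-one within tolerance."""
    unused, matched = list(probe), 0
    for t in template:
        hit = next((p for p in unused if close(t, p)), None)
        if hit is not None:
            unused.remove(hit)
            matched += 1
    return matched / max(len(template), len(probe), 1)

def verify(template, probe, threshold: float = THRESHOLD) -> bool:
    """Accept on a sufficiently high score, not on a perfect match."""
    return match_score(template, probe) >= threshold

def shifted(points, dx, dy, da):  # simulate finger-placement noise
    return [Minutia(p.x + dx, p.y + dy, (p.angle + da) % 360, p.kind) for p in points]

# Constructed sample data, not real fingerprints.
FINGER = [Minutia(30, 40, 10, "E"), Minutia(55, 80, 95, "B"),
          Minutia(90, 35, 180, "E"), Minutia(120, 110, 270, "B"),
          Minutia(70, 150, 45, "E"), Minutia(150, 60, 350, "B"),
          Minutia(40, 120, 135, "E"), Minutia(110, 170, 220, "B")]
IMPOSTOR = [Minutia(32, 41, 12, "E"), Minutia(60, 20, 200, "B"),
            Minutia(95, 95, 30, "E"), Minutia(130, 40, 100, "B"),
            Minutia(20, 160, 300, "E"), Minutia(160, 140, 60, "B"),
            Minutia(80, 60, 250, "E"), Minutia(140, 180, 20, "B")]

def build_demo():
    scans = [FINGER + [Minutia(10, 10, 0, "E")],  # spurious point, filtered out
             shifted(FINGER, 2, -1, 3),
             shifted(FINGER[:7], -2, 2, -4)]       # one minutia missed
    probes = {"genuine": shifted(FINGER[:7], 3, 3, 5) + [Minutia(200, 200, 0, "E")],
              "injured": shifted(FINGER[:4], 1, 1, 2),  # half the print unreadable
              "impostor": IMPOSTOR}
    return enrol(scans), probes

if __name__ == "__main__":
    template, probes = build_demo()
    for name, probe in probes.items():
        print(name, round(match_score(template, probe), 3), verify(template, probe))
```

Lowering the threshold lets the partially readable print through but also moves the impostor's coincidental match closer to acceptance, which is the false-reject versus false-accept trade-off an auditor should ask a vendor to quantify.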
Automated Fingerprint Identification System (AFIS)11 technology has been used in law enforcement over the last 25 years, and the use of AFIS technology is rapidly expanding in a number of new application areas including welfare. However, the rush to capitalize on the benefits of this technology, in advance of appropriate standards and technology validation methods, is likely to result in a widespread failure to achieve the very valuable programmatic expectations over the long term.
For serious large-scale, positive-identification applications, no other available biometric technology comes close to fingerprints. Fingerprint identification technologies are:
- Well established—Fingerprint identification has been used in law enforcement applications over the past 100 years and has become the de facto international standard for positive identification of individuals.
- Proven—AFIS technology has been developed, refined and proven in demanding law enforcement applications over the last two decades.
- Legally accepted—Legal precedents, which have been established in the US court system, make fingerprints the only biometric proof of identification that is readily accepted in legal proceedings.
- Mature—Fingerprint identification technologies are well beyond the research and development stage, as evidenced by the fact that a number of viable manufacturers produce competing products for a widespread and well-established marketplace. In most other biometrics, the technology is available from only a single vendor, making any large-scale, long-term application very risky.
Recent advances in computing and digital imaging technology have led to the introduction of new AFIS methodologies using electronic “live-scan” plain-impression fingerprint images as the basis for identification. The proliferation of plain-impression AFIS systems is rapid and accelerating at the state and national levels (US) in large-scale applications, including welfare, driver’s licenses, border control, immigration and military personnel identification. For more detailed coverage of this area, refer to http://onin.com/fp/afis/afis/html.
Advantages and Disadvantages
As with all biometric systems, there are a number of advantages and disadvantages associated with using fingerprint scanning to confirm an individual’s identity. Often, weighing the various benefits and costs associated with particular biometric methods greatly affects which systems are implemented by an organisation and, in some cases, whether biometric systems are adopted at all. In the case of fingerprint scanning, the relative advantages and disadvantages are reasonably straightforward.
The advantages include:
- Acceptance—As most people are familiar with the use of fingerprinting for identification purposes, it is generally accepted as a technology. Most people understand its applicability to access control.
- Accuracy—By and large, fingerprint technology is accurate. There is a small chance of error, i.e., a chance of accepting a false print or of rejecting a legitimate print. The chances of accepting a false print are very low.
- Ease of use—Very little time is required for enrolment with a fingerprint scanning system. Unlike other biometric devices, such as retina scanners, fingerprint scanners do not require concentrated effort on the part of the user. Accordingly, one could consider fingerprint scanning to be relatively nonintrusive.
- Installation—Changes in technology have made fingerprint scanners relatively easy to install and inexpensive. Most fingerprint scanners are now very small and portable. Plug-and-play technologies have made installation very easy. In many cases, the scanning device has been incorporated into keyboards, mouse buttons and even notebook computers.
- Training—Due to the intuitive nature of scanning fingerprints, such devices require no training to use and little training to support.
- Uniqueness—As noted previously, fingerprints are a unique identifier specific to the individual.
- Security—Fingerprints cannot be lost or stolen, and are difficult to reproduce. Furthermore, storing fingerprint templates as statistical algorithms rather than complete copies ensures that the ability to reproduce these unique identifiers is significantly reduced.12
The disadvantages include:
- Acceptance—Although also an advantage, user acceptance is not guaranteed. Fingerprint scanning crosses the fine line between the impersonal and nonintrusive nature of passwords and personal identification numbers (PINs), and utilising part of an individual’s body to identify him/her. As will be discussed, some people view this as an invasion of privacy13 or worse.
- Injury—Injury, whether temporary or permanent, can interfere with the scanning process. In some cases reenrolment is required. For example, bandaging a finger for a short period of time can impact an individual if fingerprint scanning is used in a wide variety of situations. Something as simple as a burn to the identifying finger could prevent use of an automatic teller machine (ATM).
- Security—As some authors have argued, there is nothing to suggest that the same technology that is used to store fingerprints as statistical algorithms cannot also be used or modified to recreate an accurate depiction of the print itself. This raises serious concerns related to how such data should be stored, maintained and protected to prevent fraudulent use.14
Issues With the Use of Fingerprint Identification
Transmission and Storage
The truism that the majority of physiological characteristics are almost impossible to alter, fingerprints being one of them, introduces a major drawback of biometric systems.15 When a user wishes to gain remote access to a device that is controlled by a biometric system, e.g., an ATM, the terminal must transmit the biometric measurements to a host database for comparison. This creates two potential weaknesses in the system. One relates to the security of the transmission method used, and the other relates to the security of and access permissions controlling the database in which the reference template is stored. If the security of these systems is weak, it is conceivable that the biometric measurements could in some way be copied and fraudulently used.
Considering the number of possible applications of this technology, the implications for such fraudulent use could be disastrous. Unlike passwords or PINs, which can be changed if compromise is suspected, fingerprints are unique identifiers that cannot be altered. Furthermore, due to their unique nature and the perceptions this creates, the existence of a fingerprint authorisation for a fraudulent transaction represents a virtual admission of guilt. Consequently, for such authentication techniques to be effective and confidently used, the transmission of biometric data and the storage of biometric templates must attract tight security.16
The large number of potential applications and the consequent variety of individuals, companies and agencies that would require access to stored templates make the physical storage requirements of biometric templates a major issue itself. If the fingerprint scanning example was extended to include the population of Australia, the overhead costs of collecting and storing approximately 20 million unique fingerprints would be enormous. Added to this is the question of who and what agencies would require access to such information. In the case of fingerprint templates, there are two possible storage solutions.
First, biometric templates could be stored in a series of centralised databases. As noted, the overhead becomes quite large when considered in reference to a country’s population. Also, users may be required to interact with a number of databases depending on their access needs. For example, such templates could be kept by the Australian Taxation Office (ATO) for taxation purposes, the Roads and Traffic Authority (RTA) for licensing information, on a server controlling access to the user’s home, or on specific devices such as personal digital assistants (PDAs) or even cars. The more places such information is kept, the greater the possibility of unsavoury elements of the community stumbling upon a database with weak security and capturing biometric templates for fraudulent use.
An alternative to database storage is the use of smartcards. Smartcards store the biometric template and are carried by the user. To gain access to a fingerprint-protected system, a user would insert the smartcard containing the fingerprint template and then have a fingerprint scan taken. The results of the scan are then compared with the information on the card to determine authenticity. This process is conducted at the point of access and needs no interaction with additional systems. Consequently, there is no risk of transmission interception and no requirement to hold such information centrally.17
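Where measurements are transmitted to a host, as in the ATM case above, a copied submission must not be reusable, because the fingerprint behind it cannot be reissued. The following added example (not from the article) binds each submission to a one-time host challenge with an HMAC; the `Host` class, `terminal_submit` function and pre-provisioned terminal key are hypothetical, and this covers freshness and integrity only, so confidentiality still requires an encrypted channel.

```python
import hashlib
import hmac
import secrets

class Host:
    """Host side: issues one-time challenges and checks submissions."""
    def __init__(self, terminal_key: bytes):
        self._key = terminal_key
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def accept(self, nonce: bytes, sample: bytes, tag: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                    # unknown or already-used challenge
        self._outstanding.discard(nonce)    # single use, even if the tag is bad
        expected = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        # Only a sample that passes this check would go on to template matching.
        return hmac.compare_digest(expected, tag)

def terminal_submit(key: bytes, nonce: bytes, sample: bytes):
    """Terminal side: bind the fresh scan to the host's challenge."""
    tag = hmac.new(key, nonce + sample, hashlib.sha256).digest()
    return nonce, sample, tag

def run_exchange():
    key = secrets.token_bytes(32)            # assumed pre-provisioned per terminal
    host = Host(key)
    sample = b"constructed-minutiae-record"  # constructed stand-in for scan data
    msg = terminal_submit(key, host.challenge(), sample)
    first = host.accept(*msg)                # legitimate submission
    replayed = host.accept(*msg)             # same message seen a second time
    _, captured_sample, captured_tag = msg
    # Copied sample and tag presented against a new challenge.
    rebound = host.accept(host.challenge(), captured_sample, captured_tag)
    fresh = terminal_submit(key, host.challenge(), sample)
    tampered = host.accept(fresh[0], fresh[1] + b"x", fresh[2])  # altered in transit
    return first, replayed, rebound, tampered

if __name__ == "__main__":
    print(run_exchange())
```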
One of the greatest concerns raised in response to the increasing use of biometric authentication systems has been the issue of privacy. Organisations such as Fight the Fingerprint and the Electronic Privacy Information Centre argue that there is great scope for abuse of biometric systems by government agencies and the private sector. Coupled with this, there are very few directives or standards established by legislature or adopted by industry regarding the dissemination of biometric information.
By way of example, an individual is required to provide a fingerprint template to an employer to gain access to a place of employment and the devices required to carry out his/her tasks as an employee. This template is then linked to the employee’s personal records, which outline employment history, salary and financial information, dependant details and residential information. An unscrupulous organisation could then sell this linked biometric data to direct marketing firms, mail-order houses and even government agencies, which would then have access to a ready-made personal profile of each individual. It has been argued that when such cross-matching occurs, the fine line between relevant information tracking and an invasion of privacy is blurred.18
To take a more extreme view, fingerprinting has been described as a “Big Brother” population control method (e.g., by Fight the Fingerprint). Most people readily accept the use of PINs, signatures and photographs as legitimate methods of identification and access control. They are impersonal and not physically connected to the individual. Biometric data, in contrast, are an intrinsic part of the human body. Therefore, a number of organisations and individuals find such methods of identification repulsive and invasive.19
Obviously, the use of biometric systems for identification and access control purposes is a contentious issue. It is one that requires clear and ethical consideration before adoption by any organisation or agency. Furthermore, governments need to develop strict guidelines that restrict the dissemination of biometric data and the information linked to such data to prevent misuse and erosion of individuals’ rights. Information system auditors and security personnel require knowledge of these biometric techniques, as they may be asked to either audit or evaluate them for their clients or organisations.
Useful Web Resources
- Lebihan, R.; “New Passport to Store Facial Biological Information,” The Australian Financial Review, 12 February 2003, p. 52
- Kim, H.J.; “Biometrics, Is It a Viable Proposition for Identity Authentication and Access Control?” Computers & Security, vol. 14, 1995, p. 205-214
- Java Card Special Interest Group (JC Sig), www.javacard.org/others/biometrics_intro.htm
- “Biometrics Explained,” I/O Software, www.iosoftware.com/
- Op. cit., Kim
- Op. cit., Java Card Special Interest Group
- Op. cit., I/O Software
- Op. cit., Java Card Special Interest Group
- Automated Fingerprint Identification Systems (AFIS), 2002, www.onin.com/fp/afis/html
- Op. cit., I/O Software; Op. cit., Java Card Special Interest Group; White, R.; “Face vs. Fingerprint Identification,” 1999, www.zdnet.co.za/
- Fight the Fingerprint, www.networkusa.org/fingerprint.shtml
- Op. cit., I/O Software; Op. cit., Java Card Special Interest Group; Op. cit., White
- Op. cit., Kim
- Op. cit., I/O Software
- Op. cit., Kim
- Schneier, B.; “The Uses and Abuses of Biometrics,” Communications of the ACM, Association for Computing Machinery, August 1999, vol. 42, no. 8, p. 136
Rodger Jamieson, Ph.D., CA is an associate professor at the School of Information Systems, Technology and Management at the University of New South Wales (Australia), the director of SEAR (Security, E-business and Assurance Research) group, and director of the SAFE (Security, Assurance and Fraud-prevention for E-business) research program for the Securities Industry Research Centre of Asia-Pacific (SIRCA). He serves on international journal editorial boards and is engaged in teaching, research and consulting in the areas of IS assurance and security, risk management, e-crime and identity fraud, computer forensics and electronic commerce. His prior experience includes working as an IS audit manager with Touche Ross & Co. and as a chartered accountant for Coopers & Lybrand. He also has commercial experience with the AMP Society and Honeywell.
Greg Stephens is a lecturer in the School of Information Systems, Technology and Management at the University of New South Wales. His research interests include audit and security concerns, computer-mediated communication and its impact on social networks within organisations, and knowledge-based/expert systems. He has previously worked as an information systems professional and as an IS auditor.
Santhosh Kumar is a researcher with the SEAR group at the University of New South Wales and a member of the Institute of Electrical and Electronics Engineers (IEEE). He has previously worked in networking with Unitafe Networking Co. and TAC-Pacific in Australia, and as an engineer for three organisations in India.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2005