D3.10: Biometrics in identity management

Title: DEFINITIONS AND STATE OF THE ART IN BIOMETRICS

Definitions of biometric terms

The process of involving biometric characteristics in an authentication application is quite complex. A common vocabulary for the components and the functions of a biometric application is currently being discussed and developed which is useful as the terminology used is often very confusing. In Working Group 1 of Subcommittee 37 of the Joint Technical Committee 1 of the International Standardisation Organisation (ISO), work has been done on the harmonisation of terms that parties, whether users or developers, use in the field of biometrics. This process has lead to a public list of terms to be used in the field of biometrics. This process is still ongoing. Other organisations have also suggested and published definitions for terms to be used in biometrics (such as the Biometrics Application Programming Interface standard (BioAPI) consortium). A compact and practical compilation can be found for example on the CESG-Homepage (National Technical Authority for Information Assurance, UK) which has also been adopted by the Common Criteria Biometric Evaluation Methodology Working Group. A few of the proposed terms of the Draft Harmonized Biometric Vocabulary and of the terms found on the CESG-homepage which are relevant for this report are mentioned in the glossary of this deliverable. Some important basic notions of biometrics are further discussed below.

The development of a vocabulary and common definitions for biometric systems is extremely important but also difficult because of the diverse understanding of common terms. From the current draft document of ISO, it should be noted that certain terminology is depreciated. For example, the terms ‘positive identification’ and ‘authentication’ are depreciated. At this time, it is recommended that ‘authentication’ is used with care because it may create confusion as authentication has been used to indicate two completely different biometric functionalities, as explained in the previous chapter, i.e., it has been used to refer to not only the verification function (1:1) (one-to-one) of a biometric application but also to the identification function (1:N or N:1) (one-to-many or many-to-one). While these two functionalities are completely different, including in terms of the place where the references should be stored, there grows a consensus that the appropriate terms for these functionalities should be used, i.e., ‘identification’ for an 1:N comparison and ‘verification’ for a 1:1 comparison, and not the general term ‘authentication’.

‘Positive identification’ is another example of a misleading term, as it refers in principle not to a 1:N comparison, but to a 1:1 verification comparison.

It should be noted that the term ‘identification’ in this proposed ISO vocabulary is limited in its meaning as it (only) refers to a 1:N comparison of the submitted biometric sample against stored biometric reference templates to determine any comparison score or a N:1 comparison of a biometric reference template to multiple samples collected from individuals (mainly in forensic applications). In that sense, it only permits distinguishing a subject amongst a set of other subjects. Identification is hence used not in the sense that it will necessarily also reveal the ‘civil’ identity of the subject (see above). This will only be possible if such other identifying information, such as for example name and birthday, are stored together with or could be linked to the biometric information. The identification function therefore does not necessarily refers to the ‘civil’ identity but it may do so. The proposed terminology was not always clear in that respect. The term ‘verification’ was defined in a previous draft of the Harmonized Biometric Vocabulary document as a ‘one-to-one process of comparing a submitted biometric sample (…) against the biometric reference template (…) of a single enrolee (…) whose identity is being claimed, to determine whether it matches the enrolee’s template’. Contrast with identification (…). Identity in this definition, however, was misleading as it is not necessarily ‘civil’ identity, but could be any other attribute of an individual which identifies him (e.g., being employee of company X who requests access to the premises). This was later clarified in the proposed vocabulary in the ongoing standardisation work by deleting the reference to ‘identity’ in the definition of verification. This will certainly help the public to distinguish the functions of verification and identification of biometrics properly.

It is therefore very important that this work on biometric vocabulary is continued in order to clear out misunderstanding of biometric applications and their functionalities. Agreed terminology should also where possible be used in any discussion on biometrics.  

Reference model of a biometric system

In most cases a biometric system is embedded in the authentication process of an identity management system. Its result is used to decide if the individual that has delivered the biometric data shall be recognised by the identity management system. A biometric system may be used in two modes:  

1. Verification mode: An individual makes a(n identity) claim. The biometric system compares the captured biometric data sample with the biometric reference template that corresponds to the claim(ed identity). The outcome is the acceptance or the refusal of the (identity) claim.

2. Identification mode: The biometric system compares the captured biometric data sample with all available biometric reference templates. All comparisons with a sufficient similarity to a stored reference template are selected and designate a candidate identity. The outcome is a list of identities that may belong to the individual. This list may contain zero, one or more entries. Individuals may be identified in this mode with or without their consent.

All biometric systems have some common main functional components in a typical processing chain. These components are (see below, figure 2):

1. a storage entity with the biometric data samples (reference templates) of the enrolled individuals that is linked to or integrated in a database with the identity information of the corresponding individuals 

2. a sensor device and some pre-processing to capture the biometric data sample from an individual as input data 

3. a comparison process that evaluates the similarity between the reference templates and the captured data sample and that results in a similarity score and 

4. a decision function that decides if a data sample matches to a certain reference template. 

Figure : The main processing components of a biometric system

These components are described in a more detailed form by different standardisation organisations like the Common Criteria BEM Working group (CC-BEM) or the BioAPI Consortium (BioAPI). Although all use slightly different terminologies and description models, a common picture evolves for the description of a reference model of a biometric system. The main functional components are hereunder described and are adopted from CC-BEM:

Delivery – Protocol that an individual follows (knowingly or unknowingly) to provide a signal of a biological and/or behavioural characteristic to the biometric application system

Capture – Acquisition of a biometric sample data from the original biometric characteristics of the individual with appropriate sensors (capture devices)

Extract – Conversion of the captured biometric sample data to an intermediate form that contains the concentrated distinguishing biometric property information of the biometric characteristics.

Create Template – Conversion of the intermediate data into an individual’s template that can be stored (reference template) or that can be used as input (query template from sample data) for a comparison process that uses previously stored reference templates.

Compare – Comparison and matching of the query template with the information in a stored reference template.

Recognise – Mapping of the recognised query templates on the identity data of the individuals that are stored in the system (identification mode) or acceptance of an identity claim of a specific individual and delivery of a corresponding identity credential (verification mode).

All biometric systems run in two separate processing phases. For each individual that shall be recognised by a biometric system first an initialisation, called enrolment, takes place. In this processing phase the individual subject provides samples of a biometric characteristic to establish a new so called reference template. After the enrolment, the subject is known by the biometric system. In the subsequent query phase, the subject provides a new sample called query template that is processed and compared with the saved reference templates of all enrolled subjects (identification) or with the saved template of a specified subject (verification). The output of the system may be a simple yes/no, or an identity credential with identity information about the subject for a system that operates in the verification mode, or a list of identity data that correspond to the best matches (comparison scores) for a system running in an identification mode. 

A schematic model of all processing steps in a biometric system with inputs and outputs is shown in figure 3. The red track represents the enrolment mode and the green track the query phase processing. The two different recognition modes (verification of a biometric sample with claimed identity; identification through a mapping of a biometric sample to potential candidate reference templates) are distinguished by the additional ‘identity claim’ input in the recognition step. 

Figure : Schematic representation of the processing steps of a biometric system. The processing for the two phases (enrolment, comparison) follow two different flow paths.

The reference diagram presents a simplified logical model of a general biometric application system. The biometric data inside the functional chain may be formatted and tagged in a standardised way generically termed as a Biometric Identification Record (BIR) (BioAPI). A real implementation could be complicated by additional factors such as the following: 

1. The requirement for confidentiality and integrity of the biometric and user identity data and of the transmission paths between components and involved systems. These paths may be protected by cryptographic mechanisms or other means, e.g. physical access control. Unique session keys may also be used to counter replay attacks. 

2. The system may be distributed over multiple locations, such as in a client server architecture. 

3. The system may be under the control of different instances such as the user, the operator, a trusted third party or a governmental organisation. Such instances may control different parts of the processing chain in various combinations (see discussion below about the different control types and models, such as central control, divided control with trust and multilateral control). 

Delivery 

The delivery protocol includes all organisational and technical support procedures and all explicit or implicit action steps to enable the biometric capture process. Actions are needed to guarantee that only intended subjects are enrolled in the system and that the deposited biometric characteristic belongs to the subject that is supposed to deliver the physical signal. Part of the delivery setup is dedicated to support the measuring process of the capture device through appropriate supply of technical and formal user guidance. For example, in a fingerprint recognition system the delivery process has to provide the centre part of the fingerprint onto the capture device to ensure the maximum number of characteristic features of the print. For facial recognition systems, some require the subject to be in a standard position directly facing the capture device. For other devices, other criteria and procedures for the delivery must be clearly defined to ensure a standard, repeatable capture process. 

Capture 

This component includes both enrolment capture and recognition capture for comparison. It is defined as the automatic capture or measurement of the physiological or behavioural characteristic(s) of an individual. This component may include processes that enhance the quality of the acquired sample, such as user interface (UI) feedback or using a number of acquisitions to produce the sample. Each capture device type will have certain criteria and procedures defined for a valid delivery process, both for enrolment and for recognition data samples. The capture process includes two steps: the presentation and the attempt. Presentation means that the physical signal is delivered to the capture device. Attempt means that the capture device could record and evaluate the physical signal to generate a raw data sample. The output of the capture component is the raw data biometric sample ready for the processing in the extraction step.

Extract 

This component includes two processing steps. The pre-processing enhances the quality, masks the usable sectors of the biometric sample data, expands and transforms the raw sample data in an appropriate way to allow the subsequent feature extraction step. The feature extraction procedures identify and preserve the distinct and repeatable biometric features from the raw data sample. This component is critical from a security evaluation point of view, since the level of uniqueness inherent in a template will influence the False Match Rate of the system. 

The extract component is generally a proprietary algorithm. Inherent in this algorithm is quality control, wherein through some mechanism, the sample is rated for quality. If the quality is not acceptable, the capture process may be repeated. A failure in one of the two capture or extract steps contribute to the failure to acquire (FTA) rate. The FTA rate is the relative frequency that either the capture or the extract process could not complete its task in a sufficient quality.

Quality standards of the captured biometric are expected to be high during enrolment, since this forms the basis against which all further biometric comparisons are made. Repeated attempts may be required during enrolment to have the best biometric samples as reference. 

The output of the extraction component is the biometric features that serve as building elements for the biometric template.

In figure 4, the change of the transformation of the biometric data through these first three processing steps are illustrated for a fingerprint recognition system. The delivery protocol provides the right biometric characteristics of an individual fingerprint, the capture step provides the captured biometric data of the measurement process and the extraction runs several processing steps to mask useful regions of the captured data, to enhance the quality and to extract the features which will be used in the subsequent template creation step. 

Figure : Illustration of the first three processing steps in a fingerprint recognition system (pictures from BSI-Bericht: Evaluierung biometrischer Systeme, 2005).

Create Template 

This component creates the biometric template from the output of the extraction process. It may include meta-information about the format and the type of the biometric data, encryption of the biometric data, or digital signing of the biometric identification record (BIR) (See the BioAPI and CBEFF standards documents. In the enrolment phase, the output of the create template component is the reference template. During a biometric identification or verification process, the output is the so called sample or query template used for the comparison step. Normally, the reference and the query templates contain a reduced set of distinctive feature data relative to the recorded raw sample data. In general, it is not possible to reconstruct the original biometric raw data sample from the template data. However, the huge data reduction makes templates vulnerable to attacks of impostors who try to find other biometric raw data sets that lead to approximately similar templates. 

Figure 5 below shows the representation of the extracted features within a fingerprint recognition system. On the left side, one sees the extracted features (in this case so called minutia points represented as red points) overlaid on the quality enhanced fingerprint picture. On the right side, these points are represented in their digital form as a list of point data with coordinates, local ridge direction, quality and type information. This list represents the biometric reference template for the specific fingerprint recognition system and illustrates the huge data reduction of a typical feature extraction step.

Figure : Illustration of the feature extraction step of a fingerprint recognition system. On the left side the extracted features (in this case so called minutia points) are overlaid as red points on the quality enhanced fingerprint picture. On the right side these points are listed as feature vector. This list represents the biometric reference template.

Interoperability between different biometric systems that look at the same biometrics may be achieved after the template creation step. The template may be represented in a standardised form that allows the further processing by another biometric system that uses the same feature vector representation conventions. Such a standard form including the according metadata for interoperability, called Biometric Identification Record (BIR), has been defined in the BIOAPI standard. The structure of a BIR record is shown in figure 6 below. The expanded header includes the additional information that allows the use of the templates across different systems.

Figure : Schematic representation of the Biometric Identification Record (BIR) defined in the BIOAPI standard with the expanded header that contains the meta-information to use the biometric data across different systems.

Compare

This component compares the biometric information extracted from the sample (query template) with the biometric information in the reference template. It will typically result in a matching score which is a measure of the correspondence of the two templates. 

The comparison may be against a single template (for verification), or against a list of candidate templates (for identification). The distribution of score parameters coming from comparisons of templates from the same biometric characteristics and the corresponding score parameter distribution coming from comparisons between templates from different characteristics (same or different individuals) defines the separation capability of a biometric system. In the ideal case, the two distributions do not have any overlap region. In reality, most of the biometric systems deliver score parameter distributions for corresponding and non corresponding templates that have a more or less important overlap region. The two distributions then will be separated by the so called score threshold value. The choice of this value determines the security (discrimination against casual impostors) and the conveniences (rejection of enrolee) of the specific biometric system.

Recognise

The recognition step typically includes a comparison of a matching score with a predefined threshold value. The comparison may be against a single template (for verification), or against a list of candidate templates (for identification). The output is a decision about acceptance or rejection of a claimant (verification mode) or a list of candidates (identification mode).

The threshold may be configurable by the administrator, or it may be fixed by the biometric system. Clearly, the security assurances relating to the setting of this value, the protective means within the biometric system to safeguard the threshold setting, and the internal decision process to decide a match are some of the most critical components of a biometric system and their vulnerabilities should be carefully assessed. 

When the biometric verification process is successful, identity credentials and other data may be released from the identity database or the BIR. The decision whether to accept or reject the subject as an authorised individual may need further evidence, e.g. a username, PIN or token. For multimodal biometric systems, decisions may depend on a compound score valuation based on the results of the comparison process for more than one biometric characteristic.