BIOMETRIC AUTHENTICATION SYSTEMS:
Applied to Mobile Technology
Bradley Brosig
COSC 316
Purpose and Scope of the Paper:
Access control, according to Raymond Panko, is the “policy-driven control of access to systems,
data, and dialogues.” For any given situation or device, there are a number of methodologies that can
be used to provide access control including physical barriers, passwords, and biometrics (Panko, Pg 149).
As such, it is important for the management faction of security to develop a policy that delivers
oversight and guidance to the application of access control to a given process. This paper will discuss
This paper will begin with a short background and description of biometric security and typical
methods utilized for biometric authentication systems. I will also discuss installation, usage, and
possible errors or issues that may arise with biometric authentication use. The next section of the paper
will be devoted specifically to the employment of biometric authentication systems within mobile
technology such as smart phones. Within that section I will focus on the following three methods: facial
recognition, voice recognition, and fingerprint recognition. This section will also include problems that
may arise as well as a comparison to traditional password authentication systems. Finally, I will reach a
conclusion on which authentication technology, biometric or password, will provide the better security.
authenticating an individual’s identity” (Jangra and Goel, Pg 46). Ultimately, biometric security
measures focus on the examination of unique biological traits and then compare the examined data
against an already compiled database of cleared individuals. The following are all methods that can be
utilized for biometric authentication: DNA Matching, Ear Shape, Iris Recognition, Retina Recognition,
Facial Recognition, Fingerprint Recognition, Finger Geometry Recognition, Gait Recognition, Hand
Geometry Recognition, Olfactory Recognition, Signature Recognition, Typing Recognition, Vein
Recognition, and Voice Recognition (Biometric Institute Limited, 2013). Now that I have briefly
discussed various forms of biometric authentication, I would like to discuss the general process that
The process of installing and utilizing a biometric authentication system for security purposes is
relatively simple. First, the system must be installed and allowed to scan each individual who will be
allowed access through the security checkpoint. This is typically referred to as an
enrollment scan. According to Raymond Panko, author of Corporate Computer and Network Security,
enrollment scans gather an extraordinary amount of data, and this data can and will be different each
time an individual scans their appropriate biological part. The scanner will actually search the data for
specific key features which can be used to consistently and repeatedly identify the user. This
information is then stored in the user’s template. Now that the user has been scanned into the
database, any future entry scan, called a supplicant scan, will once again search the incoming data for
key features which are compared to the key features already stored in the database (Panko, Pg 174-75).
While the process may seem relatively straightforward, in actuality several more steps are generally
performed within the enrollment scanning stage. The key features, or match points as Jangra and Goel
refer to them, are “processed using an algorithm into a value” (Jangra and Goel, Pg 46). This value is
then used to compare with the value created from processing the supplicant scan.
When utilizing any authentication system, there are two errors that must always be weighed
against each other as they are inversely proportional: false acceptance rates and false rejection rates. A
false acceptance occurs when the individual being scanned is incorrectly matched to an existing user’s
template. A false rejection occurs when the individual being scanned is not matched with their existing
user template. It is important to understand from a security standpoint, as I stated before, these two
rates are inversely proportional. This means that when one rate drops, the other will rise.
For example, suppose that as the head of security you wish to see an entry point’s false
rejection rate subside due to user complaints of inconvenience. So the authentication system has its
algorithm adjusted. As a result of the adjustment, the false rejection rate has gone down, but because
of the allowance for less exact matches, the false acceptance rate will now increase. This increase will
Panko offers the existence of one additional error that can impact the reliability of a biometric
authentication system: failure to enroll. According to Panko, failure to enroll occurs if the system will
not enroll an individual due to the lack of a unique biological trait. Panko provides the example of a
fingerprint authentication system that will not enroll an individual who, for some reason, lacks a
well-defined and unique fingerprint (Panko, Pg 177). Like an attempt to adjust the false acceptance rate or
false rejection rate, an error of failure to enroll presents a security threat due to exigent circumstances
that will need to be created for a particular individual to bypass that security mechanism.
As can be seen from the above information, biometric authentication systems offer a unique
method of authenticating users attempting to access both secure areas and devices. While some
methods may not apply to a handheld or portable device such as gait recognition, most are generally
universal in some aspect and can be integrated with nearly any security system.
Mobile devices have nearly become the center point of modern technology and society. On a
daily basis it is impossible to not observe at least one person utilizing some function of mobile
technology. About ten years ago, mobile devices could call, text, and even access some primitive form
of internet that allowed users to view sports scores, news, etc. Ultimately though their function was
extremely limited, and the most confidential data on the phone was a list of contacts. Now, however,
phones can access any website, they contain mobile banking applications, and they even have the ability
to process ACH (Automated Clearing House) transactions. Smartphones can track what we eat, where
we go, how long we stay places, and even what other Smartphone users we come across. As such,
security in mobile devices, if it has not already, must become a standpoint. While to some extent it has,
most of these concepts apply to the network side of the device, and not to the physical. Access control
must become the name of the game for mobile technology, or all of our valued, secure, private
In a traditional setting, good access control policy generally dictates the user contribute the
following three items: something you possess, something you know, and something about you (Kay,
2005). For example, these three requirements could be represented with a photo access card, a pin
number, and some biometric trait. This access control policy, however, is representative of only a more
traditional environment such as a security checkpoint at a corporation. These are not as applicable from
Mobile devices offer a number of available security features that the user can activate. These
features include pin numbers, passwords, swipe patterns, and even biometric options like facial
recognition, voice recognition, and fingerprint scanning. Many times though, these methods present an
inconvenience to the user, and, as a result, are not used. This factor of convenience is perhaps much
more threatening to security than any other possibility in terms of mobile devices. Unfortunately, this is
not necessarily a problem that can be fixed by any manufacturer or scientist, but by better education of
mobile device users. Pin numbers, passwords, and swipe patterns represent all that is inconvenient to
mobile access control. These items must be remembered, and if they are to be reliable in terms of
security, changed frequently. Above all else, these types of passwords must be quick. Speed is what is
vital to convenience, and speed is oftentimes unobtainable when using complex pins, passwords, and
Biometric authentication systems provide an ease of access that most other mobile
authentication methods do not. Biometrics provides a secure method through which unique physical
traits can identify us without the necessity of complex passwords. While the concept of utilizing these
biometric authentication systems on mobile devices is sound, its feasibility presents issues.
Applying a biometric system to a phone would require the inclusion of five modules, according
to Kai Xi, author of Biometric Security System Design: From Mobile to Cloud Computer Environment.
These modules include a biometric sensor module to obtain or scan the identifying information, a
feature extractor module to determine and create a template of the unique features found in the
scanned information, a matching module to compare the template to any stored templates, a decision-
making module to determine the percentage of match between the two templates, and finally a system
database to store the user templates created during enrollment. The identity of the user is then
confirmed using one of two methods. In the first, Verification, the user claims to be a particular person
using a user id, and the scanned information is then compared with that user id’s stored template.
In Identification, the second method, the user’s scanned information is compared with all of the
templates stored in the database until a match is found (Xi, 2012, Pg 40-41). As is expected, the
Verification method is much faster, but the identification method is easier to operate. It is important to
understand that all of these components must be considered when applying them to a mobile device.
Additionally, the number of users will also need to be considered when determining the evaluation
method.
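The Verification and Identification modes described above, together with the false acceptance and false rejection tradeoff discussed earlier, shown as an added example that is not from the paper or its sources. Templates here are toy feature vectors; `match_score`, the thresholds, and all scan data are constructed assumptions.

```python
import math
import random

def match_score(a, b):
    """Similarity in (0, 1]; 1.0 means the feature vectors are identical."""
    return 1.0 / (1.0 + math.dist(a, b))

def enroll(scans):
    """Average several enrollment scans into one stored template."""
    return [sum(col) / len(col) for col in zip(*scans)]

def verify(db, user_id, scan, threshold):
    """Verification (1:1): compare only against the claimed user's template."""
    return user_id in db and match_score(db[user_id], scan) >= threshold

def identify(db, scan, threshold):
    """Identification (1:N): search all templates; None if nothing clears the threshold."""
    best = max(db, key=lambda uid: match_score(db[uid], scan), default=None)
    if best is not None and match_score(db[best], scan) >= threshold:
        return best
    return None

def error_rates(db, genuine, impostor, threshold):
    """Return (FAR, FRR) for labelled (claimed_id, scan) attempts."""
    far = sum(verify(db, uid, s, threshold) for uid, s in impostor) / len(impostor)
    frr = sum(not verify(db, uid, s, threshold) for uid, s in genuine) / len(genuine)
    return far, frr

def build_demo(seed=7, users=20, dims=8, noise=0.15):
    """Constructed data: random 'true' traits plus per-scan sensor noise."""
    rng = random.Random(seed)
    traits = {f"user{i}": [rng.random() for _ in range(dims)] for i in range(users)}

    def scan(uid):
        return [x + rng.gauss(0, noise) for x in traits[uid]]

    db = {uid: enroll([scan(uid) for _ in range(5)]) for uid in traits}
    genuine = [(uid, scan(uid)) for uid in traits for _ in range(10)]
    # Impostor attempt: person b presents their own scan while claiming to be a.
    impostor = [(a, scan(b)) for a in traits for b in traits if a != b]
    return db, genuine, impostor

if __name__ == "__main__":
    db, genuine, impostor = build_demo()
    for t in (0.45, 0.55, 0.65, 0.75):
        far, frr = error_rates(db, genuine, impostor, t)
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
```

Raising the threshold can only lower the false acceptance rate and raise the false rejection rate on the same set of attempts, which is the tradeoff a security policy has to fix in advance.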
Facial Recognition:
Facial Recognition is a fast growing area of interest in the mobile device biometric
authentication system realm due to the ease of use. Nearly every cell phone today features both a front
and screen facing camera that costs relatively little. A Samsung S4, for example, boasts a 2-megapixel
front facing camera which would provide more than enough ability for facial recognition, which my
phone offers.
uses a feature-based approach. A camera captures the image of the face and “extracts distinctive facial
feature points,” such as the eyes, lips, nose, etc. (Xi, 2012, Pg 48). An algorithm is then used to calculate
geometric relationships between the distinctive points. 3D recognition uses an algorithm to determine
the face’s surface geometry (Xi, 2012, Pg 50). This amount is then compared to any stored templates.
Unfortunately, both methods have their drawbacks. 2D Recognition suffers from external
factors like background and pose, while 3D Recognition is impacted by facial expression. Xi states that
three other methods are currently being created but are still in their infant stages: 2D Image
Based, 3D Image Based, and 2D + 3D Based. Each approach utilizes the strengths of both 2D and 3D
Recognition, but is relatively untested outside the lab (Xi, 2012, Pg 51).
Overall Facial Recognition offers an inexpensive method for biometric authentication systems to
be integrated into a mobile device. The downside is the limitations offered by the current facial
recognition algorithms, and this factor is doubled when considering the lower level processing abilities
Voice Recognition:
Voice recognition, like facial recognition, is another common feature found on today’s mobile
devices due to the presence of microphones and speakers. Microphones and speakers, like cameras,
offer another low-cost, already onboard solution to aid in the existence of biometric authentication
as Automatic Speaker Recognition (ASR). ASR uses an algorithm to process distinct features in high-level
and low-level portions of the voice patterns. High-level features can determine dialect and speaker
style, while low-level features help determine spectrum. Of the two, low-level features are the most
able in providing consistent recognition because high-level features can change with emotional states
Like facial recognition, voice recognition creates massive amounts of data. ASR also uses huge
amounts of processing power. As a result, the reliability of the algorithms must be decreased in order to
make it function on a mobile platform. Voice recognition, as is the pattern with most biometric
authentication systems, has a limited although possibly still useful ability when coupled with mobile
technology.
Fingerprint Recognition:
Fingerprint biometrics, according to Xi, are the “most widely used biometric feature because of
their [ease] of accessibility, distinctiveness, persistence…” (Xi, 2012, Pg 44). Fingerprint recognition
systems work by examining a finger pressed against a smooth surface. The finger’s ridges and valleys
are scanned for a series of distinct points, where ridges and valleys end or meet, called minutiae. These
minutiae are the points the fingerprint recognition system uses for comparison (Xi, 2012, Pg 44).
Fingerprint comparisons are extremely difficult to perform because of so many possible
variations. Intra-class similarity can occur between fingers of the same person, while inter-class
similarity can occur when fingers of different individuals appear similar. This, coupled once again with the
lower level processing power that mobile devices have, can restrict the algorithms from being as strict as
they need to be to help prevent false acceptance readings during these situations. Another problem
associated with fingerprint scanning arises from imaging issues. Distortions in the picture, skin
conditions, or poor enrollment can cause comparison errors possibly leading to false rejections (Xi, 2012,
Pg 45-46).
Fingerprint recognition systems are one of the more capable biometric authentication systems
that a mobile device could contain; however, the current limitations that their processing power
presents may not allow the authentication system to operate to its fullest extent.
control on a mobile device is the limited operating ability. A biometric scan harvests a massive amount
of data in just one pass, and the consequential comparison between the scanned data and the user’s
preexisting template will require a majority of the device’s RAM. The draw on the device’s ability will be
substantial (Ben-David et al., 2012). This fact is important for any biometric access control on a mobile
implies using multiple layers of authentication, such as facial recognition and voice recognition. The
speed and ability of the process will be hampered by the layers of security and the amount of data that
Additionally, the algorithms used for biometric scan recognitions and comparisons need to be
simplified to help reduce the level of processing power and memory required. This then creates a
security threat because the accuracy of the matches will decrease (Shuo Wang and Jing Liu, 2011).
Unfortunately it is impossible to say whether it will provide more false acceptances or false rejections;
however, regardless of which one it is, it still creates either a security risk or more of an inconvenience
A final thought that must be considered when determining the usefulness of biometric
authentication systems on mobile devices is the security of the biometric system and database itself.
The biometric system protects the phone only so far as the data itself is protected. If the phone utilizes
encryption methodologies on the verification/identification modules and database, then there is some
protection offered. I believe there is a potential solution to this problem, but the technology is relatively
new. Recently, UINT & Mereal Biometrics launched a biometric smart card that utilizes an embedded
fingerprint touch sensor and processor. This essentially ensures that the modules performed during
processing and the data from the scan and database never leave the card (“Uint & Mereal,” 2013). I
believe it would be feasible to implant this within the phone to be utilized in a manner similar to that
which Apple did with the iPhone 5s. Ultimately though, the security of the data itself presents a risk
Conclusions:
Mobile devices are clearly the future, and they are already an omnipresent part of our daily
lives. Due to this factor, security is paramount; however, many of the current features that mobile
devices use such as pin numbers, passwords, and swipe patterns present an inconvenience to the users.
This raises the question of how biometric authentication systems can fill that void between security and
It is clear to me that biometric authentication systems have many positive traits. Of the
three access control methods, something you have, something you know, and something about you, the
last provides the most logical and convenient factor in security. Biometric authentication searches
already present, physiological features for unique attributes. All three biometric authentication
methods I discussed, facial recognition, voice recognition, and fingerprint scanning, offer a variety of
comparison algorithms to accommodate lesser processing ability of mobile devices though, presents a
significant problem.
Ultimately, like the tradeoff that must be made between false rejection and false acceptance, a
tradeoff between security and ease of use must be made. The power of a secure, strong password will
always, at least as long as mobile device processing power remains low compared to more permanent
devices, remain greater than that of current biometric authentication system ability. Regardless of this
though, users of mobile technology who do not utilize their mobile devices for more sensitive aspects
should consider the security that a biometric authentication system offers. Its speed and ease of use
compared to pin numbers and passwords will be greater. However, if the user of the mobile device has
either sensitive material or applications on their device, I would suggest utilizing a password over a
References:
Ben-David, S., Koved, L., Martino, J., Singh, K., Swart, C., & Trewin, S. (2012). Biometric authentication on
a mobile device: A study of user effort, error and task disruption. IBM Research,
http://researcher.ibm.com/researcher/files/us-kapil/ACSAC12.pdf.
http://www.biometricsinstitute.org/pages/types-of-biometrics.html
Chickowski, E. (2012, December 11). Mobile biometrics: The next phase of enterprise authentication?
http://www.networkcomputing.com/security/mobile-biometrics-the-next-phase-of-ente/240144178?pgno=1
Jangra, A., & Goel, S. (2013). Biometric based Security Solutions for MANET: A Review. International
http://www.computerworld.com/s/article/100772/Biometric_Authentication
Panko, R. (2010). Corporate computer and network security. (2nd ed., pp. 149-183). Prentice Hall.
Shuo Wang and Jing Liu (2011). Biometrics on mobile phone, Recent Application in Biometrics,
Biometrics_on_mobile_phone.pdf
Uint & mereal biometrics launches biometric smart card with embedded fpc fingerprint touch sensor
http://www.darkreading.com/intrusion-prevention/uint-mereal-biometrics-launches-biometr/240162407
Xi, K. (2012). Biometric security system design: From mobile to cloud computer environment. (Doctoral
dissertation). http://unsworks.unsw.edu.au/fapi/datastream/unsworks:10849/SOURCE01