
Indiana University of Pennsylvania

BIOMETRIC AUTHENTICATION SYSTEMS: Applied to Mobile Technology
Bradley Brosig

COSC 316
Purpose and Scope of the Paper:

Access control, according to Raymond Panko, is the “policy-driven control of access to systems,

data, and dialogues.” For any given situation or device, there are a number of methodologies that can

be used to provide access control including physical barriers, passwords, and biometrics (Panko, Pg 149).

As such, it is important for the management faction of security to develop a policy that delivers

oversight and guidance to the application of access control to a given process. This paper will discuss

the application of biometric authentication systems to mobile devices.

This paper will begin with a short background and description of biometric security and typical

methods utilized for biometric authentication systems. I will also discuss installation, usage, and

possible errors or issues that may arise with biometric authentication use. The next section of the paper

will be devoted specifically to the employment of biometric authentication systems within mobile

technology such as smart phones. Within that section I will focus on the following three methods: facial

recognition, voice recognition, and fingerprint recognition. This section will also include problems that

may arise as well as a comparison to traditional password authentication systems. Finally, I will reach a

conclusion on which authentication technology, biometric or password, will provide the better security.

Background and Description:

Biometric security is the “method of identifying unique human characteristics as a mean of

authenticating an individual’s identity” (Jangra and Goel, Pg 46). Ultimately, biometric security

measures focus on the examination of unique biological traits and then compare the examined data

against an already compiled database of cleared individuals. The following are all methods that can be

utilized for biometric authentication: DNA Matching, Ear Shape, Iris Recognition, Retina Recognition,

Facial Recognition, Fingerprint Recognition, Finger Geometry Recognition, Gait Recognition, Hand

Geometry Recognition, Olfactory Recognition, Signature Recognition, Typing Recognition, Vein

Recognition, and Voice Recognition (Biometric Institute Limited, 2013). Now that I have briefly

discussed various forms of biometric authentication, I would like to discuss the general process that

occurs when a biometric authenticator is activated.

The process of installing and utilizing a biometric authentication system for security purposes is

relatively simple. First, the system must be installed and allowed to scan each individual who will be

allowed access through the security checkpoint. This is typically referred to as an

enrollment scan. According to Raymond Panko, author of Corporate Computer and Network Security,

enrollment scans gather an extraordinary amount of data, and this data can and will be different each

time an individual scans their appropriate biological part. The scanner will actually search the data for

specific key features which can be used to consistently and repeatedly identify the user. This

information is then stored in the user’s template. Now that the user has been scanned into the

database, any future entry scan, called a supplicant scan, will once again search the incoming data for

key features which are compared to the key features already stored in the database (Panko, Pg 174-75).

While the process may seem relatively straightforward, in actuality several more steps are generally

performed within the enrollment scanning stage. The key features, or match points as Jangra and Goel

refer to them, are “processed using an algorithm into a value” (Jangra and Goel, Pg 46). This value is

then used to compare with the value created from processing the supplicant scan.

When utilizing any authentication system, there are two errors that must always be weighed

against each other as they are inversely proportional: false acceptance rates and false rejection rates. A

false acceptance occurs when the individual being scanned is incorrectly matched to an existing user’s

template. A false rejection occurs when the individual being scanned is not matched with their existing

user template. It is important to understand from a security standpoint, as I stated before, these two

rates are inversely proportional. This means that when one rate drops, the other will rise.

For example, suppose that as the head of security you wish to see an entry point’s false

rejection rate subside due to user complaints of inconvenience. So the authentication system has its

algorithm adjusted. As a result of the adjustment, the false rejection rate has gone down, but because

of the allowance for less exact matches, the false acceptance rate will now increase. This increase will

potentially compromise the security system.
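
The tradeoff in the example above can be made concrete by sweeping the match threshold over a set of scores. This Python sketch is an added example, not part of the original paper; the similarity scores are constructed for illustration and the function names are hypothetical.

```python
# Added example: how FAR and FRR move as the match threshold changes.
# Scores are constructed similarity values (0..1), not real scanner output.
GENUINE = [0.91, 0.85, 0.78, 0.88, 0.69, 0.95, 0.74, 0.82, 0.60, 0.87]
IMPOSTOR = [0.20, 0.35, 0.41, 0.15, 0.55, 0.62, 0.30, 0.48, 0.71, 0.25]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    false_accepts = sum(score >= threshold for score in impostor)
    false_rejects = sum(score < threshold for score in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(step_percent=5):
    """Evaluate (threshold, FAR, FRR) from 0.00 to 1.00."""
    return [(i / 100, *error_rates(i / 100))
            for i in range(0, 101, step_percent)]


def equal_error_threshold(rows):
    """Threshold at which FAR and FRR are closest to each other."""
    return min(rows, key=lambda row: abs(row[1] - row[2]))[0]


def is_monotonic_tradeoff(rows):
    """True if raising the threshold never raises FAR and never lowers FRR."""
    fars = [far for _, far, _ in rows]
    frrs = [frr for _, _, frr in rows]
    return (all(a >= b for a, b in zip(fars, fars[1:]))
            and all(a <= b for a, b in zip(frrs, frrs[1:])))


if __name__ == "__main__":
    rows = sweep()
    print("threshold   FAR   FRR")
    for threshold, far, frr in rows:
        print(f"{threshold:9.2f}  {far:4.2f}  {frr:4.2f}")
    print("closest FAR/FRR balance at", equal_error_threshold(rows))
```

Loosening the threshold from 0.80 to 0.50 on this data removes every false rejection while the false acceptance rate climbs from 0% to 30%.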

Panko offers the existence of one additional error that can impact the reliability of a biometric

authentication system: failure to enroll. According to Panko, failure to enroll occurs if the system will

not enroll an individual due to the lack of a unique biological trait. Panko provides the example of a

fingerprint authentication system that will not enroll an individual who, for some reason, lacks a

well-defined and unique fingerprint (Panko, Pg 177). Like an attempt to adjust the false acceptance rate or

false rejection rate, an error of failure to enroll presents a security threat due to exigent circumstances

that will need to be created for a particular individual to bypass that security mechanism.

As can be seen from the above information, biometric authentication systems offer a unique

method of authenticating users attempting to access both secure areas and devices. While some

methods may not apply to a handheld or portable device such as gait recognition, most are generally

universal in some aspect and can be integrated with nearly any security system.

Analysis of Problems, Choices, Methods, Comparisons, etc.:

Mobile devices have nearly become the center point of modern technology and society. On a

daily basis it is impossible to not observe at least one person utilizing some function of mobile

technology. About ten years ago, mobile devices could call, text, and even access some primitive form

of internet that allowed users to view sports scores, news, etc. Ultimately, though, their function was

extremely limited, and the most confidential data on the phone was a list of contacts. Now, however,

phones can access any website, they contain mobile banking applications, and they even have the ability

to process ACH (Automated Clearing House) transactions. Smartphones can track what we eat, where

we go, how long we stay places, and even what other Smartphone users we come across. As such,

security in mobile devices, if it has not already, must become a standpoint. While to some extent it has,

most of these concepts apply to the network side of the device, and not to the physical. Access control

must become the name of the game for mobile technology, or all of our valued, secure, private

information may not be so private any more.

In a traditional setting, good access control policy generally dictates the user contribute the

following three items: something you possess, something you know, and something about you (Kay,

2005). For example, these three requirements could be represented with a photo access card, a pin

number, and some biometric trait. This access control policy, however, is representative of only a more

traditional environment such as a security checkpoint at a corporation. These are not as applicable from

a mobile device standpoint.

Mobile devices offer a number of available security features that the user can activate. These

features include pin numbers, passwords, swipe patterns, and even biometric options like facial

recognition, voice recognition, and fingerprint scanning. Many times though, these methods present an

inconvenience to the user, and, as a result, are not used. This factor of convenience is perhaps much

more threatening to security than any other possibility in terms of mobile devices. Unfortunately, this is

not necessarily a problem that can be fixed by any manufacturer or scientist, but by better education of

mobile device users. Pin numbers, passwords, and swipe patterns represent all that is inconvenient to

mobile access control. These items must be remembered, and if they are to be reliable in terms of

security, changed frequently. Above all else, these types of passwords must be quick. Speed is what is

vital to convenience, and speed is oftentimes unobtainable when using complex pins, passwords, and

patterns. This is where biometric options take center stage.

Biometric authentication systems provide an ease of access that most other mobile

authentication methods do not. Biometrics provides a secure method through which unique physical

traits can identify us without the necessity of complex passwords. While the concept of utilizing these

biometric authentication systems on mobile devices is sound, its feasibility presents issues.

Applying a biometric system to a phone would require the inclusion of five modules, according

to Kai Xi, author of Biometric Security System Design: From Mobile to Cloud Computer Environment.

These modules include a biometric sensor module to obtain or scan the identifying information, a

feature extractor module to determine and create a template of the unique features found in the

scanned information, a matching module to compare the template to any stored templates, a decision-

making module to determine the percentage of match between the two templates, and finally a system

database to store the user templates created during enrollment. The identity of the user is then

confirmed using one of two methods. In the first, Verification, the user claims to be a particular person

using a user id and the scanned information is then compared with that user id’s stored template.

In Identification, the second method, the user’s scanned information is compared with all of the

templates stored in the database until a match is found (Xi, 2012, Pg 40-41). As is expected, the

Verification method is much faster, but the identification method is easier to operate. It is important to

understand that all of these components must be considered when applying them to a mobile device.

Additionally, the number of users will also need to be considered when determining the evaluation

method.
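
The difference between the two methods, and why the number of enrolled users matters, is easier to see in code. This Python sketch is an added example, not part of the original paper or of Xi's design; the templates, threshold, and function names are constructed assumptions, `identify` returns the best-scoring template rather than stopping at the first match, and `identification_far` assumes each comparison is independent.

```python
import math

# Constructed enrollment database: user id -> template (feature vector).
# Values are illustrative, not real biometric data.
TEMPLATES = {
    "alice": [0.12, 0.80, 0.33, 0.54],
    "bob":   [0.70, 0.15, 0.62, 0.20],
    "carol": [0.40, 0.45, 0.90, 0.10],
}
THRESHOLD = 0.90  # decision-making module: minimum similarity to accept


def similarity(a, b):
    """Matching module: map Euclidean distance to a score in (0, 1]."""
    return 1.0 / (1.0 + math.dist(a, b))


def verify(claimed_id, sample, db=TEMPLATES, threshold=THRESHOLD):
    """Verification (1:1): compare only with the claimed user's template.

    Returns (accepted, number_of_comparisons).
    """
    template = db.get(claimed_id)
    if template is None:
        return False, 0
    return similarity(sample, template) >= threshold, 1


def identify(sample, db=TEMPLATES, threshold=THRESHOLD):
    """Identification (1:N): compare with every stored template.

    Returns (best_matching_id_or_None, number_of_comparisons).
    """
    best_id, best_score, comparisons = None, 0.0, 0
    for user_id, template in db.items():
        comparisons += 1
        score = similarity(sample, template)
        if score > best_score:
            best_id, best_score = user_id, score
    if best_score < threshold:
        return None, comparisons
    return best_id, comparisons


def identification_far(per_comparison_far, enrolled_users):
    """Chance that at least one of N independent comparisons falsely accepts."""
    return 1.0 - (1.0 - per_comparison_far) ** enrolled_users


if __name__ == "__main__":
    scan = [0.13, 0.78, 0.35, 0.52]       # constructed supplicant scan
    print(verify("alice", scan))          # one comparison
    print(identify(scan))                 # one comparison per enrolled user
    for n in (1, 10, 1000):
        print(n, round(identification_far(0.001, n), 4))
```

Verification cost stays at one comparison regardless of database size, while identification cost and its cumulative false acceptance probability both grow with the number of enrolled templates.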

Facial Recognition:

Facial Recognition is a fast growing area of interest in the mobile device biometric

authentication system realm due to the ease of use. Nearly every cell phone today features both a front

and screen facing camera that costs relatively little. A Samsung S4, for example, boasts a 2-megapixel

front facing camera which would provide more than enough ability for facial recognition, which my

phone offers.

Facial Recognition is performed using either 2D Recognition or 3D Recognition. 2D Recognition

uses a feature based approach. A camera captures the image of the face and “extracts distinctive facial

feature points,” such as the eyes, lips, nose, etc. (Xi, 2012, Pg 48). An algorithm is then used to calculate

geometric relationships between the distinctive points. 3D recognition uses an algorithm to determine

the face’s surface geometry (Xi, 2012, Pg 50). This amount is then compared to any stored templates.

Unfortunately, both methods have their drawbacks. 2D Recognition suffers from external

factors like background and pose, while 3D Recognition is impacted by facial expression. Xi states that

there are currently three other methods being created that are still in their infant stages: 2D Image

Based, 3D Image Based, and 2D + 3D Based. Each approach utilizes the strengths of both 2D and 3D

Recognition, but is relatively untested outside the lab (Xi, 2012, Pg 51).

Overall Facial Recognition offers an inexpensive method for biometric authentication systems to

be integrated into a mobile device. The downsides are the limitations of the current facial

recognition algorithms, and this factor is doubled when considering the lower level processing abilities

that mobile devices offer compared to more permanent units.

Voice Recognition:

Voice recognition, like facial recognition, is another common feature found on today’s mobile

devices due to the presence of microphones and speakers. Microphones and speakers, like cameras,

offer another low-cost, already onboard solution to aid in the existence of biometric authentication

systems in mobile devices.

Voice recognition examines a number of physiological characteristics through a method known

as Automatic Speaker Recognition (ASR). ASR uses an algorithm to process distinct features in high-level

and low-level portions of the voice patterns. High-level features can determine dialect and speaker

style, while low-level features help determine spectrum. Of the two, low-level features are the most

able in providing consistent recognition because high-level features can change with emotional states

(Shuo Wang and Jing Liu, 2011).

Like facial recognition, voice recognition creates massive amounts of data. ASR also uses huge

amounts of processing power. As a result, the reliability of the algorithms must be decreased in order to

make it function on a mobile platform. Voice recognition, as is the pattern with most biometric

authentication systems, has a limited although possibly still useful ability when coupled with mobile

technology.

Fingerprint Recognition:

Fingerprint biometrics, according to Xi, are the “most widely used biometric feature because of

their [ease] of accessibility, distinctiveness, persistence…” (Xi, 2012, Pg 44). Fingerprint recognition

systems work by examining a finger pressed against a smooth surface. The finger’s ridges and valleys

are scanned to locate a series of distinct points, where ridges and valleys end or meet, called minutiae. These

minutiae are the points the fingerprint recognition system uses for comparison (Xi, 2012, Pg 44).

Fingerprint comparisons are extremely difficult to perform because of so many possible

variations. Intra-class similarity can occur between fingers of the same person, while inter-class

similarity can occur when fingers of different individuals appear similar. This, coupled once again with the

lower level processing power that mobile devices have, can restrict the algorithms from being as strict as

they need to be to help prevent false acceptance readings during these situations. Another problem

associated with fingerprint scanning occurs with imaging problems. Distortions in the picture, skin

conditions, or poor enrollment can cause comparison errors possibly leading to false rejections (Xi, 2012,

Pg 45-46).

Fingerprint recognition systems pose one of the more capable biometric authentication systems

that a mobile device could contain; however, the current limitations that their processing power

presents may not allow the authentication system to operate at its fullest extent.

Issues with Biometric Authentication Methods:

One of the major drawbacks of utilizing a biometric authentication technique as access

control on a mobile device is the limited operating ability. A biometric scan harvests a massive amount

of data in just one pass, and the consequential comparison between the scanned data and the user’s

preexisting template will require a majority of the device’s RAM. The draw on the device’s ability will be

substantial (Ben-David, et al, 2012). This fact is important for any biometric access control on a mobile

device; however, it is doubly important when considering a multi-biometric approach. Multi-biometric

implies using multiple layers of authentication, such as facial recognition and voice recognition. The

speed and ability of the process will be hampered by the layers of security and the amount of data that

must be processed for a given authentication.

Additionally, the algorithms used for biometric scan recognitions and comparisons need to be

simplified to help reduce the level of processing power and memory required. This then creates a

security threat because the accuracy of the matches will decrease (Shuo Wang and Jing Liu, 2011).

Unfortunately it is impossible to say whether it will provide more false acceptances or false rejections;

however, regardless of which one it is, it still creates either a security risk or more of an inconvenience

than pins and passwords.

A final thought that must be considered when determining the usefulness of biometric

authentication systems on mobile devices is the security of the biometric system and database itself.

The biometric system protects the phone only so far as the data itself is protected. If the phone utilizes

encryption methodologies on the verification/identification modules and database, then there is some

protection offered. I believe there is a potential solution to this problem, but the technology is relatively

new. Recently, UINT & Mereal Biometrics launched a biometric smart card that utilizes an embedded

fingerprint touch sensor and processor. This essentially ensures that the modules performed during

processing and the data from the scan and database never leave the card (“Uint & Mereal,” 2013). I

believe it would be feasible to implant this within the phone to be utilized in a manner similar to that

which Apple did with the iPhone 5s. Ultimately though, the security of the data itself presents a risk

that, while perhaps surmountable, is currently looming large.

Conclusions:

Mobile devices are clearly the future, and they are already omnipresent in our daily

lives. Due to this factor, security is paramount; however, many of the current features that mobile

devices use such as pin numbers, passwords, and swipe patterns present an inconvenience to the users.

This raises the question of how biometric authentication systems can fill that void between security and

convenience in mobile technology.

It is clear to me that biometric authentication systems clearly have many positive traits. Of the

three access control methods, something you have, something you know, and something about you, the

last provides the most logical and convenient factor in security. Biometric authentication searches

already present, physiological features for unique attributes. All three biometric authentication

methods I discussed, facial recognition, voice recognition, and fingerprint scanning, offer a variety of

opportunities to be utilized in mobile technology. The drawback in terms of simplification of biometric

comparison algorithms to accommodate lesser processing ability of mobile devices though, presents a

significant problem.

Ultimately, like the tradeoff that must be made between false rejection and false acceptance, a

tradeoff between security and ease of use must be made. The power of a secure, strong password will

always, at least as long as mobile device processing power remains low compared to more permanent

devices, remain greater than that of current biometric authentication system ability. Regardless of this

though, users of mobile technology that do not utilize their mobile devices for more sensitive aspects,

should consider the security that a biometric authentication system offers. Its speed and ease of use

compared to pin numbers and passwords will be greater. However, if the user of the mobile device has

either sensitive material or applications on their device, I would suggest utilizing a password over a

biometric authentication system.

References:

Ben-David, S., Koved, L., Martino, J., Singh, K., Swart, C., & Trewin, S. (2012). Biometric authentication on a mobile device: A study of user effort, error and task disruption. IBM Research. http://researcher.ibm.com/researcher/files/us-kapil/ACSAC12.pdf

Biometric Institute Limited. (2013). Types of biometrics. http://www.biometricsinstitute.org/pages/types-of-biometrics.html

Chickowski, E. (2012, December 11). Mobile biometrics: The next phase of enterprise authentication?. http://www.networkcomputing.com/security/mobile-biometrics-the-next-phase-of-ente/240144178?pgno=1

Jangra, A., & Goel, S. (2013). Biometric based Security Solutions for MANET: A Review. International Journal of Computer Network & Information Security, 5(10), 44-50.

Kay, R. (2005, 04 05). Quick study: Biometric authentication. http://www.computerworld.com/s/article/100772/Biometric_Authentication

Panko, R. (2010). Corporate computer and network security. (2nd ed., pp. 149-183). Prentice Hall.

Shuo Wang and Jing Liu (2011). Biometrics on mobile phone, Recent Application in Biometrics, Dr. Jucheng Yang (Ed.). http://cdn.intechopen.com/pdfs/17035/InTech-Biometrics_on_mobile_phone.pdf

Uint & mereal biometrics launches biometric smart card with embedded fpc fingerprint touch sensor and processor. (2013, October 08). Security Dark Reading. http://www.darkreading.com/intrusion-prevention/uint-mereal-biometrics-launches-biometr/240162407

Xi, K. (2012). Biometric security system design: From mobile to cloud computer environment. (Doctoral dissertation) https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CHIQFjAH&url=http://unsworks.unsw.edu.au/fapi/datastream/unsworks:10849/SOURCE01&ei=RQl2UvzINPHIsASdqoLwAw&usg=AFQjCNEeit_iAJ0Z5st0u7qTJWD5MrWsKQ&bvm=bv.55819444,d.cWc&cad=rja.
