May 2009, Access Control & Identity Management
Biometric technologies are being adopted in more situations than ever. Which product and underlying technology one chooses can make a difference in the speed of the system’s performance and its associated accuracy.
Many different fingerprint biometric technologies are available today. The critical decision of which one is right for a particular application is a balancing act between many goals. For example, a highly secure fingerprint biometric may be difficult and time-consuming to use. On the other hand, an easy-to-use fingerprint sensor may enhance user convenience and throughput speed at the expense of security.
The ideal biometric sensor would provide perfect security with zero cost and no burden to the user. It would identify every person on earth perfectly in any kind of environment, including outdoors in the rain, in bright sunlight, in hot and cold weather. This ideal sensor would be small, quick, and easy to use.
I consult with his customers to understand the specific requirements of their applications. Every application is different. We find that as we dig deeper into the customer’s desired application, we are able to design a security system around a biometric sensor technology that will meet all specifications.
Indeed, while it is clear that a perfect sensor does not exist, there are many good choices in sensor technologies. In general, fingerprint technologies are performing much better today than five or ten years ago. Until recently, most of the performance gains were due to vastly improved image processing algorithms. However, no algorithm can compensate for imperfect or missing images, and there are a surprising number of circumstances where image acquisition is a problem. For example, it is extremely difficult or impossible to obtain reliable fingerprint images from a significant percentage of the world population. Additionally, environmental conditions can cause imaging problems. Thus, recent performance gains have been in the area of improved image quality.
In this article, we will investigate some of the commonly used fingerprint biometric technologies available in the marketplace and explore the important factors that influence the choice of a biometric solution for four different types of applications. But first we will begin with a discussion of how to evaluate biometric performance.
Influencing biometric performance
How well does a biometric system meet specific application requirements? One way this question can be answered is by an evaluation of biometric system performance. The two most common metrics for assessing biometric performance are the false accept rate and the false reject rate. The false accept rate (FAR) is the percentage of unauthorised users that are accepted by the system. For example, at an entertainment facility, the FAR would be the percentage of people who get through the turnstile without a ticket. Conversely, the false reject rate (FRR) is the percentage of authorised users who are denied access by the system. Using the same entertainment application as an example, The FRR would be the percentage of people who bought a ticket and still could not get in.
The FAR–FRR relationship is illustrated with a receiver operating characteristic (ROC) curve. An example of an ROC curve is shown in Figure 1. Any point along the curve – called an operating point – has an FAR correlated to an FRR. As the figure demonstrates, the relationship between the FAR and FRR is a tradeoff: as the FRR decreases, the FRR increases, and vice versa. A biometric system can be tuned by selecting a threshold that corresponds to any point along the curve from which to operate the system. The performance requirements of the specific application would inform the choice of operating point.
Figure 1. The ROC curve shows the relationship between the false reject rate and the false accept rate. A biometric system can be tuned by selecting any single operating point along the curve
Every application has a different ROC curve and thus different FAR–FRR tradeoff options. Biometric performance can be affected by many factors, such as operating environment, user population, user habituation, sensor technology chosen, number of authentication factors, etc. Figure 2 illustrates how performance requirements can begin to influence one biometric system design. The performance desired for two different applications is shown by grey areas on the graph. The required performance for one application can be achieved by selecting a threshold that corresponds to an operating point along the system’s ROC curve inside the area. However, the performance required by the second application cannot be achieved with the system design indicated by the ROC curve because the curve and the desired performance do not intersect.
Figure 2. The ROC curve defines and constrains the FAR–FRR tradeoff. The performance desired for Application 1 can be achieved by adjusting the performance threshold. The performance desired for Application 2 can be achieved only by changing the curve – by changing the system design
There are many ways to change the ROC curve, even after a sensor is selected. Moving an application from outdoors to indoors would be an obvious example. But the most cost-effective way to ensure the tradeoffs you can live with is to select the sensor that is right for your application in the first place.
Fingerprint sensor technologies
Different fingerprint sensor technologies perform differently, and those differences are more pronounced the further from the laboratory the applications get. Yet each available sensor technology is well suited to some types of applications. Three classes of fingerprint technologies are presented here: semiconductor, conventional optical and multispectral imaging.
There are several types of semiconductor sensors. The two most common sensors use small silicon arrays to measure the difference in capacitance caused by contact of fingerprint ridges with the sensor or the difference in radio frequency signals returned by the ridges and valleys of the fingerprint. Semiconductor sensors are commonly swipe sensors; the user slides the fingertip over a small sensor area.
Semiconductor swipe sensors are small and inexpensive; they are currently the only reasonable option for portable consumer electronics such as cellphones and laptop computers. However, swipe sensors’ technology inherently limits their suitability for some applications. The silicon array is directly exposed to the environment and is susceptible to damage from mechanical effects, thermal shock, and electrostatic discharge. Capacitive sensors do not work well when the skin is very dry, and both capacitive and radio frequency sensors fail when the sensor surface is wet. Capacitive sensors measure just the surface features of the skin, causing reduced performance when the features are worn or absent; radio frequency sensors measure features very close (tens of microns) to the surface of the skin making the technology almost as susceptible as capacitive sensors to worn or missing skin features.
Capacitive and radio frequency sensors are very susceptible to spoofs. Spoofs are fake fingerprints, often made of common household materials such as glue or gelatin that are used to trick the sensor. The simple measurement of the surface characteristics of the skin causes capacitive sensors to be very vulnerable to spoofing. And although spoofing a radio frequency sensor takes a little more sophistication, spoofing this sensor is easy when the proper materials are used.
Finally, because a semiconductor swipe sensor functions as a fingertip scanner, these sensors require user training and practice to work reliably. These sensors tend to be a poor choice for high-throughput situations or installations that require interactions with unhabituated users.
The size of semiconductor swipe sensors – such an asset in consumer electronics – puts them at a disadvantage in large deployments with many users: they simply do not reliably collect enough unique and identifying data about the fingerprint for high biometric performance. Area sensors, in contrast, have a platen upon which the user places a finger. Because they collect more unique fingerprint data, they are inherently better suited to large applications.
Area sensors can be made from semiconductors. However, due to the high cost of semiconductor wafers, these semiconductor area sensors tend to be quite small and, therefore, have limited performance in comparison to optical area sensors. Since semiconductor area sensors suffer from the same direct exposure of the semiconductor to the environment that swipe sensors have, they are similarly fragile. Although semiconductor area sensors are sometimes used for physical access control, they are mainly selected for moderate-to-low security applications such as time and attendance due to their limited biometric performance.
The second sensor class discussed here, conventional optical sensors, are area sensors. They are configured to look for the presence or absence of total internal reflectance (TIR), which is the phenomenon whereby the interface between glass and air acts like a mirror at certain angles. The points of contact between the skin and the platen are imaged. Under ideal conditions, the points of contact between the finger and the sensor are the fingerprint ridges and the result is a high-quality image.
Conventional optical fingerprint sensors are generally very robust and much less sensitive to adverse environmental effects such as mechanical shocks or electrostatic discharge as compared to semiconductor sensors. However, they are very susceptible to non-ideal skin conditions. In particular, if the skin is too dry or is not making good contact with the sensor, the image is severely degraded. The sensors are sensitive to wetness, which destroys the fundamental phenomenon that gives rise to the imaging. They are susceptible to spoofing because information that would differentiate the material in contact with the sensor is not measured.
Multispectral imaging is the most recently developed fingerprint technology available. It is based upon the principle that different wavelengths of light penetrate the skin to different depths and are absorbed differently by various components of the skin. This sensor collects multiple images of the surface and subsurface of the finger under a variety of optical conditions and combines them to yield high quality and complete fingerprint images. The pre-processed multispectral images are also analysed to ensure that the optical properties of the sample being measured match those expected from a living finger.
The combination of surface and subsurface imaging in these sensors ensures that usable biometric data can be taken across a wide range of environmental and physiological conditions. Bright ambient lighting, wetness, poor contact between the finger and sensor, dry skin, and various topical contaminants present little impediment to collecting usable data. Multispectral sensors are the technology of choice when deploying touch biometrics outdoors. Moreover, the ability of the multispectral imaging sensor to measure the optical characteristics of the skin below the surface allows strong discrimination between living human skin and spoofs. Multispectral imaging sensors are very robust and relatively insensitive to adverse environmental effects such as mechanical shocks or ESD as compared to semiconductor sensors. They are very tolerant of high ambient light levels and are very well suited to industrial and other high-use applications.
Evaluating the biometric application
Just as important as an understanding of the strengths and weaknesses of fingerprint technologies is an analysis of the application. What is the driving factor in the selection of a technology? It is important to understand the security requirements of your application and the level of convenience needed by the users of the biometric system. Further, the number of system users, the environment, and the user population will all impact system performance. To illustrate this analysis, let us consider specific examples and the decision factors that a security analyst would need to consider in each case. Table 1 shows the relationship between these factors and highlights the different application examples presented in this article. Figure 3 plots the relative performance requirements of these example applications. Figure 4 shows relative ROC curves for three sensor technologies.
Table 1. Four applications
Figure 3. Four example applications and their relative performance requirements
Figure 4. Relative ROC curves are shown for three sensor technologies. Each sensor technology can meet the performance requirements of the applications before it, ie, multispectral imaging sensors can meet the performance requirements of applications A and B as well as C and D
Example A: Portable consumer electronic device
When it comes to securing personal electronic devices such as personal computers or mobile telephones, cost is an important consideration. Even more important, however, will be user convenience. If the fingerprint sensor is large or takes a lot of time to use, the end user will not want to purchase the electronic component.
For this application, we can make the following assumptions:
1. The sensor must be small and quick.
2. Very few people will need to use the electronic device (the owner, family members, fellow employees, etc.)
3. The sensor must be very inexpensive.
Semiconductor fingerprint sensors are the best choice for this application, if only because they are currently the only sensors small enough to do the job. Cost is also a major consideration, and semiconductor sensors are very inexpensive. Operating conditions, usually considered a drawback for semiconductor sensors, are not an issue here since most electronic devices only operate indoors and certainly will not get wet. And since only a small number of people will have access to the device, the sensor does not need to work with large populations.
Technically, since this application has a low number of people using each device, a moderate FAR is an acceptable security risk. Because a few number of users will be quickly habituated, and because the sensor can be quickly re-swiped in case of a rejection, a moderate FRR is acceptable.
Example B: Secure building facility
In this type of application, the overriding concern will be security, and not the convenience of the people using the system. We could make these assumptions for this application:
Relatively few, well-trained people are allowed to enter the facility.
1. The sensor must be very accurate.
2. The environment is carefully controlled (office-type environment).
3. The cost of the sensor is not the primary concern.
In a secure building facility application, the environmental and throughput stress on the sensor will be relatively low. The sensor must, however, be able to deliver accurate results. In such an environment, a conventional optical sensor would be a good fit because these sensors provide very accurate images for controlled populations under controlled environments. A multispectral sensor would also be a good choice.
Technically, this type of application requires a very low FAR. Security is very high; it should be statistically very difficult to nearly impossible for someone who is not registered in the system to enter. A very low FAR usually means that the sensor and matching system must be extremely sensitive to variations and it will deny access to authorised users (higher FRR) from time to time. Thus, the trade-off is convenience, because authorised users may have to press the sensor repeatedly or more carefully to gain access.
Example C: Theme park ticketing
Theme parks use biometrics for ticket fraud deterrence – a relatively low-security objective. They need to achieve this aim without inconveniencing the customer in any way. The sensor should work quickly, reliably and not cause long lines. For the theme park application, we can make these assumptions:
1. The sensor will likely be outdoors and must work under various environmental conditions.
2. The sensor must work reliably on a very large population with very different skin conditions.
3. The sensor must work very quickly, even at the expense of accuracy.
4. The people using the sensor are not trained at all and may never have used a fingerprint biometric sensor before.
5. The cost of the sensor is not the primary concern.
This application presents great difficulties to the security specialist because very few types of fingerprint sensors are designed to work outdoors. Semiconductor sensors will have extreme difficulty outdoors with rain, humidity, extreme cold and extreme dryness. They will also not tolerate much contamination of dirt, liquids, grease, etc. Conventional optical sensors do not work well in most outdoor environments either, and they have problems with the high-throughput requirements of this application.
The multispectral imaging technology is currently the sensor of choice at several major theme parks because it is able to function quickly and reliably outdoors under almost any weather conditions. It also works with almost any person in the world. Therefore, for this application, multispectral imaging technology would be the most appropriate.
Technically, this high-convenience application calls for a low FRR because it is important not to reject people very easily. The first time a customer touches the platen, a match should be easily and quickly made. The trade-off is a relatively higher FAR, but that should be acceptable since fraud deterrence is the primary concern.
Example D: Border control
In this application, we are presented with a very difficult problem. Security must be quite high so that criminals and terrorists or other unauthorised people do not cross the border into a country. Additionally, the application must be very convenient to that a large number of people can be processed relatively quickly. Some border applications also call for outside use. This presents the added stress of varied environmental conditions.
For this application, we may make the following assumptions:
1. The sensor must be very accurate.
2. The sensor should detect false fingerprints.
3. The people using the sensor are not trained well and may not use fingerprint sensors frequently.
4. The sensor must work reliably on a very large population with very different skin conditions.
5. The sensor must work very quickly, with high accuracy to prevent lines at the border.
6. The sensor may be outdoors and must work under various environmental conditions.
7. The cost of the sensor is not the primary concern.
Very few sensors in the world can meet these types of requirements. Historically, conventional optical sensors have been used and they function moderately well for some people. However, increasingly multispectral imaging sensors are being deployed at borders to handle the reliability concerns of large populations and varied environmental conditions. Moreover, conventional optical sensors cannot detect false fingerprint images very well, whereas multispectral imaging sensors are extremely good at detecting spoofs. In a border control application in which detecting criminals is very important, this ability to detect false fingerprints is critical.
Technically, the security requirements of this application call for a low FAR, but must also have a moderately low FRR to keep the lines short and moving. This means that the sensor must be very accurate and very reliable in all conditions on all people. In the case of FRR situations, a person will be pulled out of line and reviewed manually by a border control agent.
The game changer
The traditional way of looking at high-security applications is to sacrifice user convenience in order to keep the false accept rate at an acceptable level. The result was a user population that hated biometrics.
Designers of security applications have often underestimated the importance of convenience to system success. In addition to alienating users, high FRR rates can mean that expensive exception handling processes are required. Sometimes the exception handling process is to simply wave someone through if the sensor cannot get a good enough image to perform a match, compromising security. Multispectral imaging is a sensor technology that improves image quality to such a degree that it is possible to have a reasonably low FAR and FRR at the same operating point. Multispectral imaging technology is a game-changer. It pushes that ROC curve in.