Mathematics at the heart of biometrics

Access & Identity Management Handbook 2014 Access Control & Identity Management

When looking at a PC or a printer we usually just see a piece of equipment without thinking about what makes the system work. There are the physical components that make up a complete PC, such as the CPU, motherboard, screen, hard disk drives, keyboard and mouse, that are essential for us to use the PC. But we rarely think of the operating system that is at the heart of making the different components work together. A PC operating system is a very complex set of logical mathematical equations.

The same principle applies to biometric devices. On most biometric devices we see different hardware components that make up the biometric device as a whole. On a fingerprint biometric device, for instance, there is a fingerprint scanner lens where you place your finger, a screen that informs you if access is granted or denied, and maybe a numerical keypad.

We give very little thought to what makes a biometric device function in either verifying or identifying who we are. The quality of the components used is critical for a feasible and successful biometric device. More important, however, is the mathematics used to verify or identify the physical biometric attributes of an individual and compare them to what is stored in the system’s database.

Down to the numbers

In biometrics this mathematical equation is known as an algorithm. The specific biometric features of an individual are reduced, via an algorithm, to a mathematical string or a template. This template is stored in some form of database and when the user places their finger on the fingerprint scanner, the algorithm compares the template from the fingerprint scanner to the template stored in the database.

This is true of all biometric devices, whether they are fingerprint, palm, iris or facial recognition systems. The unique features of a face can just as easily be reduced to a mathematical string as the unique features of a fingerprint. I use the word 'easily' very flippantly; there is actually nothing easy about the algorithm that converts these unique features to mathematical strings.

There are two functions involved in either verifying a template or identifying a template. The first is the extraction function and the second is the comparison function. Simply put, the extraction function takes the image presented to it from the scanning device and converts it into a mathematical string or template. The second function then compares the extracted template with the template saved on the database, and if enough points of comparison correspond, the system will verify or identify an individual.

Algorithm basics

Biometric algorithms are complex logical mathematical equations and the complexity of the algorithm ultimately determines the success of the biometric device. To understand why some fingerprint biometric devices use more complex algorithms than others do, we need to understand that different algorithms use different levels and quantities of features on the templates.

In fingerprint biometric systems there are three levels for either verification or identification:

Level 1 uses the loops, whorls and arches that are present in 60% to 70% of the population. Level 1 is used mainly for one-to-one verification purposes. In other words, the system just confirms who I am. This is often found in the cheaper variant of biometric devices and can be subverted with properly faked fingerprints manufactured from something as simple as candle wax and household silicone sealant.

Level 2 uses minutiae points such as ridge endings, bifurcations, deltas and ridge dots. Level 2 can give more than 100 reference points for the fingerprint biometric device to use, to either verify or identify a specific fingerprint. When the biometric system identifies a template, it compares the fingerprint presented to the fingerprint scanner (converted to a template) against all the templates in the database. It is more secure, as the algorithm can use more reference points and the possibility of multiple fingerprint templates is negated.

Level 3 uses both of the above but then also uses unique geographical and dimensional characteristics such as the depth of the fingerprint ridge.

Level 1 and 2 are used in commercial applications such as access control and time and attendance, while Level 3 is used in systems such as passport and entry control, law enforcement and military applications and is more commonly known by the name of AFIS.
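The comparison function and the difference between one-to-one verification and one-to-many identification can be shown with a small Level 2 style matcher. This is an added example, not code from the article or from any vendor; the template layout, the tolerances, the match threshold and the sample data are all constructed, and the templates are assumed to be already aligned.

```python
import math

# Constructed sample templates: each minutia is (x, y, angle_degrees, kind).
ALICE = [(10, 12, 30, "ending"), (40, 45, 120, "bifurcation"),
         (70, 20, 200, "ending"), (25, 80, 310, "bifurcation"),
         (60, 65, 90, "ending")]
BOB = [(15, 60, 45, "bifurcation"), (50, 10, 270, "ending"),
       (80, 75, 10, "ending"), (33, 33, 150, "bifurcation"),
       (5, 90, 220, "ending")]
DATABASE = {"alice": ALICE, "bob": BOB}

# Constructed fresh scan of Alice's finger: sensor noise, one minutia missed.
ALICE_SCAN = [(11, 13, 33, "ending"), (39, 44, 118, "bifurcation"),
              (71, 22, 205, "ending"), (26, 79, 305, "bifurcation")]

def angle_diff(a, b):
    """Smallest difference between two angles, in degrees."""
    d = abs(a - b) % 360
    return min(d, 360 - d)

def match_count(probe, enrolled, dist_tol=4.0, angle_tol=15.0):
    """Count probe minutiae that pair with a distinct enrolled minutia."""
    used, matched = set(), 0
    for px, py, pa, pk in probe:
        for i, (ex, ey, ea, ek) in enumerate(enrolled):
            if i in used or pk != ek:
                continue
            close = math.hypot(px - ex, py - ey) <= dist_tol
            if close and angle_diff(pa, ea) <= angle_tol:
                used.add(i)      # each enrolled point may be paired once
                matched += 1
                break
    return matched

def verify(probe, claimed_id, db=DATABASE, min_matches=4):
    """One-to-one: compare only against the claimed identity's template."""
    return match_count(probe, db[claimed_id]) >= min_matches

def identify(probe, db=DATABASE, min_matches=4):
    """One-to-many: compare against every template; best id or None."""
    best_id, best = None, 0
    for user_id, template in db.items():
        n = match_count(probe, template)
        if n > best:
            best_id, best = user_id, n
    return best_id if best >= min_matches else None
```

Lowering min_matches makes the matcher more forgiving of noisy scans but also easier to satisfy with a partial or unrelated print, which is the trade-off the error rates discussed later measure.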

From the above it is clear that certain biometric algorithms are more complex than others and it becomes a question of how secure the end user wants his biometric system to be.

How secure is secure?

The more complex the algorithm, the more secure the storage of the template. Not only is an image of a fingerprint converted into a mathematical equation that is exceedingly long and complicated, but the more complex algorithms are also encoded in proprietary fashion, thereby almost nullifying the possibility of manually tampering with the template.

Why all the effort in converting an image of a fingerprint into a mathematical equation? Why not just keep an image of the fingerprint on the database and then have the system do a visual comparison?

The answer to this is simple: privacy. In many countries in the world legislation exists that forbids the holding of data that is deemed personal on databases. Nothing can be more personal than a fingerprint. Even in South Africa we have draft legislation that will prohibit the storage of a fingerprint image.

In an opinion piece written for Human Capital Review surrounding the issue of using fingerprint biometrics, Eva Mudely and Lusanda Raphulu of Bowman Gilfillan Attorneys mentioned the Protection of Personal Information Act (POIPA), which has recently passed its last legislative hurdle and is ready to be implemented in the near future.

In the article they make specific reference to the following: “Although POIPA does not have the force and effect of law, employers should be guided by its provisions when dealing with employees’ personal information. Employers can thus make highly effective use of fingerprint biometrics in a manner which is beneficial to the organisation, but which also protects the privacy of the individual employee.”

The next question comes to mind: how simple or how complex is the algorithm that is used in a specific device? How do I make a choice between device A and device B? Is there an independent body that rates biometric algorithms? The answer is yes; there are two, actually.

The first is most commonly known as the FVC (Fingerprint Verification Competition) Ongoing, which is an independent organisation called bioLab, hosted by the University of Bologna (Italy) with inputs from Michigan State University (USA), San Jose State University (USA) and Universidad Autonoma de Madrid (Spain). It is an online facility whereby different algorithms are tested against two ISO standard templates. The first is the ISO standard for commercial applications and the second is ISO Hard for Military/Law Enforcement/Governmental applications.

Putting it to the test

During this test, the speed of the algorithm, transaction time and enrolment time are measured. Most importantly, however, it measures the False Acceptance Rate (FAR – I am not on the system, but it accepts my template) and the False Rejection Rate (FRR – I am on the system, but the system does not accept my template). It is a bit of a seesaw – if the one is high, the other is low.

The best algorithms keep an optimum balance between the two and this is where the Equal Error Rate (EER) comes in. The lower the EER, the more successful and secure the algorithm. An EER of 0.2% is far superior to an EER of 0.8% and translates to the former being 99.8% successful and the latter 99.2%.
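The seesaw between FAR and FRR, and the point where they meet, can be computed directly from comparison scores. This is an added example, not part of the original article or of the FVC test procedure; the similarity scores and the 0 to 100 score scale are constructed for illustration.

```python
# Constructed similarity scores (0-100) from comparison attempts.
GENUINE = [91, 88, 95, 72, 85, 79, 93, 66, 90, 58]   # same finger, should pass
IMPOSTOR = [12, 25, 31, 8, 44, 19, 61, 27, 36, 15]   # other finger, should fail

def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostor attempts that are accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of genuine attempts that are rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)

def operating_points(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (threshold, FAR, FRR) rows to show the seesaw between the two."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]

def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every threshold; return (threshold, EER) where FAR and FRR are closest."""
    best = None
    for t in range(0, 102):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]

if __name__ == "__main__":
    for t, a, r in operating_points([30, 59, 80]):
        print(f"threshold={t:3d}  FAR={a:.0%}  FRR={r:.0%}")
    t, eer = equal_error_rate()
    print(f"EER={eer:.0%} at threshold {t}")
```

A low threshold lets impostors in (high FAR, low FRR) and a high threshold locks genuine users out (low FAR, high FRR); the EER is a single figure for comparing algorithms, while a deployed device is usually tuned to one side of it depending on what is being protected.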

The second independent body is IAFIS & FBI and this body puts biometric algorithms through the most stringent test. If the algorithm is successful, it either receives a PIV from IAFIS/FBI or is certified as IAFIS/FBI and is deemed to be suitable for use in law enforcement, passport and entry control and military applications. It must, however, be noted that not only the algorithm but the whole biometric device is tested.

Simply put, the mathematical engine powers the biometric device; almost like a car. There are reasons why some cars have expensive but complex engines, and others have inexpensive but DIY engines. Unfortunately, when it comes to security, very few can afford to have the DIY engine.

For more information contact Virdi Distribution, +27 (0)86 118 4734, deon@virditech.co.za, www.virditech.co.za









© Technews Publishing (Pty) Ltd. | All Rights Reserved.