Can you be absolutely certain that a biometric device will work as claimed? Will it securely keep the bad guys out, while effortlessly letting the good guys in?
In real life, security versus convenience turns out to be pretty much a non-issue, since the combination of biometric identification plus a keypad code provides virtually unbreakable security. Here is why.
Biometric devices can be adjusted to favour security or user convenience. Think of a car alarm. When your car alarm is very sensitive, the probability of the bad guys stealing it is low. Yet the chance of your accidentally setting off the alarm is high. Reduce the sensitivity, and the number of false alarms goes down, but the chance of someone stealing your car increases.
The security requirements of a national defence contractor might demand that the device at the front door be adjusted to keep the bad guys out, for example. On the other hand, if hundreds of employees will clock in using a biometric reader at a low-security facility, you will want to adjust the unit's sensitivity to let the good guys in.
People like things that work. If the biometric does not allow employees effortless access, frustration will quickly rise and the biometric may never be accepted. Fortunately, this is extremely unlikely.
False accept rates
The probability that a biometric device will allow a bad guy to pass is called the 'false accept rate'.
This figure must be sufficiently low to present a real deterrent. False accept rates claimed for today's biometric access systems range from 0,0001% to 0,1%. The biometric hand readers at the front entrances of 60% of the nuclear power plants in the US (for example) have a false accept rate of 0,1%.
It is important to remember that the only way a bad guy can get access is if a bad guy tries. Thus, the false accept rate must be multiplied by the number of attempts by bad guys to determine the number of possible occurrences.
False reject rates
For most applications, letting the good guys in is just as important as keeping the bad guys out. The probability that a biometric device will not recognise a good guy is called the 'false reject rate'.
The false reject rates quoted for current biometric systems range from 0,00066% to 1,0%.
A low false reject rate is very important for most applications, since users will become extremely frustrated if they are denied access by a device that has previously recognised them.
An example may be helpful.
A company with 100 employees has a biometric device at its front door. Each employee uses the door four times a day, yielding 400 transactions per day.
A false reject rate of 1,0% predicts that every day, four good guys (1% of 400) will be denied access. Over a five-day week, that means 20 problems. Reducing the false reject rate to 0,1% results in just two problems per week.
A low false reject rate is very important for most applications, since users will become extremely frustrated if they are denied access by a device that has previously recognised them. As mentioned previously, the combination of a low false reject rate plus a simple keypad code provides virtually unbreakable security.
Equal error rates
Error curves give a graphical representation of a biometric device's 'personality'. The point where false accept and false reject curves cross is called the 'equal error rate'. The equal error rate provides a good indicator of the unit's performance. The smaller the equal error rate, the better.
Validity of test data
Testing biometrics is difficult, because of the extremely low error rates involved. To attain any confidence in the statistical results, thousands of transactions must be examined.
Some error rates cited by manufacturers are based on theoretical calculations. Other rates are obtained from actual field testing. Field data is usually more reliable. In the case of false reject rates, only field test data can be considered accurate, since biometric devices require human interaction. For example, if the device is hard to use, false reject rates will tend to rise. A change in the user's biometric profile could also cause a false reject (a finger is missing, for example).
None of these conditions can be accurately quantified by purely theoretical calculations. On the other hand, false accept rates can be calculated with reasonable accuracy from cross-comparison of templates in large template databases.
Currently, most field test error rates have been generated by various biometric manufacturers using end-user data, though tests have also been conducted by independent laboratories.
It is important to remember that error rates are statistical: they are derived from a series of transactions by a population of users. In general, the larger the population and the greater the number of transactions, the greater the confidence level in the accuracy of the results.
If the error rate is reported at 1:100 000, and only 100 transactions were included in the study, the confidence level in the results should be very low. If the same error rate was reported for 1 million transactions, the confidence level would be much higher.
The magnitude of the reported results affects the size of the sample required for a reasonable confidence level. If the reported error rate is 1:10, then a sample of 100 transactions may provide a sufficient confidence level. Conversely, a 100-transaction sample would be too small if the error rate was reported as 1:100 000.
Conclusion: security and convenience are a fact
Biometric devices are extremely secure, thanks to the combination of low false accept rates at moderate sensitivity settings, combined with a short user keypad code. At the same time, biometrics are extremely convenient and error-free, thanks to low false reject rates.
Source: Recognition Systems
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version