Cryptography Reference
In-Depth Information
concurrently recognizes face, voice, and lip dynamics) serves for admis-
sion control. In this case, it is hardly possible to feed the computer with
stolen data, for you will never get to it.
•
Biometrics can be combined with other controls, e.g., with owning a
smartcard and knowing a PIN. In such a system, biometrics would
strongly reduce the probability that somebody can sneak in with a
stolen smartcard or PIN. In this landscape, biometrics makes classic
authentication more secure. If it is used for authentication, it must not
be the only measure. A computer that let's you log in via fingerprint
only uses the wrong concept. There should always be another (more
cumbersome) authentication control.
•
This knocked off the second point. The thing is, if Alice's digital
thumbprint file was stolen (which hopefully doesn't happen too often),
the fingerprint recognition system could have been combined with a PIN
and/or another method. The proper concept guarantees, here too, that
critical cases can be handled.
In contrast, there are two critical parameters in every biometric system: the
false
accept rate
(
FAR
) and the
false reject rate
(
FRR
). The FAR is the percentage
of unauthorized people passing the control, while the FRR is the percentage of
authorized people who were erroneously rejected by the device.
In the ideal case, both FAR and FRR would both be zero. Unfortunately, the
real world is not ideal; only 1 % for either value are considered excellent. This
number doesn't appear high, but imagine an organization with 1000 employees,
where ten employees stand protesting behind the factory gate yelling for the
security inspector day in day out, while industrial spies hired by the competitor
are admitted.
Biometric systems (or better, their recognition software) can be tuned. Depend-
ing on the purpose, you select either a lower FAR or a lower FRR; keeping
both values very small doesn't normally work. In high-security tracts, one has
to put up with wrongly rejected employees more often than not (low FAR,
higher FRR), while at the main entry there should only be a pre-selection with
low FRR (and higher FAR). The overall concept will decide here, too.
I think the most promising is the concept of
variable biometrics
.Bymy
definition, these are biometric characteristics that users can change themselves.
The two outstanding examples in Figure 6.11 are the BioID system, where the
user can say a spoken word (or an entire sentence) himself, and the analysis of
