PKI security solutions for the enterprise - Raina K.

Raina K. PKI security solutions for the enterprise - Wiley Publishing, 2003. - 334 p.
ISBN: 0-471-31529
112 Chapter 5
particular physical characteristic from a particular individual with a high degree of confidence. The size of the templates varies, from small templates for basic fingerprint scanners to larger templates for 3D hand geometry scanners, for example. The size of the template matters only when storage or transmission bandwidth is an issue. Next, the template is stored in a master database for later retrieval and comparison against a future authentication candidate. Many biometric systems suffer their biggest weakness at this point because capture of the template database allows a hacker to imitate the user or reverse engineer the physical characteristics. Some algorithms use a hash, a one-way function, to prevent this security risk, but it is not implemented for all systems. Finally, when an application or resource needs to be accessed, the candidate authenticates to the biometric device, which takes a snapshot of the characteristics to be compared against its template database. For very large-scale systems (such as government citizen identification projects), speed and database management are major factors.
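The storage trade-off described above, as an added example that is not from the book: templates are modelled as constructed 256-bit strings compared by Hamming distance, with an assumed 10% acceptance threshold. It shows that a raw stored template tolerates sensor noise but exposes the trait if the database is captured, while a plain SHA-256 digest hides the trait but rejects a genuine, slightly different re-capture.

```python
import hashlib
import random

TEMPLATE_BITS = 256      # constructed size; real template sizes vary by device
MATCH_THRESHOLD = 0.10   # assumption: accept if at most 10% of bits differ

def capture(true_trait: int, noise_bits: int, rng: random.Random) -> int:
    """Simulate a sensor snapshot: the trait with a few randomly flipped bits."""
    sample = true_trait
    for pos in rng.sample(range(TEMPLATE_BITS), noise_bits):
        sample ^= 1 << pos
    return sample

def hamming_fraction(a: int, b: int) -> float:
    """Fraction of bit positions in which two templates differ."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS

def verify_raw(stored_template: int, sample: int) -> bool:
    """Matcher over a raw stored template: tolerant of sensor noise."""
    return hamming_fraction(stored_template, sample) <= MATCH_THRESHOLD

def digest(template: int) -> str:
    """One-way form of a template, as a database might store it."""
    return hashlib.sha256(template.to_bytes(TEMPLATE_BITS // 8, "big")).hexdigest()

def verify_hashed(stored_digest: str, sample: int) -> bool:
    """Matcher over a hashed template: only a bit-identical capture matches."""
    return digest(sample) == stored_digest

def demo() -> dict:
    rng = random.Random(5)                     # fixed seed, repeatable run
    alice = rng.getrandbits(TEMPLATE_BITS)     # constructed "physical trait"
    impostor = rng.getrandbits(TEMPLATE_BITS)  # unrelated constructed trait
    enrolled = capture(alice, 0, rng)          # enrollment snapshot
    later = capture(alice, 8, rng)             # same user, 8 noisy bits
    return {
        "raw_genuine": verify_raw(enrolled, later),
        "raw_impostor": verify_raw(enrolled, impostor),
        "hashed_exact": verify_hashed(digest(enrolled), enrolled),
        "hashed_genuine_noisy": verify_hashed(digest(enrolled), later),
        "raw_db_exposes_trait": enrolled == alice,
    }

if __name__ == "__main__":
    print(demo())
```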
Many types of biometric devices can be used to authenticate an individual, but the most popular are these (see Table 5.5):
Fingerprint readers. This technique uses an individual's fingerprint to authenticate that person. One or more fingers may be required for the authentication. This method is perhaps the cheapest among all the biometric options. In fact, fingerprint devices are being incorporated into other generic devices such as keyboards. For example, HP (its Compaq division) sells a Biometric Option Kit that includes a biometric keyboard.
Figure 5.1 Process overview of biometric system.
Healthcare Solutions 113
Hand geometry. This method relies on the user to place his or her hand in a device that can measure unique aspects of the hand, including finger length and hand dimensions, among other characteristics. These devices are easier to use among a diverse population because they force the hand to be placed on the device for proper measurement readings. This is in contrast to, say, fingerprint devices, in which the rolling of the finger, the cleanliness of the device or finger, and other factors may slow down the time for authentication. Hand geometry devices can cost several hundred dollars per device and usually require custom installation in a secured area.
Voice verification. Although we've seen this method many times in the movies (remember that line "My voice is my passport" from the movie Sneakers?), voice verification is not, perhaps, the best method for authentication (it was, in fact, the point of compromise in Sneakers). Due to changes in voice (for example, from colds), background noise, and other aspects, voice verification is usually limited to verification for specific workstations or a closed environment. Voice verification is perhaps the most convenient because as long as the user can speak, other disabilities do not affect verification.
Iris/retinal scanning. In both of these methods, an aspect of the eye is scanned and verified. Retinal scanning is more intrusive because the eye must be placed directly on top of the measuring device. This slows down the authentication process and brings up hygienic issues if multiple parties are to use the same authentication device. Iris scanning is more practical because authentication can occur from a distance. These systems, though, are not cheap or as easy to use as other devices. Trials have already been done with iris scanning for automated teller machine (ATM) usage (as was done by the Bank United of Texas). The concept of using an ATM card may be a thing of the past!
Facial recognition. Perhaps the most popular in the media, facial recognition has been used for a number of years by various law enforcement agencies to pick out suspects in public places. In London, for example, cameras are mounted throughout the city, and suspects' faces are compared to a known database of felons. If the software detects a possible match, a police officer is sent to investigate. Another example is its use in U.S. casinos for detecting known cheats and ensuring that suspects are not able to enter the casino without the knowledge of security staff. In general, this type of authentication is used for large numbers of people that require nonintrusive authentication. There are a number of questions about the accuracy of this method because these systems are more accurate for verification (for example, in entering a secured facility) than for identification (for example, picking a known criminal out of a crowd).
Table 5.5 Summary of Biometric Devices and Applications
Fingerprint readers | High | Dirt, oil | Easy | Excellent for low-cost applications
Hand geometry | High | Age, injury | Easy | Ideal for small community, secured installation access
Voice verification | High | Cold, throat sickness | Moderate | Good as adjunct security mechanism
