Security for Dummies
Safe and simple
Thursday 17 July 2008, 11:21 AM
Biometrics - conserns and answers
First, I would like to distinguish biometric technologies that do not work or must not work. I mean both behavioral (keystroke dynamics, handwriting) and physical (voice, face and palm) recognition systems. Why do I think that these technologies are not working? Simple. The error ratio is too high for real life implementation; it is too easy to trick these systems even for non-experienced hacker.
I am also not going to talk about iris scan and retina scan. These systems are accurate. It is much harder to trick them. But these systems are too expensive. For the same token I will not talk about DNA, odor identification systems and alike.
Let’s talk about biometrics that works in real world conditions – fingerprint.
What are concerns?
1. Accuracy.
Regular fingerprint identification system has standard FAR of 0.001% and FRR of 0.1%. What does it mean for us? FAR (False Accept Ratio), a possibility to accept a wrong finger instead of registered one, of 0.001% mean that if one fingerprint is registered, the system can once in 100,000 attempts the system can wrongly grant access to a impostor. Pretty high accuracy. If 10 fingerprints are registered – the same statistical mistake accumulates resulting to one in 10,000 attempts. That is also fine. But let us imagine a public system with 1,000 registered users (not rare situation). Every user has 10 fingerprints registered. What is the resulting false accept ratio? 10fingerprints*1000users*0.001%=0.1%. That is already alarming. That means that every passer-by may enter the gate from maximum 10 attempts.
For the system with 10,000 registered users the resulting false accept will be “1”, meaning that ANYONE can enter from the first attempt. Scary!
2. Response time, user acceptance and FRR
It was tested and proved that FRR (false reject) rises exponentially with the number of attempts. If the person trying to pass the gate is a bit nervous, the possibility of false reject is 1% at the first attempt, 12% at the second, 48% at the third time. Imagine a huge line of employees trying to get their workplace in time.
3. Psychological resistance
The fingerprint technology has still some criminal “aura”; it is deep in our minds. We do not want to leave our fingerprints somewhere.
Contnue to the full story here
I am also not going to talk about iris scan and retina scan. These systems are accurate. It is much harder to trick them. But these systems are too expensive. For the same token I will not talk about DNA, odor identification systems and alike.
Let’s talk about biometrics that works in real world conditions – fingerprint.
What are concerns?
1. Accuracy.
Regular fingerprint identification system has standard FAR of 0.001% and FRR of 0.1%. What does it mean for us? FAR (False Accept Ratio), a possibility to accept a wrong finger instead of registered one, of 0.001% mean that if one fingerprint is registered, the system can once in 100,000 attempts the system can wrongly grant access to a impostor. Pretty high accuracy. If 10 fingerprints are registered – the same statistical mistake accumulates resulting to one in 10,000 attempts. That is also fine. But let us imagine a public system with 1,000 registered users (not rare situation). Every user has 10 fingerprints registered. What is the resulting false accept ratio? 10fingerprints*1000users*0.001%=0.1%. That is already alarming. That means that every passer-by may enter the gate from maximum 10 attempts.
For the system with 10,000 registered users the resulting false accept will be “1”, meaning that ANYONE can enter from the first attempt. Scary!
2. Response time, user acceptance and FRR
It was tested and proved that FRR (false reject) rises exponentially with the number of attempts. If the person trying to pass the gate is a bit nervous, the possibility of false reject is 1% at the first attempt, 12% at the second, 48% at the third time. Imagine a huge line of employees trying to get their workplace in time.
3. Psychological resistance
The fingerprint technology has still some criminal “aura”; it is deep in our minds. We do not want to leave our fingerprints somewhere.
Contnue to the full story here
Previous
