Six Biometric Devices Point The Finger At Security
June 1, 1998

Biometrics Under Our Thumb
Because the vendors of fingerprint-recognition systems are not shipping software for a common platform, we chose to evaluate these devices based on the best software available. American Biometric Corp. (ABC), National Registry Inc. (NRI) and Sony all provided Microsoft Corp. Windows NT logon products. We had to use simple test applications from Biometric Access Corp, Digital Persona and Identix. When device sensitivity was adjustable, we used system defaults, believing this setting was one a typical administrator would use.

In our first round of tests, we assessed the device's FRR (false rejection rate). We enrolled 20 people in each system, recording the number of retries, if any, that were necessary for a successful enrollment. Next, we asked users to authenticate to the system. Because many fingerprint-recognition systems have difficulty reading very dry hands, we applied alcohol to users' fingertips for the final authentication test. As expected, this drove the FRR up for most devices--except for Sony's Fingerprint Identification Unit (FIU), which actually performed better for dry fingers.

Our user population consisted of an equal mix of men and women from a variety of ethnic backgrounds. Overall, men's fingerprints had a higher success rate than women's fingerprints by about 18.5 percent. As expected, people with poor ridge definition--women and Asians in particular--had more difficulty using these devices. Several people could not authenticate at all to some systems. All devices, except Digital Persona's U.are.U, rejected at least one user after five valid attempts to log in.

In our next round of tests, we attempted to get past these scanners using latent prints lifted from a table. Using a fine brush and dry toner from a laser printer cartridge, we were able to see fingerprints and lift them with adhesive tape. Next, we transferred those images to transparency material on a photocopier. By wetting the ink side of the transparency and placing it on the platen, we were able to break into two of these devices.

Finally, we built rubber fingers using wax finger imprints (admittedly, difficult--but not impossible--to do without user cooperation). By pouring a thin layer of silicone into the wax mold, we created fakes that four of the six scanners couldn't distinguish from our own fingers.



The Software Battle Has Just Begun
Managing authentication with biometrics involves four major functions--feature capture, data extraction, storage and comparison--and the device is principally responsible for the capture step only. We designed these tests to compare the fingerprint-recognition devices themselves, using the best software available. We may have obtained different results with different applications because good software can make up for deficiencies in the reader hardware.

After capturing the image, fingerprint-recognition software creates a digital representation of the fingerprint--a one-way transformation that won't allow the fingerprint to be reconstructed from the data, but must ensure that two different fingers cannot result in the same digital representation. The software may gather data points from the fingerprint, known as minutiae, which are the coordinates where ridges terminate or bifurcate and loops converge, for example. Minutiae may have up to seven unique characteristics. Because the typical finger has an average of 70 minutiae points, about 490 data elements can be extracted using this method. That's a lot of data from a small area of skin, but it may not be enough to ensure absolute verification.

Some algorithms get more data by combining minutiae points with vectors that indicate relationships between minutiae, and still others use entire sections of the image itself. Ultimately, this data, often referred to as a template, is stored as a 1-KB record. Whatever its composition, there's no standardization of template data nor are extraction algorithms published; it's all vendor-specific. Therefore, higher layers of software are required to abstract the details of the biometric device and shield the programmer from the, pardon us, minutiae.

The other obvious limitation here is platform support. Only two of the six fingerprint-recognition systems we tested support Unix, and the general-purpose APIs emerging focus primarily on Windows environments.

ˇBattleground No. 1: APIs Proprietary APIs are stunting the growth of biometrics. An application vendor can't be expected to write to every device on the market--there are simply too many and they're not widely deployed.

For this kind of hands-off authentication, National Registry Inc.'s (NRI) Human Authentication Application Program Interface, or HA-API (pronounced "happy"), is a good fit. Developed under contract to a Defense Department agency and backed by the U.S. Biometric Consortium, it's the most talked about generalized API in the biometric community. Unfortunately, some vendors feel that HA-API is an oversimplified device interface. For example, HA-API answers a simple "yes" or "no" to an application requesting verification. But exact matches don't always occur. After all, we're talking about physiological details that can change slightly under different conditions. It may be better to return a confidence level instead of a simple binary answer, and let the application decide if it needs additional authentication.

In answer to HA-API's limitations, I/O Software has developed BAPI (Biometric API). BAPI has three levels, with the highest one comparable to HA-API. It can return a confidence score to the programmer instead of a simple yes or no, control the storage of biometric data, such as storing templates on a smartcard, and has many more functions.

ˇ Battleground No. 2: Operating Systems The typical demonstration application is a Windows95 screen saver, which by itself doesn't enhance a system's security at all--unless access-control software is included to address the operating system's shortcomings. As a more practical application, most vendors are struggling to get their Windows NT logon software out the door. So far, American Biometric Corp., I/O Software and NRI have a jump on the competition with software shipping. However, all vendors in this roundup are promising domain-based Windows NT authentication soon.

Within a Windows NT environment, the first step is to replace the logon screens with a user screen that recognizes fingers instead of (or, in addition to) passwords. This is done by substituting the GINA.DLL (Graphical Identification and Authentication DLL) with an alternative mechanism.

Next, to ensure that you don't have to enroll fingers at every workstation, templates should be stored centrally at the Primary Domain Controller, allowing users to log in from any fingerprint-capable workstation within the domain. Most vendors build a database of templates, or at a minimum, keep individual template files for every user within the NT file system.

Digital Persona is taking a new approach with its upcoming Windows NT authentication service. By using a little-known and poorly documented Microsoft Corp. interface, the MSV1_0 SubAuthentication DLL, it will be able to store templates directly into the NT SAM (Security Account Manager) database, eliminating the need for external databases and providing for tight integration with Windows NT 4.0. Like all of the devices we tested, an NT 5.0-specific version is planned using Active Directory for template storage.