
The Software Battle Has Just Begun
Managing authentication with biometrics involves four major
functions--feature capture, data extraction, storage and
comparison--and the device is principally responsible for the capture
step only. We designed these tests to compare the
fingerprint-recognition devices themselves, using the best software
available. We may have obtained different results with different
applications because good software can make up for deficiencies in the
reader hardware.
After capturing the image, fingerprint-recognition software creates a
digital representation of the fingerprint--a one-way transformation
that won't allow the fingerprint to be reconstructed from the data, but
must ensure that two different fingers cannot result in the same
digital representation. The software may gather data points from the
fingerprint, known as minutiae, which are the coordinates where ridges
terminate or bifurcate and loops converge, for example. Minutiae may
have up to seven unique characteristics. Because the typical finger has
an average of 70 minutiae points, about 490 data elements can be
extracted using this method. That's a lot of data from a small area of
skin, but it may not be enough to ensure absolute verification.
Some algorithms get more data by combining minutiae points with vectors
that indicate relationships between minutiae, and still others use
entire sections of the image itself. Ultimately, this data, often
referred to as a template, is stored as a 1-KB record. Whatever its
composition, there's no standardization of template data nor are
extraction algorithms published; it's all vendor-specific. Therefore,
higher layers of software are required to abstract the details of the
biometric device and shield the programmer from the, pardon us,
minutiae.
The other obvious limitation here is platform support. Only two of the
six fingerprint-recognition systems we tested support Unix, and the
general-purpose APIs emerging focus primarily on Windows environments.
Battleground No. 1: APIs
Proprietary APIs are stunting the growth of biometrics. An application
vendor can't be expected to write to every device on the market--there
are simply too many and they're not widely deployed.
For this kind of hands-off authentication, National Registry Inc.'s
(NRI) Human Authentication Application Program Interface, or HA-API
(pronounced "happy"), is a good fit. Developed under contract to a
Defense Department agency and backed by the U.S. Biometric Consortium,
it's the most talked about generalized API in the biometric community.
Unfortunately, some vendors feel that HA-API is an oversimplified
device interface. For example, HA-API answers a simple "yes" or "no" to
an application requesting verification. But exact matches don't always
occur. After all, we're talking about physiological details that can
change slightly under different conditions. It may be better to return
a confidence level instead of a simple binary answer, and let the
application decide if it needs additional authentication.
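As an added illustration of the two points above (minutiae as extracted data points, and a matcher that hands the application a confidence score rather than the bare yes/no that HA-API returns), here is a small Python matcher over constructed templates; it is not code from the article or from any vendor named in it, and the four-field minutia layout, the tolerances and the accept/reject thresholds are assumptions.

```python
import math
from dataclasses import dataclass

# Constructed minutia record; real vendor templates are unpublished and richer.
@dataclass(frozen=True)
class Minutia:
    x: float
    y: float
    angle: float  # ridge direction, degrees
    kind: str     # "end" (ridge ending) or "bif" (bifurcation)

def angle_diff(a, b):
    """Smallest difference between two angles, in degrees."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)

def match_score(probe, enrolled, dist_tol=8.0, angle_tol=15.0):
    """Fraction of minutiae paired one-to-one within tolerance (0.0..1.0).
    Greedy pairing on pre-aligned templates; a real matcher also aligns."""
    if not probe or not enrolled:
        return 0.0
    used = [False] * len(enrolled)
    paired = 0
    for p in probe:
        for i, e in enumerate(enrolled):
            if used[i] or e.kind != p.kind:
                continue
            if math.hypot(p.x - e.x, p.y - e.y) > dist_tol:
                continue
            if angle_diff(p.angle, e.angle) > angle_tol:
                continue
            used[i] = True
            paired += 1
            break
    return paired / max(len(probe), len(enrolled))

def decide(score, accept=0.8, reject=0.4):
    """Policy owned by the application: an ambiguous score asks for a
    second factor instead of collapsing to a flat yes/no."""
    if score >= accept:
        return "accept"
    if score <= reject:
        return "reject"
    return "step-up"

# Constructed templates: ENROLLED is the stored record, PROBE a fresh capture
# of the same finger with small positional noise and one minutia missed.
ENROLLED = [Minutia(10, 12, 30, "end"), Minutia(40, 55, 120, "bif"),
            Minutia(75, 20, 200, "end"), Minutia(60, 80, 300, "bif"),
            Minutia(25, 90, 45, "end")]
PROBE = [Minutia(12, 10, 33, "end"), Minutia(38, 57, 118, "bif"),
         Minutia(74, 22, 204, "end"), Minutia(61, 78, 296, "bif")]
```

With the constructed data, the same finger scores 0.8 and is accepted, a capture with only three usable minutiae scores 0.6 and lands in the step-up band, and an unrelated finger scores 0.0.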
In answer to HA-API's limitations, I/O Software has developed BAPI
(Biometric API). BAPI has three levels, with the highest one comparable
to HA-API. It can return a confidence score to the programmer instead
of a simple yes or no, control the storage of biometric data, such as
storing templates on a smartcard, and has many more functions.
Battleground No. 2: Operating Systems
The typical demonstration application is a Windows95 screen saver, which
by itself doesn't enhance a system's security at all--unless
access-control software is included to address the operating system's
shortcomings. As a more practical application, most vendors are
struggling to get their Windows NT logon software out the door. So far,
American Biometric Corp., I/O Software and NRI have a jump on the
competition with software shipping. However, all vendors in this roundup
are promising domain-based Windows NT authentication soon.
Within a Windows NT environment, the first step is to replace the logon
screens with a user screen that recognizes fingers instead of (or, in
addition to) passwords. This is done by substituting the GINA.DLL
(Graphical Identification and Authentication DLL) with an alternative
mechanism.
Next, to ensure that you don't have to enroll fingers at every
workstation, templates should be stored centrally at the Primary Domain
Controller, allowing users to log in from any fingerprint-capable
workstation within the domain. Most vendors build a database of
templates, or at a minimum, keep individual template files for every
user within the NT file system.
Digital Persona is taking a new approach with its upcoming Windows NT
authentication service. By using a little-known and poorly documented
Microsoft Corp. interface, the MSV1_0 SubAuthentication DLL, it will be
able to store templates directly into the NT SAM (Security Account
Manager) database, eliminating the need for external databases and
providing for tight integration with Windows NT 4.0. As with all of the
devices we tested, an NT 5.0-specific version is planned, using Active
Directory for template storage.