Research > Biometrics

Need for reliable identity management

The increasing amount of electronic transactions that are being sent across wired and wireless networks has created a strong need for more reliable identity management. In an identity management system, establishing the identity of a person is a critical task. Existing possession-based identification methods (an ID card, a token or a key) or knowledge-based methods (a PIN, or a password) can be forgotten, lost, shared or stolen, resulting in identity theft or abuse.

Every 3 seconds there will be a new victim of identity theft in the US and the total damage of identity theft is estimated at a $53 billion a year. The need for more reliable identity verification has resulted in an increased interest in biometrics. The additional security that is obtained by validating certain physical properties of the human body extends the conventional possession and knowledge-based methods. There exists a wide variety of biometric modalities that are suitable for verification, such as iris scans, fingerprints, optical and acoustical ear biometrics, hand geometry, voice or vein patterns. These biometric modalities have different tradeoffs between their reliability, convenience, persistence, uniqueness, collectability and acceptability.

Enhanced convenience

Besides the prevention of identity theft, biometrics also gained interest from a convenience point of view. For example, biometric verification can replace the use of a PIN or password in some applications, resulting in a more convenient verification process for logical access control to workstations, networks, or data storage devices. Phone-based customer service desks can verify the caller’s identity using voice biometrics, eliminating the need for knowledge-based verification. Customer account management can be tightly integrated with identity verification resulting in improved customer service. Biometrically-enabled fast lane check-in facilities at airports can speed up the access-control process.

Cost reduction

A third reason for the increased interest for biometrics is its potential to save cost. Self-service kiosks with secure client identification can reduce costs associated with services. Efficient verification in places where a significant amount of identities have to be verified (such as airports, concerts, football matches) also reduces cost. Furthermore, biometrics can result in reduced administration support costs associated with password management.

Is privacy at risk?

The deployment of biometrics for verification has also raised concerns. For example, the tight coupling of a biometric verification method and the physical attributes of a person may jeopardize someone’s privacy. Concerns focus on the extent of the individual’s authority to control how biometric information is used, by whom, and for what purpose. More specifically, the concerns encompass:

  • Unauthorized collection: collection without the subject’s knowledge (e.g., fingerprints, facial images, and alike).
  • Unnecessary collection: biometrics employed in situations where there exists no or little benefit for strong user verification.
  • Unauthorized use: forensic usage, usage as unique identifier to link databases, and usage to monitor, link, and track an individual’s daily activity.
  • Unauthorized disclosure: unauthorized disclosure underpins unauthorized use.
  • Function creep: expansion of a system into areas for which it was not originally intended (for example as occurred for national identity numbers).

    • Renewability

    Another strong concern relates to renewability and revocability of biometric reference data. Individuals have a limited number of irises and fingers; identity theft renders corresponding biometric references as unusable for future use. Due to the persistence of biometric characteristics, a biometric reference that is compromised once is compromised forever. Hence biometrics require adequate privacy protection as well as a template format that is renewable. The goal of so-called template protection schemes is to provide privacy protection as well as renewability.

    Biometric template protection

    Biometric template protection comprises the generation of protected and renewable templates from biometric data. So-called protected templates are often referred to as 'Pseudo Identities'. Pseudo Identities are protected identity verification strings within a predefined context. A Pseudo Identity (PI) does not contain any information that allows retrieval of the original biometric measurement data, biometric template or true identity of its owner. Within a protected biometric ecosystem, Pseudo Identities follow 4 distinct phases that are depicted in Figure 1.

    Pseudo Identity life cycle
    Figure 1. Pseudo Identity life cycle



    More information

  • Pseudo identities based on fingerprint characteristics
    IEEE 4th international conference on intelligent information hiding and multimedia signal processing (IIH-MSP 2008), Harbin, China.


    (c) 2008 www.jeroenbreebaart.com