
Biometric user authentication

In recent years the field of biometric identification has developed into an acceptable alternative for user authentication. Simply stated, a biometric identification technique is a measurement or observation of a feature or action of a human, for the purposes of uniquely identifying the human. Biometric identification systems have been built based on a variety of techniques, including fingerprints, handwritten signature dynamics, voice print analysis, the pattern of blood vessels in the retina, hand geometry measurements, and facial characteristics.

A biometric identification technique can fail in one of two ways: it can either reject the identification of a legitimate user, or else it can incorrectly admit an illegitimate user. Most biometric identification systems allow adjustments to the technology in order to control these error probabilities to some degree. Set the systems to be too sensitive, and many legitimate users will fail to be identified. Set the systems to be too lax, and too many illegitimate users will be accepted. There is usually a tradeoff between these settings, where reducing the false rejection rate will simultaneously raise the false acceptance rate. The time for verification may also be affected.

Sandia National Laboratories has for some time engaged in testing of biometric identification devices, in support of their mission of securing nuclear facilities for the U.S. government. At the time of their last announced results, the hand geometry devices were found to be quite reliable and surprisingly accurate (these are now in use in the San Francisco airport). The voice recognition devices were found to be the least reliable, but they have the nice feature that the measurements can be taken remotely using only a telephone or microphone. In general, none were found to be accurate enough to be used alone in high security applications. This is a rapidly evolving technological area, and new methods can be expected to be developed in the future. Sandia expects to continue testing devices as they become available.
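The tradeoff between false rejection and false acceptance described above can be seen by sweeping the acceptance threshold over a set of match scores. This is an added example, not part of the original text: the scores are constructed for illustration (they are not Sandia's measurements), and the function names and threshold grid are assumptions.

```python
"""Sweep a match-score threshold and report false rejection / false acceptance rates."""

# Constructed similarity scores in [0, 1]; higher means closer to the enrolled template.
GENUINE = [0.91, 0.88, 0.96, 0.72, 0.83, 0.79, 0.97, 0.66, 0.92, 0.86]   # legitimate users
IMPOSTOR = [0.31, 0.44, 0.52, 0.28, 0.61, 0.68, 0.39, 0.76, 0.48, 0.22]  # illegitimate users


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) when an attempt is accepted if score >= threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)     # legitimate users rejected
    far = sum(s >= threshold for s in impostor) / len(impostor)  # illegitimate users admitted
    return frr, far


def sweep(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """Return a list of (threshold, FRR, FAR) rows, one per threshold."""
    return [(t, *error_rates(t, genuine, impostor)) for t in thresholds]


def closest_to_equal_error(rows):
    """Row where FRR and FAR are closest: a common single-number operating point."""
    return min(rows, key=lambda r: (abs(r[1] - r[2]), r[0]))


def lowest_threshold_for_far(rows, max_far):
    """Least strict threshold that keeps FAR within max_far, or None if none does."""
    ok = [r for r in rows if r[2] <= max_far]
    return min(ok, key=lambda r: r[0]) if ok else None


if __name__ == "__main__":
    rows = sweep([i / 20 for i in range(4, 20)])  # thresholds 0.20 .. 0.95
    for t, frr, far in rows:
        print(f"threshold={t:.2f}  FRR={frr:4.0%}  FAR={far:4.0%}")
    t, frr, far = closest_to_equal_error(rows)
    print(f"closest to equal error: threshold={t:.2f} FRR={frr:.0%} FAR={far:.0%}")
    # A high-security setting that admits no impostor in this sample pays for it in FRR.
    t, frr, far = lowest_threshold_for_far(rows, max_far=0.0)
    print(f"FAR=0 needs threshold>={t:.2f}, at the cost of FRR={frr:.0%}")
```

On this sample, raising the threshold far enough to admit no impostor rejects a substantial share of legitimate attempts, which is the practical reason such a device is paired with a second factor rather than used alone.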

From a security standpoint, some forms of biometric identification suffer from one of the major problems with passwords: they can be vulnerable to replay attacks. If an adversary records your voice, then they can later use it to impersonate you unless the system is designed to counter this (for example, with a challenge-response protocol 3.1).


Kevin S. McCurley
Sat Mar 11 16:00:15 MST 1995