Why authentication expertise matters when selecting a biometric security vendor
The majority of biometrics vendors today concentrate on law enforcement, surveillance and forensic applications. Is such a vendor the best choice when it comes to authentication applications, such as virtual and physical access control or transaction authorization? To answer that question, we need to understand what these applications have in common and how they differ.
All of these applications share some characteristics. They all need capture of biometric information in order to compare it with information from one or more previously captured samples. They all are typically implemented in large scale with high performance requirements. And they all require a fair degree of accuracy. However, there are some very important differences between the two groups of applications.
Comparison biometric authentication vs. law enforcement applications
Law enforcement applications of biometrics fall into two major categories: surveillance / forensics and guided capture. The conditions under which these applications are used have a profound impact on system design and optimization:
Authentication | Surveillance / Forensics | Guided capture | |
---|---|---|---|
Typical Applications | Login, physical access control | Watchlist screening, suspect identification | Mug shots |
Typical user | Cooperative, unsupervised | Uncooperative, unsupervised | Cooperative, supervised |
Sample quality | Moderate (wide range) | Poor | Excellent |
Recognition form | Verification (1:1) | Identification (1:N) | Identification (1:N) |
Liveness detection | Required | Not applicable | Not applicable |
Privacy | High priority | Low priority | Low priority |
Accuracy
Authentication solutions are designed primarily for authentication of cooperative users for virtual (online and mobile) as well as physical access control. Law enforcement and surveillance applications, on the other hand, typically include large-scale identification such as watch list surveillance, forensics and suspect identification. These two types of applications see significant differences in environment and user behavior, which in turn affect image quality, and naturally each solution is optimized for its respective conditions and requirements.
In particular, in law enforcement applications the subject often does not want to be recognized. There are two main scenarios:
- Surveillance / forensics (e.g. surveillance cameras, latent fingerprints): the subject is either not aware that biometrics are being captured or does not want to be identified, resulting in poor-quality samples (e.g. partial face, poor lighting)
- Guided capture (e.g. mug shots): the subject is supervised in controlled conditions, leading to very high-quality samples
In authentication applications, on the other hand, the user wants to be recognized in order to gain access and so has an incentive to present a good sample, but image quality can vary widely due to lighting and other factors.
Furthermore, accuracy requirements are not the same. In law enforcement a false match may result in some extra investigative efforts or inconvenience but rarely has serious consequences. In authentication, on the other hand, a false match can mean that an attacker gets access to sensitive systems and confidential data.
These factors greatly impact the accuracy, image quality and variability for which the system should be optimized, and thus the issues on which a vendor focuses development efforts.
Liveness detection
In authentication applications the user is typically not supervised and so the system must be able to detect and block fraud. In the case of face recognition, for example, an attacker may use photos or recordings of the authorized user. A number of techniques collectively known as liveness detection are used to block such attempts and ensure the samples are taken from a live user. With most services moving online, liveness detection or presentation attack detection (PAD) gains more and more attention: How are automated systems supposed to guarantee user presence?
Since photo / video fakes are not really an issue when the subject is either unaware or supervised, it is understandable that biometric vendors focused on law enforcement and surveillance have not concentrated on liveness detection. However, this technology is essential to an unsupervised virtual or physical access control system, so biometric authentication vendors put great effort into developing a reliable and robust liveness detection. As discussed on our site for liveness detection several techniques are possible, such as the following for face recognition:
- Capturing multiple face images and checking for changes and natural motion: 3D motion analysis
- Guiding the user to turn their head a certain way & verifying that the head was turned as specified
- Analyzing texture of the presented face: An artefact or display is automatically rejected due to it’s skin unlike texture
Privacy
Finally, law enforcement applications typically use a central biometric database controlled by the authorities. Because the main purpose is to recognize a person’s legal identity, the biometric data must be linked to a name and other personally identifiable information (PII); privacy takes a back seat to security.
In most enterprise and consumer authentication applications, on the other hand, privacy is key. Biometric authentication technologies should be designed with privacy first. Some vendors handle this by keeping the biometric data on the end user’s device. Other authentication vendors concentrate on a robust security architecture to protect centrally stored user data. At BioID, in addition to following industry best practices for secure transmission and storage of data, biometric data is transmitted and stored anonymously with no personally identifiable information (PII), only an anonymous identifier generated by BioID. We never receive any PII other than biometrics, so we never know who is being recognized. No photos are stored, only a template – an irreversible mathematical representation from which a photo cannot be reverse engineered. For more information, take a look at our biometric data handling.
In biometrics, authentication expertise matters!
Clearly, different biometric applications have different requirements, especially regarding accuracy and system optimization, fraud handling and liveness detection, and data privacy. As a result, when selecting a vendor for biometric authentication it is important to choose one who specializes in authentication. This way it is ensured that the special requirements of authentication applications can be met. Most importantly, authentication providers have to stand out with balancing user experience, security and privacy for unsupervised authentication applications. In times of a constantly growing number of identity thefts and fraud, strong & reliable liveness detection finally is the key for choosing a biometric authentication vendor.
Contact
Ann-Kathrin Schmitt
+49 911 9999 898 0
press@bioid.com