BIOIDENTIFICATION Frequently Asked Questions Last Change: 2010-08-07
Fingerprint	Deutsch English   Biometrics Fingerprint

Three types of features are available for biometric identification:

• Coarse features (loops, arch, whorls, ...)
• Fine features (minutia)
• Pore structure

Coarse features have strong genotypic contributions and are suited for presorting during an identification with a very large data base.  The minutia are predominantly randotypic in nature and cause most of the uniqueness in a fingerprint.  Therefore, either directly or indirectly (in picture correlation procedures), almost all fingerprint systems examine minutia.  Pore structure is seldom used, due to large fluctuations in the quality of the scanning procedure.

In principle, yes.  Indeed, individual fingers can be damaged permanently (e.g. with rare skin diseases) or temporarily (e.g., dirty or worn down from abrasion), which can hinder or render impossible the recording and analysis of a fingerprint. Even rare genetic disorders such as dermatopathia pigmentosa reticularis are known which may already prevent the formation of finger- and footprints. With good sensors and analysis software, the failure to enroll rate is around 5% for everyone.  If office workers are exclusively considered, the failure to enroll rate falls to under 1%.

Static capacitive Type 1

Static capacitive Type 2

Dynamic capacitive

Luminescent capacitive

Optical reflexive

Optical scattering

Optical transmissive with fiber optic plate

Optical contactless

Acoustic (ultrasound)

Pressure sensitive

Thermal line

Capacitive and optical line

All fingerprint sensors try to generate a digital picture of the finger surface.  This picture normally has a pixel resolution of 500 dpi.  The picture generation can be different for every type of sensor.

Static Capacitive Sensor Type 1

Here, one electrode is responsible for each pixel and measures the capacity compared to the neighbor electrode/pixel (inter pixel measurement).  The capacity, in turn, is dependent on the dielectric.  If a pixel is on a groove (i.e. air), the capacity is substantially smaller than on a finger line (ridge).  In this case, the dielectric is water, which is distinguished by a very high dielectric constant.  The measurement of capacity is static in the sense that charging happens with fixed charge units and then voltage is measured. Practical systems are always a mix of type 1 and type 2.

Static Capacitive Sensor Type 2

Also here one electrode per pixel is used, but the capacity is measured between pixel and ground, whereby the conductivity of the fingers does not play an insignificant role.  The capacity measurement is in principle the same as in type 1. Practical systems are always a mix between type 1 and type 2.

Dynamic Capacitive Sensor

Here the capacity is measured by AC voltage.  Inter pixel and pixel to ground measures can also be used here.

Luminescent Capacitive Sensor

An electroluminescent foil with a transparent back electrode uses the finger at its front side as counter electrode. At the points where the finger ridges touch the foil surface, the field strength is largest, and, as a result, the light emission brightest. That way a glowing image of the ridge structure develops at the back side of the foil. This image may be acquired by a image sensor chip.

Optical Reflexive Sensor

The finger lies on a prism surface for example.  Where the finger ridges touch the glass, a total reflection of light inside of the glass is disturbed.  This will supply a picture of the finger lines to a camera chip.

Optical scattering Sensor

Similar to the optical reflexive sensor the finger touches one surface of the prism. However, due to a changed light guidance and camera chip placement only the light scattered by the contacting finger ridges is received by the camera while all other light is absorbed by passing through the glass surface instead of being totally reflected. This way, a, inverse image with bright finger ridges and dark valleys is created.

Optical Transmissive Sensors with fiber optical plate

Here a suitable light source illuminates through the finger.  The finger lies directly on a fiber optical plate, which, in turn is directly connected to a camera chip.  The fiber optical plate ensures that the finger does not touch the camera chip, nevertheless the light arrives at the camera chip without losing focus.

Optical Contactless Sensor

The finger surface is directly acquired by a camera chip. The fingerprint area needs no contact to a plate.

Acoustic (Ultrasound) Sensors

Here a picture of the finger surface on the glass is recorded by very high frequency ultrasound (e.g., 50 MHz).

Pressure Sensitive Sensors

With pressure sensors, the pressure per pixel of the finger is measured.

Thermal Line Sensors

With these sensors, the finger is moved linearly over a narrow array of thermal sensors, similar to sensors for opening automatic doors on a larger scale.  The thermal sensors register temperature differences over time, which vary between the finger lines and grooves.

Capacitive and Optical Line Sensors

These sensor arrays work similar to thermal line sensors. Instead of temperature differences of time, the single sensors cells measure the capacity or the light, respectively, to build the image.

This question unfortunately offers no definitive answer, as every application has different requirements and each type of sensor has its specific advantages and disadvantages.  The following criteria can assist in reaching an answer:

• Costs
• Degree of maturity
• Image quality in sub optimal conditions
• indoor/outdoor
• personal/public use
• normal/abnormal fingers
• dry/moist fingers
• Size
• Sensitivity against vandalism
• Temperature resistance
• Sensitivity against forgery
• ESD (electrostatic discharge) sensitivity

How do stripe and area sensors differ in practice?

With area sensors, the finger to be recognized has to be placed on the sensor statically while for merchantable stripe sensors, also known as strip, swipe, or slide sensors, the same finger area has to be moved (swiped) actively over the sensor stripe.

• Since semiconductor stripe sensors need significantly less sensor cells than area sensors, their chip area and hence their price can be correspondingly lower.
• Although state-of-the-art stripe sensors are insensitive to slow, fast, or uneven finger motion, more training is needed than for area sensor to reach familiar low false rejection rates. For that reason, stripe sensors are recommended for applications with regular sensor use.
• Most area sensors allow a faster authentication as stripe sensors, if the whole process is considered.
• Due to their functional principle, stripe sensors are unsusceptible to latent image attacks and thus don't need software countermeasures which may increase false rejection rate.
• Area sensors generally have a lower current consumption than stripe sensors due to their significantly lower reading speed.
• Together with a suitable mechanical finger guide, stripe sensors, in comparison to area sensors, require a higher spoofing effort for attacks based on mechanical fingerprint copies.
• Stripe sensors expect an active cooperation of the user. In certain applications this may reduce the danger of accidental authentications, e.g., by unintentionally touching the sensor.
• Because of their low space requirement, stripe sensors are especially suited to very small devices.
• Stripe sensors are self-cleaning to a higher extent than area sensors.

The decision whether the properties of a sensor type are favorable or unfavorable thus mostly depends on the requirements of a dedicated application. As a result, it cannot be fixed globally. As a rule, one may assume that swipe sensors rather offer security while area sensors tend to ease of use.

The finger should be clean (free of sticky residue and grease), and depending on the sensor, should not be too damp or too dry (breathe on it!).  The finger should always be applied on the sensor in the same manner (same position, same direction) and with uniform pressure  (e.g., avoid pressing while twisting). The more finger area the sensor "sees", the better (i.e., don't use the finger tip!).

With older stripe sensors swipe the finger even and consistently over the sensor with the correct speed (try it!) without lifting your finger.

Especially stripe sensors need some practice. For that reason it may pay to repeat enrolment. If the enrolment was insufficient, normal recognition cannot be optimal!

If a wound is not too deep, the finger lines will fully regenerate to their original state.  Deep cuts leave line forming scars, and should be recognized as such by good identification algorithms, thereby barely impairing the identification performance.  Most systems offer the possibility to record a "substitute finger" in enrollment, so that a fingerprint authentication can still take place during the healing process.

Yes. Almost all biometric features can be copied at varying expense.  Fingerprints can be copied in the form of data sets, paper prints, wax molds, etc.  It is possible with criminal technical methods to observe, analyze, and copy latent fingerprints unwittingly left behind on beer glasses or door handles. One of the oldest descriptions of a high tech copy procedure has been given in a novel from R. Austin Freeman [Freeman]: Take a plate of chromate gelatin, expose this plate with the slide of the fingerprint and wash out the surface. Thereby those locations which have not been hardened by light are removed, thus leaving a fingerprint relief. Whether the copy is recognized as such or is accepted as the original depends on the fingerprint sensor and the analysis algorithm.  Ultimately, however, the specific use dictates whether copying is worth while at all and whether it can be harmful.  In most applications, it helps very little if a forger can make an exact copy of his own finger.  From optimized protection systems, one can expect that a copy will cause no damage.

It is relatively easy and inexpensive to copy the own fingerprint (may be compared with the manufacturing of a duplicate key). This may be done in the form of a rubber stamp which may be delivered by a stamp manufacturer on the basis of an electronic fingerprint template. Mechanical copies require as interim step a negative. Paper copies are made using a stamp pad. Copies from the own finger are a risk for systems for which the feint of an authentication by a complice can result in a damage (e.g., attendance system: feint of attendance by abandoning a suitable fingerprint copy to a colleague).

Much more complicated is the manufacturing of a finger image copy from a non-cooperative person (feature theft). Here one has to get access to a fitting fingerprint of the foreign person. One way is to find latent fingerprints. However, latent prints often

• are difficult to find
• have a quality which in fact allow a dactyloscopic analysis, but which are inapplicable to electronic fingerprint verification systems
• belong to the wrong finger
• show the false area
• cannot be gathered without leaving significant traces (e.g., graphite powder)

In security considerations often (but misleadingly) "cooperative victims" are supposed. To acquire the own latent print or that of a conscious contributor is relatively easy. It depends from the assurance requirement of an application whether a fingerprint authentication system must be able to distinguish between copied prints and authentic prints or if the fingerprint may be considered as a secret.

Compromisation here signifies the stealing of a fingerprint's data set which is subsequently misused.  When an application is based on keeping a fingerprint secret, it can naturally have serious consequences, as every finger is one of a kind, but (unlike a password) is not changeable.  Fingers previously compromised can eventually no longer be used.

No, provided that the system is soundly laid out.  A system's release of its own fingerprints is not a problem, when for example the application does not receive a fingerprint data set from just anywhere, instead the data can arrive exclusively via the sensor which is secure.  Appropriate measures can be added to the sensor to reject mechanical fingerprint copies from a released data set, e.g., through a liveness detection.
A personal pass provides a nice example for the possibility of reliable verification even for public biometric characteristics (here the face).  It suffices if the personal pass is forgery proof, i.e. forgeries are relatively easy to recognize.

The possibility to copy is no problem in many applications, because of high cost, long processing time, or because registered users can control access themselves (fingerprint mobile phone, gun trigger safety).  In high-security applications, extra measures have to be taken, to ensure that the authorized user's real fingerprint is used.  Here are a few examples:

• Addition of extra biometric features including prints of additional fingers to increase forgery expense
• Fake detection by checking material and structure of finger tissue
• Liveness detection as protection against simple copies
• measuring of levels of blood oxygen by determining the hemoglobin concentration based on the varying absorption of infrared light wavelengths.
• testing the finger reaction to sensor stimuli
• temperature measurements
• skin resistance measures
• pulse measures
• blood flow measure
• Limiting the size of analysis area

The area of analysis is limited to a special part of the fingerprint, in order to ensure that remnants of fingerprints left behind by chance cannot be processed and misused. The probability then that the copied fingerprint matches this small part is minimal.  This technique presumes that the finger can be repeatedly accurately positioned (e.g., with a finger guide) and that the number of authentication trials is limited.
• Use of a fingerprint smart card

If the entire fingerprint processing, including the sensor and feature storage, is combined with a unique key pair (consisting of private and public keys), one obtains a unique combination of property, secret knowledge and biometrics, which can identify a user for any application or service.  A forgery requires that the card falls into the wrong hands.  In this case, the unchangeable key on the card can be blocked in the application.  The card is then useless to the forger.  If lost, the user must obtain a new card containing a new unique key, save the fingerprint again, and re-register for all applications and services.  Of course one can avoid this process by simply having a back-up card with different keys.

No.  In practice, forgers must overcome further hurdles beyond the biometric authentication.  The following examples should illustrate:

• At home, one uses fingerprint authentication for access to the internet, so remembering or writing down a password is not necessary.  A burglar will not have enough time to copy the appropriate finger.  Naturally, he could take the entire PC including the authentication setting mode, and at his leisure make copies of the collected fingerprints (although searching for passwords would be much easier).  In the meantime, however, the victim would notice the theft and change the password for internet access activated by fingerprint.
• Again, take the case of fingerprint authentication for internet access.  Further family members could gain access to an online account (e.g., a bank) via a finger copy.  "Unfortunately" all transactions are documented and the foul play would be discovered, rendering this type of unauthorized access not worth while.  Essentially more critical would be the stealing a password, because access to an account would be possible from computers other than the home PC, increasing the number of possible perpetrators.

Successively recorded fingerprints are never identical, rather are at best highly 'similar' due to differences in finger position, application pressure, finger angle, dirtiness, and the physiological constitution of the user.  The measure of similarity is given a score.  The higher this score, the more similar the fingerprint, and vice versa.  During the matching process in minutia based systems, one tries to minimize the influence of positioning and angle discrepancy, and incidentally size variations (in order to calculate out the effects of growth until around 18 years).  The actual picture is adjusted and rotated with respect to the reference picture until the distance between minutia is minimized.  The resulting similarity score, then depends on the following:

• Number of minutia in agreement
• Exactness of the positioning agreement
• Degree of agreement of the minutia directions
• Type of minutia agreement (line ending versus branching)
• All values will be weighted with the picture quality near a minutia

Basically one can say that few, but very strongly matching minutia can receive a similar score as a case with many, but weakly matching minutia.

In China since at least 700 AD, fingerprints were used to officially certify contracts.  In Europe in 1858, fingerprint use in fighting crime was proposed and was implemented in Germany in 1903.  [Heindl 1922, pps. 1-108]

There are two extreme cases:

1. All N (N<11) fingers must be recognized
2. For N>1, at least 1 Finger must be recognized

In Case 1, the false acceptance rate FAR improves (provided that the fingers n (0 < n < N+1) are statistically independent) according to:
 

FAR = FAR1FAR2FAR3···FARN

where FARn is the FAR of finger n

 

=>

FAR = FAR1N

if all FARn equal FAR1

while the false rejection rate gets worse:
 

FRR = 1 - (1 - FRR1)(1 - FRR2)(1 - FRR3)···(1 - FRRN)

 

=>

FRR = 1 - (1 - FRR1)N

if all FRRn equal FRR1

 

=>

FRR ~  N·FRR1

if additionally N·FRR1 << 1

In Case 2 it is exactly the opposite:
 

FAR = 1 - (1 - FAR1)(1 - FAR2)(1 - FAR3)···(1 - FARN)

 

=>

FAR = 1 - (1 - FAR1)N

if all FARn equal FAR1, n = 2,...,N

 

=>

FAR ~  N·FAR1

if additionally N·FAR1 << 1

and for the FRR:
 

FRR = FRR1FRR2FRR3···FRRN

 

=>

FRR = FRR1N

if all FRRn equal FRR1, n = 2,...,N

Note that the assumption of statistic independence appears justifiable based on the hypothesis of uniqueness. Imperfections such as a dirty finger generally, however, often coincide with other fingers, so that a certain statistical dependence cannot be avoided.  For the Case 2, this means a reduced improvement of FRR.  Furthermore, in practice it is rare that the performance data FAR and FRR are the same for every finger n.

Cases 1 and 2 are extreme cases.  With suitable systems, the information fusion allows 'intermediate levels' to exist.  In principle, every set recognition threshold should have a way, which by combining multiple fingerprints makes a simultaneous improvement of FAR and FRR possible.

The uniqueness of a fingerprint is a working hypothesis which in the mathematical sense is difficult (if not impossible) to prove.  The opposite is more provable, namely finding two identical fingers.  Until now, no two fingerprints from different fingers have been found which are identical. This holds true even for identical twins, between right and left fingers and can be anticipated also for clones.

In a scientific sense, the term uniqueness has to be replaced by the probability to find two identical fingerprints from different fingers. This probability may be determined empirically by comparing all fingerprints of a forensic data base against each other. For example, if such a collection contains 100 million fingerprints, a probability of nearly 10^-14 should be provable (due to inter-dependencies this probability is assumed to be higher but should lie below 10^-6). However, such a large trial has not yet been undertaken until today. Furthermore, the probability for misnaming fingerprints (fingerprints from the same person/finger are filed under different names) is supposed to be much higher. This experience is well known from experiments with much smaller collections. As a result, the outcome of such a trial may become quite questionable.

A scientific investigation of the individuality of fingerprints has been published by [Pankant et al. 2001].

Minutiae are the endings and the branchings of the finger lines.  Because these follow a strong random pattern, they are the carriers of "uniqueness".

• PC access
• PC network access (internet, intranet, ...)
• Access to rooms (key replacement)
• Safety on weapons: no access for children and other unauthorized users
• Mobile phones: network access, theft protection, mobile financial transactions, ...
• ID: company pass, personal identification, club ID, ...
• Credit cards, bank cards, EC cards
• Automobile: Seats, mirrors, temperature, and other personal settings
• Automation of hotels (e.g., check-in and room access)
• Company vending machines (soft drinks, ...)
• Participation in sporting events
• Memberships (discotheques, tanning salons, slot machines, video stores, ...)
• Personal access to patient records
• ...

In principle, every finger is suitable to give prints for authentication purposes.  However, there are differences between the 10 fingers, which are expressed in different performance for FAR, FRR and FTE.  These differences are based on:

• different finger qualities (use, moisture, ...)
• different sizes
• different ergonomics (e.g., systems ergonomically optimized for the thumb are only usable by other fingers with contortion)

whereby the type of sensor also reacts in specific ways to these differences.  In most cases one can assume that the index finger obtains the best performance regarding FAR and FRR.

The size of a fingerprint generally determines the cost of a fingerprint sensor, the size of the reference trait's saved data file, and last but not least, the processing time.  Therefore it can be advantageous to process only part of the fingerprint.  But how does this reduction affect performance?

A rough estimation is possible, if one simply assumes that different areas of the fingerprint are statistically independent of each other with respect to the analyzed features. In this case, the same treatment as for multiple fingers applies, only that the number of fingers is replaced by a size factor.  Also here, the two same extreme cases are treated, whereby the "conjunctions" AND or OR depend on the algorithms used and thus generally lie outside of the area of influence of the system integrator.  In principle however, a reduction in the area of a fingerprint results in a reduction of overall performance.  (This treatment does not apply for different prints from different fingers.  Here, by all means, smaller fingerprints may achieve better performance than large fingerprints!)

Modern cost effective fingerprint sensors are generally smaller than a complete fingerprint, and therefore process only part of the fingerprint. Suitable mechanical finger guides nevertheless may lead to a good recognition performance. A good finger guide has the following characteristics:

• it will always record nearly the same part of the fingerprint
• it is suitable for both large and small fingers
• it also works with long fingernails
• it is comfortable
• it ensures that the fingers covers the entire sensor surface
• users can intuitively and correctly use it
• it allows use with all fingers from both the right and left hand
• it makes the application of fingerprint fakes more difficult

If the fingerprint recognition is a part of a security concept, one has to expect specialized attacks. The application determines quality and quantity of the security requirement. The bandwidth extends from sole convenience applications up to high security applications with its corresponding high potential of damage. But even with the same potential of damage, not every kind of attack is evenly meaningful. Therefore, for each application scenario the expected attacks and their probability has to be determined to be able to find out which is the expense for countermeasures against each kind of attack.

Another procedure may become inevitable, if a planned security concept turns out to be impracticable for a certain application. This concerns questions like "identification or verification", "local or central reference data bases", employment of chipcard with or without cryptoprocessor, or public versus non-public access to the fingerprint system. By a suitable choice of the security concept the requirements for the protection of the biometric component sometimes may be reduced considerably. In other cases, the result of the security analysis may directly lead the way to other biometric features than fingerprint!

The following list compiles the most important attacks to biometric security components. It depends on the actual application, against which attacks security measures are necessary.

Brute force attack

A brute force attack is an attack which offers a large number of different biometric features to the authentication system, anticipating a coincidence with the stored reference feature. The probability for success is given by the False Acceptance Rate (FAR). Note that the number of references in an identification system greatly influences the FAR!

When specifying an FAR for fingerprint systems, it should be taken into consideration that every non-authorized person has ten fingers with completely different features. Ten trials with different fingerprints will increase the probability for a false acceptance by nearly a factor of 10!

Latent print attacks

In fingerprint systems, a latent print recognition is necessary, depending upon the sensor type. This is because traces from the last fingerprint remain on the sensor and may be activated, e.g., by breathing upon the sensor surface. There are several measures against latent print acceptance available. Q.v. "How dangerous are latent prints on the sensor?".

Replay attacks

Depending on application and mechanical realization, replay attacks between sensor and processing unit may pose problems or not. An USB sensing device, e.g., needs special USB equipment to carry out replay attacks, however most attacks may be blocked by software which is able to detect succeeding features which differ too little. In office applications, replay attacks are much more difficult to perform than via keyboard when using passwords.

Trojan horse attacks

Theoretically, trojan horses may serve to perform replay attacks or to change the security adjustments of the PC's registry without user perception. This has to be prevented by up-to-date virus scanners. A better method is to perform all biometric processing in a separate hardware outside the PC.

Fake feature attacks

In biometric systems, it might be possible to make mechanical copies of the feature to fool the sensor device (spoofing). While a liveness detection is suited to prevent attacks from dead body parts, a fake feature detection generally has to be much more sophisticated.

Dead feature attacks

In biometric systems, it might be possible to obtain a positive identification with cut or dead body parts. If the application is susceptible to such attacks, a liveness detection will help. Examples are optical blood oxygen measurement or measurement of the response to controlled stimulation.

Hill climbing attacks

To prevent hill climbing attacks, the score values must not be shown to the user (at least in too fine intervals). [Soutar 2002]

Software leaks

The most relevant security risk when designing security systems is that erroneous code or system faults may open security holes. This has to be prevented by extensive testing by security experts.

Use of force

An authorized person can forced to carry out an authentication with his own features to grant access to another person. Even the state of unconsciousness may be abused for that purpose.

Other attacks

All interfaces within the whole system have to be secured, if necessary. The reference archive has to be protected against manipulation.

Unknown attacks

It is most unlikely that all possible kind of attacks are known in advance.

In test reports about fingerprint sensor devices occasionally is criticized that residuals of the fingerprint of an authorized person remaining on the sensor might be activated by an attacker to gain unauthorized access (e.g., by breathing on the sensor). This effect indeed can be demonstrated with a couple of sensor types (e.g., capacitive and optical surface sensors). However, this effect requires the sensor to be clean or cleansed (which is often not even notified by the testers!). Touching the sensor surface several times degrades the quality of the latent prints in such a way that a false acceptance becomes very unlikely. Since in practice a cleaning of the sensor is hardly ever necessary, latent prints on a sensor are a much smaller risk than generally supposed.

The remaining risk might be further reduced by software, if fingerprints are refused whose position coincide too much with the last positively verified fingerprint. This may be attained by storing the position coordinates. Precondition for this method to work is, however, that the authorized person only touches the sensor if an authentication is requested. If the authorized person leaves a latent print on an inactive (and cleansed!) sensor, this way of latent print detection has no chance!

A further software method to prevent reactivations of latent prints, is to slightly shift the finger during authentication such that a double recognition becomes possible at different sensor coordinates.

Text