Q. What is authentication, identification, and verification?

Here we define authentication as the process of determining the identity of a person and confirming his or her authenticity. In multi-user systems, authentication regularly accomplishes an identification and a verification. The identification part confirms that the identity, usually given by a unique identifier such as a user name, is known to the system. If identification was successful, in a next step the identity is verified using a verifier such as something like a secret, shared between the person to be authenticated and the authenticating system. Usually, identifiers are considered as public whereas verifiers are secrets like a key pattern or a password. Authentication often is combined with authorization. Authorization is the process of assigning certain rights or permissions to a person.

Q. What is biometric authentication?

Authentication may take advantage of biometrics by using a biometric characteristic as identifier or as verifier. When using biometrics as an identifier, uniqueness (very low FAR) is an essential requirement especially for large user numbers. When using biometrics as a verifier, the biometric characteristic may be either viewed as a secret or as public. In the latter case, it is essential that a fake detection is provided against mechanical copies of the biometric characteristic.

Q. What are the fundamental methods of authentication?

Biometrics "Who I am"
Biometrics uses nature's oldest system to identify people -- via unforgettable and unchanging physical characteristics. From time immemorial, humans have had to perform recognition tasks themselves. Today, technology is advanced enough to assist us or even relieve us of recognition tasks.
Secret Knowledge "What I know"
Here authentication takes the form of secret PINs and passwords, which the user has to keep track of. The person to be authenticated has to share the secret knowledge with the authenticator. Previously, this was the simplest method of authentication for machines. Secret knowledge can be applied also where several persons have to be authenticated in a simple way without distinction.
Personal Possession "What I have"
Examples for authentication are having a key, ID card, passport (with or without a chip), or more generally a token, which allows entrance, for example, into a private room. Essential for this method is the existence of secret features which are to be shared between token and the authenticator (or at least the inability to get the token copied combined with a copy detection).

Q. Combination Systems

For security reasons, often two or all three of the above methods are combined, e.g., a bank card with a PIN. Only combined systems are able to fulfill the requirements of "strong" authentication.

Q. What are the advantages of biometric systems for authentication?

Advancing automation and the development of new technological systems, such as the internet and cellular phones, have led users to more frequent use of technical means rather than human beings in receiving authentication. Personal identification has taken the form of secret passwords and PINs. Everyday examples requiring a password include the ATM, the cellular phone, or internet access on a personal computer. In order that a password cannot be guessed, it should be as long as possible, not appear in a dictionary, and include special symbols such as +, -, & percnt;, or #. Moreover, for security purposes, a password should never be written down, never be given to another person, and should be changed at least every three months. When one considers that many people today need up to 30 passwords, most of which are rarely used, and that the expense and annoyance of a forgotten password is enormous, it is clear that users are forced to sacrifice security due to memory limitations. While the password is very machine friendly, it is far from user-friendly.

There is a solution that returns to the ways of nature. In order to identify an individual, humans differentiate between physical characteristics such as facial structure or sound of the voice. Biometrics, as the science of measuring and compiling distinguishing physical characteristics, now recognizes many further features as ideal for the definite identification of even an identical twin. Examples include a fingerprint, the iris, and vein structure. In order to perform recognition tasks at the level of the human brain (assuming that the brain would only use one single biometric characteristic), 100 million computations per second are required. Only recently have standard PCs reached this speed, and at the same time, the sensors required to measure characteristics are becoming cheaper and cheaper. Therefore, the time has come to complement the password with a more user friendly solution - biometric authentication.

Q. What are the characteristics of the various authentication methods?

Secret Knowledge

Personal Possession

Biometrics

Examples

Password, PIN

Key, ID card/ pass

Fingerprint, Face, DNA

Copied

"Software"

easy to very difficult*

easy to difficult*

Lost

"forgotten"

easy

very difficult

Stolen

spied

possible

difficult

Circulated

easy

easy

easy to difficult

Changed

easy

easy

easy to very difficult

* also depends on the quality of a copy detection within the authenticator

Q. What is the difference between biometric identification and biometric verification?

  • In a biometric identification, the recognition biometric features are compared to many or all biometric references stored in the system.
  • In a biometric verification, the recognition biometric features are only compared to one biometric reference stored in the system.
  • If a system has only one saved biometric reference, identification is similar to verification. Otherwise, biometric verification is a limit case of biometric identification.

Q. What are the advantages of biometric verification over biometric identification?

  • Biometric verification is much faster than biometric identification when the number of biometric references is very high.
  • Biometric verification shows a better biometric performance than biometric identification when the number of biometric references is very high.

Q. What is the difference between positive and negative identification?

In a positive identification the user is interested to be identified, in the negative case the user tries to avoid successful identification. For example, the thief is not interested in being identified by comparing the latent prints from the scene of crime with his fingerprints. This is a negative identification. If I am authorized to get access to my office, I am strongly interested to be identified, e.g., by iris recognition. This is a positive identification.

The main impact of positive versus negative identification regards user cooperation. In the negative case the user is not willing to cooperate (even if he is "innocent") at the stage of feature acquisition. Therefore, a negative identification often needs observation. Even the sensor may be affected by the type of identification: For example, negative fingerprint identification needs full size sensors and ten-print treatment at least for the enrolment process.

Q. What are the main uses of biometric identification and biometric verification?

Fighting Crime Comparing evidence from a crime scene with previously or subsequently recorded biometric data Examples: fingerprint, DNA Security
  • Authentication for computer, network, and physical access and rights management
  • Example: logon to PCs by user name and smartcard
Comfort
  • Identifying a person and changing personal settings accordingly
  • For example, setting the seat, mirrors, etc. in a multi-user car by facial recognition

Tags: , , ,