At the Otay Mesa, California/Mexico border crossing, a select group of drivers soon will be identified for passage based on an automated device that recognizes their faces, much as a human agent would do. Entering a dedicated lane, the driver pauses, looks into a camera, and is invited to proceed or not, as the system executes continuous facial recognition at 30 frames per second, making a decision even before the driver fully turns his or her head to face the camera. Five thousand "frequent crossers" are currently enrolled in the system, which in this evaluation period runs as an advisory to border-control agents. Ultimately, though, the automated sentry will run unattended, and may even include voice verification as well in a dual-identification mode. Continuous face recognition at border crossings is but one of a panoply of current and proposed applications for biometrics, using characteristics of the human body or behavior to identify or verify identification of individuals. Although the basic science has been around for years--for example, fingerprinting--only in the 1990s have automated devices become largely available in commercial applications. Now this one-time Hollywood scene-stealer stands poised to become a technology we encounter every day. For example:
- The Japanese Racing Assn. is now identifying some 10,000 thoroughbreds by iris recognition.
- Patrons at a bar in Ukraine reportedly can buy a drink with a PIN number verified by the geometry of their hand, which initiates a direct debit to their bank accounts.
- House-bound inmates can verify their presence by speaking a password into a phone.
- Fingerprint identification is gaining acceptance for access to computers, buildings, and welfare payments.
- Face recognition is in evaluation for access to ATM machines, as is signature-dynamics verification for financial transactions.
- Hand-geometry has found a home in time-and-attendance verification at manufacturing facilities.
- Entry into some Walt Disney facilities by season-pass holders is confirmed by finger geometry.
All biometric technologies convert some sort of input measurement into a stream of data. A software algorithm then compares the data to an original or enrollment template. For instance:
- Face recognition may evaluate the shadow pattern on the face when illuminated in a specific way or take multiple measurements at particular points around the eyes and cheekbones.
- Retina recognition looks at the pattern of light reflected off the retina.
- Iris recognition converts a picture of the flecks, crater-like circles, and halo around the iris--but not the color--into a bar code-like identifier.
- Thermal face recognition relies on the pattern of heat emanating from areas around the eyes and cheeks, as recorded by an infrared camera.
- Signature verification quantifies speed, pressure, angle-of-attack, and stroke characteristics.
- Voice verification examines tonal wave patterns, which cannot be impersonated.
Driving the growth and increasing application of biometrics is a combination of decreasing cost of the devices, increasing sophistication of the technology, development of biometrics as a peripheral to common platforms such as Windows, and action by the U.S. government. "Legislation in Congress--covering welfare reform, immigration control, and the truck-and-bus regulatory-reform act for identification of commercial drivers--is a major incentive in the growth of biometrics," says Jim Wayman, director of the Dept. of Defense's National Biometrics Test Center at San Jose State University. "Where legislation calls for use of best available technology,' the point is being interpreted as meaning biometrics. For instance, twenty-some states are already actively involved in fingerprint identification for welfare eligibility." In the last seven years, the cost of basic identity-verification devices has dropped 70%, according to primary research by CardTech/SecurTech Inc., Bethesda, Md., biometrics-industry consultants and sponsors of one of the industry's leading trade shows. In 1990 the average end-user price for a standalone physical security device used for identity verification [fingerprint, hand geometry, voice verification], without installation, was $5,100," says Ben Miller, president. "In 1996 it was $1,900, and in 1997 we estimate it was $1,600 to $1,700." Estimated units sold of all kinds of biometric devices have grown from 2,000 in 1992 to 13,500 in 1997, with 1999 estimated at 50,000, according to the group. Fingerprint biometrics received a shot in the arm in 1997 with the introduction of a stamp-sized fingerprint reader on a chip by Veridicom Inc., Santa Clara, Calif. The chip and software should ship for about $300 and could drop as low as $100, says CEO Tom Rowley. "The holy grail of fingerprint biometrics has been about $50," says Wayman. "Once you get the price down low enough, people will find ways and reasons to use it." For instance, fingerprint verification could easily be built into keyboards, mouses, and laptops. Even now Oracle Corp. is shipping a version of its Oracle 7 database equipped with a fingerprint ID system. The question of biometrics performance is one of the trickiest to answer. Results in pristine, highly controlled laboratory evaluations can vary considerably from real-life results, where users bring dirt and grime to fingerprint readers and fragile fingerprints themselves can be altered by cuts, scrapes, even guitar playing. Outdoors, shadows, moisture/dryness, and ambient noise can affect fingerprint, face recognition, and voice verification, while stress can affect signatures, which tend to change over time. "Anytime you are not in an office, in a hostile environment as far as biometrics goes, and that has the potential to affect performance considerably," says Wayman. Performance of all biometric devices can be tuned, however, and positions taken on either side of a compromise. For instance, when is a match a match? In signature dynamics, perhaps 100 elements of speed, pressure, and stroke elements are used to characterize an individual. Do we accept at 10 matches or 80? "For someone logging onto a home computer, we want it very natural, so we set acceptance at low levels," says Russ Davis, technical sales engineer, Communication Intelligence Corp., Redwood Shores, Calif., makers of signature-verification input devices. "For someone signing for large sums of money we would verify at very high levels." There are two basic types of errors in biometric recognition:
- A false nonmatch, where the device does not recognize you as you.
- A false match, where it accepts you as someone you are not, which is the more important factor for security reasons.
Here again, performance can be balanced to favor accuracy with one at the expense of the other. Some device manufacturers will report performance in terms of "crossover rate," that is, the point at which the false nonmatch rate equals the false match rate at certain levels of acceptance. Where the biometric algorithm to evaluate input in one method may not be as strong or the technology more affected by hostile environments, shortcomings can be overcome by device engineering. "For instance, facial recognition shows a lot of promise, but the technology is brand new," says Wayman. "To make up for inaccuracies, manufacturers do very clever system things, like store several pictures of you and compare your image to that group of images. [Or vice versa, take multiple pictures of you when requesting acceptance and compare this group to the original image, as in continuous face recognition.] Or give you three tries to get accepted. Or in fingerprint recognition, you can enroll a second finger, or biometrics can be used in combination, like face and voice together as at the Otay Mesa application." Rule of thumb
While an overall biometric performance rule of thumb is an error rate of 2%, cost, specifics of the application, and convenience will likely dictate which biometric finds a home where. "The accuracy of the biometrics . . . can be tuned to something in the area of 2%," says Joseph Attick, Visionics Corp., Jersey City, N.J., makers of the FaceIt continuous facial-recognition technology used at Otay Mesa. "At the end of the day, it's going to boil down to ease of use and compatibility issues. Is the customer comfortable putting his finger into a reader or standing in front of a camera? If you are on the phone you'll probably use voice verification, not hand geometry. It will be dictated by factors other than the basic technology." With one caveat. There is a significant difference between verification and identification. Verification--A claimant, such as in a time-and-attendance application, first enters a PIN number or swipes a card, followed by the biometric (be it fingerprint, hand geometry, voice, etc.). In effect the scenario plays out: "I am Mr. Jones. Here is my PIN number and biometric. Do they agree?" In this case the computer brings up your template and compares your biometric one-to-one with what's on file. Identification--A claimant presents his or her biometric, as in the border-crossing application, and asks: "Who am I?" The computer checks all enrolled persons, which can be thousands, looks for a match and then may say, "Aha! You are Mr. Jones. You are O.K. to pass." "Systems that can do identification are much more powerful because they don't require a PIN number or a card," says Attick. "Systems that can only do verification are limited in their usability, though they can be fine in specific applications. I would qualify them this way. Intrinsically accurate are iris, face, and finger--these are good human identifiers. Intrinsically not as accurate are hand and voice. Signature could be intrinsically high accuracy, but acquisition is the challenging problem. Also there is no clear evidence in population studies of how discriminating is the signature. For verification purposes, of course, it may be sufficient, but for identification purposes it is definitely not."