Biometric methods
The steadily increasing use of passwords and PINs is producing a steadily increasing level of user resistance to this type of identification. Few people find it particularly difficult to remember a few frequently used combinations of numbers or letters. However, if a card-specific PIN code is used only rarely, such as every two months to obtain money from a cash dispenser, most people find it difficult to remember the PIN. Matters are only made worse by the unconscious fear that the machine will confiscate the card if the PIN is entered incorrectly three times in a row. This is certainly one of the main reasons why biometric methods are finding increasing favor in many areas. They are not necessarily faster or more secure than PIN entry, but they can make things much easier for users. If the level of security provided by biometric methods is equivalent to that provided by PIN codes, system operators will also be prepared to use them. After all, biometric features cannot be transferred to another person as easily as PINs. This means that the actual person is identified, rather than a secret shared by the user and the system operator.

Basic principles
A biometric identification method is a method that can unambiguously identify a person by means of unique, individual biological features. Here a distinction can be made between physiological and behavioral features. If the features tested by the method are directly related to the person’s body and are fully independent of conscious behavior patterns, they are called physiological biometric features. Biometric methods based on behavioral features, by contrast, utilize certain features that can be consciously changed within certain limits, but that are still characteristic of a particular person. An essential aspect of biometric feature testing is the question of user acceptance. If the method used is similar to existing, well-known methods, users will be more willing to accept and use it. A typical example is a handwritten signature, which has been used for generations in almost all cultures for identification and indicating agreement or consent. Social aspects also play an important role. In many countries, fingerprinting is primarily used by the police and security forces. This could adversely affect the acceptance of biometric methods based on fingerprints. Another point that must be considered is the concerns that users may have regarding medical and hygienic aspects. For instance, users may be afraid of acquiring a disease from optical scanning of their retinas, or that the laser light will damage their eyes. Even though such fears may be fully subjective and lack any scientific basis, they can still strongly affect user behavior, and above all user acceptance of the method. Before any biometric identification method is employed, such aspects should be fully understood. There is yet another difference between biometric and knowledge-based identification methods, which can be considered to be either an advantage or a disadvantage according to one’s point of view. This is that biological features cannot be transferred to another person. 
With a system that uses biometric methods for identification, this means, for example, that it is not possible to give your card and your PIN to a trusted person who can then use the card in the intended manner. System operators naturally find such actions absolutely shocking, since revealing a PIN is prohibited in almost all systems. However, nearly everyone knows how loosely such prohibitions are observed in practice. Biometric features are usually not modifiable, which is precisely what makes them attractive for the unambiguous identification of persons. However, this non-modifiability can certainly lead to major complications if a system is compromised. In addition, this non-modifiability in combination with the fact that some biometric features can also be measured with a reasonable amount of effort and cost without the consent of the person involved can lead to serious problems. This can be clearly illustrated using our fingerprint example. Suppose the fingerprints of a person are illicitly taken by means of suitable analysis of an object that this person held in his or her hand while eating in a restaurant, and the data are then made public on the Internet so they can be copied by anyone who wants to do so and has suitable equipment. In such a situation, for the rest of this person’s life it would effectively be impossible to unambiguously identify him or her using fingerprints as a biometric feature, since it would never be possible to be sure that he or she actually produced a particular fingerprint.

Biometric features can also be classified according to the ease with which they can be acquired. The classifications that are used are ‘open’, ‘slightly concealed’, ‘concealed’ and ‘strongly concealed’. This classification relates to how easily the biometric feature can be acquired by a third party without the consent of the person in question. Open features, such as a person’s facial features, can be recorded by simple observation. An example of a slightly concealed feature is a fingerprint, which can be acquired using simple equipment without the awareness of the person in question. A significant amount of equipment is required to acquire a retinal scan, and it is practically impossible to do so without the awareness of the person in question, so retinal patterns belong to the category of concealed features. Strongly concealed features are frequently behavioral features, since in most cases they must be consciously revealed. Entering a PIN not only tests whether the user knows a secret code, it is also a legally binding equivalent of saying, ‘I consent’. This relationship is very important if some other method is to be used in place of a PIN. A test based on a retinal scan performed at a distance of three meters, which happens to not be technically possible at present, could certainly not be considered to indicate the consent of the person in question to any sort of action. In almost all countries, only an intentional manual action of the user can be interpreted as an indication of consent. For instance, breaking the seal of a cardboard box containing software is an unambiguous indication that the user agrees with the printed license conditions. Biometric methods involving fully passive testing of the person in question must therefore be augmented by appropriate user instructions together with something that provides the element of consent. Naturally, not all biological features are suitable for personal identification. 
A feature must satisfy at least the following criteria before it can be reasonably used:
– it can be measured effectively (in terms of the measuring method, time and costs)
– it must be capable of being uniquely associated with a particular individual
– it must be widely distributed within the population
– it must not be possible to alter the feature with fraudulent intent
– the amount of reference data generated must be small (a few hundred bytes to at most several thousand bytes)
– natural changes to the feature over time must be so small that correct measurement of the feature is always possible
– the measurement method and the feature must be acceptable to users.

With any type of measurement, the result is not always the same, but instead varies from instance to instance. This occurs even with the simplest measurements. For example, if you measure the length of a sheet of paper several times, each result will be slightly different. There are many reasons for this, but it does not create difficulties in practice, since the average value of the measurements will be close to the true value. Experience shows that the amount of variation among individual measurements depends on the difficulty of making the measurement. For instance, there is a significant technical difference between measuring the weight of a bar of chocolate and measuring the distance between the earth and the moon. Measurements performed on human beings are always difficult and are subject to a wide range of variation. Figure 8.6 shows an example of the results of measuring a biological feature, such as the length of a finger. The range of variation in the measurement is plotted on the horizontal axis, while the vertical axis indicates the probability of correct identification based on the measured biometric feature. With an ideal biometric feature and an ideal measurement method, there would be no variation, and the curve would be reduced to a vertical line. However, a real feature in combination with a real method results in the Gaussian ‘bell curve’ shown in the figure. If the measurement result deviates from the reference value, it is not possible to be absolutely sure that the person to be identified has been correctly recognized. Before a biological feature can be tested, the feature of the person in question must first be acquired. This can be done by making repeated measurements and computing the average value. This yields a reference value, which is then stored in the smart card. After this, the smart card can as necessary test whether an actual measurement value sent to it matches the reference value. 
Depending on the biometric method used, it may be necessary to use a powerful computer to process the actual measurement data into a form that the card can use for comparison. Since identification cannot be established with absolute certainty, a threshold level is needed in order to decide whether the person in question should be recognized as genuine. This threshold level must be set separately for each method and application. If we take our probability distribution diagram and add a curve for a second person to it, we obtain the diagram shown in Figure 8.7. The additional curve represents an arbitrary person whose measurement curve is close enough to that of the first person for it to affect the identity decision. Since both curves approach the horizontal axis asymptotically, they have an intersection point. At this point, there is an equal probability that the person being tested is genuine or not genuine. Consequently, biometric identification systems use an adjustable threshold level that marks the probability above which the identification is assumed to be correct. The threshold level shown in Figure 8.7 divides the two curves into four regions. These indicate the decision to be taken regarding the identity of the person as deduced from the biometric feature. What this diagram essentially demonstrates is that there is no such thing as absolutely positive identification. It is only possible to assume, with a high degree of probability, that the person has been correctly identified. The level of this probability can be adjusted using the threshold value.

However, in practice the threshold value cannot be set arbitrarily high, since an excessively strict criterion for correct identification produces a large number of false rejections. The two basic parameters for judging a biometric method are its false acceptance rate (FAR) and its false rejection rate (FRR). The FAR is the probability of incorrect acceptance of the wrong person, while the FRR is the probability of incorrect rejection of the right person. Naturally, these two probabilities cannot be freely chosen, since they are primarily properties of the biometric method being used and can be modified only within certain limits. In addition, the FAR and FRR are mutually dependent, since a low FRR produces a high FAR and vice versa. For the user, a high FRR means that he or she may be rejected in spite of presenting a legitimate feature, which naturally affects user acceptance of the system. The system operator wants to have not only a low FRR but also a low FAR, in order to prevent false positive identifications. PIN testing does not require complicated algorithms in the smart card, since it only involves comparing received and stored PIN values. Unfortunately, things are not this easy with biometric features. The reference value is of course stored in the card, but the comparison with the measurement in question normally cannot be performed in the card. This is due to the large amount of processing capacity needed to evaluate biometric features. Since smart cards usually do not have adequate processing capacity for this, the computer-intensive preprocessing of the measurement values is performed externally. The result is then sent to the card, which evaluates the preprocessed data using special algorithms that do not require a lot of memory or processing capacity and then makes a yes/no decision based on the stored reference value. This method is called ‘on-card matching’ or ‘matching on chip’ (MOC). 
The amount of time required for matching depends on many factors, such as the biometric method used and whether the data have been preprocessed. For example, it takes approximately two seconds to test fingerprint data in a smart card with an 8-bit processor using data that have been preprocessed in the terminal. Biometric features are personal data and thus should be appropriately protected. This represents a very good application for smart cards, since the reference data needed for testing never have to leave the card, which makes attacks significantly more difficult. However, if the reference data are stored in a non-secure environment, they can be manipulated and read as desired. In such a situation, a biometric identification method does not provide any significant benefit. The steadily increasing processing capacity of microcontrollers and the possibility of integrating sensors for biometric data acquisition into cards may allow smart cards to be used in new application areas.
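
The enrolment step and the FAR/FRR trade-off described above can be worked through numerically. The following is an added example, not taken from the original text: it models the decision threshold as a tolerance around the stored reference value, and the finger-length samples and the second person's distribution are constructed values chosen for illustration.

```python
import math
from statistics import mean, stdev

# Constructed sample data: eight enrolment measurements of a finger length (mm)
GENUINE_SAMPLES = [72.1, 71.8, 72.4, 72.0, 71.7, 72.3, 71.9, 72.2]
# Assumed measurement distribution of a second, similar person (mean, std dev)
OTHER_MU, OTHER_SIGMA = 73.5, 0.25

def normal_cdf(x, mu, sigma):
    """Cumulative probability of a Gaussian measurement distribution."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))

def enrol(samples):
    """Reference value is the average of repeated measurements."""
    return mean(samples), stdev(samples)

def frr(tol, ref, sigma):
    """False rejection rate: genuine user measures outside ref +/- tol."""
    return 1.0 - (normal_cdf(ref + tol, ref, sigma) - normal_cdf(ref - tol, ref, sigma))

def far(tol, ref, mu, sigma):
    """False acceptance rate: the other person measures inside ref +/- tol."""
    return normal_cdf(ref + tol, mu, sigma) - normal_cdf(ref - tol, mu, sigma)

def equal_error_tolerance(ref, sigma, mu, other_sigma, lo=0.0, hi=20.0):
    """Bisect for the tolerance where FAR equals FRR.
    FRR falls and FAR rises as the tolerance widens, so they cross once."""
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if frr(mid, ref, sigma) > far(mid, ref, mu, other_sigma):
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

def card_decision(measurement, ref, tol):
    """Yes/no decision against the stored reference value."""
    return abs(measurement - ref) <= tol

REF, SIGMA = enrol(GENUINE_SAMPLES)
EER_TOL = equal_error_tolerance(REF, SIGMA, OTHER_MU, OTHER_SIGMA)

if __name__ == "__main__":
    print(f"reference={REF:.2f} mm, spread={SIGMA:.3f} mm")
    for tol in (0.3, EER_TOL, 1.2):
        print(f"tol={tol:.3f}  FRR={frr(tol, REF, SIGMA):.5f}  "
              f"FAR={far(tol, REF, OTHER_MU, OTHER_SIGMA):.5f}")
```

Tightening the tolerance below the crossover point drives the FAR toward zero at the cost of rejecting the genuine user more often, and widening it does the reverse.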