Biometrics. Duane M. Blackburn Federal Bureau of Investigation

Transcription

1 0 3 / 0 4 Biometrics Duane M. Blackburn Federal Bureau of Investigation 101 V e r s i o n 3. 1

2 Biometrics Version 3.1 March 2004 Duane M. Blackburn 2 Federal Bureau of Investigation Introduction Biometric technology represents a convergence of related disciplines into a common analytic field. Government and industry have long used individual biometric modalities to enhance operations and customer service, but mainstream awareness of the technology is a more recent occurrence. As interest in the technology grows, so too will the debate on its merits and drawbacks. This paper provides an overview of biometric technology so that these discussions are based on facts rather than perception. Biometrics are automated methods of recognizing an individual based on their physical or behavioral characteristics. Some common commercial examples are fingerprint, face, iris, hand geometry, voice and dynamic signature. These, as well as many others, are in various stages of development and/or deployment. The type of biometric that is best will vary significantly from one application to another. An outline of questions to ask is shown later in this paper to begin to determine which biometric is best for a given application. 2.0 Overview of Biometric Systems At its most simple level, biometric systems operate on a three-step process. First, a sensor takes an observation. The type of sensor and its observation will vary by biometric type. For face recognition, the sensor is usually a camera and the observation is a picture of an individual s face. Second, the biometric system develops a way to describe the observation mathematically; a biometric signature. The method will again vary by biometric type, but also from vendor to vendor. Third, the computer system inputs the biometric signature into a comparison algorithm and compares it to one or more biometric signatures previously stored in its database. Other system components, or human operator, then use these result(s) for other actions such as allowing computer access, sounding an alarm, etc. Although understanding the three-step biometric process is sufficient for most users, biometric systems are in reality much more complicated. In 1999, Dr. Jim Wayman at 1 This document, or future revisions, is available in the Introduction to Biometrics section of the Biometrics Catalog, 2 The author extends his thanks to the following individuals for reviewing this document: Mr. Chris Miles and Mr. Scott McCauley, National Institute of Justice Mr. Ed Cogswell, FBI Office of Public Affairs 3 The views expressed in this document are those of the author and are not necessarily the views or regulations of the Federal Bureau of Investigation.

3 San Jose State University produced a chart outlining five subsystems of a generic biometric system, Figure 1. Figure 1 - Generic Biometric System 4 Large-scale federal systems could become even more complex with the addition of distributed databases and social/fiscal/security concerns, Figure 2. 4 Taken from Fundamentals of Biometric Authentication Technologies, James L. Wayman, 1999.

4 Federal Biometrics Model Figure 2 - Federal Biometrics Model Figure 1 and Figure 2 are very involved, yet generic, models. Specific implementations of biometric technology could vary significantly. However, the generic models provide a rough understanding of the complexity of potential systems. 3.0 Biometrics Tasks In practice, biometric systems operate in one of three tasks: Verification: Is the person who they claim to be? Watchlist 5 : Is this person in the database? If so, who are they? Identification: This person is in the database. How soon can s/he be found? This chapter 6 provides in-depth, clearly defined, descriptions of these terms. Prior to continuing, however, remove any preconceived notions you may have about biometric operation (such as 1:1, 1N, open set identification versus closed set identification, recognition, false alarm, false match rate, etc.). 5 Some sources call the watchlist task open set identification and the identification task closed set identification. 6 A glossary of terms is also provided in Appendix A.

5 Prior usage of these terms 7 has been ambiguous at best and incorrect in many cases. Even the most trivial notion, that 1:1 is verification and vice versa, is not correct anymore for most advanced systems. Proper usage of these terms1 by all parties will help end the confusion that has marked biometric discussions for some time. To help explain the three tasks, we must first introduce a demonstration face recognition system. This demonstration face recognition can compare one image to another and provide scores (entitled similarity scores) for each comparison. For our demonstration face recognition system, the similarity scores range from 0.0 to 1.0, with a 1.0 score being an exact match. Although the examples in section 3 use face recognition, the tasks and associated performance measures are the same for other biometric types. 3.1 Verification In the verification task, a user first makes a claim as to their identity (e.g., I am John Q. Public). The biometric system then determines if the user s claim is correct or not. A good example is verifying a user s identity prior to providing the user access to their account on a computer system. Figure 3 gives us a visual example, where the woman on the left makes a claim that she is the woman on the right. Unless this woman has a twin that she shares her wardrobe with, we can easily assume that this is indeed the same individual. For this example, we will say that this assumption is correct these are pictures of the same individual. Figure 3 8 Correct Verification Claim Let us pretend that our demonstration face recognition system produces a similarity score of 0.93 for this verification trial (remember that our demonstration face recognition system works on a 0 to 1 scale with 1 being an exact match). Let us also assume that the system s verification threshold was set at As 0.93 is higher than 0.90, the demonstration face recognition system has correctly determined that the woman in the left picture is the same as the woman in the right picture. We call this a correct verification. 7 The term recognition is generic (e.g. face recognition or iris recognition ) and should not be directly associated with a specific task. 8 Face images used in this paper are from the publicly-available FERET database. Please see for more information.

6 Now let us look at the case where the same individual in Figure 3 makes the same claim, except this time the demonstration face recognition system s verification threshold is set at In this case, the demonstration face recognition system did not make a correct verification as 0.93 is not higher than If we run many trials with this woman, as well as other correct matches, we will know how often the system will return a correct verification. We call this the probability of correct verification, or probability of verification for short. Figure 4 shows a different verification claim. In this example, the gentleman on the left claims to be the woman on the right. Obviously, this is not the case. Let us assume that the demonstration face recognition system returns a similarity score of 0.86 (their facial features are somewhat similar, after all). Let us also assume that the system s verification threshold was set at 0.9. In this example, the demonstration face recognition system determines that the gentleman on the left is not the woman on the right (as 0.86 is not higher than 0.9). Figure 4 - False Verification Claim Now let us look at the case where the same individual in Figure 4 makes the same claim, but the demonstration face recognition system s verification threshold is set at In this case the demonstration face recognition system incorrectly verifies the gentleman as the woman (as 0.86 is higher than 0.85). We call this error a false accept. If we run many trials with incorrect claims, we will know how often the system will allow an incorrect individual access. This is called the false accept rate. Ideally, we would like to be able to set our threshold so that the probability of verification is 100% and the false accept rate is 0%. Unfortunately, that is not possible, so we must compromise. This compromise is a bit difficult, because the probability of verification and the false accept rate are not separated entities; rather they are connected entities. If we raise the verification threshold in our example face recognition system, the probability of correct verification decreases, but our false accept rate also decreases. If we lower the verification threshold in our example face recognition system, the probability of correct verification increases, but our false accept rate also increases. Plotting numerous probability of correct verifications and their associated false accept rates can help us see this give-take relationship. This plot is called a Verification Receiver Operating 9 This is referred to as a false reject.

7 Characteristic, or Verification ROC. Figure 5 is an example Verification ROC (with fabricated numbers for example purposes). Figure 5 - Example Verification ROC 3.2 Watchlist In the watchlist task, the biometric system determines if the individual s biometric signature matches a biometric signature of someone on the watchlist. The individual does not make an identity claim, and in some cases does not personally interact with the system whatsoever. Examples of the watchlist task could be comparing visitors to Congress against a terrorist database, or comparing John Doe in a hospital to a missing persons database. To begin studying the watchlist case, consider Figure 6, when an image (a probe) of a woman is an input to our demonstration face recognition system.

8 Figure 6 - Watchlist Example 1 The demonstration face recognition system first compares the probe image (the image of the woman in the upper left portion of the graphic that is the input to the system) to each image in the database (the gallery). Going from left to right, let us assume that the similarity score for each comparison is 0.9, 0.86, 0.6 and 0.4. Let us also assume that the system s watchlist threshold is set at In this example, the demonstration face recognition system sounds an alarm as one or more of the similarity scores are higher than the threshold. Since an alarm sounded, we look more closely at the similarity scores and see that the woman on the left has the highest score. This is the demonstration biometric system s best guess at the identity of the woman in the probe image. We can easily see that this is correct. (The fact that a second comparison also had a similarity score higher than the threshold is irrelevant since we only look at the top match.) This example produced what is called a correct detect and identify. Consider again the example shown in Figure 6, except this time the watchlist threshold is In this case, the demonstration face recognition system does not alarm because none of the similarity scores (0.9, 0.86, 0.6 and 0.4) are above the system s threshold. Since there was no alarm, there would be no reason to look further at the similarity scores. Thus, for this example, the demonstration face recognition system did NOT produce a correct detect and identify. Let us take a final look at the example shown in Figure 6. This time we will assume that the similarity score for each comparison (left to right) is 0.8, 0.86, 0.6 and 0.4, and the watchlist threshold is In this example, the demonstration face recognition system sounds an alarm as one or more of the similarity scores are higher than the threshold. Since an alarm sounded, we look more closely at the similarity scores and see that the gentleman in the second image has the highest score. In this example an alarm correctly

9 sounded (as the woman is in the database), but the demonstration face recognition system did not correctly choose the identity of the woman (someone else had a higher similarity score). Thus, the demonstration face recognition system did NOT produce a correct detect and identify. If we run many trials with this woman, as well as others that are in the database, we will know how often the system will return a correct result. A correct result occurs when an alarm correctly sounds (the individual in the probe image is also in the database) AND the correct individual has the highest similarity score. This is called the correct detect and identify rate. Let us look at an alternative setup where the probe does not have a corresponding match in the database, Figure 7. In this example, an image (probe) of a gentleman is the input to our demonstration face recognition system. The demonstration face recognition system must determine if this individual is in the database, and to guess his identity if he is. Figure 7 - Watchlist Example 2 The demonstration face recognition system first compares the probe image to each image in the database. Going from left to right, let us assume that the similarity score for each comparison is 0.7, 0.8, 0.6 and 0.4. Let us also assume that the system s watchlist threshold is set at In this example, an alarm will not sound, as none of the similarity scores are higher than the threshold. Now consider the same example with a threshold set at In this case, an alarm sounds because one of the similarity scores is higher than the threshold. This is an incorrect alarm, because the gentleman in the probe image is not in the database. This is

10 called a false alarm. If we run many trials with this gentleman, as well as others that are not in the database, we will know how often the system will return an incorrect alarm: the false alarm rate. Ideally, we would like to be able to set our threshold so that the detect and identify rate is 100%, and the false alarm rate is 0%. Unfortunately, that is not possible so we must compromise. This compromise is a bit difficult, because the two measures are not separated entities; rather they are connected entities. If we raise the watchlist threshold in our demonstration face recognition system, the detect and identify rate decreases, but our false alarm rate also decreases. If we lower the watchlist threshold in our example face recognition system, the detect and identify rate increases, but our false alarm rate also increases. Plotting numerous detect and identify rates and their associated false alarm rates can help us see this give-take relationship. This plot is called a Watchlist Receiver Operating Characteristic, or Watchlist ROC. Figure 8 is an example Watchlist ROC (with fabricated numbers for example purposes). Figure 8 Example Watchlist ROC Selection of a watchlist threshold (which will select the operating point on the curve in Figure 8) will depend on what is trying to be accomplished. In practice, most applications that operate in the watchlist task can be grouped into five operational areas: a) Extremely low false alarm. In this application, any alarm requires immediate action. This could lead to public disturbance and confusion. An alarm and subsequent action may give away the fact that surveillance is being performed and how, and may minimize the possibility of catching a future suspect. b) Extremely high probability of detect and identify. In this application, we are mostly concerned with detecting someone on the watchlist; false alarms are a secondary concern and will be dealt with according to pre-defined procedures.

11 c) Low false alarm and detect/identify. In this application we are more concerned with lower false alarms and can deal with low detect/identify. d) High false alarm and detect/identify. In this application we are more concerned with higher detect/identify performance and can deal with a high false alarm rate as well. e) No threshold. User wants all results with confidence measures on each for investigation case building. This is important as it would be incorrect to compare performance results from one of these five operational areas to an application that operates in a different area. Choosing an operating point depends on technical, application and social issues. One other item, database size, is important when discussing watchlist performance. The size of the database directly impacts watchlist performance. From FRVT we know that watchlist performance decreases as the size of the database increases for face recognition systems. (Effectively, the curve in Figure 8 will go lower as the size of the database increases). We presume other biometric types follow this same trend, but evaluations have not been performed to support or refute this theory. Therefore, when quoting watchlist performance we must also remember to state the database size. In practice, the watchlist task is much more difficult for biometric systems (and presumably, human operators) than the verification task. When discussing a specific application, it is critical to think in terms of the proper task, and their associated statistics. Failure to do so will lead to significant confusion and errors. 3.3 Identification Identification is a special case of the watchlist task where we KNOW that every single probe image has a corresponding match in the database. In other words, every single person that is an input into the system is in the system s database. So the first question of the watchlist task (is this person in the database) is answered. Identification therefore falls to one question How soon can s/he be found? In practice, there are very few applications that operate under the identification task even the FBI s Integrated Automated Fingerprint Identification System (IAFIS) actually operates as a watchlist, not identification, task. In the identification task, a biometric signature of an individual is presented to the biometric system, Figure 9. Again, we already know the person is in the database, we are 10 Face Recognition Vendor Test 2002,

12 just trying to find them. The demonstration face recognition system first compares the probe image to each image in the database. Going from left to right, let us assume that the similarity score for each comparison is 0.9, 0.86, 0.6 and 0.4. In this example, the correct match has the top similarity score. If we run many trials with this woman, as well as others, we will know how often the system will return a correct result with the top match. This is termed the probability of identification at rank 1. Figure 9 - Identification Example Let us again look at the example shown in Figure 9. This time we will assume that the similarity score for each comparison (left to right) is 0.8, 0.4, 0.6 and In this case, the correct match (the left) is the second highest similarity score. If we run many trials with this woman, as well as others, we will know how often the system will return a correct result with either the top or second similarity score (we do not necessarily care if they are in the top or second, just that they are in one of those positions). This is termed the probability of identification at rank 2. These two examples show a trend for how to show identification performance statistically. The probability of correct identification at rank 20 means: what is the probability that the correct match is somewhere in the top 20 similarity scores? A Cumulative Match Characteristic (CMC) shows the probability of identification for numerous (inclusive) ranks. Figure 10 is an example CMC (with fabricated numbers for example purposes).

13 Figure 10 - Example Cumulative Match Characteristic One key feature of a CMC is that a plot that includes all possible ranks (e.g. if the database has 150 people, and the CMC goes through rank 150), the probability of identification is 100% at the highest (150 in this example) rank. It has to be because we know that every probe is in the database (otherwise this is a watchlist task instead of identification), and we are showing the probability of identification for the entire database. Just as in the watchlist task, it is important to state the size of the database when showing a CMC curve. The probability of correct identification at rank 10 for a 100-person database would be much better than the probability of correct identification at rank 10 for a 10,000-person database (all other issues being the same). 4.0 Biometric Lifecycle The typical federal biometrics lifecycle consists of several steps: Definition of Mission Need Technology Development Evaluation Selection Implementation Planning Deployment & Operation Maintenance & Upgrade

14 The lifecycle is typically cyclical, rather than linear. Program planners will probably have to stop at some point and restart the process (Definition of Mission Need) several times before they are able to have an operational system. Even at that point, however, they will still need to redefine their mission need to take advantage of future capabilities. The following sections provide an overview of each of these steps and their most common issues. 4.1 Definition of Mission Need Definition of mission need is the most critical step in planning for a biometric system. Program planners must have a full understanding of what they are trying to accomplish and how their system is going to operate. To accomplish this, planners may need to run through the various steps in the biometric system lifecycle several times in their head. The remainder of this section outlines some questions that may help planners accomplish this important task. The first step is to define the application of interest. This definition needs to be as specific as possible because even a small variance can sometimes significantly alter anticipated performance. Questions to ask when defining an application include: Verification or watchlist (or identification) mode of operation. The size of the database for identification or watchlist. Demographics of the anticipated users (age, sex, etc.). Conditions indoor/outdoor? Supplemental lighting? Dirty environment? Will the system be installed overtly, covertly or super-covertly? What is the anticipated user behavior (cooperative, indifferent, non-cooperative or uncooperative)? How long has it been since the user/image was enrolled? What is the required throughput rate? How many exception handling cases can users handle for a given period of time? For each task, which parameter (verification: false accept or probability of verification; watch list: false alarm or correct detect and identify; identification: rank or identification rate) is most vital? How will the inaccuracies impact users and other individuals? Using the answers from the last three bullets, what are the minimum accuracy requirements? 4.2 Technology Research and Development There are many types of biometrics, each of which is at different points in its maturity. Technology research and development also has varying levels of maturity. It is important to recognize the various

15 levels so that information concerning ongoing development activities is understood in the proper context. The first level is basic research. At this level, innovative research is being performed that pushes scientist s understanding of what is possible. There are typically more failures than discoveries at this stage. When successful, the product is usually a series of technical papers outlining the failures and successes in the research. The second level, applied research, usually takes the knowledge from previous technical papers and tries to utilize it to solve specific problems. There is typically the same number of failures as successes at this level. When successful, the product is usually working prototypes. These rarely look like anything somebody would want to purchase or use, as they typically have wires hanging all over the place, aren t ruggedized, and operators must be experts in one or more computer programming languages. The third level, development, generally takes successes from the second level and makes it user-friendly for one or more specific applications. Most projects at this level are successful and become commercial products that solve practical problems. Research and development in biometric technologies currently occurs at all three levels. For example, one can purchase face recognition technology for many applications today. This technology has been through all three levels of research and development, and third-level research continues today to optimize performance for specific installations. However, we also know from FRVT 2002 that face recognition performance decreases significantly when taking the systems outdoors. Overcoming this obstacle first requires the community to understand why this phenomenon occurs, and how to overcome it. This is an applied research problem. Some have also discussed using DNA as a biometric. This is completely basic research, and it will probably be awhile before we even know if that could be feasible. 4.3 Evaluation The key to understanding if a technology could be beneficial for a given application is properly performed evaluations that measure performance, vulnerability, anticipated benefits and perceptions. Improper evaluations could lead someone to select a technology or implementation that the technology is not ready for, or could doom feasible implementations because the evaluations are approached in the wrong way Performance Evaluations As we saw earlier, different biometric tasks require different performance statistics. How we obtain these statistics, and how relevant they are, can vary based on what we are trying to measure. Performance evaluations of biometric technology are divided into three categories: technology, scenario, and operational. 11 Each category of evaluation takes a different approach and studies different aspects of the system. A thorough 11 An Introduction to Evaluating Biometric Systems (2000). Philips, Martin, Wilson and Przybocki. Available at

16 evaluation of a system for a specific purpose starts with a technology evaluation, followed by a scenario evaluation and finally an operational evaluation. The goal of a technology evaluation is to determine the underlying technical capabilities for a particular technology. The testing is performed in laboratories using a standard set of data collected by a universal sensor. Technology evaluations are always completely repeatable. Technology evaluations typically take a short time to complete. Results from a technology evaluation typically show specific areas that require future research and development, as well as provide performance data that is useful when selecting algorithm(s) for scenario evaluations. Scenario evaluations aim to evaluate the overall capabilities of the entire system for a specific application. In face recognition, a technology evaluation would study the face recognition algorithms only but the scenario evaluation studies the entire system, including camera and camera-algorithm interface, for a specific application. Each tested system would normally have its own acquisition sensor and would thus receive slightly different data. Scenario evaluations are not always completely repeatable for this reason, but the approach used can always be completely repeatable. Scenario evaluations typically take a few weeks to complete because multiple trials, and for some scenario evaluations, multiple trials of multiple subjects/areas, must be completed. Results from a scenario evaluation typically show areas that require additional system integration, as well as provide performance data on systems for a specific application. At first glance, an operation evaluation appears very similar to a scenario evaluation, except that the test is at the actual site and uses actual subjects. Rather than testing for performance, however, operational evaluations aim to study the workflow impact of specific systems installed for a specific purpose. Operational Evaluations are not very repeatable unless the actual operational environment naturally creates repeatable data. Operational Evaluations typically last from several weeks to several months. The evaluation team must first examine workflow performance prior to technology insertion, and again after users are familiar with the technology. Accurate analysis of the benefit of the new technology requires a comparison of the workflow performance before and after the technology insertion. It is very difficult, if not altogether impossible, to obtain performance statistics (such as those found in Section 2 of this paper) from an operational evaluation. It is simply too difficult to accurately record every individual every time they are presented to a biometric system. This is a difficult task for a controlled scenario evaluation and next to impossible in a real-life operational evaluation. Keep this in mind when analyzing so-called performance results from operational evaluations. In an ideal three-step evaluation process, technology evaluations are performed on all applicable technologies that could conceivably meet requirements. The technical community will use the results to plan future R&D activities, while potential end-users will use the results to select promising systems for application-specific scenario evaluations. Results from the scenario evaluation will enable end-users to find the best system for their specific application and have a good understanding of how it will operate

17 at the proposed location. This performance data, combined with workflow impact data from subsequent operational evaluations, will enable decision makers to develop a solid business case for a large-scale installation Failure to Acquire Section 3 of this paper outlined the three biometric tasks and their associated performance measures. There is another measure that may also be of interest that affects all three biometric tasks. The Failure to Acquire rate is the percentage of attempts that a biometric system is unable to capture an observation that is of good enough quality to generate a signature. Numerous issues, including device/software malfunction, environmental concerns and human issues (e.g. amputees not able to use hand geometry system, bricklayers that have lost most of their fingerprint, etc.), can cause a failure to acquire. For some biometric systems, or for certain applications, the failure to acquire rate could be quite high. Different evaluations deal with this issue in different ways. Some force systems to produce similarity scores, even if there was a failure to acquire. This, of course, produces lower performance measures. Others only show performance on properly acquired signatures and show the failure to acquire rate separately. This, of course, raises the performance measures. There is debate in the biometrics community over which approach is correct. When reviewing others evaluations, first determine which approach they used. When performing your own evaluations, select the approach that provides data that best answers your needs Vulnerability The ease by which a biometric system can be defeated or spoofed determines its vulnerability. This encompasses a number of different considerations, including: Liveness Examples include spoofing a face recognition device using a picture of an authorized person, or a tape recording of an authorized person s voice on a speaker recognition system. Deception Examples include an imposter attempting numerous hand geometry pin numbers until he finds one for which his hand is a sufficient match, or a latex glove with the fingerprints of an authorized person molded into them. Data Security The template information of some networked biometric sensors is transmitted to a processor for analysis. Data security in this context refers to the interception and subsequent misuse of this data to circumvent the system. Physical The manner in which an unattended device is installed may render it vulnerable to a physical attack in an effort to defeat it. Some devices used in access control applications have built in relays that unlock portals, so opening the device and shorting these contacts would be one way to defeat it.

18 It is difficult to quantify device vulnerabilities although there are some efforts in the US and UK governments to do so. The (US) Department of Defense s Biometrics Management Office has been analyzing this area for DoD and federal agencies. They have published a draft report, Department of Defense & Federal Biometric System Protection Profile for Medium Robustness Environments in March It was based partly on the UK Government Biometrics Working Group s Biometric Device Protection Profile. Both documents are available for download in the Government Documents area of the Biometrics Catalog Non-biometric systems One area that is regularly ignored when discussing biometric performance is human performance (or alternative technology performance) doing the same task. We tend to be caught searching for the 100% answer when a 20% answer, in some applications, could be much better than what is possible otherwise. Before deciding if a biometric system is beneficial, we must first understand how well current systems perform. Comparing current capabilities to new capabilities is correct. Comparing new capabilities to idealized capabilities, while ignoring current capabilities, is incorrect Perception The perception caused by adding biometric technology is another key evaluation area that the biometrics community, and potential users of the technology, does not fully understand. Understanding biometric technology is not a trivial matter. People generally do not like or trust things they do not understand or are unfamiliar with. It is important to determine how a biometric system will be perceived by those using it and outsiders that are affected by it (and sometimes outsiders that are not affected by it). Methods of measuring this perception have not yet been developed. Hopefully, this will be an area of significant research in the future, and one that capitalizes on previous biometric implementations. Issues for research include: Privacy impacts for each application Social Acceptance Physical (e.g. hygiene of touching fingerprint sensors) Religious (e.g. reluctance to be photographed) Philosophical (e.g. mistrust of government use of data) Informational (e.g. involvement of community groups) 4.4 Selection Properly performed evaluations will significantly help in selecting a biometric technology and implementation approach for a given application. Evaluations are, of course, just one item to consider. Others include: 12 Biometrics Catalog

19 Total system cost Availability Compliance with existing interoperability standards Ease of maintenance Utilization of legacy equipment Impacts on required staffing Vendor support User acceptance Ergonomics Aesthetics 4.5 Implementation Planning As mentioned earlier, people generally do not like or trust things they do not understand or are unfamiliar with. Biometrics falls into this category for most individuals. Surprising individuals by suddenly rolling out a biometrics implementation will only exacerbate the problem. Instead, program planners should gradually bring everyone that will be impacted up to speed on what they are planning (and are not planning) to do with the technology. As part of this activity, program planners should provide some general training on biometric capabilities and limitations, as well as their anticipated standard operating procedures and planned oversights. The approaches used to perform this task will vary from one implementation to another. 4.6 Deployment & Operation Deployment and operation are very application-specific issues, and are thus beyond the scope of this paper. Everyone, however, will need to determine who has responsibility and oversight for: Network Databases Service Reporting Training Coordination between Federal, State and Local agencies and other entities 4.7 Maintenance & Upgrade Four conditions can drive the need to upgrade an existing system: Cost of maintaining an aging system is no longer justifiable A new technology emerges that is a better solution

20 System proves to be inadequate, perhaps through a security breach Alteration of the mission need. If any of these conditions occur, it may be necessary to return to the beginning of the life cycle. Periodic assessments of the implementation and available technologies can speed selection of alternative approaches. 5. Closing Thoughts Government and industry continue to analyze biometric technology to enhance their operations and customer service. Biometrics, however, is a complex subject with technical and policy issues that are oftentimes misunderstood or misrepresented. Being knowledgeable and considerate of these issues throughout the system lifecycle will lead to successful implementations. Biometric applications must: make a fundamental contribution to the overall effectiveness of systems be operationally realistic be economically viable (cost-effective) not violate the constitutional rights of individuals be considerate of religious and cultural concerns protect information from inappropriate or unlawful uses be evaluated by unbiased organizations with expertise in testing biometric systems System architectures must: not be biometric-type specific be open to allow for: o multiple vendors of biometric devices and ID media o growth into new and emerging technologies Standards should be: used, where possible, to assure effective performance developed, where needed, to assure interoperability established for equipment performance and acceptability crafted to suit each particular application written to evolve as biometric technology improves

21 Appendix A - Glossary Algorithm A sequence of instructions/steps that tells a computer system what to do. API (Application Program Interface) Formatting instructions used by an application developer to link hardware/software to other hardware/software. Biometrics Automated method of recognizing a person based on physiological or behavioral characteristics. Common examples include Fingerprint, Hand Geometry, Iris, Face Recognition, Speaker and Dynamic Signature. Biometric signature (biometric template) A digital representation of an individual s distinct characteristics. Comparison The process of comparing a biometric signature with a previously stored signature(s). Cooperative User An individual that attempts to assist the biometric system capture their biometric signature. See indifferent, non-cooperative and uncooperative users. Correct detect and identify rate A statistic used to measure biometric performance when operating in the watchlist task. The percentage of times a biometric system will alarm and properly identify an individual when that individual is in the database. Correct verification A statistic used to measure biometric performance when operating in the verification task. This occurs when a biometric system positively affirms a correct identity claim. Covert Biometric signatures are being collected at a location that is not known to bystanders. They may or may not know that the collection is taking place. See overt and super-covert. Cumulative match characteristic (CMC) A graph used to show performance of a biometric system operating in the identification task. The x-axis is usually the rank, and the y-axis is usually the probability of identification. Database Any storage of biometric templates and related end user information. Even if only one biometric template or record is stored, the database will simply be a database of one. Generally speaking, however, a database will contain a number of biometric records and associated metadata.

22 Difference score A numerical description returned by a biometric algorithm that describes the measured difference of a probe and gallery signature. Biometric systems use either a similarity or difference score in comparisons. Enrollment The process of obtaining an observation of an individual, converting it into a biometric signature and storing it in the biometric system s database. Equal Error Rate A statistic used to measure biometric performance when operating in the verification task. The operating point in a biometric system where the false accept rate and false reject rate are equal. Failure to Acquire Percentage of attempts that a biometric system is unable to capture an observation that is of good enough quality to generate a template. False accept rate A statistic used to measure biometric performance when operating in the verification task. Percentage of times an invalid user is incorrectly verified as another individual. False alarm rate A statistic used to measure biometric performance when operating in the watchlist task. This is the percentage of times an alarm is incorrectly sounded on an individual that is not in the biometric system s database. False reject rate (FRR) A statistic used to measure biometric performance when operating in the verification task. The percentage of valid users wrongly rejected. Gallery The biometric system s database for a specific implementation or evaluation experiment. Identification task One of the three tasks that biometric systems perform. Answers the question: This person is in the database. How soon can s/he be found? A full description is given in Section 3. See verification and watchlist. Indifferent user An individual that knows their biometric signature is being collected and does not attempt to help nor hinder the collection of their signature. See uncooperative, non-cooperative and cooperative user. Impostor A person who submits a biometric sample in either an intentional or inadvertent attempt to pass him/herself off as another person to a biometric system operating in the verification task.

23 Non-cooperative user An individual that does not know their biometric signature is being collected. See uncooperative, cooperative and indifferent user. Operational Evaluation One of the three types of performance evaluations. The primary goal of an operational evaluation is to determine the workflow impact seen by the addition of a biometric system. See technology evaluation and scenario evaluation. Overt Biometric signature collection where users/bystanders know they are being collected and at what location. See covert and super-covert. Probability of (correct) verification A statistic used to measure biometric performance when operating in the verification task. Percentage of times a biometric system positively affirms a correct identity claim. Probability of identification A statistic used to measure biometric performance when operating in the identification task. For a given rank, n, the percentage of times that the correct individual is located in the top 1-n ranked list of similarity/difference scores. Probe Rank The biometric signature that is submitted to the biometric system to compare against one or more signatures in the gallery. A statistic used to measure biometric performance when operating in the identification task. A probe is compared against all signatures in the gallery. Similarity/Difference measures are developed for each comparison and listed in descending/ascending order. The rank is the location in this descending/ascending order. Recognition A generic term used in the description of biometric systems (e.g. face recognition or iris recognition). The term recognition does not inherently imply the verification, watchlist or the identification task. Scenario evaluation One of the three types of performance evaluations. The primary goal of a scenario evaluation is to measure performance of a biometric system operating in a specific application. See technology evaluation and operational evaluation. Similarity score A numerical description returned by a biometric algorithm that describes the measured similarity of a probe and gallery signature. Biometric systems use either a similarity or difference score in comparisons.

24 Super-covert Biometric Signatures are being collected at a location that is not known to bystanders. They do not know that the collection is taking place. The collection itself could be classified. See covert and overt. Technology evaluation One of the three types of performance evaluations. The primary goal of a technology evaluation is to measure performance of biometric systems in general tasks. See technology evaluation and scenario evaluation. Threshold/Decision Threshold A user setting for biometric systems operating in the verification or watchlist tasks. The threshold is adjustable so that the biometric system can be more or less strict, depending on the requirements of any given biometric application. Uncooperative user An individual that tries to hinder the biometric system s capture of their biometric signature. See cooperative, non-cooperative and indifferent user. User A person who interacts with, or controls other s interactions with, a biometric system. Verification Task One of the three tasks that biometric systems perform. Answers the question: Is the person who they claim to be? A full description is given in Section 3. See identification and watchlist. Verification Receiver Operating Characteristic A graph used to show performance of a biometric system operating in the verification task. The x-axis is usually the False Accept Rate. The y-axis is usually the Probability of (Correct) Verification. Watchlist Task One of the three tasks that biometric systems perform. Answers the questions: Is this person in the database? If so, who are they? A full description is given in Section 3. See identification and verification. Watchlist Receiver Operating Characteristic A graph used to show performance of a biometric system operating in the watchlist task. The x-axis is usually the False Alarm Rate. The y-axis is usually the Probability of Correct Detect and Identify.