Biometric security glossary
Acquisition device – The hardware used to acquire biometric samples. Each biometric technology has its own associated acquisition devices.
Active imposter acceptance – Acceptance of a biometric sample submitted by someone attempting to gain illegal entry to a biometric system.
AFIS – Automated Fingerprint Identification System. A system originally developed for use by law enforcement agencies, which compares a single fingerprint with a database of fingerprint images. Subsequent developments have seen its use in commercial applications, where a client or customer has their finger image compared with existing personal data by placing a finger on a scanner, or by the scanning of inked paper impressions.
API - Application Program Interface. A defined set of functions, conventions, and services through which one piece of software requests work from another; it standardizes how applications interact with a system. Any component compatible with the API can then be added or interchanged by the application developer.
ASIC - Application Specific Integrated Circuit. An integrated circuit developed for specific applications to improve performance.
Asynchronous multimodality - Systems that require a user to verify through more than one biometric in sequence. Asynchronous multimodal solutions consist of one, two, or three distinct authentication processes. A typical user interaction consists of a finger-scan verification followed, if the finger scan succeeds, by a face-scan verification.
Audit trail - In computer/network systems: Record of events (protocols, written documents, and other evidence) which can be used to trace the activities and usage of a system. Such material is crucial when tracking down successful attacks/attackers, determining how the attacks happened, and being able to use this evidence in a court of law.
Authentication - The process of establishing the validity of the user attempting to gain access to a system. Primary authentication methods are:
* Access tokens (something the user owns)
* Geography (a workstation, for example)
BioAPI - BioAPI V1.0, developed by the BioAPI consortium, and released in March 2000. Designed to produce a standard biometric API aiding developers and consumers.
Biometric (noun) - One of various technologies that utilize behavioral or physiological characteristics to determine or verify identity. E.g. “Finger-scan is a commonly used biometric.” The plural form is also acceptable: “Retina-scan and iris-scan are eye-based biometrics.”
Biometrics (noun) – The field relating to biometric identification. E.g. “What is the future of biometrics?”
Biometric (adjective) – Of or pertaining to technologies that utilize behavioral or physiological characteristics to determine or verify identity. E.g. “Do you plan to use biometric identification or older types of identification?”
Biometric sample - The identifiable, unprocessed image or recording of a physiological or behavioral characteristic, acquired during submission, used to generate biometric templates. Also referred to as biometric data.
Biometric system - The integrated biometric hardware and software used to conduct biometric identification or verification.
Buffer overflow - Most common cause of current security vulnerabilities. A buffer overflow occurs when more data is put into a temporary data storage area (buffer) than the buffer can hold. Because buffers can only hold a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the data in them. Programming errors are one of the most frequent causes of buffer overflow problems. In attacks that exploit buffer vulnerabilities, extra data is sent to the buffer together with code designed to trigger specific actions, which can damage files, change data, or disclose confidential information. Buffer overflow attacks may have arisen from poor use of the C programming language.
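As an added illustration of the entry above (example code written for this glossary, not taken from the source), the C fragment below places the unchecked copy that causes an overflow beside a bounded replacement that rejects oversized input. The buffer size, function names and sample strings are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* Vulnerable pattern: strcpy() copies until it finds the NUL terminator of
 * src and knows nothing about the size of dst. Any src of NAME_LEN bytes or
 * more writes past the end of name[] into whatever the compiler placed next
 * to it on the stack. Shown only for comparison; never called below. */
void store_name_unsafe(const char *src)
{
    char name[NAME_LEN];
    strcpy(name, src);      /* no bound check: the overflow happens here */
    (void)name;
}

/* Hardened form: the destination size travels with the pointer, the copy is
 * bounded by it, and an oversized input is rejected instead of being
 * truncated silently. Returns true when src (with its NUL) fit into dst. */
bool store_name_safe(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0)
        return false;
    if (n >= dst_len) {     /* need n bytes plus one for the terminator */
        dst[0] = '\0';      /* leave dst in a defined state */
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* Number of bytes that would spill past a dst_len-byte buffer if src and its
 * terminator were copied into it unchecked; 0 means the input fits. */
size_t overflow_bytes(size_t dst_len, const char *src)
{
    size_t need = strlen(src) + 1;
    return need > dst_len ? need - dst_len : 0;
}

/* Convenience wrapper with a fixed NAME_LEN buffer, so the check can be
 * exercised without the caller managing storage. */
bool name_fits(const char *src)
{
    char name[NAME_LEN];
    return store_name_safe(name, sizeof name, src);
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *short_name = "alice";
    const char *long_name = "a-name-much-longer-than-sixteen-bytes";

    printf("\"%s\": fits=%d overflow=%zu bytes\n", short_name,
           name_fits(short_name), overflow_bytes(NAME_LEN, short_name));
    printf("\"%s\": fits=%d overflow=%zu bytes\n", long_name,
           name_fits(long_name), overflow_bytes(NAME_LEN, long_name));
    return 0;
}
```

The hardened version makes the size a parameter rather than a convention, which is the change that turns a silent memory corruption into a visible error return.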
Contact/Contactless - In regard to chip cards: whether the card is read by direct contact with a reader or has a transmitter/receiver system which allows it to be read using radio frequency technology (up to a certain distance).
Crossover error rate (CER) - A comparison metric for different biometric devices and technologies; the error rate at which FAR equals FRR. The lower the CER, the more accurate and reliable the biometric device.
Data vaulting - The process of sending data off site, where it can be protected from hardware failures, theft, and other threats. Several companies now offer Web backup services that compress, encrypt, and periodically transmit a customer's data to a remote vault. In most cases, the vaults have auxiliary power supplies, powerful computers, and manned security. Also referred to as a remote backup service (RBS).
Decision – The result of the comparison between the score and the threshold. The decisions a biometric system can make include match, non-match, and inconclusive, although varying degrees of strong matches and non-matches are possible.
Either/or multimodality – Systems that offer multiple biometric technologies but require verification through only a single technology.
Digital certificate - In the PKI environment, the data, equivalent to an identity card, issued to a user by a CA (Certificate authority), which he/she uses during business transactions to prove his/her identity.
Digital signature - A number derived by performing cryptographic operations on the text to be signed. First a hash function (also called a hash algorithm) is applied to the binary code of the text; its result, the message digest, always has a fixed length. A signature algorithm is then applied to the message digest, and the result is the digital signature.
DSA - Digital Signature Algorithm. Presented in 1991 by the NIST and patented in 1993. A publicly available one-way algorithm used to generate or verify digital signatures of a text to be signed (not to encrypt/decrypt information). As input, DSA needs
DSS - Digital Signature Standard. Developed by FIPS (U.S. Federal Information Processing Standard). Adopted the DSA in the early 1990s.
Encryption - The scrambling of data so that it becomes difficult to unscramble or decipher. Scrambled data is called ciphertext, as opposed to unscrambled data, which is called plaintext. Unscrambling ciphertext is called decryption. Data encryption is done by means of an algorithm and a key; the key is used by the algorithm to scramble and unscramble the data. The algorithm can be public (open to scrutiny and analysis by the cryptographic community), but the key must be kept private. Encryption does not make unauthorized decryption impossible, merely difficult; the time available and the ever-increasing power of computers determine how feasible it is.
Enrollment - The initial process of collecting biometric data from a user and then storing it in a template for later comparison.
Feature extraction - The automated process of locating and encoding distinctive characteristics from a biometric sample in order to generate a template.
False-acceptance rate (FAR) - The percentage of imposters incorrectly matched to a valid user's biometric.
False-rejection rate (FRR) - The percentage of incorrectly rejected valid users.
Identification - The process by which the biometric system identifies a person by performing a one-to-many (1:n) search against the entire enrolled population.
Identification (1:N, one-to-many, recognition) – The process of determining a person’s identity by performing matches against multiple biometric templates. Identification systems are designed to determine identity based solely on biometric information. There are two types of identification systems: positive identification and negative identification. Positive identification systems are designed to find a match for a user’s biometric information in a database of biometric information.
Matching - The comparison of biometric templates to determine their degree of similarity or correlation. A match attempt results in a score that, in most systems, is compared against a threshold. If the score exceeds the threshold, the result is a match; if the score falls below the threshold, the result is a non-match.
Minutiae Points - Local ridge characteristics that occur at either a ridge bifurcation or a ridge ending.
Privacy-Protective - A privacy-protective system is one used to protect or limit access to personal information, or which provides a means for an individual to establish a trusted identity.
Privacy-Sympathetic - A privacy-sympathetic system is one that limits access to and usage of personal data and in which decisions regarding design issues such as storage and transmission of biometric data are informed, if not driven, by privacy concerns.
Privacy-Invasive - A privacy-invasive system facilitates or enables the usage of personal data in a fashion inconsistent with generally accepted privacy principles.
Score – A number indicating the degree of similarity or correlation of a biometric match. Traditional authentication methods – passwords, PINs, keys, and tokens - are binary, offering only a strict yes/no response. This is not the case with most biometric systems. Nearly all biometric systems are based on matching algorithms that generate a score subsequent to a match attempt. This score represents the degree of correlation between the verification template and the enrollment template. There is no standard scale used for biometric scoring: for some vendors a scale of 1-100 might be used, others might use a scale of –1 to 1; some vendors may use a logarithmic scale and others a linear scale. Regardless of the scale employed, this verification score is compared to the system’s threshold to determine how successful a verification attempt has been.
Single Error Rates - Error rates state the likelihood of an error (false match, false non-match, or failure to enroll) for a single comparison of two biometric templates or for a single enrollment attempt. This can be thought of as a "single" error rate.
Submission - The process whereby a user provides behavioral or physiological data in the form of biometric samples to a biometric system. A submission may require looking in the direction of a camera or placing a finger on a platen. Depending on the biometric system, a user may have to remove eyeglasses, remain still for a number of seconds, or recite a pass phrase in order to provide a biometric sample.
Template - A mathematical representation of biometric data. A template can vary in size from 9 bytes for hand geometry to several thousand bytes for facial recognition.
Threshold - A predefined number, often controlled by a biometric system administrator, which establishes the degree of correlation necessary for a comparison to be deemed a match.
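The Score, Threshold, Matching, FAR, FRR and Crossover error rate entries describe one mechanism from several angles. The C program below, written for this glossary rather than taken from the source or any vendor, puts them together: constructed genuine and impostor scores on a 0-100 scale, a threshold decision rule, FAR and FRR computed at each threshold, and the crossover point where the two rates meet. The score values, the 0-100 scale and the "at or above the threshold counts as a match" rule are assumptions of the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed verification scores on a 0-100 similarity scale. The glossary
 * notes that real vendors use different scales; the mechanics are the same.
 * GENUINE: the same person at enrollment and verification.
 * IMPOSTOR: a different person presenting against someone else's template. */
static const int GENUINE[]  = {92, 88, 75, 81, 95, 67, 84, 79, 90, 58};
static const int IMPOSTOR[] = {12, 35, 48, 22, 61, 30, 15, 44, 53, 27};
#define N_GENUINE  (sizeof GENUINE / sizeof GENUINE[0])
#define N_IMPOSTOR (sizeof IMPOSTOR / sizeof IMPOSTOR[0])

/* Decision rule (assumed): a score at or above the threshold is a match. */
int is_match(int score, int threshold)
{
    return score >= threshold;
}

/* FAR at a threshold: fraction of impostor attempts wrongly accepted. */
double far_at(int threshold)
{
    size_t accepted = 0;
    for (size_t i = 0; i < N_IMPOSTOR; i++)
        if (is_match(IMPOSTOR[i], threshold))
            accepted++;
    return (double)accepted / N_IMPOSTOR;
}

/* FRR at a threshold: fraction of genuine attempts wrongly rejected. */
double frr_at(int threshold)
{
    size_t rejected = 0;
    for (size_t i = 0; i < N_GENUINE; i++)
        if (!is_match(GENUINE[i], threshold))
            rejected++;
    return (double)rejected / N_GENUINE;
}

/* Threshold at which FAR and FRR are closest. On discrete data the two curves
 * may never be exactly equal, so the first threshold with the smallest gap
 * is returned. */
int crossover_threshold(void)
{
    int best_t = 0;
    double best_gap = 2.0;
    for (int t = 0; t <= 100; t++) {
        double gap = far_at(t) - frr_at(t);
        if (gap < 0)
            gap = -gap;
        if (gap < best_gap) {
            best_gap = gap;
            best_t = t;
        }
    }
    return best_t;
}

/* CER: the shared error rate at the crossover threshold (mean of the two). */
double crossover_error_rate(void)
{
    int t = crossover_threshold();
    return (far_at(t) + frr_at(t)) / 2.0;
}

int main(void)
{
    printf("threshold  FAR    FRR\n");
    for (int t = 40; t <= 80; t += 10)
        printf("%5d   %5.2f  %5.2f\n", t, far_at(t), frr_at(t));
    printf("crossover threshold %d, CER %.2f\n",
           crossover_threshold(), crossover_error_rate());
    return 0;
}
```

Running it prints the trade-off the glossary describes: raising the threshold drives FAR down and FRR up, and the administrator picks a point on that curve according to whether wrongly admitting an impostor or wrongly rejecting a legitimate user is the costlier failure for the deployment.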
Verification (1:1, matching, authentication) – The process of establishing the validity of a claimed identity by comparing a verification template to an enrollment template. Verification requires that an identity be claimed, after which the individual’s enrollment template is located and compared with the verification template. Verification answers the question, “Am I who I claim to be?” Some verification systems perform very limited searches against multiple enrollee records. For example, a user with three enrolled finger-scan templates may be able to place any of the three fingers to verify, and the system performs 1:1 matches against the user’s enrolled templates until a match is found.
One-to-few – There is a middle ground between identification and verification referred to as one-to-few (1:few). This type of application involves identification of a user from a very small database of enrollees. While there is no exact number that differentiates a 1:N from a 1:few system, any system involving a search of more than 500 records is likely to be classified as 1:N. A typical use of a 1:few system would be access control to sensitive rooms at a 50-employee company, where users place their finger on a device and are located from a small database.
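The Identification, Verification and One-to-few entries differ only in whether an identity is claimed before matching and how many enrollment templates are compared. The C program below is an added example (not from the source or any product) that makes the difference concrete with a toy template format: templates are eight constructed bytes, the matching algorithm is the percentage of byte positions that agree, and the enrolled identities, probe samples and threshold of 75 are all assumptions of the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define T_LEN 8   /* constructed toy template length in bytes */

/* A toy enrollment record: an identity plus its enrollment template.
 * Real templates are vendor-specific encodings of extracted features;
 * these byte arrays are constructed for the example only. */
struct enrollee {
    const char *id;
    unsigned char t[T_LEN];
};

static const struct enrollee DB[] = {
    {"alice", {10, 20, 30, 40, 50, 60, 70, 80}},
    {"bob",   {11, 22, 33, 44, 55, 66, 77, 88}},
    {"carol", {10, 20, 30, 40, 99, 99, 99, 99}},
};
#define N_DB (sizeof DB / sizeof DB[0])

/* A constructed verification template captured from alice: one byte differs
 * from her enrollment template, as a fresh sample normally would. */
const unsigned char PROBE_ALICE[T_LEN] = {10, 20, 30, 40, 50, 60, 70, 81};
/* A constructed probe resembling nobody in DB. */
const unsigned char PROBE_UNKNOWN[T_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Toy matching algorithm: percentage of byte positions that agree. */
int match_score(const unsigned char *a, const unsigned char *b)
{
    int same = 0;
    for (size_t i = 0; i < T_LEN; i++)
        if (a[i] == b[i])
            same++;
    return same * 100 / T_LEN;
}

/* Verification (1:1): the caller claims an identity, the system locates that
 * one enrollment template and compares the probe against it alone.
 * Returns 1 for match, 0 for non-match, -1 if the claimed id is not enrolled. */
int verify(const char *claimed_id, const unsigned char *probe, int threshold)
{
    for (size_t i = 0; i < N_DB; i++)
        if (strcmp(DB[i].id, claimed_id) == 0)
            return match_score(probe, DB[i].t) >= threshold;
    return -1;
}

/* Identification (1:N): no identity is claimed; the probe is compared with
 * every enrollment template and the best score decides. With a small DB like
 * this one it is the glossary's one-to-few case. Returns the id or NULL. */
const char *identify(const unsigned char *probe, int threshold)
{
    const char *best_id = NULL;
    int best = -1;
    for (size_t i = 0; i < N_DB; i++) {
        int s = match_score(probe, DB[i].t);
        if (s > best) {
            best = s;
            best_id = DB[i].id;
        }
    }
    return best >= threshold ? best_id : NULL;
}

int main(void)
{
    const int threshold = 75;   /* constructed administrator setting */
    printf("verify alice as alice: %d\n", verify("alice", PROBE_ALICE, threshold));
    printf("verify alice as bob:   %d\n", verify("bob", PROBE_ALICE, threshold));
    printf("verify unknown id:     %d\n", verify("dave", PROBE_ALICE, threshold));
    const char *who = identify(PROBE_ALICE, threshold);
    printf("identify alice probe:  %s\n", who ? who : "(no match)");
    who = identify(PROBE_UNKNOWN, threshold);
    printf("identify unknown:      %s\n", who ? who : "(no match)");
    return 0;
}
```

Note that the same probe scores 50 against carol, whose template shares half its bytes with alice's: in verification that comparison never happens because only the claimed identity's template is consulted, whereas in identification every template competes and the threshold is what keeps a merely similar enrollee from being returned.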
Reprinted with permission from www.findbiometrics.com