
Chapter 12 – Applications of Biometrics

Tom Olzak
November 12, 2012

Passwords are not secure and are useless as an access control… at least that is what many vendors and security consultants try to tell managers today. Instead, these purveyors of change claim that biometrics solves all password issues and improves productivity. While this is partially true, it falls short of reality.

Like all controls, whether or not you implement biometrics is a business decision. It is a decision based on data classifications, operating environments, available budget, and opportunity costs. In this chapter, we see how to meet these challenges by understanding the advantages and disadvantages of biometrics in general. We also look at these same characteristics associated with specific types of biometrics solutions; no one solution fits all implementations across businesses or across all operations in a single business.

Why Biometrics: The Business Case

An organization typically implements biometrics for one or both of two reasons: to strengthen access control for one or more systems or to improve employee productivity (Olzak, 2011). If you cannot make a business case for either of these outcomes, you should probably just stick with passwords.

Strengthening Authentication

To review, authentication is the process of verifying and accepting an identity; it provides an acceptable level of probability that a subject is who or what it says it is. The level of acceptability depends on external and internal concerns.

External concerns

External concerns include regulatory mandates, ethical perceptions, and the direction the courts are moving in assigning liability. Regulations that affect your decision about biometrics include HIPAA, GLBA, and other federal, state, and local legislation that either provides exact standards or strong recommendations for authentication strength. More information about relevant regulations is covered in Chapter 1.

Ethics is a moving target: one that differs between time, place, target market, and organization. In general, however, ethics is concerned with "values relating to human conduct, with respect to the rightness and wrongness of certain actions and to the goodness and badness of the motives and ends of such actions" ("Ethics," 2012). Because ethics vary across affected entities, an organization must "tune in" to what its investors, customers, and the public consider good-enough security, including access control.

Finally, court decisions tend to determine or reflect social norms (Cooter, 1998). Organizations should understand how the courts and juries, and therefore the public, tend to view what is and is not enough security. For example, an organization might implement RBAC and enforce separation of duties, least privilege, and need-to-know with user IDs and passwords. However, management might find after the inevitable breach that its customers feel more access control measures should have been used.

Internal concerns

Once we understand the external forces affecting access control decisions, we apply those when performing our access control risk analysis. In Chapter 2, I described the risk analysis process. Analysis outcomes include levels of risk associated with your network, systems, and endpoint devices. When attempting to mitigate identified risks, we use attack trees to locate points of control. In some cases, the best way to block an attack path is to lock systems and data behind strong authentication.

Problems with Passwords

We looked at problems with passwords in Chapter 11. We also assessed the value of adding biometrics to existing password solutions. As we explore in this chapter, biometrics are not always stronger than passwords. Rather, they tend to strengthen overall human access controls. Selecting the right biometrics solution requires understanding the strengths and weaknesses of each technology and whether it provides more, less, or the same protection as the under-siege password.

Biometrics Defined

Biometrics is used to verify, at an acceptable level of probability, that a subject is who or what it claims to be. It uses something you are, and requires the same outcome we expect from solutions that use what you know or what you have. The difference is the expectation that a criminal cannot steal or copy physical characteristics of human subjects used in biometrics technology. As we see later, this is sometimes a misplaced expectation.


Biometrics solutions use a variety of physical characteristics: some are more secure than others. In the following sections, we explore solutions that focus on recognizing the following physical characteristics:

  • Fingerprints
  • Facial structure
  • Iris patterns
  • Vein patterns
  • Voice
  • Typing behavior

This is not a complete list of all characteristics used by all available solutions. For example, retinal scans are noticeably absent. However, what you learn as we examine the challenges facing implementation of the listed technologies also applies to those I do not address.

How it Works

The process of using biometrics includes enrollment, enrollment storage and management, scanning, verification, and object integration. See Figure 12-1 (Olzak, 2011, p. 6).

Step 1: When an employee reports on day one, the biometrics system administrator completes his enrollment in the biometrics solution. This begins with the administrator supervising collection of one or more biological characteristics, using a sensor connected to the biometrics enrollment application.

Step 2: The enrollment application creates a reference template. This consists of a numeric representation of the characteristics collected.

Step 3: The reference template is connected to the user's ID and stored in a database.

Figure 12-1: Biometrics Enrollment

After initial orientation, when the user sits at his desk to begin work, the biometrics authentication application requires him to provide the characteristics collected during enrollment. See Figure 12-2 (Olzak, 2011, p. 6).

Figure 12-2: Biometrics Verification

Step 1: User uses biometrics sensor to supply the measured physical characteristic.

Step 2: The biometrics software translates the collected user characteristics into a trial template.

Step 3: The trial template and user ID are sent to the verification algorithm.

Step 4: The verification algorithm sends a request to the database for the stored reference template associated with the provided user ID.

Step 5: Once the reference template is returned, it is compared with the trial template.

Step 6: If the templates match within a reasonable margin of probability (as defined by the organization and set by the administrator), access is granted to all applications integrated with the sign-on solution used.
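The enrollment and verification steps above, as an added toy model (not code from the chapter or from any vendor). A template is assumed to be a tuple of quantised sensor measurements, the matcher and the administrator-set margin are assumptions, and the sample readings are constructed, not real biometric data.

```python
"""Toy model of the enrollment (Figure 12-1) and verification (Figure 12-2) flow.

Added example, not from the chapter or any vendor product. A template is
modelled as a tuple of quantised measurements (an assumed stand-in for vendor
formats); the matcher and the acceptance threshold are assumptions.
"""
import math
from typing import Dict, List, Optional, Tuple

TEMPLATE_LEN = 8  # assumed number of measurements the sensor returns per scan

Template = Tuple[int, ...]


def make_template(raw_measurements: List[float]) -> Template:
    """Enrollment step 2 (and verification step 2): a numeric representation only.

    Quantising to tenths lets small sensor noise map to nearby values; the raw
    scan itself is never kept.
    """
    if len(raw_measurements) != TEMPLATE_LEN:
        raise ValueError("sensor returned %d measurements, expected %d"
                         % (len(raw_measurements), TEMPLATE_LEN))
    return tuple(int(round(m * 10)) for m in raw_measurements)


class TemplateStore:
    """Enrollment step 3: reference templates keyed by user ID (stands in for the database)."""

    def __init__(self) -> None:
        self._templates: Dict[str, Template] = {}

    def save(self, user_id: str, template: Template) -> None:
        # Silently replacing an existing template would be exactly the kind of
        # template replacement the data store section warns about, so refuse it.
        if user_id in self._templates:
            raise ValueError("%s already enrolled; re-enrollment needs administrator review" % user_id)
        self._templates[user_id] = template

    def fetch(self, user_id: str) -> Optional[Template]:
        return self._templates.get(user_id)


def enroll(store: TemplateStore, user_id: str, raw_measurements: List[float]) -> None:
    """Enrollment steps 1-3, performed under administrator supervision."""
    store.save(user_id, make_template(raw_measurements))


def match_score(reference: Template, trial: Template) -> float:
    """Verification step 5: similarity in (0, 1]; 1.0 means identical templates."""
    dist = math.sqrt(sum((a - b) ** 2 for a, b in zip(reference, trial)))
    return 1.0 / (1.0 + dist)


def verify(store: TemplateStore, user_id: str, raw_measurements: List[float],
           threshold: float) -> Tuple[bool, float]:
    """Verification steps 1-6 of Figure 12-2; returns (access granted, score).

    An unknown user ID gets the same shape of result as a bad scan, so the
    response does not reveal which IDs are enrolled.
    """
    trial = make_template(raw_measurements)   # step 2: trial template
    reference = store.fetch(user_id)          # steps 3-4: look up by user ID
    if reference is None:
        return False, 0.0
    score = match_score(reference, trial)     # step 5: compare templates
    return score >= threshold, score          # step 6: within the admin-set margin?


# Constructed sensor readings (not real biometric data).
ALICE_ENROLL = [1.0, 2.5, 3.1, 0.4, 5.2, 2.2, 1.9, 4.0]
ALICE_LATER = [1.1, 2.5, 3.1, 0.4, 5.3, 2.2, 1.9, 4.0]   # same finger, slight sensor noise
BOB_READING = [1.8, 2.0, 3.5, 0.9, 4.6, 2.8, 1.2, 3.3]   # a different, un-enrolled person
MARGIN = 0.3  # assumed administrator-set acceptance threshold


def run_demo() -> Dict[str, Tuple[bool, float]]:
    store = TemplateStore()
    enroll(store, "alice", ALICE_ENROLL)
    return {
        "alice_genuine": verify(store, "alice", ALICE_LATER, MARGIN),
        "bob_as_alice": verify(store, "alice", BOB_READING, MARGIN),
        "unknown_id": verify(store, "carol", ALICE_LATER, MARGIN),
    }


if __name__ == "__main__":
    for case, (granted, score) in run_demo().items():
        print("%-14s granted=%-5s score=%.3f" % (case, granted, score))
```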

Evaluating Biometrics

All biometrics are not the same. Each approach has advantages and disadvantages that make careful analysis necessary to select the right solution for each access control challenge. Before examining selected biometrics technology, let us look at the biometrics challenges facing your implementation decision, including:

  • Forgery
  • Enrollment risks
  • Data store contamination
  • Business continuity
  • Accuracy
  • Environmental conditions
  • User acceptance


Forgery

Forging biological characteristics is easy for some body parts and difficult for others. For example, it is relatively easy to obtain a fingerprint impression that works in many fingerprint recognition systems. This makes fingerprint authentication a good candidate for only one part of a multi-factor authentication approach. Other characteristics are not so easy to forge. Vein scans are very difficult to forge. As we step through the various approaches, it becomes clear that the level of risk you define in your risk assessment dictates your selection of what physical characteristic you use for identity verification.

Enrollment Risks

"Enrollment is both a management issue and a security risk" (Olzak, 2011, p. 7). When new employees report for work, managers expect them quickly to be productive. This does not happen if it takes a day or two to enroll users in one or more biometrics systems. It frustrates users and alienates management: something we try to avoid if we expect successful biometrics projects.

Security risks include errors from poor enrollment processes or poor vendor solutions. Remember, the physical characteristic measured is converted into a reference template. If the reference template is faulty, even marginally so, the error rates at time of login increase. Again, this frustrates users and managers and negatively affects productivity. Further, information is often more vulnerable at the point of input. Consequently, use

…least privilege to ensure the administrator is allowed only to perform enrollment actions; need-to-know to allow access only to see what is absolutely necessary for enrollment; and segregation of duties to validate that the documented process is followed and logs do not contain evidence of questionable behavior (Olzak, 2011, p. 7).

Data Store Contamination

Once the reference templates reach a database, the context in which the database operates, how software accesses the templates, and other attack surface considerations determine the risk of attackers stealing or replacing stored templates. Attackers in possession of stolen reference templates, for example, can compromise a system in one of two ways: replaying the template to the verification algorithm to gain access or possibly creating a physical forgery of the characteristic measured (Bindha & Natarajan, 2012). We reviewed attack surface mitigation in previous chapters. In addition to taking reasonable and appropriate steps to eliminate gaps in your overall security framework, follow vendor-supplied security configurations to harden template data stores.

Business Continuity

Imagine running an enterprise on a single Active Directory domain controller. If that DC fails, no one can authenticate; the business stops. So no responsible administrator configures just one DC. Biometrics solutions require the same redundancy if they play a mandatory role in authentication. However, redundancy of all components is not usually possible.

What happens if a fingerprint sensor fails at a nurse's station? If the only way nurses can authenticate is via the sensor, health care is significantly affected. Relying on a single sensor to authenticate is not a good idea when critical business processes are involved. Consider having workarounds to support the sensors or spare sensors on the shelf for quick replacement. Whether you choose a workaround or equipment swap approach depends on the business impact resulting from locking users out.


Accuracy

Not all biometrics sensors are made the same, causing identity verification error rates to vary. We measure sensor errors in two ways: false acceptance rate (FAR) and false rejection rate (FRR). When a person who did not go through enrollment presents the measured characteristic to a sensor, and the sensor verifies the person as an authorized user, this is a false acceptance error. On the other hand, if an enrolled employee characteristic is scanned and the biometrics system fails to verify her identity, this is a false rejection error. We want both FAR and FRR as low as possible.

Balancing FAR and FRR is not always a simple process. Figure 12-3 shows how they relate to each other. It also introduces a new measure of biometrics accuracy: crossover error rate (CER). As FAR increases, FRR decreases, and the reverse is true. The point at which they are both equal is the CER. For many organizations, setting a system to meet the CER is a good idea. It is a balance between false acceptance and false rejection. However, conditions sometimes exist that require setting one error rate higher than the other.

For example, an organization might install time clocks requiring a fingerprint scan to clock in or out. In many cases, the sensor's rejection rate is far too high to enable managing a line of employees coming in at the last minute. In these cases, management will likely tune the sensor/system for a low FRR, accepting a higher FAR. This allows fast movement of the employee line, with increased risk of an unauthorized person clocking in. In my experience, the improved results are worth the risk in this situation. In other situations, FAR might be unacceptable due to the value of protected assets. Consequently, FAR is tuned as low as possible and FRR increases significantly. The loss in speed of accessibility is traded for increased security. How you adjust your sensors/systems depends on the risks identified during risk assessments.

Figure 12-3: Biometrics Error Rate Relationships (Olzak, 2011)
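The FAR/FRR trade-off and the crossover point, worked on constructed matcher scores as an added example (not code from the chapter). GENUINE_SCORES and IMPOSTOR_SCORES are assumed stand-ins for the similarity scores a matcher would return for enrolled users and for people who never enrolled; the two tuning functions reproduce the time-clock and high-value-asset settings described above.

```python
"""FAR, FRR and crossover error rate (CER) worked from matcher scores.

Added example, not from the chapter or a vendor. GENUINE_SCORES and
IMPOSTOR_SCORES are constructed stand-ins for the similarity scores a matcher
returns for enrolled users and for people who never enrolled.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed test-set scores in [0, 1]; higher means closer to the reference template.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.78, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.12, 0.20, 0.27, 0.33, 0.41, 0.47, 0.52, 0.58, 0.63, 0.71]

Point = Tuple[float, float, float]  # (threshold, FAR, FRR)


def far(impostor: Sequence[float], threshold: float) -> float:
    """False acceptance rate: share of un-enrolled attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False rejection rate: share of enrolled users' attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine: Sequence[float], impostor: Sequence[float],
                steps: int = 100) -> List[Point]:
    """(threshold, FAR, FRR) for thresholds 0.00..1.00; as the threshold rises FAR falls and FRR rises."""
    return [(k / steps, far(impostor, k / steps), frr(genuine, k / steps))
            for k in range(steps + 1)]


def crossover(genuine: Sequence[float], impostor: Sequence[float],
              steps: int = 100) -> Point:
    """Threshold where FAR and FRR are closest; the rate there is the CER of Figure 12-3."""
    return min(error_curve(genuine, impostor, steps), key=lambda p: abs(p[1] - p[2]))


def threshold_for_max_far(genuine: Sequence[float], impostor: Sequence[float],
                          max_far: float, steps: int = 100) -> Point:
    """Lowest threshold keeping FAR <= max_far: the high-value-asset setting; FRR is the price paid."""
    for point in error_curve(genuine, impostor, steps):
        if point[1] <= max_far:
            return point
    raise ValueError("no threshold meets the FAR target")


def threshold_for_max_frr(genuine: Sequence[float], impostor: Sequence[float],
                          max_frr: float, steps: int = 100) -> Point:
    """Highest threshold keeping FRR <= max_frr: the time-clock setting; FAR is the price paid."""
    for point in reversed(error_curve(genuine, impostor, steps)):
        if point[2] <= max_frr:
            return point
    raise ValueError("no threshold meets the FRR target")


def tuning_report(genuine: Sequence[float] = GENUINE_SCORES,
                  impostor: Sequence[float] = IMPOSTOR_SCORES) -> Dict[str, Point]:
    """The three settings discussed in the text, computed on the constructed scores."""
    return {
        "crossover (CER)": crossover(genuine, impostor),
        "high-value assets (FAR <= 0)": threshold_for_max_far(genuine, impostor, 0.0),
        "time clock (FRR <= 0)": threshold_for_max_frr(genuine, impostor, 0.0),
    }


if __name__ == "__main__":
    for name, (t, a, r) in tuning_report().items():
        print("%-30s threshold=%.2f FAR=%.2f FRR=%.2f" % (name, t, a, r))
```

On these constructed scores the crossover sits at threshold 0.62 with FAR and FRR both 0.2; driving FAR to zero pushes FRR to 0.4, and driving FRR to zero pushes FAR to 0.3, which is the trade-off the text describes.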

Environmental Conditions

Error rates are not just caused by inherent characteristics of a vendor's sensor and algorithm designs; environmental factors also play a role. For example, placing a fingerprint reader on the manufacturing floor, where soiled fingers and airborne contaminants settle on everything, significantly affects error rates. It could be that the environment you assess is unsuitable for any biometrics solution. Trying to fit the proverbial round peg into a square hole will not achieve the results you expect.

User and Management Acceptance

Biometrics projects can fail for any of the reasons listed here, but two of the biggest reasons they fail are user rejection and loss of management support. Selection of the right solutions combined with user education is critical for success.

User fear/frustration

Four user acceptance challenges face biometrics implementers (Brandel, 2010):

  • Users often believe the company is collecting and storing information about one or more of their physical characteristics. Management must explain what is collected, how it is used, and provide sufficient evidence that appropriate steps are taken to protect reference templates. Otherwise, users might refuse to use the system. This can be a huge challenge if, for example, their labor union steps in.
  • Cultural norms vary from country to country. They strongly affect what individuals or groups see as acceptable. Organizations must ensure employees have no norms conflicting with body part scanning. A little research and care in selecting a solution helps meet this challenge.
  • People still commonly believe companies might use scans of certain physical characteristics to determine whether an employee is insurable, employable long-term, etc. The same management activities described in the first bullet apply here. The worst thing management can do is ignore concerns and force compliance with, "You have to because I said so."
  • High levels of frustration arise when the solution selected hinders productivity or causes more work for employees. It is not just management who will storm your office if you deploy additional hindrances to daily processes. In some cases, you can even streamline the identity verification process.

O'Leary (2008) writes, "User acceptance of the access control device is one of the most critical factors in the success of a biometric-based implementation" (p. 52). Keep this in mind as you design your biometrics solutions, or you are sure to face a high risk of project failure.

Management acceptance

Obviously, C-level management wants the installed system to work as expected. It wants security sufficient to reduce risk to the levels it expects. However, it does not have to live with the daily operational impact of a biometrics solution. This falls on the shoulders of first line managers.

Biometrics can hinder, aid, or do neither of these. For example, a biometrics device unsuited for the environment in which IT places it can cause decreased production due to login time increases. Or the proper device placed at a nurse's station can enable quick access to health care stations, eliminating the need to enter a password. The impact on productivity or customer/patient experience plays a large role in management acceptance. Anything that helps a manager reach business objectives is enthusiastically received. That which hinders reaching objectives is strongly resisted. Without management support, getting overall employee support is nearly impossible (Heathfield, 2012).

Selecting the Right Solution

The rest of this chapter describes various types of biometrics solutions. No one solution fits all access control challenges. In fact, you might find yourself implementing one type in the office and another in the warehouse. The previous section provides enough information to know what questions to ask. Your budget, risk assessment results, and operating environments determine the answers.

Fingerprint Recognition

When most people hear the term biometrics, they immediately envision finger scan. This makes sense considering how many times we run into these sensors. For example, I gain access to my gym by entering my phone number and presenting one of my index fingers to a fingerprint sensor. In addition, an increasing number of organizations use fingerprint scans to enable users to clock in and clock out. But while fingerprint biometrics is ubiquitous, it is not always a good choice.

How it works

When my finger is scanned at the gym, the sensor picks up a set of characteristics like those shown in Figure 12-4. Although what is scanned and how it is scanned might differ between vendors, the basic process is the same. An algorithm converts the scanned information into a value—the reference or trial template. Consequently, no actual print is stored, only a numeric value representing the print.

Figure 12-4: Common Fingerprint Characteristics (Rosistem, n.d.)


Advantages

Probably the biggest advantage is the number of solutions available. Fingerprint scanning has been around for years, and users commonly encounter it. The cost of fingerprint sensors is relatively low when compared to other types of biometrics. However, the negatives can quickly overwhelm the positives.


Disadvantages

Two big disadvantages haunt fingerprint biometrics: ease of forgery and sensitivity to environmental factors. Fingerprint forgery can be very easy, depending on the access control system used. Congdon (2010) writes,

Fingerprints are something everyone leaves behind, and they can be copied by forgers using simple household items like scotch tape or gummy bears. In fact, tests have shown that fingerprints left on gummy bears are effective at fooling many fingerprint scanners (Types of Biometric Technologies, para. 1).

No, attackers do not go around with bags of gummy bears just waiting to pounce on latent prints. This is simply an example of what is possible.

In addition to forgery, many (if not all) fingerprint solutions are particularly sensitive to environmental conditions. Soiled hands, surgical gloves, and airborne contaminants are examples of workplace challenges facing IT project teams as they look for the right product.

Facial Recognition

Many computers today ship with software that uses a laptop or other camera to capture an image of the user's face. This image is converted into a reference template during enrollment. It is fast, relatively inexpensive, and very difficult to forge.

How it works

Capturing characteristics requires the algorithm to recognize a face in the camera image. Current solutions typically use a database of general face shapes to separate a face from other objects in the camera's view. Once a face is located, the system identifies and measures nodal points. Figure 12-5 shows some of these points.

Figure 12-5: Facial Points of Measurement (

The human face possesses about 80 nodal points (Bonsor & Johnson, 2012, p. 2), including:

  • Distance between the eyes
  • Width of the nose
  • Depth of the eye sockets
  • The shape of the cheekbones
  • The length of the jaw line


Advantages

Since users do not come into contact with the sensor, facial recognition is often a more acceptable approach than contact-based biometrics. And unlike retinal scans, no beams of light enter the eyes. In fact, facial recognition without employee action is possible. Further, the cost is often much lower than solutions requiring a separate sensor for collection of physical characteristics because many computers and laptops today come with cameras. For those that do not, the cost of a camera is usually much less than that of other types of sensors. Finally, it is very difficult to forge a face. Photos do not work.


Disadvantages

But while it is difficult to forge a face, it is not impossible. Latex masks have been shown to produce false acceptance (Xiao, 2010). Another issue is lighting. If lighting is not sufficient to accurately capture nodal points, verification failure rates increase. Some vendors resolve this by making the computer screen go white, illuminating the face in front of the camera (Sensible Vision). Finally, racial differences can cause errors (Eye Tracking Update, 2010). Improvements in lighting sensitivity should help remove this obstacle to implementation, but consider workforce diversity when deciding whether a low-cost solution meets your requirements.

Next generation facial technology

So far, we have looked at what is known as 2-dimensional (2-D) facial recognition. However, 3-D systems help eliminate problems listed above. Instead of using 2-D nodes, they measure unchangeable features such as the contour of the eyes, nose, and chin. "The advantages of 3-D facial recognition are that is it not affected by lighting, and it can identify a face from a variety of angles, including profile view" (findBiometrics, 2012, para. 7).

Facial recognition can provide low error rates when used under the right conditions. Consider 2-D or 3-D facial recognition if you require a low CER.

Iris Recognition

If you are looking for accuracy with very low probability of forgery, an iris scanning solution might be the answer. In addition, the technological characteristics of iris scans provide scanning from a distance with little or no user interaction. Finally, employee complaints about the perceived intrusiveness associated with retinal scans are eliminated.

How it works

Figure 12-6 depicts the human eye. Retinal scans require shining light into the back of the eye to read retina patterns. However, the iris is located at the front of the eye. An iris scan starts from the outer edge of the iris and records distinguishing features (see Figure 12-7). As with other biometrics solutions, the collected data is converted into a template for identity verification.

Figure 12-6: Human Eye

Figure 12-7: Iris Scan Process (BBC News, 2009)


Advantages

Again, employees presenting themselves for identity verification do not have to touch the scanner. Figure 12-8 shows one type of iris sensor. In some cases, organizations can place sensors out of the path of entering employees, scanning from as far away as 30 feet (SarniffCorp., 2010). In addition to its flexibility, "A key advantage of iris recognition, besides its speed of matching and its extreme resistance to False Matches, is the stability of the iris as an internal, protected, yet externally visible organ of the eye" ("Iris recognition," 2012). Although the iris is harder to forge than fingerprints, it is still not invulnerable to attempts by motivated criminals.

Figure 12-8: Iris Scanner (Grigsby, 2011)


Disadvantages

Unlike ubiquitous fingerprint sensors, iris scanners are expensive; placing one at every desk is likely not something you want to propose for next year's budget. Units like the one shown in Figure 12-8, for example, can cost two- or three-thousand dollars. Desktop units are entering the market, but still significantly raise the cost of user-based biometrics access control beyond the reach of most organizations. Finally, the advantage of iris scanning's resistance to forgery is disappearing, gradually mitigating advantages gained for the additional cost.

When iris scanners first appeared on the market, forgery was nearly impossible. However, following the adage, "if you build it, they will crack it," this is no longer true. As with fingerprint templates, researchers have demonstrated that they could reverse engineer iris templates in less than 10 minutes (Zetter, 2012). All that is needed is access to the right algorithm and a reference template: either stolen during a database breach or via social engineering.

Vein Recognition

Lying below the surface of our hands are networks of veins. The patterns they form are unique for each individual. Using near infrared, the palm pattern can be captured to create a reference template for biometrics access control. One of the first vein scanners is shown in Figure 12-9 (Hanlon, 2005).

Figure 12-9: Hand Vein Scanner, 2005

How it works

Contactless vein recognition technology, originally engineered by Fujitsu, relies on a specific characteristic of blood in veins: deoxidized hemoglobin. Veins carry blood back to the lungs after the body's cells remove oxygen from the hemoglobin. Deoxidized hemoglobin absorbs light at a near infrared wavelength, making the veins look black, as shown on the left in Figure 12-10.

Figure 12-10: Hand Vein Patterns (Hanlon, 2005)


Advantages

Vein scans, like iris scans, do not require contact with the sensor, have a very low error rate (as low as FRR of 0.01 percent and FAR of 0.00008 percent (Ridden, 2012)), and are nearly impossible to forge. In addition, scanners less than 2 inches across are in testing and facilitate embedding vein-based access control in user devices. See Figure 12-11.

Figure 12-11: Embedded Vein Scanner (Ridden, 2012)


Disadvantages

The technology is still evolving, with no real standard. This should not stop you from considering it as a viable alternative to fingerprint and facial recognition for end-user authentication. This issue may disappear as large companies, like Intel, move to integrate palm scanning into consumer devices (Randewich, 2012).

Voice and Typing

I am providing detail only on the most common, or most promising, biometrics technologies. In addition, two less popular technologies to watch are voice recognition and keystroke dynamics.

Voice recognition

Voice recognition is easy for users, but it is subject to easy forgery (Olzak, 2011). Algorithms make reference templates using voiceprints. This approach works well for telephone-based authentication, but it is very weak authentication when expecting users to speak into microphones. It is not as accurate as other forms of biometrics, and voice tracks are subject to theft via recording devices. Voice authentication is not secure in public or cubicle-dense areas.

Keystroke dynamics

Keystroke dynamics uses the speed and rhythm of a user's typing. It is not very accurate, but it can be a very easy biometrics solution to implement. It requires no special hardware: just an agent residing on the end-user device. Users do not have to take time to enroll; enrollment is done in the background as users work. Further, administrators can tune FRR/FAR by application. Keystroke biometrics is a good choice if you need something easy to implement, relatively inexpensive, and part of a multi-factor authentication effort. See for more information about this technology.


Conclusion

Biometrics is not a panacea. Implementation should be the result of cost/benefit analysis stemming from a risk assessment. However, regulatory constraints sometimes make our decision easy. The only thing possible at that point is to select the solution that makes sense.

Making sense, or the reasonable and appropriate implementation of biometrics, includes consideration of several factors.

  • Understand the limitations of the target operating environments
  • Ensure the overall security context supports reference template safety
  • Understand the probability of forgery and match it to the importance of that which you are trying to protect
  • Do not implement a biometrics solution that exposes business processes to a potential business continuity event in the form of sensor or backend authentication server loss
  • Ask each vendor to provide reasonable proof of error rates for the products proposed
  • Always consider how users might receive the new systems

Although not covered in the chapter, I want to close with a very strong recommendation to pilot any biometrics solution before signing a final vendor agreement. This is the best way to ensure management and user acceptance, operational suitability, and the impact of environmental conditions.


References

BBC News. (2009). Biometric Technology. Retrieved November 3, 2012, from BBC News:

Bindha, V. E., & Natarajan, A. M. (2012). Multi-Modal Biometric Template Security: Fingerprint and Palmprint Based Fuzzy Vault. Retrieved October 31, 2012, from OMICS Publishing Group:

Bonsor, K., & Johnson, R. (2012). How facial recognition systems work. Retrieved November 3, 2012, from HowStuffWorks:

Brandel, M. (2010). Using Biometric Access Systems: Dos and don'ts. Retrieved November 1, 2012, from CIO Magazine Online:

Congdon, K. (2010, May 20). Are Biometrics The Key To Health IT Security? Retrieved November 2, 2012, from Healthcare Technology Online:

Cooter, R. D. (1998, February). Punitive Damages, Social Norms, and Economic Analysis. Retrieved October 3, 2012, from

Ethics. (2012). In Retrieved from

Eye Tracking Update. (2010, January 22). Retrieved November 3, 2012, from Race Presents Challenge for Facial and Eye Tracking Technology:

findBiometrics. (2012). Facial Recognition. Retrieved November 3, 2012, from findbiometrics:

Grigsby, J. (2011, May 1). Iris Recognition. Retrieved November 5, 2012, from Biology - Block D:

Hanlon, M. (2005, June 29). Contactless Palm Vein Authentication Technology targets de facto standard in biometric security markets. Retrieved November 5, 2012, from Gizmag:

Heathfield, S. M. (2012). Build Support for Effective Change Management. Retrieved November 2, 2012, from Human Resources:

Iris recognition. (2012). In Retrieved from

O'Leary, T. (2008, February). Acceptance and Accuracy in Biometrics. Security Dealer and Integrator, 30(2), p. 52.

Olzak, T. (2011). Practical Application of Biometrics. Retrieved September 2, 2012, from TechRepublic:

Randewich, N. (2012, September 13). With the wave of a hand, Intel wants to do away with passwords. Retrieved November 5, 2012, from Reuters:

Ridden, P. (2012, May 10). Fujitsu develops smallest Palm Vein Biometric Authentication Sensor yet. Retrieved November 5, 2012, from Gizmag:

Rosistem. (n.d.). Biometric Education: Fingerprint. Retrieved November 2, 2012, from

SarniffCorp. (2010, February 24). Iris on the move [video file]. Retrieved November 5, 2012, from

Xiao, Q. (2010). Applying Biometrics. Retrieved 2011, from Defense Research and Development Canada:

Zetter, K. (2012, July 25). Reverse-Engineered Irises Look So Real, They Fool Eye Scanners. Retrieved November 5, 2012, from Wired:


Tom Olzak

Tom Olzak is a security researcher for the InfoSec Institute and an IT professional with over 37 years of experience in programming, network engineering, and security. He has an MBA and is a CISSP. He is currently an online instructor for the University of Phoenix.

He has held positions as an IS director, director of infrastructure engineering, director of information security, and programming manager at a variety of manufacturing, health care, and distribution companies. Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator.

He has written four books, "Just Enough Security", "Microsoft Virtualization", "Introduction to Enterprise Security", and "Incident Management and Response." He is also the author of various papers on security management and a blogger for TechRepublic and Tom Olzak on Security.