An Introduction to Biometric Key Performance Indicators and Standards

September 21, 2016 by Ravi Das

Overview of the Last Article

The articles thus far have covered a wide range of Biometric technologies. These have ranged from the "Ultimate Biometric of All" (Retinal Recognition) to the "Oldest Biometric of All" (Hand Geometry Recognition) and now to the "Most Controversial Biometric of All" (Facial Recognition). Why does this modality deserve such a title?

The primary reason is that it can be used in a very covert fashion, unbeknown to the public. As a result, there have been many cries of Civil Liberties and Privacy Rights violations, thus triggering its very low acceptance rate. Also, unlike the other Biometric technologies, Facial Recognition still has some way to go before it can be deemed 100% reliable.

There are many factors which can have a drastic impact on the performance of a Facial Recognition system. As was reviewed, these include such variables as weight loss and weight gain, and the addition and subsequent removal of any extraneous objects such as glasses/contacts, hats, earrings, sunglasses, hearing aids, etc. Fluctuations in the external environment can also have a pronounced effect.

But, Facial Recognition does possess one major advantage: It can be used in very large scale Identification based scenarios. This includes such applications as covert surveillance in the major international airports, confirming the identity of passengers via the use of an e-Passport infrastructure, and even using it in conjunction with CCTV Cameras at major sporting events.

Because of the degree of variability which Facial Recognition possesses, various standards were reviewed which have been designed to promote a consistent level of effectiveness.

The various techniques of Facial Recognition were also examined in detail: PCA, Linear Discriminant Analysis (LDA), and Elastic Bunch Graph Matching (EBGM). The types of unique features which get extracted by a Facial Recognition system were covered as well.

In this article, we continue with a closer examination of the standards which have been established and implemented by the Biometrics Industry.

An Overview of the Key Performance Indicators (KPIs) and Standards

Biometrics, just like any other technological tool, must be evaluated against a set of standards and KPIs to determine its true effectiveness. This term can have a wide variety of meanings.

For example, to a potential customer who is considering deploying a Biometric system, effectiveness will mean which modality will best suit the needs of the business or corporation.

Or to a software developer, effectiveness will mean following a strict set of best practices to create the most robust application for a particular Biometric system.

Even to the Federal Government, effectiveness will mean selecting the right Biometrics Vendor based upon a pre-established list of KPIs which can be used as a baseline for comparison.

The existing KPIs of today are merely statistical metrics, and the standards include the following:

  1. The Biometric Data Interchange Formats
  2. The Common Biometric Exchange Format Framework
  3. The Biometric Technical Interface Standards.

A Review of the Biometric KPIs

These include the following:

  1. The False Acceptance Rate, also known as the "FAR," or Type II Errors;
  2. The False Rejection Rate, also known as the "FRR," or Type I Errors;
  3. The Equal Error Rate, also known as the "ERR";
  4. The Ability to Verify Rate, also known as the "AVR";
  5. The Failure to Enroll Rate, also known as the "FER."

With regards to the FAR, this KPI reflects the probability of an illegitimate user, or even an impostor, being fully verified by the Biometric system.

For example, this can happen when John Doe, who is not officially registered in any Biometric system, is actually given access to highly confidential network files for some reason or another (this could be because of some sort of tampering with the Biometric device, such as a very sophisticated Cyber-attack, or even, in the extreme case, the use of latent fingerprints to spoof the optical sensor).

The above scenario does happen from time to time, and it is important to keep in mind that Biometrics are not infallible. They too are prone to faults and errors, just like any other security-based technology.

On the FRR, this KPI reflects the statistical probability of an individual (such as an employee) who is legitimately enrolled into the Biometric system actually being denied by it. In other words, although the identity of the person in question is legitimate, the Biometric modality cannot confirm it. Take the example of John Doe once again.

Regarding the ERR, this is the KPI where the FAR and the FRR equal each other, and this is the ideal or optimal setting for any Biometric system to be at.

Regarding the AVR, this KPI describes the overall percentage of a particular end user population (not just an individual) which can be enrolled in any kind of Biometric system. It does not matter what the specific composition of this population is; all that matters is the total number of people who can successfully complete the enrollment process.

The AVR can be described mathematically as follows:

AVR = [(1 – FER) * (1 – FRR)]

where:

The FER is the Failure to Enroll Rate (which is discussed next)

The FRR is the False Rejection Rate.

Finally, the FER is a KPI which statistically describes that percentage of the end user population that cannot be legitimately accepted, or enrolled into a Biometric system. This can also be thought of as the converse, or the mirror image of the AVR.

There are a number of reasons why people may not be able to enroll into a Biometric system successfully. These include physical ailments (such as skin discoloration or blindness), and the sheer lack of either unique physiological or behavioral traits.
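The KPIs above, worked through as an added example (not from the original article): it computes the FAR and FRR at a decision threshold, sweeps thresholds to find the point where the two are equal, and applies the AVR formula. The match scores, the 0.02 FER and the rule that a score at or above the threshold is accepted are constructed assumptions.

```python
# Constructed sample similarity scores in [0, 1]; higher means a closer match.
GENUINE = [0.91, 0.84, 0.77, 0.69, 0.88, 0.58, 0.95, 0.73, 0.81, 0.66]   # enrolled users
IMPOSTOR = [0.12, 0.35, 0.48, 0.61, 0.22, 0.71, 0.30, 0.55, 0.18, 0.41]  # not enrolled


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostor attempts that are accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of genuine attempts that are rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_point(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Sweep thresholds 0.00..1.00 and return (threshold, FAR, FRR) at the
    first threshold where the gap between FAR and FRR is smallest."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


def avr(fer, frr_value):
    """The article's formula: AVR = (1 - FER) * (1 - FRR)."""
    return (1 - fer) * (1 - frr_value)


if __name__ == "__main__":
    t, a, r = equal_error_point()
    print(f"equal error point: threshold={t:.2f} FAR={a:.2f} FRR={r:.2f}")
    # A stricter threshold lowers FAR but rejects more legitimate users.
    print(f"threshold=0.75: FAR={far(0.75):.2f} FRR={frr(0.75):.2f}")
    # FER of 0.02 is a constructed value for illustration.
    print(f"AVR with FER=0.02: {avr(0.02, r):.3f}")
```

Moving the threshold from the equal error point to 0.75 drives the FAR to zero on this sample while the FRR rises to 0.4, which is the trade-off the two KPIs are meant to expose.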

The Biometric Data Interchange Formats

These types of standards allow the differing Biometric Templates which are used by the same Biometric modality to interact with one another.

For example, there are many Fingerprint Recognition vendors which essentially make one thing: The Fingerprint Scanner. But, all of these vendors have used their own algorithms in creating the Enrollment and Verification Templates. Thus, the primary objective here is to make sure that all of these templates can be recognized by all of the Fingerprint Scanners which are manufactured.

The specific goals of these standards are as follows:

  1. Adopting a common format for the representation of the differing Biometric Templates.
  2. Providing a clear guidance for what types of headers the Biometric Templates can contain (this specifically deals with the metadata of the templates).
  3. Promoting new techniques with regards to the research and development of the Biometric sensor types, and their raw image extraction features.
  4. Allowing for the successful exchange (incoming and outgoing) of Biometric information and data in a Client-Server setting, which can be measured by these variables: seamlessness, correctness, and effectiveness.
  5. Developing and implementing an Open Source model in which each of the differing Biometric modalities can communicate and interoperate with each other (for example, a Retinal Recognition device linking up and communicating its information and data to a Fingerprint Recognition Device).

Also, various Federal Government subgroups are involved in this process, including:

  1. The ISO/IEC JTC 1 SC 37 WG 3-19794:

    This subgroup develops the Biometric Template interchange format standards. These have also been adopted by the International Civil Aviation Organization (ICAO) in the development of the e-Passport infrastructure.

  2. The ANSI/NIST ITL for Law Enforcement:

    This subgroup has developed the protocols primarily for the law enforcement sector. An example of this is the standards which have been established for the grayscale fingerprint images which are stored and utilized in the AFIS databases of the FBI and Interpol.

The Common Biometric Exchange Format Framework

With the use of logical data structures, the Biometric Templates are placed into a "virtual wrapper." This converts the data fields into a universal language that the modalities can understand amongst one another.

The group that is responsible for developing the standards which make this possible is known as the "Common Biometric Exchange Formats Framework," or "CBEFF" for short.

The standards include:

  1. Data Elements:

    A list of the metadata elements has been developed so that the Biometric templates can be exchanged with multivendor hardware, software applications, systems, and subsystems.

  2. Common File Format:

    With this, one Biometric modality (such as Fingerprint Recognition) can interoperate with another technology (such as Iris Recognition) so that they can "understand" each other's Enrollment and Verification templates which have been created.

  3. Extensibility:

    This allows for the quick development of new data file formats and also provides identification markers for these specific files.

  4. Data Formats:

    Any Enrollment or Verification template which registers new data file types will be issued a timestamp, a version history number, and an expiry date. In other words, each Biometric modality will have its own Version Control system for the templates that they create.

  5. Biometric Information Records (also known as BIRs):

    A record must be created for each and every Biometric template which possesses new data file types. This allows for the metadata about the templates to be communicated with various systems and subsystems.
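The wrapper idea above, sketched as an added example (not from the original article and not the real CBEFF encoding): a template is wrapped with format identifiers, a version number, a creation timestamp and an expiry date, and the receiving side validates that metadata before the template reaches a matcher. The header layout, field names and identifier values are hypothetical.

```python
import struct

# Hypothetical fixed-size header, big-endian, for illustration only:
# format owner, format type, version, created (epoch s), expires (epoch s), payload length
HEADER = struct.Struct(">HHHIII")

# Constructed identification markers for the formats this receiver understands.
KNOWN_FORMATS = {(0x0101, 0x0001): "fingerprint-minutiae"}


class RecordError(ValueError):
    """Raised when a record's metadata fails validation."""


def wrap(owner, ftype, version, created, expires, template: bytes) -> bytes:
    """Prefix a template with its metadata header."""
    return HEADER.pack(owner, ftype, version, created, expires, len(template)) + template


def unwrap(record: bytes, now: int) -> dict:
    """Validate header metadata, then return the template and its description."""
    if len(record) < HEADER.size:
        raise RecordError("truncated header")
    owner, ftype, version, created, expires, length = HEADER.unpack_from(record)
    if (owner, ftype) not in KNOWN_FORMATS:
        raise RecordError("unknown format identifier")
    # The declared length must match exactly; never trust it to slice the buffer.
    if len(record) - HEADER.size != length:
        raise RecordError("payload length mismatch")
    if not created <= now < expires:
        raise RecordError("record not yet valid or expired")
    return {
        "format": KNOWN_FORMATS[(owner, ftype)],
        "version": version,
        "template": record[HEADER.size:],
    }


if __name__ == "__main__":
    # Constructed record: valid from 1_700_000_000 until 1_800_000_000.
    rec = wrap(0x0101, 0x0001, 2, 1_700_000_000, 1_800_000_000, b"\x01\x02\x03")
    print(unwrap(rec, now=1_750_000_000))
```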

The Biometric Technical Interface Standards

This third major grouping of standards falls under the consortium known as the "BioAPI." The standards created by this group specify the level of interchange which can take place between the Biometric hardware, the software, and the middleware.

The BioAPI standards deal with:

  1. The integration and not the interaction of the Biometric modalities. This simply means how quickly a Biometric device can be installed and configured in case of failure of another Biometric device in the network.
  2. The software code which is designed for any type of Biometric modality must be Open Source in nature. This helps to facilitate the QA process amongst development teams.

Other standards set forth by the BioAPI are:

  1. The ANSI INCITS BioAPI:

    This specifies the subcomponents of the BioAPI which are:

    • Biometric Modality fusion
    • Establishing the requirements for a ten fingerprint capture system
    • Creation of the requirements so that a non-Biometric solution can be easily integrated into a Biometric-based one.

  2. The ISO/IEC 19784:

    This specifies:

    • How the Biometric based Graphical User Interfaces (GUIs) should be created and designed;
    • The use and exchange of security based certificates within any Biometric system (the principles of BioCryptography are used extensively here);
    • How the Biometric Template metadata will be archived for later uses (such as for audit purposes and other compliance reasons);
    • The operations of a multiuse interface for Biometric Sensor communications and interoperability.

It should be noted that the latest version of these standards is known as the "BioAPI 2.0". The upgrades it contains over the previous version (BioAPI 1.1) are:

  1. The inclusion of software component and subcomponent calls
  2. A set of high-level software functions
  3. A set of primitive level software functions
  4. Specifying how the remote management services will be established and secured to the Biometrics databases which contain the templates.

Conclusions

In summary, this article has examined some of the key standards and KPIs which are relevant to all entities that are involved in both the procurement and the design of a Biometric system. For example, from the standpoint of a potential customer, evaluating any Biometric modalities should be done using the KPIs as described.

The Biometric vendors will have their own set of KPIs for each device they manufacture. But, these should be compared to a baseline to see how truly effective they are in meeting the security needs of the business or corporation.

The standards establish a common framework from which Biometric software applications should be developed. They also specify how the Enrollment and Verification Templates should be created and stored so that they can be easily accessed, and shared with differing modalities.

A key component which is often ignored in a Biometric system is that of the sensor. The standards also address this crucial functionality, as it is the sensor which captures the raw images of our physiological or behavioral traits.

Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.