8.4.5

BIOMETRICS

This control restricts computer access based on a physical or behavioral characteristic of the user.

Biometrics is the best means of authenticating a user’s identity, since it is based on a unique, measurable attribute or trait of the human being whose identity is verified.

It involves the use of a reader device that interprets the individual’s biometric features before permitting authorized access.

Errors of the identification mechanism

• False-rejection rate (FRR), or type-I error rate: the number of times an individual who is granted authority to use the system is falsely rejected by the system.

• Failure-to-enroll rate (FER): an aggregate measure of type-I error rates; the proportion of people who fail to be enrolled successfully.

• False-acceptance rate (FAR), or type-II error rate: the number of times an individual who is not granted authority to use the system is falsely accepted by the system.

• Equal error rate (EER): the percentage at which false rejection and false acceptance are equal; it is the adjustment point where the two errors are equal.
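A worked calculation of these error rates, added here as an example and not part of the original notes: it uses constructed genuine and impostor match scores from a hypothetical matcher, computes FRR and FAR at a given threshold, sweeps the threshold to find the EER, and adds an assumed identify() helper showing how the same threshold gates a one-to-many match.

```python
# Added example (not from the original notes): computing FRR, FAR and EER
# from constructed match scores, plus a threshold-based one-to-many lookup.

# Constructed similarity scores (0..1) from a hypothetical matcher:
# genuine  = enrolled user compared with his/her own new sample,
# impostor = enrolled user compared with somebody else's sample.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.70, 0.66, 0.62, 0.55]
IMPOSTOR_SCORES = [0.20, 0.25, 0.31, 0.38, 0.44, 0.50, 0.58, 0.63, 0.69, 0.74]


def frr(threshold, genuine=GENUINE_SCORES):
    """Type-I error: fraction of authorized users rejected (score below threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """Type-II error: fraction of impostors accepted (score at or above threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every observed score as a candidate threshold and return
    (threshold, eer) where FRR and FAR are closest; EER is their mean there.
    Raising the threshold lowers FAR but raises FRR, so the operator chooses
    the adjustment point that fits the risk of the asset being protected."""
    best_gap, best_t, best_eer = None, None, None
    for t in sorted(set(genuine) | set(impostor)):
        f_rej, f_acc = frr(t, genuine), far(t, impostor)
        gap = abs(f_rej - f_acc)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_eer = gap, t, (f_rej + f_acc) / 2
    return best_t, best_eer


def identify(candidate_scores, threshold):
    """One-to-many matching (assumed helper): the probe is scored against every
    enrolled template; return the best identity only if it clears the threshold."""
    best_id = max(candidate_scores, key=candidate_scores.get)
    return best_id if candidate_scores[best_id] >= threshold else None


if __name__ == "__main__":
    t, eer = equal_error_rate()
    print(f"EER {eer:.0%} at threshold {t}")
    for thr in (0.55, t, 0.80):
        print(f"threshold {thr:.2f}: FRR {frr(thr):.0%}  FAR {far(thr):.0%}")
    print(identify({"alice": 0.71, "bob": 0.40}, t))
```

On the constructed data the EER is 20% at threshold 0.66; the loop in the usage block shows how moving the threshold down (0.55) drives FRR to 0% while FAR climbs to 40%, and moving it up (0.80) does the reverse.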

Physically Oriented Biometrics

Palm-based

Palm-based biometric devices analyze physical characteristics associated with the palm, such as ridges and valleys.

Hand geometry measures the physical characteristics of the user’s hands and fingers from a three-dimensional perspective.

Main disadvantage, compared to other biometric methods: the lack of uniqueness of hand geometry data. In addition, injury to the hand may cause the measurements to change, resulting in recognition problems.

Iris-based

The iris, the colored portion surrounding the pupil, is unique for every individual and, therefore, a viable method for user identification.

To capture this information, the user is asked to center his/her eye on a device by seeing the reflection of the iris in the device. After it is aligned, a camera takes a picture of the user’s iris and compares it with a stored image.

Key advantage of iris identification: contact with the device is not needed, which contrasts with other forms of identification, such as fingerprint and retinal scans.

Disadvantages: the high cost of the system compared to other biometric technologies, and the large amount of storage needed to uniquely identify a user.

Retina

A retina scan uses optical technology to map the capillary pattern of the eye’s retina.

Advantage: the lowest FAR among the current biometric methods.

Disadvantages of retinal scanning include the need for fairly close physical contact with the scanning device, which impairs user acceptance, and the high cost.

Fingerprint

The user places his/her finger on an optical device or silicon surface to get his/her fingerprint scanned. The template generated for the fingerprint, named “minutiae,” measures bifurcations, divergences, enclosures, endings and valleys in the ridge pattern.

Advantages of fingerprint scanning:

• low cost
• small size of the device
• ability to physically interface with existing client-server–based systems
• ease of integration into existing access control methods

Disadvantages include:

• the need for physical contact with the device
• the possibility of poor-quality images due to residues, such as dirt and body oils, on the finger

Additionally, fingerprint biometrics are not as effective as other techniques.

Face recognition

Face-recognition biometric devices use a biometric reader that processes an image captured by a video camera.

Advantage: it is acceptable to users because it is fast and easy to use.

Disadvantage: the lack of uniqueness, which means that people who look alike may fool the device.
Behavior-oriented Biometrics

Signature recognition

Also referred to as signature dynamics. The information from the reader is used to analyze two different areas of an individual’s signature:

• the specific features of the signature, and
• the specific features of the signing process.

Advantages: it is fast, easy to use and has a low implementation cost. Even though a person might be able to duplicate the visual image of someone else’s signature, it is difficult if not impossible to duplicate the dynamics (e.g., time duration in signing, pen pressure, how often the pen leaves the signing block, etc.).

Disadvantage: capturing the uniqueness of a signature, particularly when a user does not sign his/her name in a consistent manner. Users’ signing behavior may change when signing onto signature identification and authentication “tablets” versus writing the signature in ink onto a piece of paper.

Voice recognition

Involves taking the acoustic signal of a person’s voice saying a “passphrase” and converting it to a unique digital code that can then be stored in a template. The system incorporates several variables or parameters to recognize one’s voice/speech pattern, including pitch, dynamics and waveform.

Disadvantages

• The large volume of storage requirements
• Changes to people’s voices
• The possibility of misspoken phrases
• A clandestine recording of the user’s voice saying the passphrase could be made and played back to gain access.
• Background noises can interfere with the system.

Management of Biometrics covers

• Data integrity, authenticity and nonrepudiation
• Management of biometric data across its life cycle, comprised of the enrollment, transmission, storage, verification, identification and termination processes
• Use of biometric technology, including one-to-one and one-to-many matching, for the identification and authentication of its users
• Application of biometric technology for internal and external, as well as logical and physical, access control
• Encapsulation of biometric data
• Techniques for the secure transmission and storage of biometric data
• Security of the physical hardware used throughout the biometric data life cycle
• Techniques for integrity and privacy protection of biometric data

BIMS

Management should develop and approve a biometric information management and security (BIMS) policy.

To gain a better understanding of the biometric systems in use, the auditor should make sure this policy has been developed and that the biometric information is being secured appropriately.

As with any critical information system, logical and physical controls, including BCPs, should address this area.

Life cycle controls for the development of biometric solutions should be in place to cover:

• the enrollment request,
• the template creation and storage, and
• the verification and identification procedures.

Identification and authentication procedures for individual enrollment and template creation should be specified in the BIMS policy.

In case the biometric device malfunctions or is inoperable, backup authentication methods should also be developed.

Controls should also be in place to protect the sample data as well as the template from modification during transmission.