Banks like veins

Banks drawn to vein pattern recognition biometrics (Electronics News)

Vein recognition technology is restricted to checking vein patterns of living body tissues and offers reliable reading. Moreover, vein patterns are nearly impossible to counterfeit. Many banks worldwide consequently have incorporated this technology into their ATMs to improve the user authentication procedure of these machines.

While the ease of duplicating fingerprints to hack biometric systems is regularly overstated, it is a possibility. I’ve never even heard of anyone trying to spoof a finger- or palm vein biometric system.

The trade-off for vascular biometrics is that the sensors are typically larger and more expensive than fingerprint readers and there are fewer vendors offering vein technology. Nevertheless, certain deployments recommend themselves well to vein biometrics.

Vascular biometrics have a lot to offer

Hitachi finger vein scanner could secure large venues (Network World)

The scanner is able to confirm a person’s identity by detecting finger vein patterns, which are unique to each person. It works regardless of the number of fingers used or their orientation above the scanner surface, allowing it to process about 70 users per minute.

Vascular biometrics have a lot to offer. There’s no latency (i.e. no prints left behind). They’re contactless, and they’re getting faster.

Veins are great, but that doesn’t mean fingerprints are a “gimmick”

Vein-scanning technology may trump fingerprint scanning for payments (Sydney Morning Herald)

But even if the headline is true, it doesn’t follow that

“Using our fingerprint is not a secure way to do [authentication],” Professor Susilo said. “It’s just like a gimmick.”

One of the main benefits of vein and iris scanning is that you don’t tend to leave behind iris or vein prints, he said.

As most vein scanner sensors coming out this year require no physical contact, it means there are no residual biometric patterns that could be copied, preventing fraudulent use.

Fingerprints are notoriously easy to lift from surfaces and are not secure, he said, which has been demonstrated by researchers for more than a decade.

In 2002, Japanese researchers showed that fingerprint scanners could be fooled with about $10 worth of household supplies. They also found many fingerprint systems did not detect if someone was “live and well”.

Vein scanners are, in fact, “more secure” in the sense that there is no latency. You can’t leave vein prints behind. But that doesn’t mean that fingerprints are a gimmick.

To take the professor on his own terms, how much money worth of household supplies are required to access an unsecured mobile device? How much money worth of household supplies are required to access a device secured by a password? How easy is it to apply the $10 worth of household supplies to cracking the phone? The answers: None, None, Not very. It really isn’t that easy to spoof fingerprints without the participation of the person whose fingerprint is enrolled.

Vascular biometrics, on the other hand, have no latency. Nobody leaves behind vein prints. But hardware cost (too expensive) and form factor (too large) disqualify vein sensors’ use in mass market mobile devices*. Until about 6 months ago this was true even for fingerprint readers.

*In mobile devices, power consumption is also a big concern. I don’t really know if vein readers are power hogs or not. Perhaps the likely infrequency of vein sensor use compared to the screen or audio output means power requirements won’t end up being the determining factor for vein reader deployment anyway.

Face veins

ID got you, under the skin (Phys.org)

Ayan Seal and colleagues have developed a computer algorithm that can analyze the minutiae of the blood vessels revealed by an infra-red scan of a person’s face. The thermogram readily reveals the pattern of blood vessels almost down to the smallest capillary with an accuracy of more than 97%. Such a degree of precision would suffice even for high-security applications provided the thermogram scan was tied to second or third forms of identity, such as photo ID, security card, PIN number etc.

A biometric modality depending on the vasculation of the face is an interesting idea because, unlike most novel biometric modalities, face biometrics and vascular biometrics are fairly well understood.

Seeing a lot more about finger veins lately…

Poland’s Getin Bank deploys Hitachi finger vein biometric tech in branches

Nowadays, biometrics is considered to be the best method of authentication in the banking sector with a wide range of applications, including at ATMs, branches and internet banking payments. “Within the framework of Getin Up project we want to offer our customers the package of technical innovations that will facilitate their day-by-day use of banking services. Our long-term objective is to implement biometrics in all bank branches,” said Karol Karolkiewicz, member of the Management Board of Getin Noble Bank.

Biometric technology is used to authenticate a person based on unique human physical or behavioural characteristics such as iris, fingerprint, voice or finger vein patterns. Getin Bank chose finger vein biometrics based on it being safe and secure via the use of the unique structure of blood vessels inside fingers.

Why some might prefer finger vein to fingerprint

‘Finger vein recognition system’ promises security (Times of India)

[…C]opying and hacking fingerprints to breach security can be stopped by mapping people’s veins to verify their identity. This model can be used to make up for errors and loopholes in the biometric system, where finger prints can be copied easily.

“Using the blueprint of our veins, areas like credit card security and other time attendance systems can be strengthened.

Even shorter answer: there’s no latency.

The challenges confronting any new biometric modality

[ed. This post reflects a substantial rewrite of an earlier post of January 24, 2013: Not the bee’s knees]

Every once in a while a version of the following paragraph finds itself in the news…

Biometrics Using Internal Body Parts: Knobbly Knees in Competition With Fingerprints (Science Daily)

Forget digital fingerprints, iris recognition and voice identification, the next big thing in biometrics could be your knobbly knees. Just as fingerprints and other body parts are unique to us as individuals and so can be used to prove who we are, so too are our kneecaps. Computer scientist Lior Shamir of Lawrence Technological University in Southfield, Michigan, has now demonstrated how a knee scan could be used to single us out.

Forget digital fingerprints, iris recognition and voice identification, the next big thing in biometrics could be your ______________.

Examples are numerous and fecund:

Heartbeat?
Rear-end?
Ear?
Bone structure or electric conductivity?
Footsteps?
Nose? (ed. Link added later. I forgot about that one.)
Body odor?
Brain prints?
Lip movements?
Kneecap?

While I suspect that any definable aspect of the human anatomy could be used as a biometric identifier — in instances where teeth are all that is known about an individual, they are used for high confidence identification — I’m afraid that, for the foreseeable future, the cards are stacked against any new biometric modality catching on in any big way.

The reasons for this are both scientific (research based) and economic (market based).

On the science side, a good biometric modality must be: unique, durable, and easily measurable. If any of these are missing, widespread use for ID management isn’t in the cards. If something is unique and durable but isn’t easily measurable, it can still be useful but it isn’t going to become ubiquitous in automated (or semi-automated) technology. Teeth and DNA fit this model. Teeth have been used to determine the identity of dead bodies with a high degree of certainty for a long time, but we aren’t going to be biting any sensors to get into our computers any time soon — or ever. Likewise with DNA.

There is also the challenge of proving that a modality is in fact unique, durable and easily measurable which requires a whole lot of experimental data and (especially regarding uniqueness) a healthy dose of statistical analysis. I’m no statistician, and from what I understand, the statistical rules for proving biometric uniqueness aren’t fully developed yet anyway, so let’s just leave things in layman’s terms and say that if you’re wanting to invent a new biometric modality and someone asks you how big a data set of samples of the relevant body part you need, your best answer is “how many can you get me?”

In order to ascertain uniqueness you need samples from as many different people as you can get. For durability you need biometric samples for the same person taken over a period of time and multiplied by a lot of people.

Ease of measure is more experiential and will be discovered during the experimentation process. The scientists charged with collecting the samples from real people will quickly get a feel for the likelihood that people would adapt to a given ID protocol.

For two common biometric modalities, face and fingerprint, huge data repositories have existed since well before there was any such thing as a biometric algorithm. Jails (among others) had been collecting this information for a hundred years and the nature of the jail business means you’ll get several samples from the same subject often enough to test durability, too, over their criminal life. For face, other records such as school year books exist and were readily available to researchers who sought to test the uniqueness and durability of the human face.

The first hurdle for a novel biometric modality is the competition for the attention of scientists and researchers. Getting the attention of science and technology journalists by making a pronouncement that the space between the shoulder blades is the next big thing in biometrics is one thing. Getting academic peers to dedicate the time and research dollars to building the huge database of interscapular scans required for algorithm development is quite another. Any new modality has to offer out-sized advantages over established modalities in order to justify the R&D outlay required to “catch up”. This is highly unlikely.

On the market side, in order to displace established (finger/hand and face/eye) biometric modalities in wide scale deployments, the academic work must be complete and the new technology must produce a return on investment (ROI) in excess of that offered by existing technologies designed to accomplish the same function.

That’s not to say that modalities that didn’t have the advantage of a 100 year head start on data collection are impossible to bring to market. Iris, voice, and the vascular biometrics of the hand (palm, finger) have joined face and fingerprint biometrics in achieving commercial viability despite the lack of historic data repositories. But there were several things recommending them. They either occupy prime real estate on the head and the end of the arm (Iris, vein) making them easy to get at, or they are the only biometric that can be used over a ubiquitous infrastructure that simply isn’t going anywhere (voice/phone), or they offer advantages over similar established modalities. With hand vascular biometrics: they’re harder to spoof than fingerprints; no latency; avoidance of the “fingerprinting = criminality” stigma; can work with gloves; users can avoid touching the sensor, etc. With iris: harder to copy than the face; harder to spoof; easier to measure than retina vasculation; and extremely low/no latency. Yet even despite gaining the required academic attention, iris and voice have had great difficulty overcoming the market (ROI) hurdle, which brings us back to knees.

Is there any database of kneecaps of significant size to allow researchers to skip the time-consuming task of building such a database themselves, reducing the cost of development? Is there any deeply embedded ubiquitous infrastructure that is already an ideally suited knee-sensor? Is there any objection to modalities that have a head start on knees that knee biometrics would overcome? Is there any conceivable, repeatable, scalable deployment where a potential end user could save a whole lot of money by being able to identify people by their knees? I’m at a loss but these are exactly the kind of questions any new biometric modality must be able to answer in the affirmative in order to have any hope for wide-scale deployment.

So, it’s pretty clear that knee biometrics are not something the average person will ever come into contact with. Does that mean there is no value in exploring the idea of the kneecap as a feature of the human anatomy capable of being used to uniquely identify an individual? Not necessarily.

In order to thrive as high value-added tools in highly specialized deployments, a novel modality just needs to help solve a high value problem. This has heretofore been the case with teeth & DNA. The analysis of teeth and DNA is expensive, slow, requires expert interpretation, and is difficult to completely automate, but has been around for a long, long time and isn’t going anywhere anytime soon. That’s because the instances where teeth and DNA are the only pieces of identifying information available are frequent enough, the value of making the identification is high enough, and the confidence level of the identification is high enough that people are willing to bear the costs associated with the analysis of teeth and DNA.

Beyond teeth and DNA, any biometric modality can be useful, especially when it is the only piece of information available. The CIA and FBI even invented a completely novel biometric approach in an attempt to link Khalid Shaikh Mohammed to the murder of Daniel Pearl using arm veins. But how likely is something like that ever to be the case for any of these novel modalities, knees included? It’s possible that the situation could arise where a knee bone is discovered and there is an existing x-ray or MRI of a known person’s knee and a comparison would be useful. That, however, is not enough to make anyone forget about any already-deployed biometric modality.

South Florida: Baptist Health hospitals adopt biometrics for patient ID

New hand scanners being used in local hospital to identify patients (First Coast News)

You used to have to give your name, a form of ID, often a social security number when you checked into hospitals, but now all you may need is your palm.

Baptist Health is using new technology now that identifies each patient by the vein pattern in their hand. The technology is called the Palm Vein Biometric Identification System.

The computer stores the patient’s vein pattern as a binary number connected to your file, so anywhere you go within the Baptist Health system, you can be identified and your records pulled up by simply scanning your hand.

The Director of Information Services, Jim Bilsky, says the motives behind this new technology are to stop identity theft and ID Card sharing. Also to help identify patients that are brought in unconscious during emergency situations.

This one happens to be about patient ID, but it’s hard to think of an identity management challenge hospitals don’t have.

Eye biometrics with a mobile phone camera

Mobile technology is crying out for better user authentication. Fingerprints would seem like a good match, but there’s a hardware chicken-and-egg problem: no fingerprint sensor hardware means no apps and no apps means no manufacturer has decided (long-term) to drive up the cost of their handset to provide a feature few may use.

That means biometric app developers interested in verification using mobile devices have concentrated on modalities that can use the sensors that are already ubiquitous in mobile hardware.

A phone without a microphone isn’t a phone anymore so the developers of voice biometrics are in pretty good shape. And though a camera isn’t a strictly necessary feature on a mobile device, they all seem to have them. That invites facial recognition, and eye-based biometrics developers into the mobile world.

All three (face, eye, voice) face challenges.

Scan Eyes to unlock smartphones (PSFK)

If I’m reading this article correctly, or more accurately making the correct inference from the picture that accompanies it*, EyeVerify seems to be side-stepping the challenges associated with iris biometrics and camera resolution by switching to an analysis of sclera vasculation — the veins on the white part — for mobile verification.

That’s pretty cool.

See also:
Mobile Devices and Biometric Modalities

* According to the EyeVerify site, that was the correct inference.

We just love it. No one wants to go back.

Palm scanners get thumbs up in schools, hospitals (USA Today)

Palm-scanning technology is popping up nationwide as a bona fide biometric tracker of identities, and it appears poised to make the jump from schools and hospitals to other sectors of the economy including ATM usage and retail. It also has applications as a secure identifier for cloud computing.

Here’s how it works: Using the same near-infrared technology that comes in a TV remote control or Nintendo Wii video game, the device takes a super high-resolution infrared photograph of the vein pattern just below a person’s skin. That image, between 1.5 and 2.5 square inches, is recorded and digitized.

It’s not hard to see why palm vein scanners are attractive in many applications. Users don’t have to touch anything, they’re fast, and the biometric is more difficult than some others to spoof.

Pro Tip to Journalists: Keep Your Eye on Iris v. Retina

What is it about journalists and the human retina? I’d estimate that at least 95% of the time a journalist uses the term “retina” in association with biometric identity management modalities, they actually mean “iris”. Does anybody know why this is?

After decades, ATMs still play key role in banking (Eagle Tribune – North Andover, MA)

He said tests are being conducted in Brazil on using biometric identification — scanning retinas or fingerprints — for ATMs. In Europe, he said, there are ATMs where customers can apply and be approved for a loan during their ATM sessions. “So the technology is there to do that,” Kerstein said.

You will never see a retina scanner in an ATM. As far as ATM deployments go, retina is too expensive, and it takes too much time for people to get used to using it properly. Then there’s the fact that if vascular biometrics are the answer, the hand/finger is cheaper and easier and if eye biometrics are the answer, iris is cheaper and easier. For ATMs the vascular/eye combo is overkill.

Iris (left) vs. Retina (right)

The iris (left), which gives people “eye color,” controls how much light enters the eyeball. The retina (right) is the structure lying along the inside, back surface of the eyeball that translates light into nervous impulses for the optic nerve to send to the brain.

In a camera analogy, the iris would be, well, the iris, since cameras have them, too. The retina would be the film, or in an even better digital analogy, the charge-coupled device (CCD) that translates light into ones and zeros for computer chips.

Both iris and retina are used as biometric modalities in identity management applications.

Iris biometrics match the iris’s unique surface features (similar to fingerprints). Retina biometrics use the eye’s vascular network for matching.

Retinas have been in use as biometric identifiers for far longer than iris (1984 vs 1995), but using the iris is far more common today. This is because using the iris makes for cheaper and easier identifications.

For more on the subject, I recommend this (If you’re a journalist, I can’t recommend it enough!). It was written in 2006. Both technologies will have improved since then, but iris technologies have improved faster.