Security Access Using Biometric Fingerprint Technology

By Robert C. Smallback, Jr.

May 28, 2002

(This is the second article in a series about Robert Smallback’s evaluations of various types of biometric technologies for Southwest International Airport (RSW) in Fort Myers, FL.)

My initial thoughts about using a fingerprint or hand geometry solution for security access were filtered by my experiences in law enforcement -- ink-rolled prints that were time consuming and messy. Recently, my observations of optical fingerprint systems for positive identification still required rolling all 10 fingers until the print passed the systems’ test for acceptability for use in the FBI’s Positive Identification system. It was obvious these processes were not acceptable for security access.

Hand scanning uses optical technology to filter variations in a person’s hand into an algorithm key. The resulting keys are derived from major variations in the whole hand, including the subject’s fingers. The device is used to enroll pre-qualified persons into the host database. When a person wishes entry, they place a hand on a platen, and if their handprint matches the database key, they are allowed entry. This technology eliminates the time-consuming process of rolling fingerprints and allows the optical scanning devices to provide unattended access.

The problem with the whole hand or two-finger optical algorithm technologies is the requirement for enrollment into the local database, and the level of accuracy the system has. False negatives and false positives could be compensated for by the use of an assigned code entered by the pre-enrolled person or by operator intervention. In essence, the biometric device has to use the old keypad code entry to validate a biometric rejection. So, the technology requires human intervention to permit access, or it requires a pass/fail logic (if both are passed then allow access, or if one or the other is passed then allow access). Why invest in a biometric device that simply adds cost to a key entry security access system and still requires human interaction when the code or print fails to open the door?

DEFINING THE NEED
The real purpose of using biometrics is to be assured only a previously enrolled person is allowed access and the technology has a high level of confidence that it will provide reliable, unattended security access. The primary objectives of using biometric technology are lost when either it’s recommended to use two biometric systems to allow access (both are required or one is required to allow access), or an operator is required to make the final decision when denials occur.

Although whole-hand algorithm devices have been working with an enrolled database, it may not be suitable if used in a national database for the airline industry. It would require the whole industry to have the same technology to enroll their employees and submit the enrollment into a common database. As the enrollment database grew, so would the opportunity for duplications and error.

A common database of unique biometric keys that could be used for security access could be available in the near future. Since the events of September 11, airports have been required to submit employee and contract employee fingerprints to the FBI for positive identification and criminal history checks. The result of this requirement could provide a national fingerprint database of airport, airline, and contract employees.

AN OVERVIEW OF FINGERPRINT TECHNOLOGIES
There are several technologies that work with fingerprints:

Optical Fingerprint Scanners. The fundamental limiting factor has been how these devices capture an image of the finger. The process, referred to as Frustrated Total Internal Reflection, a form of spectroscopy, essentially takes a picture of the finger. It also takes a picture of the dirt, greases, and contamination found on the finger. An individual who smokes, uses hand creams or suntan lotions, or whose fingers are contaminated through everyday exposure to contaminants such as ink from a freshly printed newspaper cannot effectively use these systems.

Digital Fingerprint Scanners. Variations on the optical scanners have been given a new name, digital scanners. These scanners scan the finger using the same principles of Frustrated Total Internal Reflection, and thus have all of the same limitations.

Capacitance Fingerprint Scanners. Supporters of this technology claim it has higher image quality than optical scanners due to its ability to image beyond the surface contamination found on the finger. It too, however, has very serious limitations including a small image scan area. The scan area of these devices is approximately 0.5” x 0.5”. That is not enough image area of the finger to accurately identify an individual. The devices also have a sensitivity to electrostatic discharge.

Thermal Fingerprint Scanners. This technology uses infrared to sense the temperature differences between the ridges and valleys of the finger to create a fingerprint image. To date, the performance has been quite poor with these devices.

Ultrasonic Fingerprint Scanner. This method scans the finger ultrasonically, using high frequency sound waves, to capture an image of the finger. Ultrasound can penetrate through many mediums, and thus can image through the contamination that is found on the finger or that builds up on the fingerprint platen to get a consistently high-quality image of the finger each and every time. The improved image quality results in accuracy rates approximately a factor of 10 (an order of magnitude) better than any other fingerprint system on the market today. The images are completely compatible with existing fingerprint databases, should cross matching to existing databases be an application requirement.

The concern from a security access perspective is assuring quality, unattended access to secure areas. When a keypad is used as an offset entry for a hand geometry logarithm-based system, there could be an opportunity for defeating the system; for example, a person observes a keypad entry, then at a later date they put their finger in the reader, they’re rejected, and then they enter in the previously observed keypad number and the override allows access.

The following images identify problems someone may have in their normal work that may cause an optical system to reject them. If this occurs with some frequency, it could provide the opportunity of observing a keypad override entry and allow unauthorized people entry.

Figure 1. A worker gets a mark on their finger or a worker has some other contaminant on their finger. 

Figure 2 is an example of newsprint ink distorting the fingerprint.

Over 80 fingerprint companies were selected in one Internet search for biometric fingerprint systems. The fingerprint system based on ultrasonic scanning instead of optical scanning seems to have a lot of promise for airport security. The ultrasonic system scans the print using ultrasound, develops a 270-KB key to access the database, and compares the actual, total print consisting of 270,000 bytes to 300,000 bytes to validate the person against the pre-enrolled database.

Each organization seeking a biometric solution must make the best choice for their installation. It’s very important to consider the test data in detail to determine if the tests and the promise of a system meet your individual operating characteristics and environmental challenges:

1. Is space a problem for setting the biometric device at the access point?
2. Will the device connect to your network or require a network of its own?
3. Will the devices be subjected to weather?

• Direct sun/heat
• Rain
• Snow/cold to extreme cold
• Ice

4. Will the persons using the system be refused access because they are/have:

• Elderly, wrinkles in the fingers may affect the print
• Petite, small print reduces the matrix
• Subjected to chemicals
• Have unusual wear and tear on the fingers, like construction workers
• Grease or oil
• Dirt and grime

5. Do you expect to interface with other databases or a single master database?

• Key size is important
• The potential of duplicate keys is critical

6. Will you need intervention to resolve denial of access?

Another whole area of study to consider when looking at biometrics is the ease in which someone with intent to cause harm can defeat the system. One example of ingenuity can be found on the Internet, I’ve extracted a small bit of the article, but you’ll get the picture, the whole article can be found on the Web.

Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at biometric fingerprint devices. Matsumoto, along with his students at the Yokohama National University, showed that they could be reliably fooled with a little ingenuity and $10 worth of household supplies. He took a fingerprint left on a piece of glass, enhanced it with a cyanoacrylate adhesive, and then photographed it with a digital camera. Using Photoshop, he improved the contrast and printed the fingerprint onto a transparency sheet. Then, he took a photo-sensitive printed-circuit board (PCB) and used the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional. (You can find photo-sensitive PCBs, along with instructions for use, in most electronics hobby shops.) Finally, he made a gelatin finger using the print on the PCB. This also fools fingerprint detectors about 80 percent of the time.

Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence.