-Turnstile
-Biometric
-Proximity Reader and Card
-Phone Entry System

1. Introduction

1.1 The principle
1.2 History

2. Technological Assumptions

2.1 Enrolment and verification
2.2 Evaluation of biometric systems
2.3 Capture of biometric characteristics (Sensors)
2.4 Calculation of templates
2.5 Verification security

3. Equipment to use physiological properties

3.1 Hand and finger geometry
3.2 Vein checking
3.3 Retina checking
3.4 Iris checking
3.5 Face recognition
3.6 Fingerprint recognition
3.7 Other physiological properties

4. Equipment to use behavioural properties

4.1 Signature
4.2 Voice recognition
4.3 Key stroke
4.4 Summary

5. Applications

5.1 Access control
5.2 Time & attendance
5.3 Boarder control, identity cards and passports
5.4 Payment of social benefits
5.5 Security of computers and data networks
5.6 Other verification applications

6. Economic considerations

7. Future

7.1 Market development
7.2 Standardisation of biometric systems
7.3 Privacy

8. Biometric Glossary

1.1 The principle

The need to identify persons correctly and irrevocably has existed for a very long time. The authorisation to enter a building, to open a cupboard, to cross a border, to get money from a bank etc. is always connected to the identity of a person. It is therefore necessary to prove this identity in one way or the other. We call this procedure Verification. A person claims to be authorised or to have a certain identity, and this must then be verified.

The problem is known to the police e.g. persons presenting an ID card which is doubtful. However the police are frequently confronted with another problem: Who is the person who has left a certain trace, e.g. a fingerprint, or who is this dead body. In this case we ask for the identity of an unknown person, we do an Identification.

Biometrics specialists use the expression one-to-one in case of a verification, or one-to-many in case of an identification. The following text is dealing mostly with verification which is the more important case in non-law enforcement environments.

1.2 History

Probably the oldest proof of identity and authorisation based on technical means, and not on personal recognition, is the mechanical key. Here the proof of identity is based on possession. All readable plastic cards (with magnetic, electrical or optical storage systems) are examples of the same category. These methods of proof of authorisation have reached a high technical level and some of them are very difficult to copy or falsify. However there is an inherent disadvantage: The technical system is able to verify the identity and hence the authorisation of the card or key, but not the identity of the bearer. In other words: Possession may be stolen, lost or given to unauthorised persons.

Systems based on knowledge instead of possession try to avoid this problem. Passwords are the oldest form of this type of identification. Recently these methods have been automated in the form of access passwords for computers or ID codes. Misuse through theft is impossible, but not abuse by non-authorised persons somehow acquiring this information. Despite all the warnings quite a number of users write down their ID code to e.g. credit cards, and this reduces the security value of this code to zero.

Combinations of possession and knowledge systems reduce the probability of misuse further, but do not eliminate the principal problem that the bearer is not irrevocably identified.

The sole means of identifying a person irrevocably is to automatically recognise their personal characteristics. These are called biometric characteristics and the technology of this identification is called Biometrics.

There are many biometric characteristics that may be captured. Some of these you can find in written form in any passport. However automated capturing and automated comparison with previously stored data requires the following properties of biometric characteristics:

• Invariance of properties. They should be constant over a long period of time
• Measurability. The properties should be suitable for capture without waiting time and other complications
• Singularity. The characteristics should have sufficient unique properties to distinguish one person from any other
• Acceptance. The capturing should be possible in a way acceptable to a large percentage of the population. Excluded are particularly invasive technologies, i.e. technologies which require a part of the human body to be taken or which (apparently) impair the human body
• Reducibility. The captured data should be capable of being reduced to a file which is easy to handle
• Reliability. The process should ensure high reliability and reproducibility
• Privacy. The process should not violate the privacy of the person

Given these properties the number of usable biometrics characteristics is reduced to a few, which have been tested in the past. The following table gives an overview.

For a detailed discussion of the pros and cons of these technologies and the state of the art see the following chapter. Other characteristics, as for example weight, size, colour of eyes and of hair and special properties, which you may find in passports, cannot be used since they do not fulfil criteria like singularity, measurability or invariance.

2. Technological assumptions

2.1 Enrolment and verification

Assumptions to verify a person are:

The person must be enrolled into the system as XY, and a file has to be stored which includes the biometric characteristics.

Each verification starts with an enrolment, for example in fingerprint verifications:

• Selection of an ID code
• Presentation of the finger
• Calculation of fingerprint template
• Further presentations of the finger
• Test

Now the comparison can take place, which shows if the person claiming to be XY has the same biometrics characteristics. This requires:

• Entry of the claimed identity of the person
• Calling the file of this person from the memory
• Capturing the biometric properties
• Comparison of captured properties with stored data
• Display and/or use of the result

Important factors are:

• Clean and reproducible capture
• Speed and precision of the comparison

Modern electronics cope easily with these requirements. The design of these units is based on microprocessor technology, miniaturised cameras, up-to-date light technology and more. The continuous price reduction of electronic components has enabled miniaturisationand has made the units cheaper and more efficient. Some units on the market are the result of more than 15 years development.

We can definitely say that Biometric technology today is mature.

2.2 Evaluation of biometrics systems

Four values are important in the evaluation of biometrics systems:

• Time to enrol
• Time to verify
• False Acceptance (False Acceptance Rate, FAR, or errors type 2), the verification of a person who is not enrolled
• False Reject (False Reject Rate FRR, or error type 1), non-verification of an enrolled person
• Equal Error Rate (EER), the point where the value of False Acceptance and False Rejects are equal

Although these values have been improved considerably during the development of all known systems, there are still significant differences from system to system, part of which is based upon the chosen identification method. So far no test standards exist. There are various efforts to standardise but these meet many difficulties because of the difference in nature of the systems.

The most difficult value to judge is false rejection. False rejects are, to a high degree dependent upon user behaviour, therefore a standardisation would be particularly helpful.

2.3 Capturing of biometrics characteristics (Sensors)

The most common capturing process in biometrics today is optical . In most cases miniaturised CCD cameras are used, which capture either visible or infrared light. The optical set-up is dependent on the biometric property captured.

• Fingerprint capturing requires the positioning of the finger on a prism (platen), whereby the illumination is arranged in a way to reflect the light in its entirety on the positioning surface with the exception of the spots where the skin touches the platen (frustrated reflection).
• Hand geometry uses two cameras in order to capture the dimensions of the fingers and the hand, which is positioned on a metal plate and illuminated properly.
• Retina capturing uses a light beam scanning the retina. The beam reflection gives an intensity picture of the captured retina structure.
• Iris capturing works similar to retina capturing.
• Face recognition captures a picture of the face with a camera, either of visible light or infrared, and processes the image to gain certain criteria.

More recent methods, particularly in fingerprint capturing, try to get away from the optical capture which requires an optical path and therefore restricts miniaturisation. These methods use temperature, pressure and/or capacitance. Capacitance particularly seems to be promising since it can be measured with a miniaturised silicon chip. As soon as these methods attain precision, stability, and low pricing, they will probably complement, if not replace, the existing optical methods.

Signature capture uses either a pressure sensitive tablet, or captures the position of the pencil with ultrasonic or electrical methods.

Voice recognition requires simply a microphone of sufficient quality.

2.4 Calculation of templates

An important step in the enrolment process is the calculation of the template. The template is used subsequently in the comparison process during verification, it is a data reduction of the original biometric characteristics, and should:

• Be as small as possible, but with enough distinguishing properties
• Provide rapid calculation
• Provide singularity
• Be suitable for rapid verification

The better the algorithm is fulfilling these partly contradictory requirements, the higher the quality of the selected procedure. Enrolment and verification algorithms are therefore the most important elements in biometric.

Available microprocessors 15 years ago, at the beginning of biometrics, made it relatively difficult to find algorithms which were sufficiently rapid and precise. Even today, many units are connected to a high-speed PC running the actual comparison operation. Stand alone units, i.e. units independent from a PC as required in physical access control, were in the past equipped with ASICS (application specific integrated circuits) in which the algorithm was implemented.

Recent microprocessors however, small with low power consumption, are powerful enough to run these algorithms. Therefore it is now possible to design stand-alone units without the expense of integration into an ASIC.

2.5 Verification security

Some applications are not very critical with respect to verification security (false acceptance), either because they combine several verification processes, or by their nature not having a high security requirement.

Other applications, particularly in Government use, require very high security.

Testing the security of an algorithm is a difficult task. Usually a single user is unable to test the value of False Acceptance of a certain unit, since he is not in the possession of thousands of samples (persons) to obtain results of any statistical value.

Renowned biometric suppliers use huge databases of templates and sometimes publish their results. Unfortunately not many independent institutes exist which are able to perform valid security tests.

3. Equipment to use physiological properties

3.1 Hand and finger geometry

Hand geometry was one of the first methods that came to market. The unit called ID3D from Recognition Systems in the USA requires the presentation of the right hand, and the fingers are positioned by guides. The dimension of the hand is registered with camera and mirrors, and a template of 9 bytes is calculated. This template is stored together with a PIN code or name of the person.

The unit can be run in stand-alone mode and stores up to 20,000 templates. Verification consists of announcing the identity of the person (e.g. entry of a PIN) and presentation of the hand, whereby the dimensions are compared to the stored template.

The main advantages of this unit are speed of operation, a short template ,good acceptance by the users and not affecting privacy in the slightest. However some hygienic concerns have been raised (positioning of the full hand on a plate).

These are the characteristics of the unit:

• Enrolment time: A few seconds
• Verification time: One second
• False Acceptance: 1: 1,000
• False Rejects: 1%

Being the first with a very short verification time, the unit has been sold into many applications. However the high False Acceptance Rate (although refuted by the manufacturer) makes the unit unsuitable for certain applications. The unit accepts only the right hand.

Engineers participating in the development of the hand geometry unit have developed a unit comparing the geometry of two fingers. Its name is Digi-2, and it is manufactured in Switzerland. Of course this unit is not checking the fingerprint, but the dimensions of the fingers. The use of this unit is not yet widespread, and characteristics beyond those given by the manufacturer are yet unknown.

3.2 Vein checking

It is known that a group is working on checking the vein pattern of the back of the hand. Veins are recognised with an infrared camera and a template is calculated. No further characteristics are known.

3.3 Retina checking

A unit called Eyedentify has been around for more than 10 years. It scans the retina of the user by means of a light beam, and calculates a template of 256 bytes, which is used for verification. The unit has the following characteristics:

• Enrolment time: 30 seconds
• Verification time: 0.5 seconds
• False Acceptance: 1:1 Million
• False Rejects: 1%

Verification requires a distance between unit and eye of approx. 10 cm; therefore positioning of the eye plays an important role. Glasses and contact lenses are said not to influence the function of the unit. Security against fakes is very high.

Nevertheless the unit is not very popular, since the process is not very acceptable to users.

3.4 Iris checking

The Iris of the human eye is captured with a camera. The iris includes about 6 times the amount of differentiating properties compared to the retina or the fingerprint. The procedure therefore can be made highly secure. The positioning of the eye is mostly achieved by a mirror, i.e. the user has to position the eye in a correct way. The use of this technology so far has been limited, as it is comparatively expensive to secure a door with such a unit. The technology has the advantage of working without physical contact between the user and the unit.

3.5 Face recognition

Two possibilities are known:

• Recognition of the relative position of face properties (eye, nose, mouth, etc.).
• Recognition of the infrared pattern of the face.

Today some applications are available on the mamrketplace. Since their FAR is rather high, they are less suitable for access control purpose. Most frequent use is the search for unwanted persons (blacklist comparison).

Various universities are working to improve this process.

3.6 Fingerprint recognition

In most cases up to today capturing fingerprints was achieved by optical scanning. The finger is positioned on a prism (platen). Where the skin touches the glass, light is diffused instead of reflected (frustrated reflection) and the resulting picture is captured by a CCD camera.

Other capturing devices have been developed, like thermal/pressure or capacitance capturing using semiconductor sensors, or ultra sound. Ultra sound has not been used up to now because of its high price. The semiconductor sensors are interesting because of the possibility of integration, but are often rejected because of their sensitivity towards static electricity.

Image processing and verification after the capture may be done in two ways:

• The first method consists (much the same as in police work) of searching so called minutiae (ending valleys, bifurcations, sweat glands). Tehir relative position is measured and the result forms the template. At verification the same process is used, and the result is compared to the stored template (minutiae matching).
• The second method stores selected picture elements as the template. At verification these picture elements are used to check for similar picture elements of the presented finger and if they match with the template (pattern matching).

Both methods result in similar security values, the first methods however may take somewhat longer at verification.

• Enrolment time: 3 to 10 seconds depending on type of unit
• Verification time: less than 0.5 seconds
• False Acceptance: 1:100,000 to 1: 1 Million or better
• False Rejects: 1% or better

Several units of this type are known. The earliest unit of this kind is probably the equipment of Identix Inc., California, which is to date presenting the fifth generation of their units. The algorithm of these units is running in a  microprocessor which makes them independent from connected PCs. Other systems are  Sagem (France), Startek (Taiwan), Dermoprint (Hungary), Dermalog (Germany), etc. Most of these systems have their algorithm implemented on a PC.

Not many manufacturers offer a so-called live finger detection. The purpose of this is to inhibit the verification of a finger copy (e.g. a silicon fake) or in an extreme case a cut off finger from an enrolled person. Various properties may differentiate a live from a dead or fake finger, but not all are practical because

• they are not safe enough or
• capturing is too expensive or
• the technical impact is too important or
• they take too much time or
• the detection is not significant enough.

Known effects so far are colour of the human skin, their electrical properties and their optical reflection properties. As with the introduction of higher security through live finger detection the FRR increases, the use of this property in practice is very limited.

3.7 Other physiological properties

Many efforts have been undertaken with sometimes very exotic properties. The following have been made known:

• Form of the outer ear: Presents difficulties whenever the ear is covered by hair
• Smell of the human body (!)
• Structure of the palm: This is a property that is often used by police, but for different reasons presents problems: The inside of the hand is curved and therefore difficult to capture, and it has a lot of information which makes selection difficult
• These properties are not represented so far in commercially available products nor are their characteristics known

4. Equipment to use behavioural properties

The main problem in capturing and using behavioural properties is the distinction between variable and invariant characteristics. Therefore these properties are less exact then physiological properties and are useful only in very particular applications.

4.1 Signature

The attraction of this method lies in the fact that the financial world uses the signature as its preferred method of identification. Biometric signature verifiers however not only check the image of a finished signature, but in addition the dynamics of the movements during signing.

There are several such units known. False acceptance is rather high (up to 10%), which is acceptable for applications e.g. in the banking sectors, where in parallel other means of identification are used. Many applications are unsuitable, since the process takes time and space and is useless in the case of illiterate persons (developing countries).

4.2 Voice recognition

The main advantage of voice recognition systems lies in the fact that the sensor is very simple and ubiquitous: A telephone receiver is sufficient. False acceptance rate and false reject rate however are relatively high, which means the method is only useful if other means of verification are used simultaneously. The units analyse the energy flow and spectral development of speech, in most cases a particular word. The units have either a high tolerance (hence relatively low security) or high false reject rates.

4.3 Key stroke

Various attempts have been made to use key strokes on PC keyboards as a distinguishing property. Two problems make this approach difficult:

• Keyboards of different makes have different characteristics.
• Persons not used to keyboards usually do not have reproducible characteristics of keystroke.

According to information we have at this time no marketable products with this approach exist.

4.4 Summary

Reviewing the market of the last 10 years, the following products have been most successful:

Hand geometry and fingerprint verification have been used most. It looks as if the use of the hand as a means of verification is accepted by a broader public.

Retina verification has only be used in very high security environments and therefore has not been spread widely.

Serious attempts to test face and iris recognition have been made, no bigger applications are known today.

All other methods, although interesting in particular cases, have not had significant market success.

5. Applications

Generally speaking there are a lot of possible applications for biometric systems. Their main advantage is manifest in all cases where the requirement is to undoubtedly check the identity of a person. Why has this kind of identification not yet made its market breakthrough? There are several possible reasons:

• The technology is relatively new. Although first units have appeared in the market 15 years ago, they were very big, slow and excessively expensive.
• The transition of existing major systems (e.g. verification of a user of an ATM) requires major investment which means that these systems take time to be implemented.
• The price of a biometric unit is still considerably higher than that of a magnetic stripe reader, although the prices are falling rapidly.
• One frequently heard argument is lack of acceptance at the user side. Experience however shows that this problem is much less prominent than most managers expect.
• Lack of standardisation has forced major corporations to delay implementing such systems, since they do not want to be tied to a single manufacturer with a proprietary product.

Nevertheless in the past years some major applications have been introduced. Here are a few examples:

5.1 Access control

The very first users of biometric systems as access control means to buildings and installations were various army organisations and customers with high security levels, like banks and nuclear power stations.

More and more people realise that biometrics has advantages not only for high security applications. Ease of use (‘the key is always with you’) makes these systems very attractive to other applications as well. We know of several industries and service organisations that have introduced biometrics to control access not only of their employees, but even of customers and visitors.

We expect the number of applications in this field to grow rapidly in the next few years. This will however never be a high volume market, since the number of units is usually limited to the number of entries.

Examples

A jewellery centre with approximately 5'500 employees and over 7'000 visitors per annum uses fingerprint verification at their mantraps. More than 30 mantraps as well as the reception desk are equipped with units.

Several nuclear power stations combine their existing badge-based access control system with biometrics to protect critical inner zones.

Access of trucks to an important port is secured by hand geometry, and at an important airport, truck access requires verifying the driver by fingerprint.

Safe deposit boxes in banks have frequently been secured with fingerprint or face recognition. Thus the customer is able to open his safe deposit box without the assistance of a bank clerk. Access to heavy vault doors by fingerprint has just started in several banks.

5.2 Time & attendance

Specialists assume that fraud in time & attendance installations (‘buddy punching’) amounts to approximately a loss of 1 working hour per employee per week. Many managers won’t accept this high figure, but fraud is taking place nevertheless. Particularly exposed to this type of fraud are companies with frequently changing, temporary and seasonal employees.

Biometrics in time & attendance eliminates this type of fraud completely. We have calculated examples which show that time fraud elimination has resulted in paying off the whole biometric installation within 6 months. There are estimates in the USA that in the near future some 10% of all time & attendance systems will be equipped with biometrics.

Example

A supermarket chain with 450 outlets monitors working time of their approx. 7,500 employees with a fingerprint system. This is particularly recommended for this type of seasonal and quickly changing personnel. The fingerprint units are requested to send their information via dial-up modem connection. The unions, which first started to complain, were quickly convinced of the advantages of the system, since fraud through the managers (no registration of effectively worked hours) disappeared as well. The State Privacy Committee ruled that there was no infringement of privacy.

5.3 Boarder control, identity cards and passports

These applications are difficult because of the enrolment of a huge number of persons. On the other hand the compatibility of systems on different state boarders is difficult to achieve with the lack of standardisation in biometrics.

Examples

Schipohl Airport in Amsterdam was the first pilot to secure and also speed up border crossing. Frequent flyers could buy a smartcard containing the fingerprint template of the owner, which would allow them to bypass police border control at arrival. The system was limited to citizens of the country and was taken out of service after a (technically successful) pilot phase, as far as we know for commercial reasons.

Other pilots were conducted in various airports of USA and Canada, some of them with hand geometry, others with fingerprint. No decisions have been made so far as to the final introduction of these systems.

Various countries discuss projects to secure passports and/or identity cards biometrically. No country has taken final decisions so far, but pilots are in use and project work is going on.

5.4 Payment of social benefits

The fraud rate in paying social benefits and state pensionsis considerably high in a number of countries. Payments are made to dead persons, to non-authorised, and double payments are frequent. Thus the state is exposed to a high loss, which in certain cases has reached the size of the total money to pay out.

However we have to observe that verification systems of the above type (one-to-one) do not help to eliminate multiple enrolment of a single person. Therefore the verification method one-to-one should always be combined with a search (one-to-many) at enrolment to the system. Solutions have been developed recently that are much simpler and cheaper than the so-called AFIS (Automatic Fingerprint Identification Systems) which have been conceived for police work, but they are also less demanding since they do not have to deliver forensic quality comparisons.

The same problems have to be solved with identity cards and passports.

Examples

The first country to secure social welfare payments with biometric systems was South Africa. In this country illiteracy has also played a role. Other such systems are in introductory phases in Spain and Colombia. All three systems are fingerprint based.

5.5 Security of computers and data networks

Specialists know that securing data with passwords, which is the most frequently used method today, is problematic. If not prevented from doing so, most people would use trivial passwords like their own birthday, first name and so on. If the use of trivial combinations is excluded by software, and the system asks for password changes too frequently, people develop the tendency to write down their passwords, and they can frequently be found on the underside of the keyboard or in the first drawer of the desk. This reduces the security value of a password to near zero.

Be honest with yourself: Have you ever given your password over the phone to your colleag%e or secretary do enable them to look up something on your PC?

We know of examples in non-European countries where passwords in banking systems have given raise to massive fraud. This is potentially possible in the Western world as well.

Card based systems give a little more security, and have therefore been introduced in a number of cases, not least because of the low price of card readers. Security systems based on possession have, as has been explained before, inherent disadvantages.

Recently fingerprint systems have been made known in connection with data security in computers. This could open up a high volume market for biometric systems.

There are three main application fields:

• Access control to the computer. These systems secure either booting of the computer, or access to the installed operating system (like Windows NT), or access to some directories of the hard disk.
• Access control for databases and software on servers, accessed by clients. Security of these systems also require security of the transmission between client and server.
• Electronic signature. Biometric systems are particularly suitable to secure and check financial transactions on computer networks. Another target is security for certain transactions over the highly insecure Internet.

Examples

The following applications have been made known as of today:

The database provider Oracle offers a fingerprint system to secure biometrically a database server. The biometric verification terminal is installed at the client side, the biometric information of the users however is stored in a special server database. At login the user is asked to verify with his finger. Biometric information exchange between client and server is secured by hash algorithm.

A fingerprint systems company offers an add-on to any Windows NT logon with biometrics. The unit is installed locally with matching software.

A large Asian bank secures transactions of their tellers, who have to ask for authorisation from their supervisor every time the transaction exceeds certain limits. This authorisation is given by a fingerprint system. This at the time seems to be the biggest closed biometric verification system world-wide: more than 2000 units are installed. An Egyptian bank is in the process of introducing a similar system.

5.6 Other verification applications

Many new application have appeared du2ing the last couple of years. Biometric systems are useful in every case where a reliable verification of a person should be achieved.

Examples

In a country which for political reasons cannot be named, Asylum seekers are in physically secured camps and these people have been provided with smart cards containing their fingerprint template. They are requested present themselves, to weekly or even daily at a registration office to prove their presence with card and fingerprint verification.

Several European prisons are equipped with biometric systems (hand geometry and fingerprint), in order to identify visitors when they leave, or to verify prisoners when they leave the buildings for any reason, particularly with ethnic groups where Europeans have problems in identifying them by face.

A European Parliament with more than 500 delegates has installed a voting system which reuqets fingerprint verification for every vote. This means high security against fraud within the voting result.

6. Economic considerations

Are biometric systems expensive?

The use of biometric properties in order to verify identities of persons will always be more expensive than purely reading badges with a magnetic stripe or other physical storage media. This can be derived from the complexity of this task. It is clear that cost comparisons can only be drawn with similar manufacturing volumes, and in this respect biometric units today have still a clear disadvantage.

Comparison of the unit costs of this technology however does not tell you the whole story. Other factors should be included in the calculation as well, such as:

• Installation costs
• Introduction costs
• Running costs
• Lifetime
• Savings through elimination of fraud

Installation costs are generally neither higher nor lower than conventional systems.

Introduction costs probably are higher, because all users have been enrolled first, and users are not familar with this type of system. However do not forget that e.g. with the introduction of magnetic stripe cards there was an introductory period as well with a lot of false rejects, which nobody mentions today since now the bigger part of the population is used to these systems. We expect the same to happen with the wider spread of biometric systems.

Contrary to possession based systems running costs of biometric systems are much smaller. There is no more replacement, new edition or administration of cards. Biometric properties are stored digitally and can easily be validated, devaluated or cancelled.

Biometric systems are cheaper compared to password systems since there is no password administration required.

Lifetime and reliability of these systems are similar to conventional systems. Both kinds are subject to wear and dirt, both use electronics with its limited, but long lifetime.

A difficult subject is the estimation of savings by elimination of fraud. With credit cards, the size of fraud is usually known to the banks (although rarely discussed in public). On the other hand fraud with time and attendance systems is difficult to estimate and usually not known exactly. It is possible to calculate elimination of theft with biometric access control. A large software house calculated theft of PCs from their offices and justified the introduction of a biometric access control system.

A calculation example:

Take the already discussed case of a supermarket chain with 7,500 employees, and assume that per employee and week one hour is registered in excess due to fraud. With mean costs of a working hour of US$ 80 the payback period of this installation should not exceed 6 months. This means the total investment including introduction costs should not exceed the amount of 15 M US$. Divided by the 500 supermarket sites this means a possible investment of US$ 30'000 per site, which is more than enough a modern biometric system.

7. Future

7.1 Market development

Without prophetic gifts it is possible to foresee a rapid increase of the biometric market. The availability of cheaper, smaller, easier to handle systems enables these technologies to not entirely replace, but certainly augment existing possession and knowledge based systems. In the same way the user has become familiar with passwords, magnetic stripe cards and smart cards, he will get used to biometric systems which still today have a touch of science fiction. Comfort and security of these systems will certainly convince sceptical people that this is a natural way to automatically verify the identity of a person.

Capturing biometric properties always presents some technological problems. This means a high investment in technology in order to work reliably. But this is not inhibiting widespread use, since the price decrease of electronics and miniaturisation will go on and thus continually create new application fields.

7.2 Standardisation of biometric systems

Standardisation is a difficult problem. First of all the important quality criteria (false acceptance, false reject, speed of enrolment and verification) should be standardised in a way to make the data of different manufacturers comparable. This seems to be easier than the standardisation of verification algorithms that is necessary to introduce such technology internationally (passport security, front access of ATMs). It is easy to understand that no manufacturer is willing to publish his verification algorithm, since this

• offers unique sales advantages
• includes sensitive information with regards to security

We doubt that a standardisation of algorithms on a higher level would be possible given the differences between today’s systems. A solution could be that a manufacturer, chosen by a careful selection process, would licence the algorithm and thus make it accessible to other manufacturers. This issue presents some unsolved problems.

7.3 Privacy

Storing of the biometric properties of a person may infringe human rights and has to be looked at in this respect. This is particularly true for fingerprint systems which raise this question due to their apparent similarity to police work. Systems not based on fingerprints are less suspicious, although the same questions can be asked.

This is what we have been made aware of:

According to Privacy commissions and specialists the storage of a biometric template does not raise concerns as long as it is done out of the free will of the person, and as long as the organisation doing this tells openly what happens to the provided information. Not all systems fulfil these requirements to the full extent. Particularly touchless systems (eye iris, face recognition) raise discussions, since they can work without the knowledge of the person verified.

With regards to fingerprint based methods, which are sometimes criticised, we can say that the stored fingerprint template should not allow reconstruction of the full fingerprint image. As soon as this is provided, the template can not be used for police work of any kind and the system therefore keeps privacy rules perfectly well, since it can only be used in co-operation with the person who is enrolled.

Particularly clean are systems where the biometric template is not held in a database, but on a badge which the user carries (e.g. a credit card).

For systems that are able to do a search (one to many) in a database the situation is different. Here we come to the limit of use of biometrics by private organisations. Those questions however depend on local laws; in this particular field the USA givesmore freedom to private organisations than for example European countries.

8. Biometric Glossary

Word Explanation