
HELSINKI UNIVERSITY OF TECHNOLOGY

Department of Electrical and Communications Engineering

Signal Processing Laboratory

Sampo Ojala

Biometric Authentication in Real-Time Large-Scale Applications

Thesis submitted for examination for the degree of Master of Science in Engineering in Espoo on April 5, 2005

Supervisor: Professor Jorma Skyttä

Instructor: Lic.Sc. (Tech.) Matti Tommiska

HELSINKI UNIVERSITY OF TECHNOLOGY
ABSTRACT OF THE MASTER'S THESIS
Author: Sampo Ojala
Name of the thesis: Biometric Authentication in Real-Time Large-Scale Applications
Date: April 5, 2005
Number of pages: 91
Faculty: Department of Electrical and Communications Engineering
Professorship: S-88 Signal Processing
Supervisor: Professor Jorma Skyttä
Instructor: Lic.Sc. (Tech.) Matti Tommiska

Biometric recognition is an addition to the traditional authentication methods, e.g. keys and passwords, which are based on tokens and knowledge, respectively. Biometric recognition is based on the physiological and behavioral characteristics of a person, which are impossible to lose and difficult to duplicate. In addition, biometric recognition is the only authentication method that can be used for identification applications.

In large-scale applications the number of users varies from tens of thousands to several millions. The large number of users sets certain demands for the performance of a biometric system. This is especially true in large-scale identification applications, where many matches must be conducted.

In this thesis, the different biometric technologies are discussed, concentrating on fingerprint and iris recognition in more detail. Large-scale applications and their specific performance demands are also discussed. The social and legal aspects of biometrics are briefly introduced, as well as pattern recognition in general.

In addition, two fingerprint recognition software programs are compared and studied in detail. Their performance in terms of error rates and execution times is measured and analyzed. The objective was to identify the processing tasks that take up a lot of time. In addition, the applicability of the software programs to a large-scale system is discussed.
Keywords: biometrics, fingerprint, iris, recognition, large-scale

TEKNILLINEN KORKEAKOULU (HELSINKI UNIVERSITY OF TECHNOLOGY)
ABSTRACT OF THE MASTER'S THESIS
Author: Sampo Ojala
Name of the thesis: Biometric Authentication in Real-Time Large-Scale Applications
Date: April 5, 2005
Number of pages: 91
Department: Department of Electrical and Communications Engineering
Professorship: S-88 Signal Processing
Supervisor: Professor Jorma Skyttä
Instructor: Lic.Sc. (Tech.) Matti Tommiska

Biometric recognition can be seen as an addition to traditional recognition methods such as keys and passwords, which are based on possession and knowledge, respectively. Biometric recognition is based on a person's physiological or behavioral characteristics, which are impossible to lose and difficult to copy. Biometric recognition is also the only authentication method that can be used in identification applications.

In large-scale applications the number of users varies from tens of thousands to several million. The large number of users places certain demands on the performance of a biometric application. This is emphasized especially in large-scale identification applications, where many comparisons must be made.

This thesis discusses different biometric recognition methods, concentrating especially on fingerprint and iris recognition. Large-scale applications and their performance requirements are also discussed. The basics of pattern recognition and the social and legal aspects of biometric recognition are introduced briefly.

Two programs intended for fingerprint recognition are compared in detail. Their performance, especially in terms of execution times and the number of recognition errors, has been measured. The objective was to identify the individual operations that take the most time in fingerprint recognition. In addition, the applicability of the programs to large-scale systems is discussed.

Keywords: biometrics, fingerprint, iris, recognition, large-scale


Acknowledgements

This Master’s Thesis was done in Signal Processing Laboratory at the Helsinki
University of Technology and a great deal of people have supported me to reach
this goal.

First of all, I would like to thank the supervisor of this thesis professor Jorma
Skyttä for his advice and comments. I am very grateful to him also for giving
me an opportunity to work with this very interesting subject. I would also like to
thank my instructor Lic. Tech. Matti Tommiska for his valuable comments on this
work and also for helping me on the writing of this thesis.

As this thesis was carried out, many unexpected practical problems occurred in
the way. Therefore, I want to express my gratitude to M.Sc. Juha Forstén, whose
help with these practical things was essential to complete this thesis. I would also
like to thank all the volunteers who have had their fingers on this thesis.

I want to thank also the current and former staff of Signal Processing Laboratory,
especially Antti Hämäläinen, Kimmo Järvinen, Jaakko Kairus, Esa Korpela, Jarno
Martikainen, Matti Rintamäki and Kati Tenhonen, for many fruitful conversations
and for creating an inspirational working environment.

I want to thank my parents, Hannele and Kari, for all the encouragement and support that I have received throughout my studies. I want to also thank my brother Vesa and all my friends for all the cheerful moments spent together.

Finally, I want to thank my lovely wife Susanna, who has always been there encouraging me and helping me to see also the other important things in life.

Contents

List of Figures
List of Tables
List of Abbreviations

1 Introduction
    1.1 Outline of the Thesis

2 Pattern Recognition
    2.1 Features and Templates
    2.2 Classifiers and Classification
        2.2.1 Different Classifiers
        2.2.2 Classification Result
    2.3 Performance Figures of a Classification System
        2.3.1 False Match Rate and False Non Match Rate
        2.3.2 Receiver Operating Characteristics and Equal Error Rate

3 Biometric Technologies
    3.1 Introduction
    3.2 Fingerprint Recognition
        3.2.1 Image Acquisition
        3.2.2 Fingerprint Features
        3.2.3 Image Processing and Template Generation
        3.2.4 Individuality
        3.2.5 Countermeasures Against Spoofing
        3.2.6 Advantages and Disadvantages
    3.3 Iris Recognition
        3.3.1 Image Acquisition
        3.3.2 Feature Extraction and Template Generation
        3.3.3 Individuality
        3.3.4 Countermeasures Against Spoofing
        3.3.5 Advantages and Disadvantages
    3.4 Other Methods
        3.4.1 Physiological Characteristics
        3.4.2 Behavioral Characteristics
        3.4.3 Technologies in the Development Stage
    3.5 Comparison Between Different Methods
        3.5.1 Attributes of the Biometrics

4 Large-Scale Systems
    4.1 Authentication Methods
    4.2 Performance of Large-Scale Systems
        4.2.1 Scaling of Error Rates
        4.2.2 Calculation Time
        4.2.3 Rank Probability Mass and Cumulative Match Curve
    4.3 Large-Scale Applications

5 Usability, Political and Legal Aspects
    5.1 Social Aspects
        5.1.1 Loss of Privacy
        5.1.2 Other Objections To Biometrics
        5.1.3 Commercial Potential of Biometric Recognition
        5.1.4 Biometric Standards
    5.2 Legal Aspects
    5.3 Political Aspects

6 Comparison of Two Fingerprint Recognition Software Programs
    6.1 Hardware Description
    6.2 Description of the Software Programs
        6.2.1 Bergdata Fingerprint Identification System
        6.2.2 NIST Fingerprint Image Software 2
    6.3 Conducted Measurements
    6.4 Fingerprint Recognition
        6.4.1 Enrollment
        6.4.2 Feature Extraction
        6.4.3 Fingerprint Matching
        6.4.4 Applicability to Identification

7 Conclusions

Bibliography

List of Figures

1 A multilayer neural network
2 Genuine and impostor probability density functions in two different cases
3 The performance figures of a recognition system
4 Receiver operating characteristic of two recognition methods
5 A typical fingerprint
6 FTIR-method
7 Five different major classes of fingerprints
8 The singularity points loop and delta
9 The two kind of minutiae
10 The very-fine level of fingerprint
11 The anatomy of an eye
12 The picture of an iris and the resulting IrisCode
13 Probabilities in an identification system with different number of users
14 An example of a rank probability mass function for two biometric templates
15 An example of a cumulative match curve
16 Total annual global biometric revenues with projections and 2004 Comparative Market Share by Technology
17 FCAT-100 fingerprint scanner
18 Fingerprint image reconstruction
19 An example fingerprint acquired with FCAT-100 fingerprint scanner
20 Structure of BDFIS fingerprint recognition software
21 Structure of NFIS2 fingerprint recognition software
22 Different maps
23 Quality map
24 Pixel patterns used for minutiae detection
25 Minutiae found in the feature extraction stage of BDFIS software
26 Minutiae with directions found in feature extraction stage of NFIS2 software
27 Minutiae found in feature extraction stage of BDFIS and NFIS2 softwares
28 False match rate and false non-match rate for NFIS2 and BDFIS software programs

List of Tables

1 Comparison of different biometric technologies
2 Error rates for common biometrics in different large-scale authentication scenarios
3 Average verification times in two different applications
4 Scaling of throughput time in large-scale systems
5 Different biometric large-scale applications
6 Global biometrics revenues by application in million USD
7 Characteristics of FCAT-100 fingerprint scanner
8 Feature extraction results in BDFIS software
9 Feature extraction results in NFIS2 software
10 Fingerprint matching results in BDFIS software
11 Fingerprint matching results in NFIS2 software

List of Abbreviations

AFIS Automatic Fingerprint Identification Systems
ANSI American National Standards Institute
API Application Programming Interface
ATM Automatic Teller Machine
BDFIS Bergdata Fingerprint Identification System
CBEFF Common Biometric Exchange File Format
CCD Charge Coupled Device
CDSA Common Data Security Architecture
CPU Central Processing Unit
DHS Department of Homeland Security
DNA Deoxyribonucleic Acid
DoD Department of Defense
dpi dots per inch
EER Equal Error Rate
ESD Electro-Static Discharge
FAR False Acceptance Rate
FBI Federal Bureau of Investigation
FMR False Match Rate
FNMR False Non Match Rate
FNR False Negative Rate
FPR False Positive Rate
FRR False Rejection Rate
FTA Failure to Acquire
FTE Failure to Enroll

FTIR Frustrated Total Internal Reflection
GB Gigabyte (2^30 bytes)
ICAO International Civil Aviation Organization
INS Immigration and Naturalization Service
kB kilobyte (1024 bytes)
NFIS2 NIST Fingerprint Image Software 2
NIST National Institute of Standards and Technology
NN Nearest neighbor
pdf probability density function
PC Personal Computer
PIN Personal Identification Number
RAM Random Access Memory
RDTSC Read-Time Stamp Counter
ROC Receiver Operating Characteristic
SDK Software Development Kit
USB Universal Serial Bus
WSQ Wavelet Scalar Quantization

Chapter 1

Introduction

Biometric recognition is in extensive use in our normal everyday life. We recognize our friends and other people by seeing their faces or hearing their voices. So biometrics is a way to recognize an individual by a characteristic which stems from the person herself.

After the terrorist attack on the World Trade Center on 11 September 2001, interest in security has increased throughout the world. Today, the USA scans fingerprints from everyone arriving into the country by airplane. At the same time the EU is planning to add face recognition as part of their passport system. The reason for the growth of biometric systems is that the price of biometric devices has fallen and the performance of the devices has improved a lot over the years, and this trend seems set to continue. Therefore biometric recognition is a feasible alternative in security issues, but it can also be used in payment applications on the Internet, for money withdrawal at an automatic teller machine (ATM), and to prevent the abuse of social benefits.

Biometric identifiers are an addition to knowledge- and token-based authentication methods. Traditionally the division is made into the following three categories:

Something you have: These are keys, magnetic cards and similar tokens.
Something you know: These are passwords and personal identification numbers (PINs).
Something you are: These are physiological or behavioral traits which are automatically measured.

The problem with traditional passwords and PINs is that they can be forgotten by a legitimate user or guessed by an intruder because they are often compromised, as they should be hard to guess but at the same time easy to remember. Keys and other physical tokens can be lost or duplicated. In addition, keys and passwords can both be shared with other people. A great advantage of using biometrics as an identifier is that a biometric identifier cannot be forgotten and is not easily stolen like physical tokens. It is also not compromised like passwords. In addition, biometric recognition is the only recognition method capable of negative authentication, used e.g. in screening applications (cf. Section 4.3). However, not even biometric systems are 100 percent accurate, and the best security level is probably reached by combining some or all of the above methods.

1.1 Outline of the Thesis

Once the biometric data has been captured e.g. as an image, feature extraction
and pattern recognition are applied to this data. Pattern recognition is basically a
comparison of the distinctive details, which are extracted from the input data, with
the details of a previously stored counterpart. Based on the similarities of these
two datasets, the actual decision will then be made. Chapter 2 explains some basic
concepts of pattern recognition in biometrics in more detail.

There are many different biometric technologies available, e.g. fingerprints, iris and voice. These different methods all have their advantages and disadvantages and thus the choice for the best biometric depends on the application at issue. Chapter 3 introduces the most common biometrics and summarizes their properties into one table.

There are many different authentication scenarios with biometrics. Some of these involve a large number of users and a large database. In such systems the performance is critical. This includes different error rates and calculation time, which both scale up in large-scale systems and must be approximated from a simpler case. These are the topics of Chapter 4, and the chapter is concluded with a review of implemented large-scale systems in different applications.

The extended use of biometric recognition involves many different social, legal
and political aspects. These are introduced in Chapter 5. Also the commercial
potential and biometric standards are briefly discussed in the chapter.

In Chapter 6, two different fingerprint recognition software programs are compared with each other. The chapter gives a detailed description of the hardware and the software programs. In addition, a description of the measurements is given, the obtained results are analyzed and finally, the applicability to identification is discussed. The conclusions are presented in Chapter 7.

Chapter 2

Pattern Recognition

The pattern recognition process classifies an object into one specific class out of two or more classes $(\omega_1, \ldots, \omega_n)$ by using the information available as an input. The information consists of distinctive features that describe the object. However, in biometric recognition the aim of the recognition process is somewhat different from a traditional classification scheme.

This chapter presents a brief introduction into pattern recognition. The concepts of a feature and a template are described. Different performance measures of a recognition system are also explained. There are many different classification methods, because the application field of pattern recognition is very diverse. Therefore different classification methods are only briefly mentioned.

2.1 Features and Templates

Features are characteristics, which describe an object in a certain way, and their actual type and number depend on the application in question (see Chapter 3). Since the final classification is based on these features, the selection of distinctive features is crucial for a good recognition result. Features are usually represented as a feature vector, whose dimension depends on the number of the selected features (see equation (1)).

$$\mathbf{x} = [x_1, x_2, \ldots, x_n]^T \tag{1}$$

The values of a good feature are more or less the same inside a certain class, but there is a significant difference in the values between two different classes (cf. Section 2.3). In some applications, the features should also be invariant to e.g. rotation, translation or scale. This means that the features are unaffected by the angle, location and size of an input (image) [Dud01]. Sometimes it is necessary for classification purposes that the original features are mapped into another feature space (often of a lower dimension), and these mapped features are then used with better success [The89].

The total number of features used is not theoretically limited in any way. Up to a certain point, the recognition process gets easier when more features are used. However, there is usually a practical upper bound for the number of features used, after which the performance of the system starts to degrade. The computational complexity also increases when the number of features increases. In addition, some of the features may be redundant with each other, i.e. they do not provide any additional information, and some may be unmeasurable due to e.g. excessive danger or cost [The03].

Templates are created from input samples given by a user, who enrolls himself to a biometric recognition system. The templates contain all the important information about the input sample from the pattern recognition point of view, and they serve as the reference data to which subsequent input samples are compared. Reconstructing a biometric input sample from a template is usually considered impossible, although some studies suggest that this is not the case with every biometric recognition method [Adl03]. In the enrollment procedure, many high-quality input samples must be taken from the user, or otherwise both the security and the convenience of the system are compromised. The requirement of high-quality templates leads to a failure to enroll (FTE) percentage, which is the fraction of the users who cannot use the biometric recognition device due to enrollment problems [Mal03].

2.2 Classifiers and Classification

In pattern recognition problems, there are many different ways to perform the
classification by using the selected features. Like the number of features, the
number of different classes is not limited either, but the classifier may need more
distinctive features as the number of possible classes increases.

2.2.1 Different Classifiers

Bayesian classifiers are based on a statistical approach. The object in question is classified into the class whose conditional probability $P(\omega_i \mid \mathbf{x})$ has the largest value. The conditional probability can be calculated by using the Bayes rule [The03]

$$P(\omega_i \mid \mathbf{x}) = \frac{p(\mathbf{x} \mid \omega_i)\, P(\omega_i)}{p(\mathbf{x})} \tag{2}$$

In equation (2), $P(\omega_i)$ is the a priori probability of class $\omega_i$, $p(\mathbf{x})$ is the probability density function of the feature vector $\mathbf{x}$ and the term $p(\mathbf{x} \mid \omega_i)$ is the probability density of the feature vector $\mathbf{x}$ within class $\omega_i$.

Nearest neighbor classifiers, or k-NN classifiers, are based on a nonparametric approach. In this scheme, the k nearest neighbors of an input feature vector are examined. The k nearest neighbors have already been classified and the input feature vector is classified into the class which is the majority class of the k nearest neighbors.

Neural networks consist of several inputs and two or more layers of interconnected neurons. The neurons are also weighted differently.

A two-layer network is a linear classifier that defines a straight line or a hyperplane in the feature space, which divides the feature space into separate classes. On the other hand, a multilayer neural network is used in cases where the problem cannot be solved with linear classification. By using a multilayer neural network, it is possible to define regions of classes in the feature space that are not linear nor simply connected to each other [Dud01]. The actual classification of an input feature vector is done by plotting the feature vector into the feature space and examining the corresponding class. An example of a multilayer neural network is shown in Figure 1.

Figure 1: A multilayer neural network

Decision trees are a nonmetric method of classification. In this method, a series of yes/no or true/false questions is posed for the input feature vector and the final classification is based on the progression through the decision tree.

In a syntactic (or structural) approach, an object is expressed as a composition of its components called primitives and subpatterns [Fu86]. The primitives can be combined to form subpatterns, which in turn can be combined into bigger entities by using certain syntax rules defined by a grammar. In other words, the rules of a grammar contain information about the different parts of an object (primitives) and the relationships between them (subpatterns). The rules of a grammar are applied one by one, until the object is classified.

2.2.2 Classification Result

Usually the outcome of a pattern recognition problem is the specific class into which the object in question is classified. However, in biometric recognition problems, the outcome of a recognition process is either accept/reject or the best n matches, depending on the application (cf. Section 4.1). In a biometric recognition process, an input sample¹ is compared to one or more templates. After this, the decision is made based on a similarity measure between the input sample and the templates. In other words, the goal of a biometric recognition process is not to determine to which specific class the input features belong, but whether the input features are similar enough to a pre-specified template or, alternatively, which templates are the nearest n templates (i.e. the best n matches).

When an input sample of a genuine user is compared to the template of the same
legitimate user, the result can never be a perfect 100 % match. Instead, if the
resulting match is a perfect 100 %, the input sample and the template are identical
and the situation should be considered as a replay attack, i.e. an attempt to spoof
the system (cf. Sections 3.2.5 and 3.3.4).

2.3 Performance Figures of a Classification System

A probability density function (pdf) describes the probability that a specific feature with a specific value is encountered. Genuine and impostor pdfs are shown in Figure 2a. The properties of a good feature are also shown in Figure 2a, where a pdf with the shape of a narrow spike means a small intra-class variance (i.e. many similar values). Additionally, the genuine and the impostor distributions are far apart, which means a large inter-class distance (i.e. the values are different).

In Figure 2b, the situation is not as good as in Figure 2a, as the distributions overlap more and the gray areas are the sources of classification errors, namely the false match (FM) and the false non match (FNM).

2.3.1 False Match Rate and False Non Match Rate

False match means that a match is declared between an input sample and a template, even though they come from different objects and should not match. The rate of how often this occurs is the false match rate (FMR). Respectively, a false non match is an event where an input sample and a template should match, but erroneously do not. The false non match rate (FNMR) is derived similarly to the FMR [Bol04].

Figure 2: Genuine and impostor probability density functions in two different cases

¹ In this section, input samples and templates consist of a feature vector, even when not explicitly stated.

In a positive authentication scenario, where a genuine user should be granted access, the two aforementioned terms are called the false acceptance rate (FAR) and the false rejection rate (FRR), respectively. In a positive authentication scenario, an impostor tries to break into a system by pretending to be someone else who is enrolled in the system.

In contrast to the positive authentication scenario, in a negative authentication scenario the legitimate users are not found in the database. The purpose of negative authentication is to find a specific person (e.g. a criminal) from a larger group of subjects, and therefore all subjects are screened (cf. Section 4.1). In a negative authentication scenario an impostor pretends to be a legitimate person, so that he will not be detected by the authentication system. If he succeeds in avoiding detection, a system error called a false negative occurs. Then again, if a legitimate person is erroneously thought to be a searched person, the system error is called a false positive or a false alarm. In a negative authentication scenario the system error rates are called the false negative rate (FNR) and the false positive rate (FPR), respectively [Bol04].

In Figure 3, all the four aforementioned system error rates are shown. The error
rates in dark gray circles stem from the FNMR and the error rates in light gray
circles stem from the FMR, respectively. The actual values of system error rates
are always only estimates for a particular biometric recognition method, since
they are obtained with a specific database and the values are not the same when
the recognition method is used in a real-world application [Bol04], [Nan02]. The
equal error rate (EER) point (cf. Section 2.3.2) and the important tradeoff between
system security and convenience are also shown in Figure 3.

When implementing biometric recognition, a suitable balance between system security and user inconvenience (and the FMR and FNMR levels) must be found by setting the system threshold. One extreme means maximal security with maximal inconvenience for users. This kind of system is very secure, but the vast majority of legitimate users are also rejected. The other extreme is the complete opposite. Usually, there are costs included in the decision about a suitable threshold level, since every false accept or false negative is a security risk. The severity of a security risk depends solely on the application. On the other hand, false rejections or false positives also increase the system costs, because there must be a protocol to handle these situations as well. Usually this means further investigations and more manual labour.

2.3.2 Receiver Operating Characteristics and Equal Error Rate

Since the system threshold level specifies both the FMR and the FNMR, two different biometric recognition methods (cf. Chapter 3) are comparable only at this specific operating point. In addition, when a comparison is done between two different implementations of the same biometric technology, the database used should also be the same in both implementations. For the reasons above, a receiver operating characteristic (ROC) curve is defined.

The FNMR level is depicted at each different FMR level on a ROC curve and thus the ROC curve combines the two error rates into the same figure. By using a ROC curve, it is possible to compare the performance of different recognition methods, although the aforementioned problem with the database integrity between different implementations still remains. Two typical ROC curves are shown in Figure 4. The closer the ROC curve is to the lower left corner, the better is the performance of the recognition method.

Figure 3: The performance figures of a recognition system

The effect of selecting a system operating point is evident in Figure 4. If a certain
FNMR level y3 is required from the system, recognition method a would be a
better choice than recognition method b, because the FMR level x1 is lower than
the FMR level x2. On the other hand, if a larger FMR level x3 can be tolerated,
recognition method b outperforms recognition method a with a lower FNMR level
y1.

Figure 4: Receiver operating characteristic of two recognition methods

The equal error rate (EER) is a system figure of merit, which is often used to
distinguish which of the recognition methods is better. The EER is a system op-
erating point, where the FMR level equals the FNMR level, as shown in Figure 4.
However, it is a common situation, that the ROC curves of two different methods
cross each other at some point. This means, that it cannot be stated unambiguously
which one of the two methods is better, as this depends on the selected operating
point of a system. Therefore, the EER value can be used only around a very nar-
row range of operating points. In addition, the EER presumes equal costs for the
FMR and the FNMR, which typically is not a valid assumption [Bol04].
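
The comparison described around Figure 4, worked through in code as an added example (not part of the thesis): two constructed score sets for methods a and b share the same EER, yet each method wins at a different operating point, and unequal error costs move the best threshold. The score values, the accept rule (score >= threshold) and the function names are assumptions made for the illustration.

```python
# Added example (not from the thesis): FMR/FNMR operating points, EER and
# cost-weighted threshold selection for two matchers.
# All similarity scores below are constructed sample data.

GENUINE_A = [30, 35, 62, 66, 70, 74, 78, 82, 86, 90]
IMPOSTOR_A = [10, 14, 18, 22, 26, 30, 34, 38, 42, 46]
GENUINE_B = [60, 63, 66, 69, 72, 75, 78, 81, 84, 87]
IMPOSTOR_B = [10, 15, 20, 25, 30, 35, 40, 45, 70, 80]


def error_rates(genuine, impostor, threshold):
    """Return (FMR, FNMR) when a comparison is accepted if score >= threshold."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def roc_points(genuine, impostor):
    """One (threshold, FMR, FNMR) operating point per distinct score value."""
    thresholds = sorted(set(genuine) | set(impostor))
    thresholds.append(thresholds[-1] + 1)  # reject-everything end of the curve
    return [(t,) + error_rates(genuine, impostor, t) for t in thresholds]


def equal_error_rate(genuine, impostor):
    """Return (threshold, EER) at the point where FMR and FNMR are closest."""
    t, fmr, fnmr = min(roc_points(genuine, impostor),
                       key=lambda p: abs(p[1] - p[2]))
    return t, (fmr + fnmr) / 2


def fnmr_at_fmr(genuine, impostor, max_fmr):
    """Lowest FNMR reachable while keeping FMR <= max_fmr."""
    return min(fnmr for _, fmr, fnmr in roc_points(genuine, impostor)
               if fmr <= max_fmr)


def fmr_at_fnmr(genuine, impostor, max_fnmr):
    """Lowest FMR reachable while keeping FNMR <= max_fnmr."""
    return min(fmr for _, fmr, fnmr in roc_points(genuine, impostor)
               if fnmr <= max_fnmr)


def min_cost_point(genuine, impostor, cost_fm, cost_fnm):
    """Return (threshold, cost) minimising cost_fm*FMR + cost_fnm*FNMR."""
    t, fmr, fnmr = min(roc_points(genuine, impostor),
                       key=lambda p: cost_fm * p[1] + cost_fnm * p[2])
    return t, cost_fm * fmr + cost_fnm * fnmr


if __name__ == "__main__":
    for name, gen, imp in (("a", GENUINE_A, IMPOSTOR_A),
                           ("b", GENUINE_B, IMPOSTOR_B)):
        print("method", name)
        print("  EER (threshold, rate):", equal_error_rate(gen, imp))
        print("  FNMR with no false matches:", fnmr_at_fmr(gen, imp, 0.0))
        print("  FNMR with FMR <= 0.2:", fnmr_at_fmr(gen, imp, 0.2))
        print("  FMR with FNMR <= 0.2:", fmr_at_fnmr(gen, imp, 0.2))
        print("  false match 10x as costly:", min_cost_point(gen, imp, 10, 1))
        print("  false non-match 10x as costly:", min_cost_point(gen, imp, 1, 10))
```

Both constructed methods have the same EER, so the EER alone cannot rank them; the ranking changes with the required FMR or FNMR level and with the cost ratio.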

Chapter 3

Biometric Technologies

3.1 Introduction

A biometric is defined as an automatically measurable, distinctive physical or
behavioral characteristic which is unique between individuals [Woo03].

There are many different biometric technologies available and the most suitable
technology depends always on the particular application. For example, the size of
the template varies between different biometrics, as do the accuracy and usability
of the biometric as well.

Usually there are two main classes, physiological and behavioral, distinguished
in biometric technologies according to how the characteristics are formed.

Physiological characteristics, e.g. fingerprint and iris, cannot be influenced by an
individual and thus they are very stable characteristics. The properties of genotypic
physiological characteristics are inherited from parents and they depend
strongly on genetics. Physiological characteristics which are phenotypic are developed
in the early embryonic stage and genetics do not affect them very much.
The measurement of physiological characteristics is based directly on a certain
part of the human body. [Woo03], [Nan02].

Behavioral characteristics, e.g. signature and gait, depend on a person’s behavior.
These characteristics are learned and they may change over a long time period, or
a person can alter the characteristic by relearning, although this becomes more
and more difficult after reaching an adult age. These characteristics are indirectly
based on human body, since they depend on subject’s actions. [Woo03], [Nan02].

It has been suggested, that drawing a line between these two groups is artificial
and should not be done since all biometrics are (to a certain extent) a combination
of physiological and behavioral characteristics. For example, a person’s voice is
affected by the way the person wants to speak but the voice is also limited by
his/her physiology of vocal tract. On the other hand, identical twins look alike
when they are newborn but e.g. lifestyle differences between the identical twins
may lead to different bodyweight between them. [Mal03]

From a technical point of view, a good biometric is such that it is stable (does
not change during a long time period), everyone has the characteristic which is
unique between different individuals, and it can be collected and measured quan-
titatively. In practice, there are also other demands for a good biometric, such as
performance (i.e. identification accuracy, speed etc.), how well it is accepted by
users, and how easy it is to fool the system. [Jai99].

There are mainly two different authentication events with biometrics: verification
and identification, which are also known as one-to-one matching and one-to-many
matching. In addition to these there is also one-to-few matching (cf. Chapter 4).

This chapter concentrates on fingerprint and iris scan technologies, and other com-
mon and evolving technologies are introduced briefly. A table which summarizes
the properties of these different methods is presented in Chapter 3.5.

3.2 Fingerprint Recognition

Fingerprint recognition is the oldest recognition method of all biometrics. It has
been used for several centuries, and dates back to ancient China where the fingerprints
were used as a "signature" on a clay seal [Mal03]. The fingerprint classification
system (cf. Chapter 3.2.2) which has also been adopted by the Federal
Bureau of Investigation (FBI) among others, is based on the "Henry system". The
"Henry system" is in turn based on observations by Sir Francis Galton, who also
identified the minutiae (cf. Section 3.2.2). [Bol04], [Fer04]

The development of Automatic Fingerprint Identification Systems (AFIS) began
in the early 1960’s when the number of fingerprint queries made and the size of
the fingerprint databank grew too big to be handled manually, as more and more
fingerprints were collected. Today the AFIS technology has grown beyond the
forensic applications into the civilian applications. [Mal03]

The long history and the maturity of fingerprint recognition is one reason for the
popularity of this method. However, because fingerprints have been used by law
enforcement and they have been accepted as evidence in courts of law for a
long time, some people do not want to use fingerprints as biometrics because it
makes them feel like criminals. [Chi03], [Rei04]

The fingerprints remain unchanged throughout the life [OGo99]. They are also
believed to be unique between all individuals and between different fingers of one
individual (see Section 3.2.4). Fingerprints are formed in embryonic period and
they are a phenotypic feature as their development depends on the position of the
fetus in the uterus and the flow of amniotic fluids around the fetus [Ric04]. Thus
fingerprints are only weakly determined by the genetics and this is the reason why
the fingerprints of identical twins differ from each other. [Bol04]

The actual fingerprint consists of different flowlike patterns of ridges (higher
parts) and valleys (lower parts) of papillary lines whose width varies from
100 µm to 300 µm [Mal03]. A typical fingerprint is depicted in Figure 5. Biologically
there are many purposes for this special skin structure. Fingerprint patterns make
perspiration easier by increasing the surface area (compared to smooth skin), they
enhance the touching sensation and provide a better gripping surface. [Bol04]

Latent fingerprints are created when somebody touches a smooth surface with a
finger. The grease and moisture are left from the finger in the shape of a fingerprint.
These are usually important traces of evidence on a crime scene. They may also be
lifted from surfaces and used to create an artificial fingerprint. [Mal03], [San04]

Figure 5: A typical fingerprint [Mal03]

3.2.1 Image Acquisition

In off-line methods the fingerprints are imaged using the traditional ink method,
where the finger is smeared with ink and then rolled from one side of the finger to
another (nail-to-nail) on a piece of paper [Mal03], [Woo03]. Afterwards the paper
may be imaged with a digital camera and the subsequent processing stages can also
be digital. In live-scan methods, the image of the fingerprint (dab impression) is
formed when the user’s fingerprint is scanned with a specific fingerprint scanner.
There are numerous different scanners which can be used for this purpose, and
their operation is based on different characteristics of the finger.

General Remarks on Acquisition Devices

The resolution of a scanner is the figure, which tells us how tiny details can be
observed from an image. The resolution of 500 dpi is the common standard
[OGo99]. If the resolution is good enough (625 dpi) one can even see the sweat
pores on the ridges (Figure 10). With a poor resolution scanner (200 - 300 dpi),
the only possible matching is the optical correlation, where the input fingerprint
is compared to reference fingerprint by placing them in different positions and
rotations on top of each other (cf. Section 3.2.3). [Mal03]

The area which can be captured from the finger is affected by the size of the
scanner. Therefore also recognition accuracy is affected because if the area is
large, more information can be gathered from the fingerprint. On the other hand,
larger scanner size increases the cost of the device. The 1"x1" is regarded as the
standard size for scanners [OGo99].

The color of the finger is not used in recognition and thus the scanners capture
8-bit grayscale images only. It is still partly unclear how the dynamic range
(the number of bits used for representation) in the image affects the recognition.
[Mal03]

Optical Scanners

The frustrated total internal reflection (FTIR) method is the oldest and most widely
used method today. [Mal03]. In this method the scanning is done by using a
light source which is typically an array of light emitting diodes (LEDs) and a
camera (see Figure 6) [Bol04]. The light illuminates the finger, which is pressed
on a glass or a plastic platen. Then the camera acquires a picture, where ridges
and valleys are shown in different shades, dark and light respectively, because
the ridges scatter and absorb the light whereas the valleys suffer a total internal
reflection [Mal03].

Figure 6: Frustrated total internal reflection method [Mal03, p.60]

Thermal Scanners

The sensor of a thermal scanner is fabricated by using a pyroelectric material,
which generates a current based on the temperature differentials between the finger
and the scanner surface [Mal03].

When using thermal scanners, the valleys of the fingerprint remain more distant
to the sensor’s surface than the ridges. The ridges which are in contact with the
sensor’s surface conduct the body’s own heat from a finger to the sensor (or vice
versa) more easily than the air between valleys and the sensor’s surface does. The
temperature differentials are measured between the nominal temperature of the
sensor and the temperature measured in the presence of the finger. [Rei04]

Capacitive Scanners

This is the most common method used within the silicon based scanners [Mai00].
The capacitive scanner consists of numerous small conductive plates and a dielec-
tric coating covering them. The scanner forms one side of the capacitor array,
and the skin of a pressed finger forms the other side. The capacitance across each
of the tiny capacitors depends on the distance of the two aforementioned capac-
itor plates, which is different depending on whether there is a ridge or a valley
as the other plate of the capacitor, since the valleys remain more distant to the
scanner surface than ridges. The image of a fingerprint is formed based on the
capacitances measured on each capacitor. [OGo99]

Ultrasound Scanners

This is the least frequently utilized of the primary technologies described in this
chapter [Nan02]. Ultrasound scanners use sound waves whose frequency ranges
from 20 kHz to several GHz, for imaging [San04]. A transducer sends short acous-
tic pulses and then receives the reflected echoes. The time elapsed between the
sent and the received pulse is measured. Therefore the operating principle of the
scanner is somewhat similar to an active sonar. There is a small time difference
between ridges and valleys since their distance is different from the transducer.

Pressure Scanners

The idea of pressure scanners is one of the oldest [Mai00]. The top layer is elastic
piezoelectric material which generates electric current due to a shape transformation
which occurs when the surface of the scanner is pressed mechanically with a
finger. The ridges and valleys present a different pressure on the scanner which
results in different currents and the image can be formed based on these differences.

3.2.2 Fingerprint Features

The examination of fingerprints is usually divided into three different levels.
The different characteristics at each of the three levels of examination
make the fingerprint unique, and they are used as features in the fingerprint
recognition process (cf. Section 3.2.3).

Global Level

The fingerprints are classified according to their global patterns into five different
major classes: left loop, right loop, whorl, arch and tented arch. These major
classes are represented in Figure 7. The percentages of population in each class are
17, 37, 33, 6 and 8 respectively, so that the majority of people belong only to two
of these classes [Rei04]. This classification is based on the Henry classification.
[Hen02]

The classification into these major classes can be made by using special singularity
points, called delta and core (or loop). Actually, core is the center point in the
northmost loop, and delta is a point where ridges flow into three different directions
in a triangular shape [Mal03]. The loop and the delta points are both shown
in Figure 8. However, these singularity points are not sufficient for
accurate matching, even though they are very important for fingerprint classifica-
tion [San04]. A subject may also have a fingerprint which is a combination of two
classes. On the other hand, there may be a situation where no singular points are
available at all. [OGo99]

In addition to singularity points, the number of ridges between these points
is also counted and used as an additional feature. The use of scars as a feature is
unusual, since they may be artificially introduced or temporary [OGo99].

Figure 7: Five different major classes of fingerprints. [Mal03]

Figure 8: The singularity points loop and delta. [Mal03]

Local Level

When the fingerprint patterns are examined in more detail small distinctive points
are observed. These points are called minutiae details or Galton’s details, and
they are made of ridge bifurcations and ridge endings. Approximately 80 percent
of finger-scan technologies are based on these details [Nan02].

The ridge bifurcation is a point, where one ridge is split into two separate ridges
at a Y-junction or alternatively two ridges combine into one. The ridge ending is
a point where a single ridge simply terminates or alternatively begins [OGo99],
[Tic01]. These two minutiae types are shown in Figure 9 and they form all other
types of minutiae, e.g. independent ridge, spur or lake [Hen02], [San04]. The
features from minutiae points include the position (x- and y-coordinates) of the
minutia where the core or the delta point of the fingerprint is usually used as the
reference point for minutia location [Rei04]. The other two features are the angle
of tangent of ridge line with respect to the horizontal axis at the minutia point and
the actual type of the minutia.

Figure 9: The two kinds of minutiae a) ending and b) bifurcation [Mal03]

Some matching algorithms do not distinguish between the two types of minutiae,
because the type may change to another during the image acquisition or image
processing steps [Bol04].

Very-Fine Level

The finest details in fingerprints consist of sweat pores whose size ranges from
60 µm to 250 µm. These are shown in Figure 10. The number, the position and
the shape of these sweat pores are very distinctive but since the pores are such small
details, a very high resolution scanner and good quality pictures are required.
[Mal03]

3.2.3 Image Processing and Template Generation

Before the aforementioned features (cf. Section 3.2.2) can be extracted, rather
time consuming image processing steps must be performed. Therefore one must
balance between the time spent on image processing versus the quality of the
images, which reflects on the number of successful recognitions [Hen02].

Figure 10: The very-fine level of fingerprint. The white dots in the middle of the
ridges are sweat pores [Mal03].

Usually the process begins by normalizing the gray values of the image. Then
the actual fingerprint is extracted from the background. [Hen02]. After this the
image is enhanced with e.g. lowpass or bandpass filtering [Mal03]. Finally the
image is binarized and the ridges of the image are thinned from 5 to 8 pixels
down to one pixel [Nan02]. Subsequently the pattern recognition algorithms can
be used on the outcome of the image processing stages described above, but
post-processing might still be needed since the binarization and thinning may introduce
false minutiae or lose genuine minutiae [Mal03].

The size of the template is very big if the whole uncompressed fingerprint image
is stored from the scanner. For example, when considering an 8-bit grayscale
fingerprint image with a size of 1"x1" and a resolution of 500 dpi, the size of the
image is 500 x 500 pixels x 8 bits = 2 000 000 bits ≈ 250 kB.

However, the whole 8-bit grayscale fingerprint must be stored if the recognition
is to be made by optical correlation, where the template and input fingerprints
are convolved with each other i.e. they are put on top of each other, in various
displacements and rotations [Mai00], [Mal03]. In the case of storing the whole
fingerprint, it must be compressed preferably in a lossless way, because important
information should not be lost. The wavelet scalar quantization (WSQ) method
is used in this case, and it is the standard used by the FBI even though it is lossy
[Mal03]. This method compresses the images by a factor of 10 [Mai00].

Usually the whole fingerprint image is not stored, but only a template generated
from the image. The original fingerprint cannot be adequately reconstructed from
the template, but there is enough information for effective searches and recognition
to be made. A fingerprint template consists of 30 to 40 different minutiae
points on the average. In this way, the size of the template ranges from 200 to 1000
bytes. [Nan02]. The template includes the features of minutiae points (position
and angle) and proprietary information is also added to the template, which may
be e.g. the type of the minutia, the ridge count between minutiae and the curvature
of the ridge where the minutia lies [Woo03].

If the fingerprint image is of poor quality, then the template and thus the matching
can be based on macro features of the fingerprint, e.g. location of the singular
points and ridge counts between them [Mal03].

3.2.4 Individuality

The fingerprints are a very distinctive biometric. As pointed out in Section 3.2,
even identical twins can be differentiated from each other.

Different probabilistic models for fingerprint individuality have been designed.
The model given in [Rat01] is based on the idea that the scanning area is divided
into separate equal size blocks. Each minutia in this model has d possible directions
and one of K different locations. The total number of different possible
locations is the same as the number of separate blocks. The probability that m of
Q random minutiae points match the R reference minutiae is calculated with
this model.

The second model given in [Pan02] is quite similar to the previous model. How-
ever, the system doesn’t have to be discrete as in the previous model i.e. the
minutiae point can be located anywhere on the ridges (which occupy half of the
fingerprint area) and at any angle with the exception that two minutiae points can-
not be very close to each other. If the input minutiae are sufficiently close to the
reference minutiae, a match is declared. This means that there is a certain toler-
ance area and angle. The probability that m of Q random input minutiae points
fall inside the tolerances of the reference R minutiae is calculated with this model.

If there are at least 25 of 40 minutiae needed to declare a match between two
fingerprints, the probabilities calculated using these two models are
$P(1) = 2.24 \times 10^{-26}$ and $P(2) = 2.5 \times 10^{-19}$ [Bol04]. Both of
these models are theoretical and they give an order-of-magnitude figure as an
outcome. There are several details which are not included
in these models, e.g. the type of the minutia since they cannot be distinguished
with a high level of accuracy. [Pan02]

Many countries use a 12-point rule in courts of law, which means that at least
12 minutiae are needed to determine that two fingerprints are similar. Then in
the best case where all 12 minutiae are found and they all match, the probability
of false association of two fingerprints is $P = 1.55 \times 10^{-16}$ [Bol04]. However, this
probability gets worse when only 12 minutiae are needed to declare a match and
if there are more than 12 minutiae present in both the template and in the input
fingerprint [Pan02].
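
The tolerance-based notion of a match used in the second model, together with a minimum-count decision such as the 12-point rule, as an added example (not code from the thesis or from [Pan02]). It assumes the two templates are already aligned; the tolerance values, the greedy pairing and the sample minutiae are constructed for the illustration.

```python
# Added example (not from the thesis): counting how many input minutiae fall
# inside the position and angle tolerance of a reference minutia, then
# applying a minimum-count rule. Templates are assumed to be pre-aligned.
import math

# Constructed reference template: 15 minutiae as (x, y, angle in degrees).
REFERENCE = [(20 + 40 * (k % 5), 20 + 40 * (k // 5), (37 * k) % 360)
             for k in range(15)]

# Constructed genuine input: 13 of the reference minutiae with small
# displacement and rotation noise, 2 missed, 1 spurious minutia added.
GENUINE_INPUT = ([(x + 4, y - 3, (t - 8) % 360) for x, y, t in REFERENCE[:13]]
                 + [(300, 300, 90)])

# Constructed impostor input: 4 coincidental agreements, 3 minutiae at the
# right place with the wrong direction, 6 minutiae at the wrong place.
IMPOSTOR_INPUT = ([(x + 2, y + 2, t) for x, y, t in REFERENCE[:4]]
                  + [(x, y, (t + 90) % 360) for x, y, t in REFERENCE[4:7]]
                  + [(x + 20, y + 20, t) for x, y, t in REFERENCE[7:13]])


def angle_diff(a, b):
    """Smallest absolute difference between two directions, in degrees."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def count_matching_minutiae(inp, ref, r0=15.0, theta0=22.5):
    """Number m of input minutiae paired one-to-one with a reference minutia
    lying within distance r0 (pixels) and angle theta0 (degrees)."""
    used = set()
    m = 0
    for x, y, th in inp:
        best, best_d = None, None
        for j, (rx, ry, rth) in enumerate(ref):
            if j in used:
                continue  # each reference minutia may be paired only once
            d = math.hypot(x - rx, y - ry)
            if d <= r0 and angle_diff(th, rth) <= theta0:
                if best is None or d < best_d:
                    best, best_d = j, d
        if best is not None:
            used.add(best)
            m += 1
    return m


def is_match(inp, ref, required=12, r0=15.0, theta0=22.5):
    """Declare a match when at least `required` minutiae agree."""
    return count_matching_minutiae(inp, ref, r0, theta0) >= required


if __name__ == "__main__":
    print("genuine:", count_matching_minutiae(GENUINE_INPUT, REFERENCE),
          is_match(GENUINE_INPUT, REFERENCE))
    print("impostor:", count_matching_minutiae(IMPOSTOR_INPUT, REFERENCE),
          is_match(IMPOSTOR_INPUT, REFERENCE))
    # Widening the tolerances turns the same impostor into a false match.
    print("impostor, lax tolerances:",
          is_match(IMPOSTOR_INPUT, REFERENCE, r0=30.0, theta0=90.0))
```

The last call shows why the tolerance area and angle belong to the security configuration: they move the matcher's FMR and FNMR in the same way as the decision threshold does.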

3.2.5 Countermeasures Against Spoofing

There are many different scenarios to spoof a fingerprint scanner. One obvious
threat is a fake finger. These can be manufactured from latent fingerprints left on a
smooth surface [Rei04]. However, the use of a fake finger requires the knowledge of
the subject in verification scenarios (cf. Chapter 4) and a good quality fingerprint
left on a proper surface where it can be lifted from.

Fake fingers (or dead fingers) can be detected to some extent by measuring e.g.
the temperature, perspiration, electrical characteristics, blood oxygen level and
the pulse of the finger [Mai00], [Rei04], [Woo03].

Security can be increased by using multiple fingers, possibly in a specific
sequence for recognition [Mai00]. A stimulus in a challenge-response
scenario, or a token demanded from the user, could also be combined with
fingerprint recognition to further increase the security [Rei04]. In [Mal03] there is a
suggestion that in addition to the normal fingerprint also a side impression of a finger
should be scanned, because it is not typically found in latent fingerprints.

The inherent problems in liveness testing are that the time of recognition process
increases, the price of the hardware gets higher, and the false reject rate increases
[Mal03].

3.2.6 Advantages and Disadvantages

Fingerprints have been used for a long time to good effect and they have proven
to be a very accurate way to identify people, although the accuracy is not as high
as with e.g. iris recognition systems (cf. Section 3.3.3). Fingerprints are also very
stable traits since small cuts, abrasions or superficial burn injuries do not affect
the fingerprint structure, and the fingerprint grows back with new skin after such
an incident [Mal03]. The size and the costs of fingerprint scanners
are quite small and the use of the scanners is also easy. For increased security,
multiple fingers (up to 10) can be enrolled. [Nan02]

The problems in fingerprint recognition are difficulties with the image quality if
the skin of the fingertip is too dry or too wet. In addition, there is a non-linear
transformation due to the pressure applied to the finger when using the scanner.
Usually people associate the fingerprint scanning with forensic applications, and
therefore do not want to use fingerprints as a biometric [Nan02].

3.3 Iris Recognition

Although the history of iris recognition traces back to 1936, this biometric is still
quite new compared to e.g. fingerprint. Iris recognition is based on the com-
plex patterns of the iris (see Figure 12). All commercial applications currently
implement J.G. Daugman’s patented techniques, which are described in the next
sections. The Iridian Technologies Inc. is the only company, which owns a pro-
prietary licence to these techniques. [Chi03], [Woo03]

The iris is the colored portion located in the eyeball, between the pupil and the
sclera. It consists of circular and radial smooth fibers, because the function of iris
is to control the amount of the light entering the pupil [Tor03]. The anatomy of an
eye is depicted in Figure 11.

Figure 11: The anatomy of an eye [DFE99].

The appearance of the iris depends on the initial conditions in the embryonic
period, and the development is completed by the eighth month of pregnancy. In
normal conditions, the iris patterns remain the same throughout the life making
them a very unique and stable trait. [Rei04], [Woo03]. Like fingerprints, the iris
is also a phenotypic feature. Iris patterns are not dictated by genetics, and this
results in different iris patterns in different eyes, and also between identical twins
who are genetically the same [Dau93].

3.3.1 Image Acquisition

Usually iris recognition requires a lot of user co-operation. First the subject looks
into the image acquisition device from a distance ranging from 3 inches (∼ 8 cm)
to 1 meter from the imaging device. However, this positioning stage can
be difficult and may lead to a failure of using the device, especially when image
acquisition is made from a long distance [Woo03]. The iris is then illuminated
with a near infrared light (λ = 700 - 900 nm) and a picture is taken with a
CCD-camera, whose resolution is normally 480 x 640. This means, that the iris radius is
about 100 - 140 pixels. [Rei04]. Currently, the pictures taken are 8-bit grayscale
and the color of the iris is not used in recognition. [Nan02]

When compared to fingerprints, there is no elastic distortion in an iris scan
because the iris is protected by the cornea of the eye. However, different imaging
conditions affect the recognition result, e.g. ambient lighting, tilt of the head,
size of the pupil, eye movement etc. [Chi03], [Bol04]. Also contact lenses affect
the recognition result but not as much as in the early days of iris recognition.

3.3.2 Feature Extraction and Template Generation

The first task is to locate the iris from the picture. The location of the center of the
pupil is estimated for this purpose. This may be difficult, if the subject has very
dark irises. [Nan02]. After this, the size and contrast corrections are made and the
outcome is a size-invariant representation of the iris [Woo03]. The iris patterns are
then isolated from the picture, and they are demodulated by 2D-Gabor wavelets,
which represent the texture of the iris by phasors [Dau93]. The phase information
is used because it is more discriminating than amplitude and it doesn’t depend
on the contrast of the image. The features used in the recognition are spatial
frequency and the position of distinctive areas. The upper and lower portions of
the iris are left unused, because of the possible occlusion caused by the eyelids.
Finally, the "IrisCode", which is a 256-byte binary code representing the iris, is
computed (see Figure 12). [Bol04], [Nan02]

3.3.3 Individuality

Biometric individuality is sometimes measured in degrees of freedom. The more
degrees of freedom there are, the smaller the probability to find two exactly
similar traits. There are 266 degrees of freedom in iris recognition, compared to
fingerprints whose degree of freedom is 35 [Chi03], [Dau99]. In the 256-byte
"IrisCode", there are 173 independent bits between different irises. The probability
of two irises being similar is thus $2^{-173} \approx 10^{-52}$ [Dau93]. This is a theoretical
figure and in practice the probability of false accept ranges from 1:133000 to
1:$10^{13}$, depending on the security level applied. [Dau04]

Figure 12: The picture of an iris and the resulting IrisCode in the top left [Dau04].

Iris recognition is considered to be the most accurate biometric method, although
in some studies the retinal scan is stated to be even more accurate. There is no
similar classification with iris patterns as with fingerprints, since the iris patterns
are so unique. [Chi03]

3.3.4 Countermeasures Against Spoofing

There are many ways to be sure that a live iris is being imaged and not a fake one.
Changing the illumination level causes the pupil to constrict or dilate depending
on the illumination change. There is also a phenomenon called hippus, which is a
small oscillation (about 0.5 Hz) of the pupil in constant illumination. In addition,
a real eye reflects light from the moist surface of the cornea and the amount of
reflected light can be measured in both constant and changing illumination. Fake
irises printed on contact lenses can be detected from a 2D-Fourier spectrum of the
image. [Dau93]

A user can be enrolled into the system with both eyes, and in a verification situ-
ation the user can be asked to show the iris in a particular eye or both eyes in a
particular order. [Chi03]

3.3.5 Advantages and Disadvantages

The advantages of iris recognition are its extremely high accuracy and simple tem-
plate. This allows using the iris recognition in identification applications, where
the biometric needs to be more accurate than in verification applications. Since the
iris is an internal trait, it is very difficult to tamper with.

The disadvantages of iris recognition are expensive and big image acquisition
devices, compared to fingerprint devices. Also the usability is worse than in fin-
gerprint devices, since the user has to be in a specific position to be recognized.
There is a fair percentage of people who cannot use iris recognition, because they
can’t provide adequate images. There is also strong belief among people that light
(infrared as well as any) used for illumination is harmful to the eye [Nan02]. Due
to the reasons above, iris recognition should probably be used only when extreme
accuracy is needed.

3.4 Other Methods

3.4.1 Physiological Characteristics

Face Recognition

Face recognition is not the most distinctive method, but it is one of the most ac-
ceptable biometrics, because it is used in our everyday life [Mal03]. The image
acquisition is done using live scan, a photograph or a video clip, and the acqui-
sition process can also be a covert one. The image acquisition conditions (e.g.
lighting) influence the success of recognition. [Bol04]

The recognition is based on the macro features of the face (e.g. mouth, eyes, nose)
and the distances between them or on the facial image as a whole. [Rei04]. The
size of a template is from less than 100 bytes to 3 kB [Woo03], [Nan02].

Voice Recognition

Voice recognition (which is also a behavioral characteristic) is comprised of two
separate technologies: voice-scan and speech recognition. It is considered as
distinctive as face recognition technology [Chi03]. The success of recognition is
affected by ambient noise from the environment, surrounding acoustics and the
quality of the microphones used [Rei04]. Voice recognition may be the only biometric
recognition method for certain specific applications, such as remote authentication
in telephone banking and in commerce over the mobile phone [Bol04].
Another application could be searching for a person from an archive of broadcast
news [Woo03].

In voice recognition, characteristics such as frequencies (fundamental and formant),
intensity and cepstral coefficients are used as features. The size of a template
is usually about 2-5 kB but it can be up to 10 kB. [Woo03], [Nan02]

Hand-Scan Recognition

The features in hand-scan recognition include the length, the width and the thick-
ness of the palm and the fingers. The limited accuracy of hand-scan recognition
allows its usage only for 1:1 verification and the method is not suitable for high
security applications either. [Chi03]. However, the method is widespread because of its
ease of use. It can also be integrated with fingerprint recognition for improvement
in security. [Bol04]. Typical template size is only from 9 to 50 bytes. [Chi03]

Retina Recognition

In retina recognition the choroidal vasculature is used for the recognition. These
blood vessels form a unique pattern in the back of the eye, immediately behind
the retina (see Figure 11). [Bol04], [Hil99]. Even identical twins can be
distinguished from each other with this method. The drawbacks of the method are that
the equipment is very difficult to use and some subjects have complained of a
headache after using the recognition device. The template size is only 96 bytes.
[Nan02], [Hil99]

3.4.2 Behavioral Characteristics

Signature Recognition

In dynamic signature recognition the distinctive features are e.g. shape of the sig-
nature, the signing speed, the applied pen pressure and pauses [Chi03]. Therefore
this method requires special hardware. In static signature recognition the signa-
ture is scanned from the paper, but it lacks information and is thus more easily
forged. [Bol04]. Signature is a changeable biometric, which can be considered
an advantage. The writing environment affects the outcome of recognition. The
template size in signature recognition is from slightly over 1 kB to approximately
3 kB. [Nan02]

Keystroke Recognition

This method is inexpensive since it needs only a standard keyboard. The user
types a password and the time that the individual keys are pressed, the time be-
tween these key presses and the total typing speed are measured. Currently this
method is used as an addition to PIN or password based authentication and thus it
still has the same problems as all password (knowledge) based systems (cf.
Chapter 1) [Chi03]. A problem is also that the keystrokes of a user differ from one
login to the next quite substantially. [Nan02]

3.4.3 Technologies in the Development Stage

The following technologies are experimental and still evolving. They may
appear as mainstream technologies within the next two to four years. [Nan02]

Vein Patterns and Thermal Scan Recognition use infrared cameras to acquire
pictures. The image can be taken from the back of the hand (vein patterns) or
from the face and it is not affected by ambient lighting in any way. However,
the equipment needed is still very expensive. [Woo03]

In Gait Recognition the subject is recognized by the way he/she walks, and a
video clip is usually needed. People can be recognized at a distance, but the
subject’s clothing and properties of the ground create problems. [Bol04]

Odor Recognition is based on the fact that each subject has an individual odor.
Currently sensors do not have the same range or sensitivity as the human nose.
People are also using deodorants and perfumes which affect the recognition.
[Bol04]

Ear Recognition is not a very accurate method, but it can be combined with e.g.
face recognition. The ear recognition is based on the shape and different distances
of the ear. If the ear is covered with e.g. hair, an infrared picture is needed.
[Bol04]

Deoxyribonucleic acid (DNA) recognition is a very accurate method. However,
it is still slow (on the order of days or weeks) and expensive as well. In addition,
identical twins cannot be distinguished from each other since they have similar
DNAs. Currently, DNA recognition is used by forensic sciences only. The actual
recognition requires a physical sample and not just a picture or some other external
measurement. Such a physical sample can be blood, semen or other bodily sample
for example. Less obtrusive techniques, which use e.g. hair or skin for extracting
DNA, are being developed. Great care must be taken to avoid the contamination of
the sample. Also stealing a DNA sample for future use is easy [Woo03], [Mal03].

There have been discussions about DNA databanks, where the information from
samples of criminals has been collected. When used properly, a DNA databank
can be a very powerful tool. On the other hand, DNA databanks raise the concern
about individuality, since the information gathered from DNA samples can re-
veal susceptibilities to some genetic diseases, which may result in discrimination
[Mal03].

3.5 Comparison Between Different Methods

A summary of the most popular biometrics is presented in Table 1. The table
is constructed by comparing several different sources. A higher rate is better with
the exception of issues concerning covert operation, cost and template size.

3.5.1 Attributes of the Biometrics

Universality: Does everyone have the biometric at issue? Ideally everyone should
have the biometric, but sometimes e.g. fingers can be missing. This eventually
leads to a failure to acquire (FTA) for some people.

Uniqueness: Is the biometric unique? The biometric should be unique between
people, especially in identification applications. If this is not the case, something
else is needed for authentication as well, for example another biometric, a token or
a password.

Permanence: Is the biometric stable over a long time period? If it is not, it can
be expected that recognition is not as successful after a long time, because the
biometric has changed. Also the template needs to be updated regularly.

Collectability: Can the biometric be collected and measured in a reasonable time?
If it cannot be measured in situ, no recognition can be done in real time. This
figure of merit also reflects the difficulty of acquiring the biometric, which depends
on various factors e.g. distortions from the environment.

Acceptability: Is the biometric well accepted by people in general? If the
acceptability is low, the subjects must be forced to use the biometric for recognition,
since no one wants to use this kind of a biometric voluntarily.

Circumvention: Is it hard to spoof or somehow circumvent the biometric at
issue? It has been stated that, given enough time and resources, every biometric can
be circumvented, but the effort required for this varies [Bol04, p.215].

Covert: Is it possible to collect the biometric even without the subject's
knowledge? This property can be used in screening applications where a potential threat
is searched among all people but it raises concerns of a "Big Brother"-scenario.
Higher rate in Table 1 means easier covert operation.

Cost: How much does the biometric device cost? The lower the cost in Table 1
the better.

Ease of Use: How easy is the biometric to use? The higher the rate in Table 1 the
easier is the usage. This might be an important aspect e.g. in large-scale applications.

Template: What is the size of the template in bytes? The lower the figure in
Table 1 the better. This is especially important in smartcard applications, where
the amount of memory is limited.

Table 1: Comparison of different biometric technologies [OGo99], [Rei04], [Nan02], [Chi03], [Bio03], [Per03] and [Mal03]

| Attribute | Fingerprint | Iris | Face | Voice | Hand | Retina | Signature | Keystroke | DNA |
|---|---|---|---|---|---|---|---|---|---|
| Universality | Medium | High | High | Medium | Medium | High | Low | Low | High |
| Uniqueness | High | Very high | Medium | Low | Medium | High | Low | Low | Very high |
| Permanence | High | High | Medium | Low | Medium | High | Low | Low | High |
| Collectability | Quite high | Medium | Quite high | Medium | High | Low | Quite high | Quite high | Quite low |
| Performance | High | High | Quite low | Low | Medium | High | Low | Quite low | High |
| Acceptability | Medium | Low | High | High | Medium | Low | High | Quite high | Low |
| Circumvention | High | High | Low | Low | Medium | High | Low | Medium | Low |
| Covert | Medium | Low | High | High | Low | Low | Low | Medium | Low |
| Cost | Low | Medium | Low | Low | Low | Medium | Medium | Low | High |
| Ease of use | High | Quite low | Quite high | High | High | Low | High | N/A | N/A |
| Template (bytes) | 250-1200 | 256-512 | 85-2000 | 2000-10000 | 9-100 | 96 | 500-1500 | 512-2176 | N/A |

Chapter 4

Large-Scale Systems

Biometric authentication systems differ from each other by the size of their data-
bases and the number of input-template comparison processes. Therefore, also
the system performance figures, i.e. the calculation time (cf. Section 4.2.2) and
error rates (cf. Section 2.3), differ from each other.

This chapter introduces different authentication methods. The inevitable changes
in the performance figures of a system, which take place when a small-scale
system is enlarged into a large-scale system, are also considered here. Different real
world large-scale applications either planned or already in use are introduced at
the end of this chapter.

4.1 Authentication Methods

The division into different authentication methods is based on the number of
matching operations.

Verification (1:1 or one-to-one matching) is the simplest case of all authentication
methods. Verification answers the question, "Am I the one who I claim to be?".
In this authentication method, the user claims to be a legitimate person by giving
e.g. a PIN or introducing a smartcard to a reader. Then the user gives his/her
biometric input sample, which is compared only to the template of the claimed
person. The answer of a system is simply accept or reject based on the matching
score. [Bol04]

The one-to-few (1:few) matching is almost as simple an authentication procedure as
verification. This authentication method answers the question, "Am I on the
database and if I am, who am I?". In this case the user doesn't have to exclusively
identify herself like in a verification system. Instead, the user introduces a
biometric sample as an input, which is then compared with every template in the system.
In one-to-few systems, the number of these templates is usually between 5 and 10
i.e. there is a quite small user group, although in some one-to-few systems there
may be even 100 templates in the database [Nan02].

Also in the watchlist (or screening) applications, the biometric input sample of a
subject is compared with every template in the whole database. The templates in
watchlist applications represent e.g. "the most wanted criminals" and the number
of these templates is a few hundred [Bol04]. However, the system performance
(e.g. the FMR) of a watchlist application degrades when the number of templates
increases. The relationship between the number of the templates and the FMR
is still a poorly understood issue. Another problem is that the input samples are
often of poor quality, since they are taken involuntarily. [Jai04]

Identification (1:N or one-to-many matching), which is the most ambitious
scenario for biometric applications, answers the question "Who am I?" [Bol04].
In this case the user does not claim anything about his/her identity in advance.
Instead, the user only introduces a biometric input sample, which is then
compared with different templates in the database. The result of the comparison is
e.g. the top 10 matches, from which a human operator can make the final decision
about the user's true identity. Alternatively, a second biometric can be used to
narrow down the number of matches. There is also a possibility that no match
occurs, which means that there is no identity corresponding to the input sample.
Like in the 1:few systems, the identification system can also be used in a negative
authentication scenario (i.e. screening) [Nan02].

The identification process requires a very accurate biometric or otherwise there
will be too many (false) matches, which in turn increase the amount of human
intervention. Identification is also very time consuming, because in the worst case
the input sample has to be compared with every single template in the database.

4.2 Performance of Large-Scale Systems

A biometric system can be considered a large-scale system if it is used from many
different places by many different users and it contains templates of at least
100 000 users [Nan02]. For example, currently the automatic fingerprint
identification system (AFIS) used by the Federal Bureau of Investigation (FBI) contains
approximately 46 million so-called "ten prints", which are sets of 10 fingerprints
taken from a certain subject. There are approximately 50 000 daily queries to this
database [Jai04].

The change of the system performance figures when moving to a large-scale
system is considered next. This affects mostly the identification process. In the
case of a verification process, the total size of the database doesn't have much
effect, since the input is always compared with the template of one single subject.
The actual acquisition of a biometric, with the subsequent image enhancement
and feature extraction stages, takes the majority of the verification time. [Woo03]

In large-scale applications, problems may also arise from using different authen-
tication devices (e.g. optical or thermal fingerprint scanners) in many different
environments, where the ambient conditions (e.g. temperature, humidity etc.)
vary.

4.2.1 Scaling of Error Rates

There are different models developed for the scaling of the error rates. In the
following sections two representative models are explained in more detail. To
emphasize the difference between small- and large-scale system in these models,
the error rates in the former systems are denoted as FMR(1) and FNMR(1), or
alternatively FMR(i) and FNMR(i) if there are many biometrics. Again, the per-
formance figures of large-scale systems are denoted as FMR(m) and FNMR(m).

Simple Model

The model for approximating the FMR(m) and the FNMR(m), given in [Ger99]
and in [Way99], is a simplified model. It doesn’t take into account that there may
be multiple templates in the database which match with the one input sample in a
large-scale identification application [Bol04]. In this model, an impostor is falsely
matched if an input sample matches to one or more templates in the database. On
the other hand, a user is correctly identified if an input sample matches with a
certain template, regardless of what happens with the other templates.

The derivation of the FMR(m) is given in equations (3)-(7). It is further assumed
in equation (5), that every biometric input sample i has the same FMR value, i.e.
FMR(i) = FMR.

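\begin{align}
\mathrm{FMR}(m) &= 1 - P(\text{correct reject}) \tag{3} \\
&= 1 - \prod_{i=1}^{m} \bigl(1 - \mathrm{FMR}(i)\bigr) \tag{4} \\
&= 1 - (1 - \mathrm{FMR})^{m} \tag{5}
\end{align}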

If the FMR value is small, the following approximation is valid,

$$(1 - \mathrm{FMR})^{m} \approx 1 - m \times \mathrm{FMR} \tag{6}$$

Thus the FMR(m) is approximated as,

$$\mathrm{FMR}(m) \approx m \times \mathrm{FMR} \tag{7}$$

It can be seen from equation (7), that the increase in the false match rate is
approximately linear as the size of the database increases.

According to this simple model, the false non match rate remains the same in
large-scale systems as it is in small-scale systems. This can also be seen from
equations (8)-(10).

\begin{align}
\mathrm{FNMR}(m) &= 1 - P(\text{correct identification}) \tag{8} \\
&= 1 - \bigl(1 - \mathrm{FNMR}(i)\bigr) \tag{9} \\
&= \mathrm{FNMR} \tag{10}
\end{align}

Complex Model

The more complex model for approximating the FMR(m) and the FNMR(m) is
given in [Bol04]. The difference to the simple model given above is that if there is
an input sample matching with many templates, the matching result is considered
ambiguous and the subsequent handling depends on the system policy. The
result can be considered as an accept or reject, which in turn affects the FMR(m)
and the FNMR(m) of the system. Alternatively, a second biometric or a human
intervention can be used.

When a system is used by an impostor, who does not have a template in the
database of the system, there are three different probabilities for the system out-
put. The user may be falsely matched with exactly one template, he/she may be
correctly rejected (i.e. the input sample does not match with any of the templates
in the database) or the answer may be ambiguous, in which case the input sample
matches with many different templates suggesting many different identities.

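The false match rate in the case of an impostor user is,

\begin{align}
\mathrm{FMR}(m) &= \binom{m}{1}\, \mathrm{FMR}(i) \times \bigl(1 - \mathrm{FMR}(i)\bigr)^{m-1} \tag{11} \\
&= m \times \mathrm{FMR}(i) \times \bigl(1 - \mathrm{FMR}(i)\bigr)^{m-1} \tag{12}
\end{align}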

If $\mathrm{FMR}(i) \times m \ll 1$, equation (12) reduces to equation (5).

The probability that the input sample of an impostor user is correctly rejected is

$$P(\text{correct reject}) = \bigl(1 - \mathrm{FMR}(i)\bigr)^{m} \tag{13}$$

After the two cases above, the remaining probability is the probability of an
ambiguous answer. This can be calculated by using equations (12) and (13) as
follows,

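\begin{align}
P(\text{ambiguous impostor}) &= 1 - P(\text{correct reject}) - \mathrm{FMR}(m) \tag{14} \\
&= 1 - \bigl[1 + (m - 1)\,\mathrm{FMR}(i)\bigr]\bigl(1 - \mathrm{FMR}(i)\bigr)^{m-1} \tag{15}
\end{align}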

In an identification system, the input sample of a genuine user, who has a template
stored in the database, should correctly match with exactly the one template of
the user. However, there is a possibility, that erroneously no match is declared
between the input sample and any of the templates in the database. In addition,
a misidentification may occur, where the input sample of a user is incorrectly
matched with exactly one template, but the matched template belongs to a wrong
person. There may also be an ambiguous answer, where the input sample matches
with several templates, which either include the correct template or not.

The probability, that an input sample of a genuine user is correctly matched with
his/her own template, is

$$P(\text{correct identification}) = \bigl(1 - \mathrm{FNMR}(i)\bigr) \times \bigl(1 - \mathrm{FMR}(i)\bigr)^{m-1} \tag{16}$$

Respectively, the false non match rate is,

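\begin{align}
\mathrm{FNMR}(m) &= 1 - P(\text{correct identification}) \tag{17} \\
&= 1 - \bigl(1 - \mathrm{FNMR}(i)\bigr) \times \bigl(1 - \mathrm{FMR}(i)\bigr)^{m-1} \tag{18}
\end{align}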

Again, if it is assumed here that $\mathrm{FMR}(i) \times m \ll 1$, equation (18) reduces to
equation (10).

The probability, that an input sample of a genuine user is falsely matched with a
template of somebody else, is

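\begin{align}
P(\text{mis-id}) &= \binom{m-1}{1}\, \mathrm{FNMR}(i) \times \mathrm{FMR}(i) \times \bigl(1 - \mathrm{FMR}(i)\bigr)^{m-2} \tag{19} \\
&= (m - 1) \times \mathrm{FNMR}(i) \times \mathrm{FMR}(i) \times \bigl(1 - \mathrm{FMR}(i)\bigr)^{m-2} \tag{20}
\end{align}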

Finally, the remaining probability after the correct identification and the misiden-
tification is the probability of an ambiguous case. To calculate this probability,
equations (16) and (20) are used as follows,

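\begin{align}
P(\text{ambiguous genuine}) &= 1 - P(\text{correct identification}) - P(\text{mis-id}) \tag{21} \\
&= 1 - \bigl[1 - \mathrm{FNMR}(i) - \mathrm{FMR}(i) + m \times \mathrm{FNMR}(i) \times \mathrm{FMR}(i)\bigr]\bigl(1 - \mathrm{FMR}(i)\bigr)^{m-2} \tag{22}
\end{align}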

The error rates given by Equations (12)-(22) are depicted in Figure 13 using typ-
ical accuracy rates for fingerprint recognition (FMR(i) = 0.01 % and FNMR(i) =
2,5 %) [Jai04]. According to the equations, as the size of the database in a system
increases, the false match rate (Figure 13a), or alternatively the probability of
misidentification (Figure 13f), increases in the beginning. However, after a cer-
tain number of templates these probabilities start to decrease because the number
of ambiguous answers starts to increase very rapidly (Figures 13c and 13g). The
bigger the database of a large-scale system is, the smaller the FMR(i) value of a
selected biometric should be. In Table 2, basic error rates for common biometrics
in different authentication scenarios are given.
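
The rise and fall of the false match rate described above can be checked numerically. The following Python code is an added example, not part of the thesis: it evaluates equations (5), (7) and (12)-(21) for the fingerprint rates quoted above, with function names chosen here. As an assumption of this example it also splits the remainder of equation (21) into a no-match part and a multiple-match part, using the same independence model.

```python
import math


def _pow1m(p, k):
    """(1 - p)**k via log1p, accurate for tiny p and very large k."""
    return math.exp(k * math.log1p(-p))


def simple_model(fmr, fnmr, m):
    """Simple model: one or more false matches all count as a false match."""
    return {
        "fmr_m": 1.0 - _pow1m(fmr, m),  # eq. (5)
        "fmr_m_linear": m * fmr,        # eq. (7), only valid while m*FMR << 1
        "fnmr_m": fnmr,                 # eq. (10)
    }


def impostor_outcomes(fmr, m):
    """Complex model: impostor (no enrolled template) against m templates."""
    reject = _pow1m(fmr, m)                      # eq. (13): no template matches
    false_match = m * fmr * _pow1m(fmr, m - 1)   # eq. (12): exactly one matches
    ambiguous = max(0.0, 1.0 - reject - false_match)  # eq. (14): two or more
    return {"reject": reject, "false_match": false_match, "ambiguous": ambiguous}


def genuine_outcomes(fmr, fnmr, m):
    """Complex model: enrolled user against m templates (one is his/her own)."""
    correct = (1.0 - fnmr) * _pow1m(fmr, m - 1)          # eq. (16)
    mis_id = (m - 1) * fnmr * fmr * _pow1m(fmr, m - 2)   # eq. (20)
    remainder = max(0.0, 1.0 - correct - mis_id)         # eq. (21)
    # Not an equation from the page: the remainder of (21) still contains the
    # case where the own template is missed and nothing else matches either.
    no_match = fnmr * _pow1m(fmr, m - 1)
    return {
        "correct": correct,
        "mis_id": mis_id,
        "fnmr_m": 1.0 - correct,                         # eq. (17)
        "remainder_eq21": remainder,
        "no_match": no_match,
        "multi_match": max(0.0, remainder - no_match),
    }


def fmr_peak_size(fmr):
    """Database size that maximises eq. (12).

    Setting d/dm ln(m * F * (1-F)^(m-1)) = 1/m + ln(1-F) to zero gives
    m = -1/ln(1-F), which is close to 1/FMR for small FMR.
    """
    return -1.0 / math.log1p(-fmr)


def sweep(fmr, fnmr, sizes):
    """One row per database size: the quantities plotted in Figure 13."""
    rows = []
    for m in sizes:
        imp = impostor_outcomes(fmr, m)
        gen = genuine_outcomes(fmr, fnmr, m)
        rows.append((m, imp["false_match"], imp["ambiguous"],
                     gen["fnmr_m"], gen["mis_id"], gen["multi_match"]))
    return rows


if __name__ == "__main__":
    FMR, FNMR = 0.0001, 0.025   # 0.01 % and 2,5 %, the values used for Figure 13
    print("m         FMR(m)   P(amb imp)  FNMR(m)  P(mis-id)  P(multi gen)")
    for row in sweep(FMR, FNMR, [1, 100, 1_000, 10_000, 100_000, 1_000_000]):
        print("%-9d %.4f   %.4f      %.4f   %.4f     %.4f" % row)
    print("FMR(m) peaks near m = %.0f templates" % fmr_peak_size(FMR))
```

With these rates the single-false-match probability peaks at roughly 10 000 templates, where it is about 37 %; beyond that size almost every impostor search ends as an ambiguous multi-candidate result that needs a second biometric or an operator.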

For large-scale applications, fingerprint is considered to be a very good biometric,
since it has been used successfully in systems with tens of millions of templates
[Woo03]. Although the FMR of the fingerprint recognition is somewhat higher
than the FMR of the iris recognition, the failure to enroll (FTE) percentage is
lower when using the fingerprint recognition. This is also an important point
when implementing wide-spread large-scale systems.

As already stated, a biometric with a poor FMR can be used for verification
applications by itself, or it can be used for identification applications in conjunction
with another (more accurate) biometric, as is the case in multimodal biometric
systems.

Figure 13: Probabilities in an identification system with different number of users.
FMR(i) = 0.01 % and FNMR(i) = 2,5 %

Table 2: Error rates for common biometrics in different large-scale authentication
scenarios [Jai04]

| Biometric | FTE% | FNMR% | FMR% (1:1) | FMR% (1:few), 500 identities | FMR% (1:N), 1 million identities |
|---|---|---|---|---|---|
| Face | N/A | 4 | 10 | 12 | 40 |
| Fingerprint | 4 | 2,5 | < 0,01 | < 1 | 0,1 |
| Hand | 2 | 1,5 | 1,5 | N/A | N/A |
| Iris | 7 | 6 | < 0,001 | N/A | N/A |
| Voice | 1 | 15 | 3 | N/A | N/A |

4.2.2 Calculation Time

The total response time of a system is directly affected by the calculation time,
which is the time that elapses when enhancing the image of an input sample,
extracting features and matching an input sample with a template. The factors
affecting the calculation time of a system are the processing speed of hardware
when comparing a sample to a template (1:1 comparison rate), the number of
collected input samples, the number of stored templates in the database and the
actual data structure of a system, i.e. how the templates in a database are organized
[Jai04].

Verification Applications

The response time of a verification system, even in large-scale applications, is not
limited by the processing speed of the hardware or the structure of the database,
like in large-scale identification systems. Instead, the limiting factor in this case
is the presentation of an input sample [Jai04]. Average verification times for
different biometrics in two experiments are represented in Table 3. In these
experiments, the users identified themselves by using a PIN [Man01] or a smartcard
[Nav02], before introducing a biometric input sample for verification. However,
the verification times obtained in Table 3 seem to be quite long for some reason.

Table 3: Average verification times in two different applications [Man01],
[Nav02]

| Biometric | PIN, avg. time (seconds) [Man01] | Smartcard, avg. time (seconds) [Nav02] |
|---|---|---|
| Face | 15 | 15 |
| Fingerprint (optical) | 9 | N/A |
| Fingerprint (chip) | 19 | 26 |
| Hand | 10* | 15 |
| Iris | 12* | 16 |
| Voice | 12 | 26 |

* Time includes entry of a PIN

There are small differences in the verification times between different biometrics.
Since different biometric devices are used in both experiments, the verification
times also differ between the same biometrics.

As a comparison of a biometric authentication with traditional authentication
methods, password authentication takes about three to five seconds and smartcard
authentication about one second [Woo03].

Screening and Identification Applications

System throughput is the number of users that a system can handle in a certain
time. In large-scale identification systems, throughput is mainly limited by the
computational speed of a system. [Jai04]

Table 4 presents throughput times that are believed to be order-of-magnitude
estimates of the performance of the state of the art systems. The presenting of a
biometric, the subsequent image enhancement and feature extraction are not included
in the throughput times. In addition, the fingerprint screening assumes use of 2
fingers and the performance of fingerprint identification reflects the state of the
art AFIS performance based on 10 fingers [Jai04]. Therefore, the screening and
identification times for fingerprints are longer and the throughputs consequently
lower when compared with face and iris recognition.

The calculation time can be reduced by making a coarse classification in the begin-
ning of the recognition process. For example, in fingerprint recognition systems,
the minutiae method is a time consuming process. Therefore pre-classification
can be used, which is based on macro features and different classes of the
fingerprint [Mal03]. Also multiple special hardware units and "exogenous" data, e.g.
gender, age etc., can be used to reduce the calculation time.

The problem in a coarse classification is that the process may introduce an error.
The pre-classification is difficult because of the large intra-class variability which
is common to many biometrics. However, if there is no pre-classification before
an extensive search, the search time increases linearly as the size of the database
increases [Ger97]. Also other approaches, used to reduce the calculation time,
suffer from problems. The use of multiple special hardware units as the database
increases is expensive, and the extensive use of "exogenous" data may also lead
to an error, since a user may intentionally change this data when trying to avoid
identification, e.g. appearing older. [Jai04]

Table 4: Scaling of throughput time in large-scale systems [Jai04]

| Biometric | Verification time (one identity), µsec | Screening throughput (500 identities), users / sec | Identification throughput (1 million identities), users / min |
|---|---|---|---|
| Face | 90 | 22 | 0,66 |
| Fingerprint | 10000 | > 1 | 1 |
| Iris | < 1 | > 2000 | > 60 |

4.2.3 Rank Probability Mass and Cumulative Match Curve

In addition to FMR and FNMR in Section 4.2.1, also rank probability mass func-
tion (RPM), cumulative match curve (CMC) and penetration coefficient are im-
portant figures of merit for large-scale identification systems.

An identification system usually returns the top K identities, instead of returning
exactly one single identity. These identities are the K best matches with an identity
represented by an input biometric sample and they are ranked from rank 1 to
rank K starting from the best matching identity. The rank is different from a
similarity measure, since there may be big difference in the similarity measure
(i.e. a matching score) between two consecutive ranked identities. In addition,
identities used in ranking, may include more than one template per user. [Bol04]

The RPM consists of probabilities that a correct identity is ranked to a certain
rank r. The RPM, which describes the ranking behavior of the system, can be
used to evaluate an identification system since an effective system should always
have low rank with high probabilities (ideally r = 1 with the probability of 1). The
RPMs for a good and a poor biometric template are depicted in Figure 14. [Bol04]

Figure 14:
An example of a rank probability mass function for two biometric templates:
a) a good template and b) a poor template

The cumulative match curve (CMC) is the cumulative sum of RPM. In other
words, it gives the (cumulative) probability that a correct template corresponding
to an input sample is found. The more rapidly CMC rises towards the
probability $P_{CMC} = 1$, the better the performance of an identification system. The CMC
can be used to determine the length of a list, which is given as an outcome of an
identification system. An example of a CMC is shown in Figure 15. [Bol04]

Figure 15:
An example of a cumulative match curve
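
The following Python code is an added example, not part of the thesis, showing how an RPM and a CMC are obtained from ranked search results and how the CMC gives the candidate-list length. The score data are constructed for illustration; taking the best score over an identity's templates and ranking ties pessimistically are assumptions of this example.

```python
def rank_of_true(scores_by_identity, true_id):
    """1-based rank of the enrolled identity in one identification search.

    An identity may hold several templates; its score is the best of them.
    Ties are resolved pessimistically: the true identity is ranked last
    among equal scores. Raises KeyError if the probe is not enrolled.
    """
    best = {ident: max(scores) for ident, scores in scores_by_identity.items()}
    own = best[true_id]
    return 1 + sum(1 for ident, s in best.items()
                   if ident != true_id and s >= own)


def rank_probability_mass(ranks, gallery_size):
    """RPM: fraction of searches in which the true identity got rank r."""
    counts = [0] * gallery_size
    for r in ranks:
        counts[r - 1] += 1
    return [c / len(ranks) for c in counts]


def cumulative_match_curve(rpm):
    """CMC: running sum of the RPM, i.e. P(true identity within the top K)."""
    cmc, total = [], 0.0
    for p in rpm:
        total += p
        cmc.append(total)
    return cmc


def shortest_list_length(cmc, target):
    """Smallest K whose CMC value reaches the target, or None if none does."""
    for k, p in enumerate(cmc, start=1):
        if p >= target:
            return k
    return None


# Constructed sample data: 8 searches against a gallery of 5 identities.
# Each entry is (true identity, {identity: [similarity score per template]}).
SEARCHES = [
    ("A", {"A": [0.91, 0.72], "B": [0.40], "C": [0.35], "D": [0.20], "E": [0.10]}),
    ("B", {"A": [0.55], "B": [0.80, 0.85], "C": [0.30], "D": [0.25], "E": [0.15]}),
    ("C", {"A": [0.62], "B": [0.58], "C": [0.60], "D": [0.10], "E": [0.05]}),
    ("D", {"A": [0.70], "B": [0.66], "C": [0.64], "D": [0.50, 0.61], "E": [0.20]}),
    ("E", {"A": [0.30], "B": [0.20], "C": [0.25], "D": [0.10], "E": [0.88]}),
    ("A", {"A": [0.45], "B": [0.45], "C": [0.10], "D": [0.05], "E": [0.02]}),
    ("B", {"A": [0.20], "B": [0.90], "C": [0.15], "D": [0.12], "E": [0.08]}),
    ("C", {"A": [0.33], "B": [0.31], "C": [0.77, 0.69], "D": [0.22], "E": [0.18]}),
]


def evaluate(searches, gallery_size=5):
    """Ranks, RPM and CMC for a list of searches."""
    ranks = [rank_of_true(scores, true_id) for true_id, scores in searches]
    rpm = rank_probability_mass(ranks, gallery_size)
    return ranks, rpm, cumulative_match_curve(rpm)


if __name__ == "__main__":
    ranks, rpm, cmc = evaluate(SEARCHES)
    print("ranks:", ranks)
    print("RPM:  ", rpm)
    print("CMC:  ", cmc)
    for target in (0.85, 0.95):
        print("list length for P >= %.2f: %s"
              % (target, shortest_list_length(cmc, target)))
```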

The penetration coefficient is the percentage of the system database that has to be
searched before a correct match is found. It can be reduced by binning, which
means limiting the search by some criteria to only the relevant portion of the
database. Binning can be done using e.g. the global level characteristics in
fingerprint recognition (cf. Section 3.2.2). In the worst case the penetration coefficient
$P_i = 1$, which means that the whole database has to be searched through. The
penetration coefficient is closely related with the calculation time of a system.

4.3 Large-Scale Applications

Large-scale biometric authentication includes a wide range of civilian
applications, which are briefly introduced below. Some of these applications are already
in everyday use in different countries and they include both verification and
identification applications. Common to all these applications are the large number
of users and consequently the large database in identification applications. Also
many different points of access and fast authentication are needed.

Certain large-scale applications are described in Table 5 with their size, location
and the biometric used for authentication. The information has been collected
from several sources.

Table 5: Different biometric large-scale applications [Abr04], [Dre04], [Fin03],
[IBGa04], [OSu97], [San02], [Wil03] and [Zal02]

| Application | Application Size | Location | Biometric |
|---|---|---|---|
| Banking | | | |
| ATM security | 1400 ATMs | Australia | Fingerprint |
| Information Sec. | | | |
| User password | 500 branch offices | Indonesia | Fingerprint |
| Physical Access | | | |
| Access to MasterCard HQ | 25000 each year | New York, USA | Fingerprint |
| Major federal agencies | 4,3 - 4,4 million | USA | Fingerprint |
| Customs and Immigration | | | |
| Border Control | 10 airports | UK | Iris |
| Border Control | 8 airports - 100 000 users | Canada | Iris |
| Government | | | |
| Welfare distribution | 5 states | USA | Fingerprint |
| Healthcare Industry | > 850 000 | South Africa | Fingerprint |
| Identification | | | |
| Civil ID | > 40 million | Argentina | Fingerprint, face and others |
| Civil ID | 2 million | El Salvador | Fingerprint |
| Civil ID / Drivers License | 25 - 30 million | California, USA | Fingerprint |

Banking security includes automatic teller machine (ATM) security, check cash-
ing, credit card transactions and phone banking. For example, ATM applications
in Australia and in Japan use fingerprint and retina for user authentication, re-
spectively. The Chase Manhattan Bank in the USA uses dynamic signature in
check cashing and voice recognition in phone banking applications [OSu97]. In
addition, there are several banks in Europe, the USA and Japan, which use iris
recognition for authentication [Wil03].

In information system security applications the username and the corresponding
password are replaced with biometric authentication methods. The main
objective is that only valid persons are granted access to sensitive data and the
password cannot be shared or forgotten. For example, the Bank of Central Asia in
Indonesia has replaced the employees' passwords with fingerprint recognition in
their branch offices. On the other hand, the Pentagon (the US Department of
Defense), uses face recognition to secure the computer network [OSu97]. The hand
geometry is used e.g. in San Jose State University and iris recognition is used
e.g. in KPN Telecom in Netherlands and in the U.S. House of Representatives,
Legislative Counsel [Wil03].

Physical access control is used in different locations to restrict unauthorized
persons from accessing certain areas. It can be used e.g. in airports, bank vaults,
stadiums etc. Currently, there are many airports around the world, which use
biometric recognition, with fingerprints, face and iris recognition being probably
the most common ones. Also two major American federal agencies, including
the Department of Defense (DoD), have been replacing the existing ID badges of
their employees with a fingerprint recognition [Zal02]. In the summer 2003, about
2,8 million ID badges had already been replaced in the DoD and four million ID
badge replacements were expected to be exceeded in the next two years. [Dix03],
[Saf03]

Government benefits distribution includes e.g. welfare distribution and
healthcare industry. The use of fingerprint recognition is tested in five states in the USA
to prevent so-called double dipping, where a person is enrolled into the system
with several names, and can thus receive certain benefits several times [OSu97].
Fingerprint recognition is also piloted in South Africa in the healthcare industry
[Dre04].

In customs and immigration applications biometrics is used to allow e.g. faster
handling of immigrants. For example at the border between USA and Mexico,
machine-readable visas are used. The visas have optical memory cards, which
contain one or more biometrics [Zal02]. Also in the UK and Canada automated
border control is used at certain airports. They are based on fingerprint and iris
recognition, respectively.

National identification systems are probably the largest single application area
in large-scale systems. They contain several million users and a massive databank
of user templates. National ID systems are used e.g. in El Salvador and in several
states in the USA. All these ID systems use fingerprint as a biometric [IBGa04],
[Wil03]. The largest national identification system is used in Argentina with more
than 40 million users and unlike the other systems, described above, the Argen-
tinian system relies not only on fingerprints but also on face recognition and other
biometrics as well. [San02]

These national identification systems can be used in conjunction with voter and
drivers’ license registration, which is done in the ID system of California [IBGa04].

Chapter 5

Usability, Political and Legal Aspects

After the terrorist attack on the World Trade Center on the 11th September 2001,
the need for security has increased considerably throughout the world, and to-
day people are willing to accept more intrusive actions in the name of security
[Woo03]. Over the past few years, as the need for security has increased, the total
biometric market has also grown. However, there are also objections to the
extended use of biometrics, which might have an effect on the adoption and, in this
way, also on the commercial potential of biometric recognition. The legislation and
standards concerning biometric recognition are currently being developed. This
chapter gives a brief overview of the aforementioned topics.

5.1 Social Aspects

5.1.1 Loss of Privacy

Every time a person enrolls into a system, he gives up a biometric identifier, which
is a unique piece of information about him. After the biometric identifier has
been captured, it can be easily sold to a third party, and it can also be used to
search additional information related to the person, by combining data from other
databases. This data might be e.g. financial history, medical history, employment
history or purchasing habits of the person [Nan02]. In addition, the search can
be done without the knowledge of the user and therefore it is common to link the
biometrics to a "Big Brother"-scenario, where the state can observe the actions and
the behaviour of its citizens. Some people fear that this happens little by little, as
the limited use of biometrics gradually enters everyday life (a phenomenon called
function creep). [Woo03]

By using biometrics, it may also be possible to obtain invasive information about
the health of the user. For example, the onset of diabetes or pregnancy may be
observable from the retinal scan and some special fingerprint patterns may have a
connection to certain medical disorders. However, more research on this area is
still needed. [Woo03]

In order to reduce the fear of losing privacy, a clear reason is always needed when
using biometric recognition [Woo03]. Unfortunately, it seems to be quite common
to appeal to the lack of security in general. In many applications biometric
recognition could be used for authentication, but the usage is not actually justified
and other information should be used instead. For example, when consumer habits
are examined, the age, the sex and the residence of the customer should be more
important than the personal data and identity of the customer. [Per03]

The biggest threat to privacy is sloppiness in database management [Woo03].
Therefore it is necessary to store biometric information in systems that are
secure enough. In addition, raw biometric data should not be stored at all but
rather only a template, which might also be encrypted [Nan02].

5.1.2 Other Objections To Biometrics

There are also other objections to biometrics than the fear of losing privacy. These
objections originate from the cultural, philosophical and religious beliefs and they
are difficult to disprove, since they are based on personal opinions of each
individual. [Nan02], [Woo03]

The cultural objections are due to the stigma of less fortunate elements of society,
which are closely attached to biometric recognition. People do not want to be
equated with e.g. criminals, and therefore they refuse to use biometric recognition.
[Woo03]

People objecting to biometrics for philosophical reasons may say that a biometric
identifier is only a high-tech way of tattooing and classifying people the same
way as people have been classified into slaves or into concentration camp victims.
[Woo03]

In addition, some may object to biometric recognition for religious reasons. For
example, some Christians may interpret biometrics as "the mark of the Beast",
described in "the Book of Revelation". [Woo03]

There is also a common fear that the biometric readers may cause physical harm to
the user, e.g. the retina scan would damage the vision or the hand scanners would
dry the hand. Another common concern is the hygiene of biometric readers, since
people have to use devices which have been touched by many strangers. This is
despite the fact that the hygiene of e.g. fingerprint sensors has been compared to
the hygiene of money, which is handled by many on a daily basis. [Woo03]

5.1.3 Commercial Potential of Biometric Recognition

The biometric markets have been growing after the terrorist attack in September
2001, and the growth is expected to continue even further in the future. This is
despite the fact that the adoption of biometric technology has been slower than
anticipated, partly due to the lack of industrywide standards [Sec04], [Nan02].
The predicted growth of the biometric industry is shown in Figure 16a and the
comparative market shares between different biometric technologies are shown in
Figure 16b. Even though fingerprint recognition currently has the greatest market
share, it is very unlikely that a single biometric will monopolize the whole
biometric recognition field. Instead, all the different technologies are going to be
used side by side [Woo03].

Because of the political actions concerning border control taking place in the EU
and in the USA, the biggest growth is expected from the civil identification
applications [Sec04]. Table 6 shows the predicted biometric revenues by application
on a global scale.

Figure 16: a) Total annual global biometric revenues with projections [Sec04],
b) 2004 Comparative market share by technology [IBGb04]

Table 6: Global biometrics revenues by application in million USD [Sec04]

Application                           2003        2008
Device Access                         $ 14,9      $ 252,8
Criminal Identification               $ 241,7     $ 765,9
e-Commerce / Telephony                $ 17,9      $ 197,3
Retail/ATM/Point of Sale              $ 16,1      $ 243,5
PC/Network Access                     $ 116,4     $ 800,1
Access Control / Time & Attendance    $ 152,4     $ 940,2
Civil Identification                  $ 150,7     $ 1316,8
Surveillance                          $ 9         $ 122,9

5.1.4 Biometric Standards

A standard, which may define e.g. policies, practices, technical and mechanical
requirements, is usually developed and published by a recognized authority
[Woo03]. Standardization can be regarded as a sign of maturity in technology and
it has been stated that the lack of common standards could be a pitfall of
biometrics, since the inter-operability between different biometric systems is a
necessity in large-scale deployments [Sec04], [Nan02], [Bol04].

The biometric standards, completed or still under development, concern for
example common file formats (e.g. Common Biometric Exchange File Format, CBEFF
[CBE05]), application programming interfaces (e.g. BioAPI [BAC05] and
BAPI [IO05]), template encryption, device inter-operability and information
security (e.g. X9.84-2000 [ASC05] and Common Data Security Architecture, CDSA
[Int05]). However, the hardware and software of different vendors are usually
proprietary and it is unlikely that the core algorithms will ever become
standardized, since they form the basis of intellectual property of the companies.
Therefore, standardization does not remove the need for re-enrollment when
replacing a biometric device with a new one by a different vendor [Nan02].

On the hardware level, standards concerning devices could define e.g. the
electrical interface and the drivers of a biometric sensor. The standards, which
concern file formats are developed so that the format of a template would be the
same in different biometric applications. The header of the template might include
e.g. the creation date and the biometric type. The application programming
interface (API) standards are for ensuring that an application developer may use
different biometric devices in a standardized way, which is independent of the
operating system and the biometric type. [Nan02], [Bol04]

5.2 Legal Aspects

Many legal questions are related to the use of biometric recognition, e.g. who
can collect biometric data, how much and for what purposes? If biometric
recognition is going to be used extensively, it is important to have clear
legislation on the subject [Mön04]. Reasons for the need of regulation are the
permanence, irreversibility, uniqueness and possible covert use of a biometric
[Per03].

Legislation is somewhat different in each country, and since biometric recognition
can be used also in international applications, e.g. in e-commerce or travelling,
organizations facing this situation need to be certain that their operation is in full
compliance with the laws of a foreign state as well as with the laws of their native
country [Woo03].

Currently, only a few legal limits exist in the USA on the use of biometrics. On
the other hand, there is a comprehensive privacy protection framework in the EU,
since according to the EU Directive 96/46/EC, all EU member states were required
to enact a comprehensive privacy law in October 1998 [Woo03]. In Finland, the
privacy law (523/1999) is based on the EU Directive and it regulates the general
principles of personal data management, i.e. the collection, storing, usage,
maintenance, information security and transfer of any register, which contains
information about personal data and where the data of a certain person can be found
with ease and without excessive costs [Fin99]. The word biometrics is not cited in
the privacy law specifically, but the law can be applied also to biometric
recognition since a biometric trait, which individualizes a person, is a personal
data item described in the privacy law [Per03].

Recently, the public administration in the city of Vaasa considered using
fingerprint recognition in pharmacies to prevent abuse of entitlements. Even though
there was no intention to collect a fingerprint database, the Data Protection
Ombudsman stated that the authorities had no right to collect fingerprints from
customers [Rii04]. The incident was also widely noted by the media, and therefore
the project was never realized and other options were investigated instead
[Mön04]. However, it has been stated that the public sector in Finland will
probably use fingerprint recognition to identify people in the future at least as
commonly as the driver’s licence is used for identification today. [Rii04]

5.3 Political Aspects

The security issues have been emphasized in the USA after the terrorist attack in
September 2001, and therefore the USA demands a machine-readable passport
containing a biometric identifier from all people arriving in the country after
October 2005. The deadline has been postponed already once from October 2004,
since the original timetable was too tight [Kar04]. The European Union, for its
part, has tried to accelerate the transition to biometric passports, and in the next
couple of years biometric passports will be introduced in the whole EU region
[Rii04], [Myl04]. The passports will be first based on face recognition and later
on fingerprint recognition [Kar04].

In Finland, the issuing of biometric passports was supposed to begin in May 2005.
In this way, Finland would have been the first country in the world to issue
biometric passports, which are made according to the standards of the International
Civil Aviation Organization (ICAO) [Sdu04]. However, the acquisition of biometric
passports is currently barred, since a complaint has been filed about the
competitive bidding of biometric passports, and therefore it currently seems that
Finland will miss the original deadline of October 2005. [Nyk05]

Chapter 6

Comparison of Two Fingerprint Recognition Software Programs

The performance of fingerprint recognition software programs varies from vendor
to vendor. In this Chapter, the feature extraction and matching stages of two
fingerprint recognition software programs are compared. In order to examine
which are the slowest tasks in a fingerprint recognition process and how the
performance figures differ between the software programs, the execution times
for different tasks and the error rates were measured. Finally, the scaling into a
large-scale system is considered.

6.1 Hardware Description

A fingerprint scanner was bought so that the fingerprints needed in performance
analysis could be acquired. When choosing the vendor, it was considered important
that a software development kit (SDK) was available for the fingerprint
scanner. Using the library functions included in the SDK, the example code could
be modified to suit the performance measurements. Another important issue was
that a plain bitmap fingerprint image was obtained from the scanner instead of an
encrypted fingerprint code or template generated from the fingerprint image. The
unencrypted and unenhanced image could be further processed with both software
programs. Several fingerprint scanners from different vendors were investigated,
and finally the FCAT-100 fingerprint scanner from Bergdata Biometrics GmbH
was chosen. The FCAT-100 scanner is shown in Figure 17 and the technical
characteristics are listed in Table 7.

Figure 17: FCAT-100 fingerprint scanner

Table 7: Characteristics of FCAT-100 fingerprint scanner [Atm02]

Fingerprint Scanner                  FCAT-100
Image Size (pixels)                  280 x 440
Resolution (dots per inch)           500
Dynamic Range of the Image (bits)    8
Drivers                              Windows, Linux and OS/2
Connector                            USB
Sensor type                          Thermal
Image zone (mm)                      0,4 x 14
Max. frames per second               1780

The FCAT-100 fingerprint scanner is based on the Atmel FingerChip™ temperature
sensor [BerB03]. An image of a fingerprint is obtained by sweeping the finger
across the sensor. Provided that the finger is swept over the sensor at a reasonable
rate, the successive frames overlap and a fingerprint image can be reconstructed
from the frames (see Figure 18) [Atm02]. The reconstruction is performed
automatically by the fingerprint scanner, and an example fingerprint acquired from
the scanner is shown in Figure 19. The size of an acquired fingerprint image is 280 x
440 pixels with a resolution of 500 dots per inch (dpi) and a dynamic range of
8 bits (256 grayscales). Therefore, the scanner is compatible with the FBI standards
[BerB03].

Figure 18: Fingerprint image reconstruction [Bis02]

Figure 19: An example fingerprint acquired with FCAT-100 fingerprint scanner

In the measurement setup, the fingerprint scanner was connected to a personal
computer (PC) via universal serial bus (USB). The clock frequency of the PC’s
central processing unit (CPU) was 2,79 GHz and the size of the random access
memory (RAM) was 1 gigabyte (GB).

6.2 Description of the Software Programs

6.2.1 Bergdata Fingerprint Identification System

An SDK, which was ordered along with the fingerprint scanner, consists of a
biometric engine and a generic fingerprint scanner driver module, which is
responsible mainly for capturing fingerprint images. The driver module also keeps
the biometric application independent of the fingerprint scanner.

The biometric engine, namely the Bergdata Fingerprint Identification System
(BDFIS), takes care of the feature extraction, the template generation and the
matching operation stages. It is written in pure ANSI-C programming language
and hence marketed as very fast and highly portable software [BerA03]. However,
since the BDFIS is a proprietary product, the details of the code weren’t
available and only the main operations could be examined. The overall structure
of the BDFIS software is shown in Figure 20 and the performance of each block,
excluding the ones shown in gray, was examined.

6.2.2 NIST Fingerprint Image Software 2

The NIST Fingerprint Image Software 2 (NFIS2) is an open source fingerprint
recognition software developed for the Federal Bureau of Investigation (FBI) and
the Department of Homeland Security (DHS) by the National Institute of Standards
and Technology (NIST) [Wat04]. It consists of seven different packages,
but only a few were actually used when carrying out the performance analysis. The
NFIS2 has a modular structure, which is shown in Figure 21 and since the details
of the source code were available, a detailed analysis of each block was carried
out. The performance of each block, from the coarse ones to the detailed ones, was
examined, excluding the blocks shown in gray.

Figure 20: Structure of BDFIS fingerprint recognition software

It can be seen from Figure 21 that the feature extraction stage has more
distinguishable tasks than the matching stage. The parameters and the algorithms in
the NFIS2 software are designed so that their operation is optimal when processing
images with a resolution of 500 dpi and dynamic range of 8 bits [Wat04]. The
detailed operations of the subtasks shown in Figure 21 are described next.

Feature Extraction

Feature extraction begins with an optional image enhancement, which is done by
spreading the histogram in case of poor contrast in the original fingerprint image.
The fingerprint image is then divided into blocks, with a size of 8x8 pixels and
three different maps are created from the image. The maps are the low contrast
map, the low ridge flow map and the high curvature map. They are used for
representing the image quality of each block, where the minutiae are detected. All
the three maps created from the example fingerprint (see Figure 19) are shown in
Figures 22a-c. [Wat04]

Figure 21: Structure of NFIS2 fingerprint recognition software

Figure 22: Different maps

In addition to the three maps mentioned previously, it is also essential to create a
direction map. The direction map represents the orientation of ridges in the areas
where the ridges and valleys are clearly visible and well-formed. The orientation
of ridges is calculated by rotating a macroblock grid with a size of 24x24
pixels, incrementally in steps of 11,25° and calculating the discrete Fourier
transform (DFT) in each block orientation. The ridges are considered to run in the
orientation that has the greatest coefficients at the lowest four frequencies.
Afterwards, the inconsistent directions are removed, the blocks of the direction map
are smoothed and the blocks with invalid directions are interpolated by analyzing
their adjacent blocks. The complete direction map for the example fingerprint is
shown in Figure 22d. [Wat04]
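
The rotated-grid search described above can be sketched as follows. This is an added example, not NFIS2 source code: the sinusoidal test image, the nearest-pixel sampling, the MIN_POWER floor and the use of the summed power of the four lowest frequencies as the selection rule are assumptions of the example.

```python
import math

WINDOW = 24          # rotated grid is WINDOW x WINDOW pixels, as in the text
N_DIRECTIONS = 16    # 180 degrees in steps of 11.25 degrees
N_WAVES = 4          # the four lowest DFT frequencies
MIN_POWER = 1e3      # assumed floor: below it the block has no valid direction


def ridge_image(size, ridge_deg, period=8.0):
    """Constructed test image: sinusoidal ridges running along ridge_deg."""
    t = math.radians(ridge_deg)
    c = size / 2.0
    return [[128 + 100 * math.cos(
                2 * math.pi * (-(x - c) * math.sin(t) + (y - c) * math.cos(t)) / period)
             for x in range(size)] for y in range(size)]


def row_sums(image, cx, cy, angle):
    """Sum the pixels along each row of a WINDOW x WINDOW grid rotated by angle."""
    ux, uy = math.cos(angle), math.sin(angle)   # direction along a grid row
    nx, ny = -uy, ux                            # direction across the rows
    offsets = [k - (WINDOW - 1) / 2.0 for k in range(WINDOW)]
    sums = []
    for r in offsets:
        total = 0.0
        for col in offsets:
            x = math.floor(cx + col * ux + r * nx + 0.5)   # nearest pixel
            y = math.floor(cy + col * uy + r * ny + 0.5)
            total += image[y][x]
        sums.append(total)
    return sums


def low_frequency_power(sums):
    """Power of the row-sum vector at DFT frequencies 1..N_WAVES."""
    power = 0.0
    for k in range(1, N_WAVES + 1):
        re = sum(v * math.cos(2 * math.pi * k * n / WINDOW) for n, v in enumerate(sums))
        im = sum(v * math.sin(2 * math.pi * k * n / WINDOW) for n, v in enumerate(sums))
        power += re * re + im * im
    return power


def block_direction(image, cx, cy):
    """Return the direction index 0..15 (times 11.25 degrees), or None.

    When the grid rows are parallel to the ridges, every row sum stays on one
    ridge or one valley, so the row-sum vector oscillates strongly and its DFT
    power peaks. In any other orientation the rows cross ridges and average out.
    """
    powers = [low_frequency_power(row_sums(image, cx, cy, i * math.pi / N_DIRECTIONS))
              for i in range(N_DIRECTIONS)]
    best = max(range(N_DIRECTIONS), key=powers.__getitem__)
    return best if powers[best] >= MIN_POWER else None


if __name__ == "__main__":
    for true_deg in (0.0, 33.75, 90.0, 146.25):
        index = block_direction(ridge_image(48, true_deg), 24, 24)
        print(true_deg, "->", index, "=", index * 180.0 / N_DIRECTIONS, "degrees")
```

A block with no ridge structure gives a constant row-sum vector, so its power at the non-zero frequencies vanishes and the function reports no direction, which corresponds to the invalid blocks that are later interpolated from their neighbours.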

Finally, after all the maps have been generated, a quality map is created by
integrating together all the information from the three maps representing the quality
of each block. The quality map, which is shown in Figure 23, is used for
assigning the reliability for detected minutiae. The minutiae are not searched for
in the margins of the direction map or in the low contrast blocks. In addition,
the minutiae detected from the blocks with low ridge flow or high curvature are
assigned with low quality. [Wat04]

Figure 23: Quality map

Minutiae Detection

Since the minutiae detection algorithm is designed to operate on pure black and
white fingerprint images, the original fingerprint image must be binarized. In this
process each pixel is set to either black or white and the different shades of gray
are lost. In the NFIS2 software, the binarization process is based on the detected
ridge flow of the block and each pixel in a block is examined one by one. A grid,
with the pixel of interest located in the center, is turned to align with the ridge
flow. Then the grayscale values of the block are accumulated along the rows of
the grid and the actual binary value of the pixel is based on these grayscale values.
The binary image is finally scanned three times and on each scan the occasional
black and white holes are filled. [Wat04]

The blocks in the direction map, the low flow map and the high curve map are
then divided into single pixels, i.e. the value of a block is assigned to each pixel
in that block. Then the candidate minutiae are detected by searching certain pixel
patterns from the image. The pixel patterns are found by using masks, shown
in Figure 24, which match with the minutiae, i.e. ridge ending or bifurcation.
The scan is performed both horizontally and vertically and the found candidate
minutiae points are collected into a list. The NFIS2 minutiae detection scheme
is particularly greedy, minimizing the chance of missing true minutiae at the
expense of many false minutiae. Therefore, after the candidate minutiae are found
and collected into a list, false minutiae are removed from the list by a systematic
approach [Wat04].

Figure 24: Pixel patterns used for minutiae detection [Wat04]

The candidate minutiae points are first sorted from top-to-bottom and left-to-right
order. Then isolated ridges in a valley, or vice versa, are removed. These are called
lakes and islands, respectively. For two minutiae to be classified as forming a lake
or an island, many different conditions must be fulfilled. These conditions include
e.g. that the two detected minutiae are close to each other and their directions are
opposite or almost opposite. Also holes, which are small sized islands or lakes,
are removed. [Wat04]

Next, if a minutia is sufficiently close and pointing to a block, whose direction
field is invalid, the minutia is removed. A minutia is removed also if there are
several blocks with an invalid direction field in the proximity of the minutia, even
when the minutia is not pointing to any of these blocks. Then, the remaining
minutiae are adjusted slightly, so that they lie symmetrically to the ridge or valley
bifurcation. If there are minutiae, which lie in the side of a ridge or a valley or
combinations of two minutiae forming hooks that protrude off the side of the ridge
or valley, they are removed. [Wat04]

The final steps involve removing the minutiae located in the discontinuities of
ridges and valleys i.e. overlaps, and also the bifurcation minutiae which are either
too narrow or too wide. The minutiae, which are left in the candidate minutiae list
after all the false minutiae removal operations described above, are considered as
true minutiae. [Wat04]

The ridge counting task is performed by using the list of true minutiae. The
minutiae are first sorted column oriented, i.e. first by the x-coordinate and then
by the y-coordinate. The duplicate minutiae points are removed from the list and
finally the ridges are counted between a minutia and its eight nearest neighbours.
This operation is repeated for all minutiae in the list. [Wat04]

Minutiae Matching

The NFIS2 minutiae matching, called the "Bozorth Matcher" in honor of the
developer of the original algorithm, uses the minutiae information obtained from the
feature extraction stage [Wat04].

In the initialization stage, two intra-fingerprint minutia comparison tables are
constructed for an input fingerprint and for a gallery fingerprint, also called a
reference fingerprint. The gallery fingerprint can be compared to a template, even
though an actual template is never created in the NFIS2. In the initialization stage,
relative measurements between all the minutiae in the same finger are calculated.
The measurements include the distance between two minutiae, the angles between
each minutia and the intervening line between the two minutiae. They account for
the translational and rotational invariance of the fingerprint. Finally, the results
are collected into the minutiae comparison table. [Wat04]

After the initialization stage, the two minutiae comparison tables are examined
and compatible entries between the tables are looked for. There are three tests
conducted in order to determine if there is compatibility between the entries. In
the first test, the distances in the entries of the minutiae comparison tables are
examined and they must be within predefined tolerances. In the second and third
test, the angles of the minutiae are examined and they must also be within certain
tolerances. If entries in the comparison tables pass all three tests, a new entry is
made into an inter-fingerprint compatibility table. It should be noted that an entry
is made into the compatibility table based only on the distance and the relative
position between two minutiae in a fingerprint. Therefore, one minutiae pair in
the input fingerprint may have several counterparts in the gallery fingerprint. This
means that many entries are made into the compatibility table, even though only
one of these entries can be a correct match. [Wat04]
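
The initialization stage and the three compatibility tests can be illustrated with a small added example, which is not the Bozorth matcher's own code. The minutiae, the tolerances DIST_TOL and ANGLE_TOL and the choice to store gallery pairs in both directions are constructed for the example, and the graph traversal of the final stage is not implemented.

```python
import math
from collections import namedtuple
from itertools import combinations

DIST_TOL = 4.0      # pixels; assumed tolerance for this example
ANGLE_TOL = 11.25   # degrees; assumed tolerance for this example

Entry = namedtuple("Entry", "i j dist beta1 beta2 line")
Link = namedtuple("Link", "probe_pair gallery_pair rotation")


def norm_deg(angle):
    """Wrap an angle in degrees into [-180, 180)."""
    return (angle + 180.0) % 360.0 - 180.0


def pair_entry(minutiae, i, j):
    """Relative measurements for the directed minutia pair i -> j."""
    xi, yi, ti = minutiae[i]
    xj, yj, tj = minutiae[j]
    line = math.degrees(math.atan2(yj - yi, xj - xi))   # intervening line
    # beta1/beta2: angle of each minutia relative to the line. They do not
    # change when the whole print is shifted or rotated.
    return Entry(i, j, math.hypot(xj - xi, yj - yi),
                 norm_deg(ti - line), norm_deg(tj - line), line)


def comparison_table(minutiae, both_directions=False):
    """Intra-fingerprint table of all minutia pairs of one print."""
    table = []
    for i, j in combinations(range(len(minutiae)), 2):
        table.append(pair_entry(minutiae, i, j))
        if both_directions:   # lets a probe pair match whatever its order is
            table.append(pair_entry(minutiae, j, i))
    return table


def compatible(p, g):
    """The three tests: distance, first angle, second angle."""
    return (abs(p.dist - g.dist) <= DIST_TOL
            and abs(norm_deg(p.beta1 - g.beta1)) <= ANGLE_TOL
            and abs(norm_deg(p.beta2 - g.beta2)) <= ANGLE_TOL)


def compatibility_table(probe, gallery):
    """Inter-fingerprint table: one link per compatible pair of entries."""
    probe_table = comparison_table(probe)
    gallery_table = comparison_table(gallery, both_directions=True)
    return [Link((p.i, p.j), (g.i, g.j), norm_deg(p.line - g.line))
            for p in probe_table for g in gallery_table if compatible(p, g)]


def counterparts(links):
    """Group the gallery pairs found for each probe pair."""
    found = {}
    for link in links:
        found.setdefault(link.probe_pair, []).append(link.gallery_pair)
    return found


def transform(minutia, rot_deg, dx, dy):
    """Rotate and shift a minutia (x, y, direction), rounding to whole pixels."""
    x, y, theta = minutia
    c, s = math.cos(math.radians(rot_deg)), math.sin(math.radians(rot_deg))
    return (round(x * c - y * s + dx), round(x * s + y * c + dy),
            (theta + rot_deg) % 360)


# Constructed gallery print. Minutiae 2 and 3 repeat the geometry of 0 and 1,
# so the pairs (0, 1) and (2, 3) cannot be told apart by relative measurements.
GALLERY = [(50, 60, 30), (120, 80, 140), (90, 150, 30), (160, 170, 140)]
# Constructed probe: the gallery rotated by 20 degrees, shifted, reordered,
# plus one spurious minutia that has no counterpart.
PROBE_ORDER = [2, 0, 3, 1]
PROBE = [transform(GALLERY[g], 20, 15, -8) for g in PROBE_ORDER] + [(150, 60, 300)]

if __name__ == "__main__":
    links = compatibility_table(PROBE, GALLERY)
    for pair, found in sorted(counterparts(links).items()):
        print("probe pair", pair, "-> gallery pairs", found)
```

Probe pair (1, 3) is gallery pair (0, 1) after the transformation, yet it also passes all three tests against gallery pair (2, 3), which is the situation of several counterparts for one pair that the traversal stage has to resolve.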

The final stage in the fingerprint matching is to traverse the compatibility table.
Each entry in the table indicates a single, disjoint link in a compatibility graph
and each link is thus associated between two pairs of potentially corresponding
minutiae. The compatibility graph is traversed so that the traversals are initiated
from various starting points. As the graph is traversed, clusters are formed in
the compatibility graph by linking the entries of the compatibility table. When
the traversal is finally complete, the compatibility of the clusters in the graph
is checked by examining the amount of their global rotation. After this task, a
minutiae pair of the input fingerprint should match with only one minutiae pair of
the gallery print, at the most. The accumulated number of the compatible clusters
gives the final match score between two fingerprints. [Wat04]

6.3 Conducted Measurements

Bergdata Fingerprint Identification System

In order to conduct the performance measurements with the BDFIS fingerprint
recognition software, test software was written in ANSI-C. The test software
applied library functions of the SDK in several processing stages of fingerprint
recognition, e.g. fingerprint scan, feature extraction, template generation and
fingerprint matching. The test software was based on an example code sequence
included in the SDK. The Microsoft Visual Studio.NET was used as the
development environment.

The test functions for the different fingerprint recognition processes were
accessible via the main menu of the test software. If the enrollment process was
selected, the program conducted the scanning of four fingerprints and the acquired
fingerprint images were saved in a bitmap format into the computer’s hard drive for
later use. The performance of feature extraction, template generation and matching
stages were measured separately, but a similar approach was used in all of
them.

In the BDFIS feature extraction stage, a raw fingerprint image was loaded from
the hard drive into memory and then a specific library function was used to carry
out the feature extraction. The number of detected minutiae, the fingerprint image
quality and the valid area were obtained as the output of the library function.
The execution times of the feature extraction stage were measured by using the
readTimeStampCounter (RDTSC)-function, which is an Intel Pentium processor’s
assembly instruction. It reads the accurate number of processor clock cycles at
the moment the function is called [For04]. The RDTSC-function was used twice,
immediately before and after the library function call for the feature extraction. Since
the clock frequency of the processor was known, the exact execution time of the
feature extraction function could be calculated from the number of processor clock
cycles between the two time stamps. Finally, the execution times were saved into
a text file on the hard drive.

The BDFIS template generation stage began by loading two fingerprint images
into memory from the hard drive. Then the features were extracted from the
images, and a template was generated from the extracted minutiae by using the
specific library function. The RDTSC-function was used to measure the execution
time of the template generation function. The resulting times and templates were
saved into the hard drive.

Before using the library function for fingerprint matching, an input fingerprint
image and a reference template were loaded into memory from the hard drive.
After this the matching was performed, and the execution times were measured
using the RDTSC-function. The resulting execution times and the matching scores
between two fingerprints were saved into a text file on the hard drive.

NIST Fingerprint Image Software 2

The performance tests described above were conducted also with the NFIS2
software. The original source code of NFIS2 was divided into many different
programs, which were each used for a specific process in fingerprint recognition. The
RDTSC-function was inserted into the original source code immediately before
and after the measured function call. The obtained execution times were saved
into a text file on the hard drive. A Linux-like environment for Windows, namely
the Cygwin [Cyg05], was used as the development environment.

Before feature extraction, the fingerprint images had to be converted from bitmap
format into jpg-format, which is a lossy compression method for images developed
by the Joint Photographic Experts Group. The compression quality was set
to 100%, i.e. no compression at all, but still there could have been losses due to
roundoff errors and subsampling [Wat04].

After the conversion, the qualities of the fingerprint images were evaluated and
the features were extracted by using a specific executable subprogram for each
stage, respectively. The execution times for feature extraction stage were saved
into the hard drive along with the resulting number and the coordinates of detected
minutiae. Also the different maps (cf. 6.2.2) were obtained and saved on the hard
drive. The execution of the feature extraction stage was repeated many times with
different placings for the RDTSC-function. In this way, also the execution times
of the different subtasks could be measured.

The fingerprint matching stage in NFIS2 software was executed and measured
in the same way as the feature extraction stage. The lists of previously detected
minutiae were loaded from the hard drive for the input fingerprint and the gallery
fingerprint as the specific executable subprogram was used. The fingerprint matching
was executed many times in order to measure the subtasks also. The measured
execution times and the matching scores were saved into the hard drive.

Analysing the Results

After all the different measurements were done with both fingerprint recognition
software programs, all the obtained values were loaded into MatLab and examined
there. Scatter plots were generated to see the distribution of measured values. Also
the possible connections between two different values were examined visually
from the scatter plots. Finally, the different maps and also the detected minutiae
were drawn on the image of the example fingerprint.

6.4 Fingerprint Recognition

6.4.1 Enrollment

In order to conduct the performance tests, four fingerprint images of a finger were
collected from 12 different persons and from two different fingers of the author
of this thesis. Therefore the database used consisted of 14 different fingerprints
and four images from each fingerprint, totalling 56 fingerprint images. Before the
enrollment, all the volunteers were given instructions on how to use the fingerprint
scanner and they were also encouraged to practice the use of the scanner before
enrollment. This was done, since a sweep sensor is difficult to use in the beginning
and most of the volunteers had never used a fingerprint scanning device before.

In order to obtain four reasonable quality images from each fingerprint, the quality
of the images was checked visually and, if necessary, the scanning procedure was
repeated. The images from the scans, which had clearly failed due to e.g. too fast
or too slow sweep across the sensor, were discarded.

6.4.2 Feature Extraction

The feature extraction stage was performed for all previously scanned 56
fingerprints. The input fingerprint image was changed from one to another after each
feature extraction, which corresponds to a situation where a different user is
authenticated each time. However, there are some differences to a real life
situation. Firstly, all four fingerprint images from the same user were collected
and used consecutively. In addition, all the failed scans were discarded when
collecting the fingerprint images.

The measurements in the feature extraction stage were repeated so that all the
input fingerprint images were used cyclically, each one 1000 times. The
repetition was done in order to diminish the variation of execution times, which is
caused by the background processes of the computer. The cyclical change of
the input fingerprint images was chosen, because it was noted that the execution
time of the first feature extraction stage was slower than the subsequent execution
times. This may be due to the processor’s cache memory where the fingerprint is
saved.

Bergdata Fingerprint Identification System

The average execution times and their standard deviation between users in the
BDFIS feature extraction stage and the template generation stage are presented
in Table 8. The measured average feature extraction times correspond closely to
the time (0,02 s) advertised on Bergdata’s webpages [BerA03].

In addition to the feature extraction time, also the quality of the fingerprint image,
the valid area and the number of detected minutiae were obtained. The image
quality depends on the intactness of the skin and the image acquisition process.
In poor quality images the image quality is less than 50%. The valid area means
those parts of a fingerprint, where minutiae can be detected. Typically the area
is between 100 mm² and 300 mm². The average values for the image quality, the
valid area and the number of found minutiae are also shown in Table 8. Figure
25 presents the minutiae detected from the example fingerprint with black circles
(image quality 50%, valid area 239 mm², number of found minutiae 67).

The variance between users was quite uniform with respect to all the measured
values. The image quality varied usually from scan to scan about 10-15% with
every user. The valid areas for all the fingerprint images were between 200 mm²
and 270 mm², and there was some variation from scan to scan. Usually, more
minutiae were detected from the fingerprint images with a larger valid area.
However, the number of detected minutiae varied from one user to another and also
between different images of the same finger, as could be expected.

Table 8: Feature extraction results in BDFIS software

| Measured quantity | Average value | Standard deviation between users |
|---|---|---|
| Feature extraction time (ms) | 24,20 | 12,49 |
| Template generation time (ms) | 0,89 | 0,39 |
| Image quality (%) | 61,55 | 8,28 |
| Template quality (%) | 84,13 | 10,06 |
| Valid area (mm²) | 233,91 | 14,76 |
| Minutiae (number) | 55,00 | 15,21 |

Figure 25: Minutiae found in the feature extraction stage of BDFIS software

The fingerprint image quality and the valid area seemed to be independent of each
other. Usually more minutiae were found from poor quality images, which might
indicate that many of the detected minutiae are actually false minutiae. This is
supported by the fact that if the image quality was poor, there was more deviation
in the number of detected minutiae. In addition, the minutiae were found quite fast
if the image quality was poor. On the other hand, though the number of detected
minutiae was usually smaller in good quality images, the feature extraction stage
could be either fast or slow.

The execution of the feature extraction was slightly slower when more minutiae
were found. However, the feature extraction times were not divided uniformly
around the average of 24,2 ms but rather at three different levels, with the first
level around 12 ms, the second level around 21 ms and the third level around
38 ms. The level seemed to be independent of the number of detected minutiae,
the valid area and the image quality. Therefore it remains unclear which are the
circumstances leading to a slow or fast execution time.

The average execution time for the template generation and the average quality
of the generated templates are also shown in Table 8. The template quality repre-
sents the user’s skill to reproduce similar fingerprint images on each scan and the
amount of dactyloscopic data, i.e. the unequivocal information from a fingerprint,
which is used for authentication. The BDFIS software requires at least two finger-
print images to create a template. On the other hand, the NFIS2 software does not
create a template, but uses a list of detected minutiae from a single fingerprint. In
order to make the comparisons similar in both softwares, the template in BDFIS
software was created using the same fingerprint image twice. Therefore, the latter
characteristic of the template quality has no meaning and the obtained template
qualities may be too high. It should be also noted, that the manufacturer does not
recommend this.

Usually, the template was generated in less than 1,4 ms. There was a lot of
variation in the execution times, but usually if the template quality was good,
the template was generated faster. The software probably measures the quality of
the minutiae, which is related to the quality of the template. This is supported
by the fact that when the image quality was good, a good quality template could
usually be generated. Also, if the number of detected minutiae was between 35 and
55, a good quality template resulted. After this, as the number of minutiae
increased, the quality of the template began to decrease. This probably means that
more minutiae were found from a poor quality image, but the quality and the
reliability of the detected minutiae were poor, thus resulting in a poor quality
template. The variation of the template quality within a single user was about
20%. There could have been more variation if the template had been generated from
several fingerprints.

NFIS2

The average execution times and their standard deviation between users in the
feature extraction stage and in the corresponding subtasks are presented in
Table 9. The percentage of a subtask execution time compared to the total feature
extraction stage and the average number of detected minutiae are also presented.
There were many small operations in the subtasks, e.g. different initializations,
which are not listed, and the percentages are rounded to a precision of 0.1 %.
Therefore, the percentages only give an order of magnitude, and the percentages
of the subtasks might not always add up to that of the task above them in the
hierarchy. Figure 26 presents the minutiae found from the example fingerprint
(image quality 1, number of found minutiae 117) with circles. The directions of
the minutiae are also shown.

Figure 26: Minutiae with directions found in feature extraction stage of NFIS2 software

Table 9: Feature extraction results in NFIS2 software

| Feature extraction stage | Average value (ms) | Percentage of the total stage time | Standard deviation between users (ms) |
|---|---|---|---|
| FEATURE EXTRACTION | 192,96 | 100 | 21,26 |
| Image enhancement | 1,76 | 0,9 | 0,02 |
| Minutiae detection & binarization | 191,20 | 99,1 | 21,21 |
| Detect minutiae | 186,15 | 96,5 | 21,04 |
| Initialization | 1,56 | 0,8 | 0,003 |
| Maps | 76,60 | 39,7 | 1,99 |
| Compute block offsets | 0,01 | ∼0 | ∼0 |
| Generate initial direction map and low contrast map | 68,95 | 35,7 | 1,26 |
| Dilate and erode low contrast map | 0,15 | 0,1 | 0,003 |
| Remove inconsistent directions | 3,18 | 1,6 | 0,92 |
| Smooth direction map | 0,93 | 0,5 | 0,04 |
| Interpolate invalid direction blocks | 0,09 | ∼0 | 0,02 |
| Remove inconsistent directions | 2,53 | 1,3 | 1,09 |
| Smooth direction map | 0,96 | 0,5 | 0,03 |
| Set direction map margin values to invalid | 0,002 | ∼0 | ∼0 |
| Generate high curvature map | 0,32 | 0,2 | 0,01 |
| Binarization | 33,39 | 17,3 | 0,65 |
| Binarize padded image | 29,99 | 15,5 | 0,62 |
| Fill black & white holes (3x) | 3,17 | 1,6 | 0,11 |
| Minutiae detection | 28,07 | 14,5 | 5,67 |
| Pixelize direction map | 0,76 | 0,4 | 0,01 |
| Pixelize low flow map | 0,75 | 0,4 | 0,01 |
| Pixelize high curve map | 0,75 | 0,4 | 0,01 |
| Scan minutiae horizontally | 11,17 | 5,6 | 1,97 |
| Scan minutiae vertically | 14,75 | 7,6 | 3,83 |
| False minutiae removal | 31,49 | 16,3 | 12,08 |
| Sort minutiae points | 1,62 | 0,8 | 0,97 |
| Remove minutiae on lakes and islands | 11,66 | 6,0 | 4,96 |
| Remove holes | 2,11 | 1,1 | 0,69 |
| Remove minutiae pointing to invalid direction | 0,34 | 0,2 | 0,09 |
| Remove minutiae close to invalid direction block | 0,12 | 0,1 | 0,03 |
| Remove or adjust minutiae on aside of ridge or valley | 12,51 | 6,5 | 4,24 |
| Remove minutiae forming hooks | 0,79 | 0,4 | 0,53 |
| Remove opposite minutiae overlapping | 0,12 | 0,1 | 0,06 |
| Remove too wide minutiae | 2,15 | 1,1 | 0,60 |
| Remove too narrow minutiae | 0,55 | 0,3 | 0,28 |
| Ridge counting | 17,20 | 8,9 | 2,78 |
| Sort minutiae points | 0,03 | ∼0 | 0,01 |
| Remove duplicate points from list | 0,01 | ∼0 | 0,001 |
| Count ridges between minutiae | 17,19 | 8,9 | 2,76 |
| Build integrated quality map | 0,37 | 0,2 | 0,02 |
| Assign reliability from quality map | 1,26 | 0,6 | 0,10 |
| MINUTIAE (number) | 87,48 | - | 22,82 |

The measured execution times of the feature extraction stage were about 10 times
longer compared to the BDFIS software. The generation of the directional map
and the low contrast map accounts for the greatest portion of the execution time.
Especially the direction map requires many accumulations and DFT transforms,
which may be one of the reasons that the process is slower than the feature
extraction stage of the BDFIS software. Image binarization is another task which
takes a relatively long time to execute. The task requires many accumulations
and it is therefore quite similar to the direction map generation task (cf.
6.2.2).

In the NFIS2 software, the quality of the fingerprints was represented on a scale
from 1-5, with a larger number meaning worse quality. The fingerprint images,
whose qualities were poor according to BDFIS software, were usually interpreted
as poor quality images also in NFIS2. However, many of the images which were
interpreted as good quality images in NFIS2, were barely satisfying according to
the BDFIS software. In addition, there weren’t any images on the levels three or
five at all.

The feature extraction times in NFIS2 software were quite similar among a single
user and they were divided uniformly. The feature extraction was usually per-
formed in less than 225 ms. The execution time of the feature extraction was
longer when more minutiae were found from the image. Therefore, the feature
extraction for poor quality images was usually slower, since more minutiae were
detected. Although the number of detected minutiae was clearly different between
the software programs, the relative number of minutiae detected with both soft-
ware programs remained nearly the same for all fingerprints. In other words, if
there were fingerprints with fewer minutiae found using BDFIS, it was true for
NFIS2 also. Figure 27 shows the minutiae detected from the example fingerprint
using both softwares. The black circles are the minutiae detected by BDFIS and
the squares are minutiae detected by NFIS2. The color of the square corresponds
to the reliability of the minutia. The lighter the square is, the more reliable is the
minutia.

The time for the false minutiae removal increased with the number of detected
minutiae. Especially the time spent in the removal of lakes and islands and in
the adjustment of the minutiae on the side of a ridge or valley increased with
the number of minutiae. The execution times for the minutiae detection and ridge
counting subtasks also increased slightly. The times for the other subtasks
remained independent of the number of detected minutiae.

Figure 27: Minutiae found in feature extraction stage of BDFIS and NFIS2 software

6.4.3 Fingerprint Matching

To conduct the measurements in the fingerprint matching stage, the data from the
56 fingerprints was divided into two equally sized parts, the input samples and the
references. The two fingerprints which had the best template quality according to
the BDFIS were selected as reference fingerprints. This choice is justified, since
the enrollment phase is usually a controlled operation in a real-world application
and a good quality template is usually required. The same fingerprints were used
as references in both programs, so that the results would be comparable with
each other.

The matching was performed in a similar way as the feature extraction. The 28
input samples were matched with a reference fingerprint one at a time. Then the
reference fingerprint was changed, and all the input fingerprints were matched
against this new reference fingerprint. In this way all the input fingerprints were
matched with all the reference fingerprints, totalling 784 (28 x 28) matches. The
process was repeated cyclically so that there were 1000 repeats for each matching
pair to diminish the effect of occasional changes in execution times.

The fingerprint matching scenario used here was a verification scenario, because
there wasn’t a specific data structure created for the reference fingerprints. An
efficient data structure is essential in identification applications in order to make
them feasible.

Bergdata Fingerprint Identification Software

The average execution times and their standard deviation between users in the
fingerprint matching stage are presented in Table 10. The median matching times,
the average score for the matching fingerprints and the number of matching errors
i.e. the false matches and the false non-matches, are also presented in Table 10.
The median times were calculated, since the measured execution times were not
uniformly distributed but rather concentrated around the lower values of execution
times. The number of false matches and non-matches indicates the security level
used here.

The security level in the BDFIS software was adjustable, but the different security
levels were described verbally and the specific thresholds remained unclear. The
matching threshold was set to the lowest possible level, because the output for
match score was always set to zero, if a non-match was declared between the two
fingerprints. The lowest possible security level turned out to be 25 % and the
matching scores were obtained upwards from there. Even though the threshold
level was set to the lowest possible, there were only two false matches. In addition,
there were three false non-matches and their number should have been small, since
the lowest possible security level was applied.

The average execution times and their standard deviation between users in the
fingerprint matching stage were measured for all fingerprints, only for the
matching fingerprints and only for the non-matching fingerprints separately. This
was done in order to see if there were some differences between execution times
when two fingerprints match or do not match.

Table 10: Fingerprint matching results in BDFIS software

| Measured quantity | Average value | Median value | Standard deviation between users |
|---|---|---|---|
| Fingerprint match time (ms) - All fingerprints | 0,514 | 0,353 | 0,409 |
| Fingerprint match time (ms) - Matching fingerprints | 0,537 | 0,481 | 0,247 |
| Fingerprint match time (ms) - Non-matching fingerprints | 0,512 | 0,344 | 0,418 |
| Matched fingerprint score (%) | 57,4 | 56 | 14,34 |
| FM | 2 of 728 | - | - |
| FNM | 3 of 56 | - | - |

The fingerprint matching stage was usually completed in less than 1,1 ms. If
the two fingerprints could be matched, the matching took less than 0,9 ms. On
the other hand, in most cases when a non-match was declared, matching was
slower. However, it was usually completed in less than about 1,2 ms. If the
execution of the fingerprint matching stage was slow, usually the match score and
the probability of a correct match decreased. This could mean that in a poor
quality image more minutiae, including false ones, were found and a match could
not be declared. The image quality and the number of minutiae are probably very
important elements from the matching time point of view.

NFIS2

A previously extracted list of minutiae was used as a reference fingerprint in the
fingerprint matching stage of NFIS2 software. This is different from the BDFIS,
which uses templates that are preferably created from several fingerprints.

The average execution times and their standard deviation between users for the
fingerprint matching stage and the corresponding subtasks are presented in
Table 11. The relative percentages of the subtasks with respect to the total
fingerprint matching stage are also presented. All times were measured separately
for all fingerprints, only the matched fingerprints and only non-matched
fingerprints. Similarly to the feature extraction stage, there were many small
operations in the subtasks which are not included in Table 11, and the percentages
are rounded to a precision of 0.1 %. Therefore, they give an order of magnitude
and do not add up to 100%. The average scores for fingerprints and the number of
false matches and non-matches are also presented in Table 11. The median values
for the execution times are also presented, since the distribution of execution
times was not uniform.

In the NFIS2 software, all the match scores were given as a result of the matching
stage and no security level had to be defined beforehand. The resulting match
scores represent roughly the number of matched minutiae and a match score of 40 or
greater usually indicates a correct match [Wat04].

It can be seen from Table 11, that the traversal of the compatibility graph takes
most of the matching time. This is pronounced when two fingerprints match with
each other, since in that case the compatibility table is longer and therefore also
the traversal of the corresponding compatibility graph takes a long time.

The fingerprint comparison was usually done in less than 35 ms. The decision
that two fingerprints match with each other, was usually done in less than about
550 ms. The execution time of the fingerprint matching was much shorter if the
fingerprints did not match with each other, since the non-match decision was usu-
ally done in less than 25 ms. However, there was a lot of variation in the matching
times and the matching stage is very much slower than the matching stage of the
BDFIS software.

Finally, the error rates, i.e. the false match rate (FMR) and the false non-match
rate (FNMR), for both software programs are depicted in Figure 28. The false match
rates fall and the false non-match rates rise as the security level is increased. The
gray values are for NFIS2 and the black values for BDFIS, respectively.

Table 11: Fingerprint matching results in NFIS2 software

| Fingerprint matching stage | Average value | Median value | Percentage of total matching stage | Standard deviation between users |
|---|---|---|---|---|
| All fingerprints | | | | |
| FINGERPRINT MATCHING (ms) | 29,16 | 7,16 | 100 | 117,56 |
| Initialize input fingerprint (ms) | 2,12 | 1,42 | 7,3 | 1,94 |
| Initialize gallery fingerprint (ms) | 1,86 | 1,02 | 6,4 | 1,82 |
| Construct a compatibility table (ms) | 2,34 | 1,47 | 8,0 | 2,48 |
| Traverse the compatibility graph (ms) | 20,86 | 1,88 | 71,5 | 91,80 |
| Match Score | 14,87 | 8 | - | 28,25 |
| Matching fingerprints | | | | |
| FINGERPRINT MATCHING (ms) | 213,95 | 72,75 | 100 | 373,36 |
| Initialize input fingerprint (ms) | 2,08 | 1,38 | 1,0 | 1,93 |
| Initialize gallery fingerprint (ms) | 1,76 | 1,03 | 0,8 | 1,67 |
| Construct a compatibility table (ms) | 3,39 | 1,4 | 1,6 | 3,69 |
| Traverse the compatibility graph (ms) | 176,37 | 71,32 | 82,4 | 265,10 |
| Match Score | 110,73 | 105 | - | 47,08 |
| Non-matching fingerprints | | | | |
| FINGERPRINT MATCHING (ms) | 16,30 | 6,69 | 100 | 52,17 |
| Initialize input fingerprint (ms) | 2,13 | 1,45 | 13,1 | 1,94 |
| Initialize gallery fingerprint (ms) | 1,87 | 1,02 | 11,5 | 1,83 |
| Construct a compatibility table (ms) | 2,26 | 1,47 | 13,9 | 2,36 |
| Traverse the compatibility graph (ms) | 10,04 | 1,62 | 61,60 | 49,10 |
| Match Score | 8,20 | 7 | - | 4,20 |
| FM | 0 of 728 | - | - | - |
| FNM | 5 of 56 | - | - | - |

6.4.4 Applicability to Identification

When considering a large-scale application, the most important characteristics of
a fingerprint software program are the matching time for two fingerprints and the
error rates.

The average feature extraction time for NFIS2 was nearly eight times longer than
that of the feature extraction done with the BDFIS software. Even though the
feature extraction stage is the slowest part of the whole fingerprint recognition
task, the fingerprint matching time is more important in identification
applications, since there must be many matches in a short time. The average
fingerprint matching time in NFIS2 software was more than 50 times longer, and the
median time about 20 times longer, than the fingerprint matching with the BDFIS
software. Thus the NFIS2 software is considerably slower than the BDFIS software.

Figure 28: False match rate and false non-match rate for NFIS2 and BDFIS software
programs

As an example of a large-scale system, an identification system of 1000 users with
no specific data structure can be used. In such a system the worst-case execution
times, where the matching is done with all the 999 non-matching fingerprints
before the correct match, would be about 16,5 seconds with NFIS2 and 0,5 seconds
with BDFIS software. If the applied security level is chosen so that both error
rates are as small as possible, the probability of correct identification would be
about 95% with NFIS2 and about 97% with BDFIS. However, it should be noted
that the template in the BDFIS software should have been created from several
different fingerprint images. This may have an effect on the error rates of BDFIS
software.

If the security level in an identification application was chosen so that both
error rates are as small as possible and the probability of a correct identification
should be 90%, the maximum allowable system sizes would be about 1900 and
3800, respectively. On the other hand, if the maximum allowed waiting time
was chosen to be e.g. two seconds, the maximum number of users in the system
would be about 300 with NFIS2 and about 5600 with BDFIS software.
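
The sizing reasoning of this section as an added example (not part of the thesis): it recomputes the worst-case linear-scan time from the timings and error counts in Tables 10 and 11 and projects identification accuracy from a threshold sweep. The accuracy model (1 - FNMR)(1 - FMR)^(N-1), the reading of "both error rates as small as possible" as minimum FMR + FNMR, and the score lists are assumptions.

```python
from math import floor, log

# Error counts and per-match times (ms) copied from Tables 10 and 11.
# Timing tuples are (non-matching pair, matching pair).
MEASURED = {
    "BDFIS": {"fm": (2, 728), "fnm": (3, 56),
              "avg": (0.512, 0.537), "median": (0.344, 0.481)},
    "NFIS2": {"fm": (0, 728), "fnm": (5, 56),
              "avg": (16.30, 213.95), "median": (6.69, 72.75)},
}

# Constructed similarity scores (not thesis data); higher means more similar.
GENUINE = [105, 98, 150, 62, 41, 33, 120, 88, 77, 19]
IMPOSTOR = [7, 8, 5, 12, 9, 6, 14, 21, 8, 7, 10, 4, 35, 6, 9, 11, 7, 8, 5, 13]


def error_rates(genuine, impostor, threshold):
    """Return (FMR, FNMR) when a score >= threshold is declared a match."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def sweep(genuine, impostor):
    """(threshold, FMR, FNMR) per distinct score: the data behind an FMR/FNMR plot."""
    return [(t, *error_rates(genuine, impostor, t))
            for t in sorted(set(genuine) | set(impostor))]


def balanced_threshold(genuine, impostor):
    """Threshold with the smallest FMR + FNMR; ties go to the stricter one."""
    return min(sweep(genuine, impostor), key=lambda r: (r[1] + r[2], -r[0]))[0]


def p_correct_identification(fmr, fnmr, n_users):
    """Assumed model: the enrolled user matches the own template and none of
    the other n_users - 1 templates, with independent comparisons."""
    return (1.0 - fnmr) * (1.0 - fmr) ** (n_users - 1)


def max_users_for_accuracy(fmr, fnmr, target):
    """Largest gallery that keeps p_correct_identification >= target.
    Returns 0 if FNMR alone misses the target and None if the measured FMR
    is 0: the sample then gives no bound, it does not prove a zero FMR."""
    if 1.0 - fnmr < target:
        return 0
    if fmr == 0:
        return None
    if fmr >= 1:
        return 1
    return 1 + floor(log(target / (1.0 - fnmr)) / log(1.0 - fmr))


def worst_case_ms(n_users, t_nonmatch, t_match):
    """Linear scan in which the correct template is compared last."""
    return (n_users - 1) * t_nonmatch + t_match


def max_users_for_latency(budget_ms, t_nonmatch, t_match):
    """Largest gallery whose worst-case linear scan fits the time budget."""
    if budget_ms < t_match:
        return 0
    return 1 + floor((budget_ms - t_match) / t_nonmatch)


def report(n_users=1000, budget_ms=2000.0):
    """Per-program sizing figures derived from the MEASURED table values."""
    rows = {}
    for name, m in MEASURED.items():
        fmr = m["fm"][0] / m["fm"][1]
        fnmr = m["fnm"][0] / m["fnm"][1]
        rows[name] = {
            "worst_case_s": worst_case_ms(n_users, *m["avg"]) / 1000.0,
            "p_correct": p_correct_identification(fmr, fnmr, n_users),
            "max_users_avg": max_users_for_latency(budget_ms, *m["avg"]),
            "max_users_median": max_users_for_latency(budget_ms, *m["median"]),
        }
    return rows


if __name__ == "__main__":
    t = balanced_threshold(GENUINE, IMPOSTOR)
    print("balanced threshold:", t, error_rates(GENUINE, IMPOSTOR, t))
    for name, row in report().items():
        print(name, row)
```

With the average times, the worst case for 1000 users comes to about 16,5 s for NFIS2 and 0,5 s for BDFIS, as in the text. The two-second capacity depends on whether average or median times are used, which the text does not state.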

According to the number of users calculated above, it seems that it is not feasible
to use either software in an identification application without an efficient data
structure and a pre-classification of the fingerprint, since there may be millions
of users in a single large-scale identification application. Another way is to
decrease the error rates and the execution times. Both of these can be affected by
designing an improved recognition algorithm. Currently, the matching algorithm of
the NFIS2 software does not exploit the number of ridge counts at all, which
probably has an effect on the error rates and also on the overall execution time
of the fingerprint matching stage.

The calculation of DFT and the compatibility graph traversal are the tasks which
take up most of the time in fingerprint recognition. Therefore, it might be
possible to speed up the whole recognition process by shortening the execution
time of these tasks. First of all, dedicated hardware, which would perform the
slow tasks, could be used. The hardware-executable task would be predefined in the
design stage and fixed thenceforth, but the execution would be fast. Another
time-saving method could be parallel processing. In a computer the fingerprint
recognition software is executed sequentially. However, if e.g. in the matching
stage a parallel processing approach could be used, a single input fingerprint
could be matched with many gallery fingerprints at the same time. The parallel
processing could also be performed with hardware and it would obviously shorten
the fingerprint matching execution time. Parallel processing could also be used in
the DFT calculation of the blocks.

Chapter 7

Conclusions

Biometric recognition is based on the physiological and behavioral characteristics
of a person. It is an emerging and effective method for authentication and
it can be seen as an addition to the token and knowledge based authentication
methods, which are widely used today. Many different biometrics, e.g. fingerprint
and iris, can be used for recognition and they all have their own advantages and
disadvantages. In addition, biometric recognition is the only recognition method
which can be used also for identification purposes and also with non co-operative
subjects. However, there are several aspects, e.g. social acceptance and legal
questions, which must be considered before using biometric recognition.

When the use of biometric recognition is extended from a small-scale system into
a large-scale identification system, many technical challenges are encountered.
First of all, the identification time is related to the number of users, which might
be millions in a large-scale system. Therefore, the matching of an input biomet-
ric with a template must be a very fast process. In addition, the error rates are
changed from a small-scale system, and a suitable balance must be found between
the security, the user convenience and the amount of human intervention needed.
Unfortunately, these objectives are often in contradiction with each other.

A performance comparison was done between a commercial fingerprint recognition
software and an open source software. The operations of the open source
software were studied in detail. In addition, the error rates and the execution times
of each operation in feature extraction and fingerprint matching were measured in
both programs. The suitability of the programs for a large-scale application was
also discussed.

Clear differences were noted between the two softwares and especially the dif-
ferences in the execution times were much larger than expected and therefore the
bottlenecks of the fingerprint recognition process were identified. The execution
times in the feature extraction and the fingerprint matching are in order of tens to
hundreds of milliseconds and the fingerprint matching time is adequate for veri-
fication applications but not for identification applications, where many matches
must be done. The time for feature extraction is not crucial in either kind of ap-
plication, since it is done only once for each user.

If the fingerprint matching stage could be accelerated, the large-scale applications
using fingerprint recognition would become more feasible. The error rates in both
programs should be decreased, since they have an effect on the success and the
execution times of an identification process. This could be done by improving the
fingerprint matching algorithms, but more research is required there. In addition,
dedicated hardware could be used for decreasing the execution times, but this also
requires more research. Since the fingerprint matching was done sequentially,
the possibility of conducting the fingerprint matching in parallel should also be
investigated.

The usage of iris recognition in large-scale applications should also be
investigated more, since it is one of the most accurate and fastest biometrics
available.

Bibliography

[ASC05] Accredited Standards Committee X9, Inc. The official Webpage of
Accredited Standards Committee X9, Inc. internet: http://www.x9.org/,
(visited March 8, 2005).

[Abr04] P. Abrahmsen. A walk through the UK’s Iris Recognition Immigration
System (IRIS). internet:
www.biometrics-2004.com/abs_Pat_Abrahmsen.htm, (visited October 18, 2004).

[Adl03] A. Adler. Sample Images can be Independently Restored from Face
Recognition Templates. Electrical and Computer Engineering, 2003,
IEEE CCECE 2003, Canadian Conference on, Volume: 2, 4-7 May
2003, pages 1163 – 1166, 2003.

[Atm02] Atmel Corporation. FCD4B14 FingerChip Datasheet. internet:
http://www.atmel.com/dyn/resources/prod_documents/DOC1962.PDF,
(visited March 9, 2005).

[BAC05] BiometricAPI™ Consortium. The official website of
BiometricAPI™ Consortium. internet: http://www.bioapi.org/,
(visited March 8, 2005).

[BerA03] Bergdata Biometrics GmbH. Biometric Engine. internet:
http://www.bergdata.com/es/products/biometric_engine2.php,
(visited February 22, 2005).

[BerB03] Bergdata Biometrics GmbH. USB Fingerprintscanner FCAT100. internet:
http://www.bergdata.com/es/products/usb_fcat.php,
(visited March 16, 2005).

[Bio03] BioNet Systems, LLC. BioPassword Knowledge Base. internet:
www.biopassword.com/home/support/kb.asp, (visited
September 10, 2004).

[Bis02] P. Bishop. Atmel’s Fingerchip™ Technology for Biometric Security.
Atmel White Paper, 2002. internet:
http://www.atmel.com/dyn/resources/prod_documents/FingerChip_WhitePaper%_11_12_02.pdf,
(visited February 23, 2005).

[Bol04] R.M. Bolle, J.H. Connell, S. Pankanti, N.K. Ratha, and A.W. Senior.
Guide to Biometrics. Springer-Verlag, New York, USA, First edition,
2004.

[CBE05] CBEFF Technical Development Team. CBEFF - Common Biometric
Exchange File Format. internet:
http://www.itl.nist.gov/div895/isis/bc/cbeff/, (visited March 8, 2005).

[Chi03] J. Chirillo and S. Blaul. Implementing Biometric Security. Wiley
Publishing, Inc., Indianapolis, USA, First edition, 2003.

[Cyg05] Cygwin™. Cygwin Home. internet: http://cygwin.com/,
(visited March 16, 2005).

[DFE99] The Discovery Fund for Eye Research. Anatomy of the Eye. internet:
www.discoveryfund.org/anatomyoftheeye.html,
(visited September 24, 2004).

[Dau04] J.G. Daugman. How Iris Recognition Works. IEEE Transactions on
Circuits and Systems for Video Technology, Volume 14, Number 1,
pages 21 – 30, January 2004.

[Dau93] J.G. Daugman. High Confidence Visual Recognition of Persons by
a Test of Statistical Independence. IEEE Transactions on Pattern
Analysis and Machine Intelligence, Volume 15, Number 11, pages
1148 – 1161, November 1993.

[Dau99] J. Daugman. Recognizing Persons by Their Iris Patterns. Article in
the book ’Biometrics - Personal Identification in Networked Society’,
pages 103 – 121, A. Jain and R. Bolle and S. Pankanti (Eds.), Kluwer
Academic Publishers, Massachusetts, USA, Fourth edition, 1999.

[Dix03] M. Dixon. Evolution of the DoD CAC Program. internet:
http://csrc.nist.gov/publications/nistir/IR-7056/Gov-Requirements/Dixon%-evolution.pdf,
(visited December 17, 2004).

[Dre04] E. Dreyer. Case Study: Biometrics as an Anti-Fraud
Measure in the South African Healthcare Industry. internet:
www.biometrics-2004.com/abs_edwin_dreyer.htm, (visited October 18, 2004).

[Dud01] R.O. Duda, P.E. Hart, and D.G. Stork. Pattern Classification. John
Wiley & Sons, USA, Second edition, 2001.

[Fer04] Thomas J. Ferriola. Scientific Principles of Friction Ridge
Analysis & Applying Daubert to Latent Fingerprint Identification. internet:
www.clpex.com/Articles/ScientificPrinciplesbyTomFerriola.htm,
(visited August 26, 2004).

[Fin03] findBIOMETRICS. findBIOMETRICS interwiews Min Chong,
CAC-Biometrics Project Lead, Department of Defense. internet:
http://www.findbiometrics.com/Pages/feature_dod.htm,
(visited December 17, 2004).

[Fin99] Finlex. Henkilötietolaki (523/1999). internet:
http://www.finlex.fi/fi/laki/ajantasa/1999/19990523,
(visited February 15, 2005).

[For04] J. Forstén. Enhancing Priority Based IP-Packet Forwarding with
Hardware Acceleration Using Reprogrammable Logic. Master’s thesis,
Helsinki University of Technology, Department of Electrical and
Communications Engineering, Signal Processing Laboratory, 2004.

[Fu86] K-S. Fu. Syntactic Pattern Recognition. Chapter in the book ’Hand-
book of Pattern Recognition and Image Processing’, pages 85 – 117,
T. Y. Young and K-S. Fu (Eds.), Academic Press Inc., USA, First
edition, 1986.

[Ger97] R.S. Germain, A. Califano, and S. Colville. Fingerprint Matching
Using Transformation Parameter Clustering. IEEE Computational
Science & Engineering, October – November.

[Ger99] R.S. Germain. Large Scale Systems. Article in the book ’Biometrics
- Personal Identification in Networked Society’, pages 311 – 325, A.
Jain and R. Bolle and S. Pankanti (Eds.), Kluwer Academic Publish-
ers, Massachusetts, USA, Fourth edition, 1999.

[Hen02] M. Henriksson. Analys av fingeravtryck. Master’s thesis, Linköping
Institute of Technology, Department of Computer and Information
Science, Division of Computer Science, 2002.

[Hil99] R. Hill. Retina Identification. Article in the book ’Biometrics -
Personal Identification in Networked Society’, pages 123 – 141, A. Jain
and R. Bolle and S. Pankanti (Eds.), Kluwer Academic Publishers,
Massachusetts, USA, Fourth edition, 1999.

[IBGa04] International Biometric Group. IBG Case Study: California
Department of Motor Vehicles. internet:
www.biometricgroup.com/ca_dmv.html, (visited October 18, 2004).

[IBGb04] International Biometric Group. Biometrics Market and
Industry Report 2004-2008. internet:
http://www.securitysystemsnews.com/2004.02/downloads/ss.pdf,
(visited February 21, 2005).

[IO05] I/O Software, Inc. Standard in Biometrics Biometric API - BAPI. in-
ternet: http://www.iosoftware.com/pages/Products/
Biometric%20API/index.asp, (visited March 8, 2005).

[Int05] Intel. Intel Labs: Common Data Secutiry Architecture. internet:
http://www.intel.com/cd/ids/developer/asmo-na/eng/technologies/20287.ht%m?page=1,
(visited March 8, 2005).

[Jai04] A.K. Jain, S. Pankanti, S. Prabhakar, L. Hong, A. Ross, and J.L. Way-
man. Biometrics: A Grand Challenge. To appear in the Proceedings
of International Conference on Pattern Recognition, Cambridge, UK,
August.

[Jai99] A. Jain, R. Bolle, and S. Pankanti. Introduction to Biometrics. Ar-


ticle in the book ’Biometrics - Personal Identification in Networked
Society’, pages 1 – 41, A. Jain and R. Bolle and S. Pankanti (Eds.),
Kluwer Academic Publishers, Massachusetts, USA, Fourth edition,
1999.

[Kar04] T. Karvonen. EU sopi biopasseista, 2004. internet:
http://www.digitoday.fi/showPage.php?page_id=14&news_id=36619,
(visited February 21, 2005).

[Mai00] J-F. Mainguet, M. Pégulu, and J.B. Harris. Fingerprint Recognition
Based on Silicon Chips. Future Generation Computer Systems, Volume 16,
Issue 4, Elsevier Science B.V., pages 403 – 415, February 2000.

[Mal03] D. Maltoni, D. Maio, A.K. Jain, and S. Prabhakar. Handbook of
Fingerprint Recognition. Springer-Verlag, New York, USA, First
edition, 2003.

[Man01] T. Mansfield, G. Kelly, D. Chandler, and J. Kane. Biometric
Product Testing Final Report, Issue 1.0, March, 19 2001. internet:
www.cesg.gov.uk/site/ast/biometrics/media/BiometricTestReportpt1.pdf,
(visited October 11, 2004).

[Myl04] N. Myllyoja. Suomalaiset turvapassit valmistetaan Hollannissa,
2004. internet: http://www.tekniikkatalous.fi/doc.ot?f_id=640268,
(visited February 21, 2005).

[Mön04] M. Mönttinen. Biotunniste koetaan liian järeäksi keinoksi estää
tukihuijauksia. Kuntalehti, Issue 3, pages 6 – 6, 2004.

[Nan02] S. Nanavati, M. Thieme, and R. Nanavati. Biometrics - Identity
Verification in a Networked World. A Wiley Tech Brief. John Wiley &
Sons, Inc., USA, First edition, 2002.

[Nav02] United States Naval Consolidated Brig. The Demonstration of
Biometric Technologies to Track Inmates in a Correctional
Environment, June 2002. internet:
www.nlectc.org/nlectcse/download/seymour_feb2003_biometrics_part1.pdf,
(visited October 11, 2004).

[Nyk05] P. Nykänen. Setec riitautti biopassien tilauksen Hollannista.
Kauppalehti, 2005. internet:
http://www.kauppalehti.fi/4/ug/uutiset/arkisto/showArticle.do?db=KKL040%5X&ris=1&ht=1&rid=375&qid=0&rsi=0&p=0&s=20,
(visited February 10, 2005).

[OGo99] L. O’Gorman. Fingerprint Verification. Article in the book
’Biometrics - Personal Identification in Networked Society’, pages 43 –
64, A. Jain and R. Bolle and S. Pankanti (Eds.), Kluwer Academic
Publishers, Massachusetts, USA, Fourth edition, 1999.

[OSu97] O. O’Sullivan. Biometrics comes to life. ABA Banking Journal,
1997. internet: www.banking.com/aba/cover_0197.htm,
(visited October 13, 2004).

[Pan02] S. Pankanti, S. Prabhakar, and A.K. Jain. On the Individuality of
Fingerprints. IEEE Transactions on Pattern Analysis and Machine
Intelligence, Volume 24, Number 8, August.

[Per03] J. Perttula. Sähköisen tunnistamisen menetelmät ja niiden sääntelyn
tarve. Liikenne- ja viestintäministeriö, 2003.

[Rat01] N.K. Ratha, J.H. Connell, and R.M. Bolle. Enhancing Security and
Privacy in Biometrics-Based Authentication Systems. IBM Systems
Journal, Volume 40, Number 3, pages 614 – 634, 2001.

[Rei04] P. Reid. Biometrics for Network Security. Prentice Hall PTR, New
Jersey, USA, First edition, 2004.

[Ric04] Edward P. Richards. Phenotype v. Genotype: Why Identical Twins
Have Different Fingerprints. internet:
www.forensic-evidence.com/site/ID/ID_Twins.html,
(visited August 26, 2004).

[Rii04] T. Riippa. Sormenjälkitunnistus yleistyy. internet:
http://www.yle.fi/teema/verkkoyhteys/juttu.php?id=872,
(visited February 21, 2005).

[Saf03] Saflink Corporation. Saflink’s Team Receives Award from Office
of the Secretary of Defense for Network Logon System. internet:
http://www.saflink.com/pr/osd.html, (visited December 17, 2004).

[San02] P. Sankar and B. Bavarian and D. Hall. Examples of Large Scale
Biometrics Systems, Biometrics Consortium Conference, September,
23 2002. internet:
www.biometrics.org/html/bc2002_sept_program/3_bc0052_SankarBrief.pdf,
(visited October 13, 2004).

[San04] M. Sandström. Liveness Detection in Fingerprint Recognition
Systems. Master’s thesis, Linköping Institute of Technology, Department
of Electrical Engineering, Division of Information Theory, 2004.

[Sdu04] Sdu Identification. Finnish government chooses Sdu
Identification’s passport concept, 2002. internet:
http://www.smartcardstrends.com/det_atc.php?idu=1438,
(visited February 21, 2005).

[Sec04] Security Systems News. IBG Report Predicts Double Digit Growth
for Biometrics, February. internet:
http://www.securitysystemsnews.com/2004.02/downloads/ss.pdf,
(visited March 8, 2005).

[The03] S. Theodoridis and K. Koutroumbas. Pattern Recognition. Academic
Press, San Diego, USA, Second edition, 2003.

[The89] C.W. Therrien. Decision, Estimation and Classification. John Wiley
& Sons, Inc., USA, First edition, 1989.

[Tic01] M. Tico. On Design and Implementation of Fingerprint-Based
Biometric Systems. PhD thesis, Tampere University of Technology,
November 30, 2001.

[Tor03] G.J. Tortora and S.R. Grabowski. Principles of Anatomy and
Physiology. John Wiley & Sons, Inc., New York, USA, Tenth edition,
2003.

[Wat04] C.I. Watson, M.D. Garris, E. Tabassi, C.L. Wilson, R.M. McCabe,
and S. Janet. User’s Guide to NIST Fingerprint Image Software 2
(NFIS2). National Institute of Standards and Technology, Maryland,
USA, First edition, 2004.

[Way99] J.L. Wayman. Error-Rate Equations for the General Biometric
System. Robotics & Automation Magazine, IEEE, Volume 6, Issue 1,
March.

[Wil03] I. Williams. Biometric Technology - An introduction to the science
(as applied to DL/ID requirements). internet:
www.idsysgroup.com/ftp/biometrics_101_ISG.pdf,
(visited October 18, 2004).

[Woo03] J.D. Woodward Jr., N.M. Orlans, and P.T. Higgins. Biometrics.
McGraw-Hill, California, USA, First edition, 2003.

[Zal02] B. Zalud. Battling biometrics but real-life needs intrude.
internet:
www.securitymagazine.com/CDA/ArticleInformation/features/BNP__Features_%_Item/0,5411,72134,00.html,
(visited October 18, 2004).
