conflicting aspects of the broad principle of universality in design, pointing to ... However, the idea of universality then applies at a lower level, since the.
Using Biometrics as an Enabling Technology in Balancing Universality and Selectivity for Management of Information Access M.C. Fairhurst, R.M. Guest, F. Deravi, and J. George Department of Electronics, University of Kent, Canterbury, Kent, CT2 7NT, UK. {mcf, rmg, fd4, jg31}@ukc.ac.uk
Abstract. The key concept of Universal Access in the Information Society has important and far-reaching implications for the design of a wide range of systems and data sources. This paper sets out to examine two fundamentally conflicting aspects of the broad principle of universality in design, pointing to the opposite requirement that, in many applications, access to a system or set of data must be limited to an identifiable population of “authorised” users. However, the idea of universality then applies at a lower level, since the mechanisms used to impose these limitations should themselves not be dependent on the physical attributes or expertise of individuals, but rather related to their identity and designated level of authorisation. This leads to an interesting situation where the concept of universality must be implemented at different levels and, equally, must be balanced against the competing claims of the constraints imposed by authorisation-determined selectivity. This paper argues that technology based on biometric processing – the exploitation of measurements relating to individual physiological or behavioural attributes – provides a key platform on which an access management structure can be realised. Experimental results based on various biometric modalities are used to support and illustrate the ideas proposed.
1 Introduction The theme of universal access is of increasing importance in an age where technology penetrates almost every aspect of daily life for increasing numbers of citizens. There are many, often inter-related, reasons for this. For example, we recognise that different individuals have different skills and aptitudes for technology-based interaction, that some individuals have special needs for daily living and are all too easily excluded from activities which others can take for granted, that more and more data is being made available for general use, and that increasing numbers of people are responding to the benefits of technology to expand horizons and enhance possibilities for engaging in social interactions in a meaningful way. Interestingly, however, looking at the other side of the coin, an issue which is often overlooked is that the increasing availability of information and data itself imposes a greater necessity for ensuring that access to data sources is controlled or constrained, at least in the sense that not all information can or should be made available to everyone, and N. Carbonell, C. Stephanidis (Eds.): User Interfaces for All, LNCS 2615, pp. 249–259, 2003. © Springer-Verlag Berlin Heidelberg 2003
250
M.C. Fairhurst et al.
that some data sources should, of necessity, be restricted in terms of their accessibility. For these reasons very important questions of security, privacy, reliability and trust assume a paramount importance. It is apparent that attention to these areas has not developed at the same pace as that associated with the provision and desirability of facilitating access to systems and data on a universal basis, yet in an increasingly complex society such issues will assume an ever-increasing importance. In this paper we will consider exactly these issues and, in doing so, we will attempt to broaden our perspective on the way in which universal access can be seen as raising both sociological and technological questions representing two, sometimes competing, aspects of a single issue. We would argue that the enormously important area of universal access can only develop its full potential if both aspects are properly addressed and if the twin concerns of accessibility and constraint are equally recognised. Our discussion will, in fact, itself address two aspects of the accessibility issue. First, we will argue that imposing bounds on access to data or systems is, for almost all prospective users, generally an important and unavoidable issue, and we will review ways of regulating access through establishing identity and authority in potential users. As our second major point we will then focus on a key question which arises from this and which is absolutely central to the theme of User Interfaces for All. This is the question of how to ensure that the techniques and methods proposed can adapt and be tailored to meet the widely varying requirements of all users, irrespective of particular physical, behavioural or other limitations which they may experience. Thus, in a sense, we will be identifying the importance of regarding the Universal Access paradigm as something which must operate at different strata within user populations or systems. In fact, the paper is fundamentally concerned with the use of biometric measurements as a means of establishing or verifying individual identity. This is increasingly regarded as a prerequisite for regulating access to systems or data in a meaningful way, and is an area of technology which is gaining an increasing penetration into practical systems. At the same time, little attention has hitherto been given to the relation between biometric-based access regulation and the theme of Universal Access as it is currently understood, and we will address a number of relevant and important issues arising in this regard.
2 Biometrics and Identity Authentication Biometric measurements – the measurement of attributes of an individual which help to identify that person uniquely [1] – can be categorised as either physiological or behavioural. The first type, examples of which include iris patterns [2], fingerprints [3] etc, relate to inherent physiological characteristics of an individual, while the second type, such as handwritten signatures [4], keystroke dynamics [5], gait patterns [6], etc, arise from activities carried out by that individual, either those which occur spontaneously or, in some cases, those which are specifically learned. Some examples of common biometric modalities of current interest are:
Facial features Voice characteristics
Using Biometrics as an Enabling Technology in Balancing Universality and Selectivity
251
Fingerprints Handwritten signature Iris patterns Hand shape Hand vein patterns Keystroke dynamics Odour Ear shape Gait patterns Retinal blood vessel patterns This list shows an extensive range of possible biometric modalities, illustrative rather than exhaustive, since others could also be envisaged, and it is clear that many options can be considered to support identity checking with a range of different individuals, different environments and different application domains. Although the handwritten signature [7,8,9] has perhaps the longest history in this respect, many other biometric modalities which exploit technology developed primarily for other purposes (for example, face or voice recognition) have gained popularity in recent years. Although for most biometrics widespread practical exploitation is a comparatively recent phenomenon and, indeed, practical biometric implementation is an area which is still moving towards maturity, research interest in biometrics has a long history, and experience has clearly shown that different biometric modalities are suited in different degrees to different applications (see, for example, [10]). Similarly, an important factor in choosing an appropriate biometric for a given task is the degree of acceptability which it is accorded within the prospective user community. Although biometric authentication can also engender scepticism or outright negative reactions (for example, sometimes poor reliability, concerns about privacy and civil liberties, and so on), there is general agreement, however, that in many applications biometrics offer advantages over other approaches to identity checking. For example, a “sign-on” facility to a computer system can circumvent problems of the ease with which passwords can be intercepted, deliberately shared or forgotten. A fingerprint system might increase security in physical access control compared with, say, visual inspection of badges which is often error-prone or carelessly executed. In other situations such as on-line monitoring, face recognition can prove an effective and non-intrusive means of continually monitoring user identity beyond initial system registration, and many other examples could also be discussed. This issue of matching biometric modality to a particular application or scenario becomes especially important when the broader concepts of universality are considered, since particular individual needs, limitations and preferences then become of primary concern. For example, hand tremor will impose restrictions on the efficacy of handwriting-oriented behavioural biometrics or, in some cases, will preclude the use of this possibility, and similar arguments apply in other situations. Indeed, similar arguments also apply to questions about the suitability or usability of
252
M.C. Fairhurst et al.
certain devices in relation to individual characteristics, as well as simple matters of choice and preference. Hence, the potentially enormous benefits of biometric-based identity checking must be balanced against the difficulty of making a universal and application-led decision about choice of biometric modality or of devising a control structure which allows flexibility in matching specific modality to user abilities, requirements and preferences. It is this latter issue which impinges especially and directly on the theme of Universal Access, and which provides the focus for this paper.
3 Experimental Framework In order to illustrate the arguments to be developed later in this paper we will draw on a range of experimental results deriving from a large-scale exercise which we have recently undertaken to acquire biometric data in order to support a more effective evaluation of biometric-based identity authentication. In this experimental study, part of an on-going project designated IAMBIC (Intelligent Agents for Multi-modal Biometric Identification and Control [11]), data collection trials have been undertaken which have gathered biometric data from a range of commercially available biometric devices. Although device-specific (the individual devices are not explicitly identified here) the results provide clear insights into the relative characteristics of the different modalities which the devices adopted embody. The data collection protocol itself is designed to focus on the well established scenario testing regime and conforms to the recognised guidelines of good practice laid down for biometric testing [12]. The data collection trial is based around a group of 221 volunteers recruited from a cross-section of the general public, each of whom receive a small payment for participation, and each formally giving fully informed consent to their participation. Each volunteer takes part in two separate data collection sessions, the first involving enrolment on each of the devices under test, when up to three attempts at enrolment are permitted, together with a post-enrolment verification check. A second session is undertaken at least one month later, at which a second verification process is carried out using the enrolment templates generated at the first session. Each volunteer undertakes three verification attempts at this session, and this allows re-try scenarios in addition to the one-shot case to be evaluated. Although in the data acquisition process basic precautions are taken to avoid unnecessary and disruptive environmental disturbances (for example, voice sample collection takes place away from noisy public areas) no formal optimisation of acquisition conditions is undertaken in this study. The distribution of ages for the group of volunteer subjects and between male/female participants is shown in Table 1. The data acquired in these trials are stored for analysis and linked to basic personal and demographic information provided by the participants. The database thus constructed forms the basis of the experimental results reported in the following sections.
Using Biometrics as an Enabling Technology in Balancing Universality and Selectivity
253
Table 1. Age/sex distribution of subjects
Age range 18-24 25-34 35-44 45-54 55-64 65 +
Female 49 17 9 12 7 5
Male 42 29 18 11 15 7
4 Biometric Control of Data Sources We have argued that the corollary of a strategy which encourages “Universal Access” is to ensure that there is a balance between facilitating ease of access to specific information for those, whatever their individual characteristics, needs and abilities, who are entitled to such access, while providing assurance that access is not permitted to those without such an entitlement. We must first examine, therefore, some issues concerning biometric access control which relate to general performance characteristics and functionality. We have already noted that many different biometric modalities can exist, and it is self-evident that for a particular user-group, different modalities have different properties and, especially, that the effectiveness of use for different modalities in differing situations is also likely to vary. More fundamental than this, however, is the observation that the measurement acquired can itself inherently vary considerably for any individual. This can be illustrated as follows. Let us consider a biometric modality based on, for example, the use of a fingerprint to generate the requisite biometric measurement. The performance characteristics of this modality may be investigated by considering a wide variety of factors. For example, problems may be experienced by some users at the enrolment stage itself, perhaps because of unfamiliarity with the acquisition infrastructure, or difficulty in generating a fingerprint image of sufficient quality for accurate processing, and so on. Even after enrolment, the passage of time may give rise to a situation where, while having successfully enrolled and verified at an initial session, re-testing at a later date results in a verification failure (for example, because of damage to the finger in the intervening period, or a fundamental change in the way in which the finger is subsequently presented to the capture device). Even more serious would be a situation where, following a successful enrolment, the verification process fails on all attempts to verify a subject’s identity. Table 2 shows an analysis of our test data for the fingerprint modality based on each of these scenarios. The inherent difficulty of selecting an appropriate biometric modality is further illustrated if this is compared with Table 3, which shows equivalent data for biometric data derived from the voice modality. Here we see how different modalities show very different patterns of effectiveness in use. Over the population tested it is clear that satisfactory enrolment is significantly easier with the
254
M.C. Fairhurst et al.
fingerprint modality compared with the voice modality. On the other hand, where successful enrolment is achieved, the voice modality is significantly more stable during the verification process.
Table 2. Performance characteristics for fingerprint modality
Error Failure to enrol Failure to verify at second visit Enrol but fail to verify
Failure rate (%) 2.7 14.4 4.2
Table 3. Performance characteristics for voice modality
Failure rate (%)
Error Failure to enrol Failure to verify at second visit Enrol but fail to verify
10 1.5 0
Although these results should be interpreted with some caution, because no analysis of impostor testing has yet been carried out, it is apparent that a principal observation here is that no single biometric modality or device is likely to provide a universal solution for every potential user in every proposed application scenario. This leads directly and conveniently to the next and most pertinent part of the discussion, which concerns the nature of choice and strategies for exploiting biometric control in a way which meshes satisfactorily and supportively with the central principles of the universal access philosophy.
5 Choice and Selectivity in Biometric Control – The Universal Access Question The principle of universal access seeks to ensure that variations in individual abilities and circumstances do not inhibit participation in activities to which they otherwise have a right of access. We can now see how this principle might apply in situations where biometric control is being exercised, for we should not deny access to information to which an individual is entitled simply because a particular modality is unsuitable for that individual or because inherent unreliability degrades performance to such an extent that the system ceases to be viable. Thus, the first observation which can be made in this context is to draw attention to the need for an assessment of potential users of a system in relation to the biometric modalities which are suitable for the pool of users for which a system is intended. An appropriate choice of biometric modality and/or device should be made in the light of this assessment.
Using Biometrics as an Enabling Technology in Balancing Universality and Selectivity
255
There is, however, a much wider issue here. This concerns the fact that, as we have already seen, in any application where a large user population is implied, or where the characteristics of the individual members of the population might be expected to be particularly variable, it becomes increasingly unlikely that a single biometric can be identified which can meet the needs of all potential system users, and this points to the need for further consideration of the problem and a more powerful strategy for implementation. One particularly promising approach to the problem is to adopt a methodology based on the use of multiple biometric modalities – in other words, accumulating evidence of identity from more than one biometric source [11,13,14,15]. While, at one end of the spectrum, this can lead in many cases to an increase in the security and reliability afforded by an overall system (in the sense that requiring a user to satisfy identity checking in more than one modality is likely to improve the confidence in the resulting identification decision), at the other end of the spectrum it is clear that a system designed around the availability of identification evidence from more than one biometric source can also offer exactly the degree of selectivity and personalised matching for which we have been arguing. It is the latter option which is of primary interest here, however, but two specific issues are of great importance if the potential power of multiple modality processing is to be successfully adopted as a means of furthering progress towards the goal of universal access. These relate to the questions of selection flexibility on the one hand, to harmonise user characteristics and modality constraints, and on the other to compensate for individual characteristics and needs. We will consider these in turn. 5.1 Selection Flexibility to Harmonise User Characteristics and Modality Constraints We first note that the availability of more than one modality immediately increases the potential for successful operation of a biometrics-controlled information access scheme. This can be illustrated effectively through further analysis of the data obtained from the experimental trials described earlier. For example, we first consider the improved performance which accrues simply as a result of the availability of more than one modality, and where a weakness in one modality can be compensated by strength in another. Returning to an example where we consider a fingerprint modality and a voice modality biometric, Table 4 shows the Failure to Enrol rate and the Verification Failure rate when a combination of the two modalities is adopted. In the first case a Failure to Enrol is defined as a failure to complete a satisfactory enrolment process on both of the available devices, while Verification Failure refers to the situation where successful verification based on at least one of the modalities in the chosen combination has not been achieved. Clearly, a significant improvement in performance is evident in the multiple modality scenario. In fact in other combinations considered (for example, combining , say, fingerprint data and facial characteristics or voice and face features) it can be shown that it is possible to reduce these error rates to zero with appropriate choice of the modalities to be combined.
256
M.C. Fairhurst et al. Table 4. Performance characteristics for dual modality scenario
Error Failure to enrol Verification failure
Failure rate (%) 0.9 0.5
5.2 Selection Flexibility to Compensate for Individual Characteristics and Needs Of course, in the present context, the most important aspect of exploiting flexibility through modality integration is to allow the option of alternative biometric sources to compensate for specific characteristics and needs of individual system users which might render certain modalities ineffective. For example, an individual with poor limb control would be likely to find a significant degree of difficulty in manipulating a device which extracts a fingerprint image, but a biometric based on, say, face recognition, could be much easier to work with. A speech-impaired individual, on the other hand, may experience considerable difficulty with a voice-based biometric, but may be able to interact perfectly adequately with a system where a fingerprint modality is made available. Thus, inherent flexibility at the level of modality selection now becomes realisable purely from the provision of a structure which embodies a capability for multimodality in biometric sources. Embedding intelligence within the processing structure which both embraces knowledge of user requirements and access rights and which also possesses a capability for matching individual characteristics to selection of available biometric sources provides a very effective strategy for progress towards universality in systems which exploit biometric control of information access.
6 Implementation Issues In both the scenarios outlined above, a potentially serious drawback of introducing the concept of multimodality to improve either reliability or flexibility is the increasing complexity of the biometric data generated, the implications for the processing of that data, the diverse factors relating to personal choice, degree of security required and individual permissions profiles which become live issues in such a system, and, indeed, the form of the algorithm whereby evidence of different biometric sources is combined for an overall decision. Thus, the issue of the management of the complexity of a multiple modality biometric identity checking system becomes, in itself, a design problem which must be addressed. This is an area which will not be specifically addressed here in detail, though it is the subject of related work which has been reported elsewhere [16]. In brief, however, a processing structure based on an implementation which adopts intelligent agent technology [17, 18] as the focus for managing complexity in the system has been shown to offer a very flexible and robust framework for the implementation of an overall system design. The benefits of such an approach are related particularly to the negotiating power of the agents and the ease with which their interactions can support
Using Biometrics as an Enabling Technology in Balancing Universality and Selectivity
257
processing through which individual needs can be reconciled with the inherent features of different modalities and levels of permitted access. Further work in this area is expected to be very fruitful in providing practical support to the more general principles of concern in this paper, and is clearly likely to develop key components to underpin attempts to specify and realise in practice biometric-controlled universal access strategies.
7 Exploitation of Re-try Strategies and Learning Effects Finally, it is useful to note some results which shed light on the related issue of multiple enrolment attempts, since it is usual to allow more than one such attempt in initiating the exploitation of a biometric-based system. Table 5 shows the relationship between false rejection rates and the number of enrolment attempts allowed for the fingerprint modality, showing the positive effect of “training during use” associated with this type of activity. Similar information with respect to failure to enrol rates is recorded in Table 6. It is of particular interest to see this type of analysis in the context of adopting biometric measures for use by individuals who may have special needs, where such an effect could be especially important, but the results also point to the need for the design of appropriate interfaces to promote ease of interaction. Indeed, adaptable HCI strategies could play a key role in future development of biometric-controlled data access.
Table 5. False rejection rate as a function of number of enrolment attempts (Fingerprint modality)
Attempt st 1 enrolment attempt nd 2 enrolment attempt rd 3 enrolment attempt
False rejection (%) 11.2 9.8 2.8
Table 6. Failure to enrol as a function of number of enrolment attempts (Fingerprint modality)
Attempt st 1 enrolment attempt nd 2 enrolment attempt rd 3 enrolment attempt
Failure to enrol (%) 28.5 7.7 2.7
8 Conclusion Against a background of the established principles associated with the concept of universal access, we have argued that such a paradigm should be seen as multifaceted, balancing the imperative to facilitate information/system access for individuals with
258
M.C. Fairhurst et al.
an entitlement to such access against the need to avoid unauthorised access to data or systems in situations where a structure of predefined privileges and restrictions are inherently required. Our approach has been to develop ideas and strategies based on the adoption of biometric techniques for establishing individual identity, an area of increasing importance in today’s society, and to define an approach which exploits the power of biometrics in a way best suited to the stringent requirements for robustness and flexibility which the universal access paradigm imposes when seen in this broader context. In particular, we have invoked the principle of integrating multiple biometric modalities as a means of dealing with the twin issues of reliability in performance and evolving a system structure which can accommodate widely varying needs and levels of user ability. We have presented data based on an extensive data gathering exercise with a representative sample of members of the general public, and we have shown, through an initial analysis of the data obtained, how the ideas embraced by the approach proposed can, both in principle and in practice, be utilised to achieve the balance noted above. Although the data reported is extracted using specific devices and based on a sample of volunteers without any known special needs other than requirements arising from natural variations in biometric characteristics, it is clear that the results presented provide a firm basis for developing a strategy which is generic in its applicability, and which can be seen as an important contribution to progress towards achieving universal access in practice. Although specific limitations arising from individual characteristics involving severe disabilities are naturally not included in the data reported here, the principles of how to deal with issues of variability and inconsistency apply even in these cases. The concept of Universal Access is farreaching in its implications. This paper illustrates this point directly, and shows how an inclusive and wide-ranging view of universality will be increasingly important if it is to exploited to its full potential. Acknowledgement. The authors wish to acknowledge the support of the UK Engineering and Physical Sciences Research Council and the Department of Trade and Industry for this work and, especially, the contribution of the industrial partners in the IAMBIC project, Neusciences and Cardionetics. The significant contribution to the collection and processing of the biometric data made by Mr. N. Mavity is also gratefully acknowledged.
References 1. 2. 3.
Parkes, J.R.: Personal identification – biometrics, In: D.T. Lindsay and W.L. Proce, (eds.): Information Security, North Holland (1991) Daugman, J.G.: High confidence visual recognition of persons by a test of statistical independence, IEEE Trans. Pattern Analysis and Machine Intelligence 15 (1993) 1148– 1161 Jain, A.K., Hong, L., Bolle, R.: On-line fingerprint verification, IEEE Trans. Pattern Analysis and Machine Intelligence 19 (1997) 302–313
Using Biometrics as an Enabling Technology in Balancing Universality and Selectivity 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18.
259
Fairhurst, M.C.: Signature verification revisited: promoting practical exploitation of biometric technology,: Electron. Commun. Eng. J. 9 (1997) 273–280 Obaidat, M.S. and Sadoun, B.: Verification of computer users using keystroke dynamics, IEEE Trans. Systems, Man and Cybernetics 27 (1997) 261–269 Huang, P.S., Harris, C.J., Nixon, M.S.: Human gait recognition in canonical space using temporal templates, IEE Proc. Vision, Image and Signal Processing 146 (1999) 93–100 Plamondon, R. and Lorette, G.: Automatic signature verification and writer identification – the state of the art: Pattern Recognition 22 (1989) 107–131 Leclerc, F. and Plamondon, R.: Automatic signature verification – the state of the art 1989–1993, Int. J. Pattern Rec. Art. Intell. 8 (1994) 643–659 Allgrove, C and Fairhurst, M.C.: Majority voting for improved signature verification, Proc. IEE Colloquium on Visual Biometrics, London, (2000) 10.1–10.4 Jain, A., Bolle, R., Pankanti, S.(Eds.): Biometrics – personal identification in a networked society, Kluwer (1999) Deravi, F., Fairhurst, M.C., Mavity, N.J., Guest, R.M.: Design of multimodal biometric systems for universal authentication and access control, Proc. WISA, Seoul (2001) 9–20 Best practices in testing and reporting performance of biometric devices, Biometrics Working Group/NPL (2000) Chibelushi, C.C., Mason, J.S.D., Deravi, F.: Feature-level data fusion for bimodal person th recognition, Proc. 6 IEE Int. Conf. Image Processing and its Applications (1997) 399– 403 Su, Q. and Silsbee, P.L.: Robust audiovisual integration using semicontinuous Hidden th Markov Models, Proc. 4 Int. Conf. Spoken Language Processing (1996) 42–45 Hong, L and Jain, A.: Integrating faces and fingerprints for personal identification, IEEE Trans. Pattern Analysis and Machine Intelligence 20 (1998) 1295–1306 Deravi, F., Fairhurst, M.C., Guest, R.M., Mavity, N.J., Canuto, A.: Intelligent agents for the management of complexity in multimodal biometrics, Int. J. UAIS (In press) Wooldridge, M and Jennings, N.R.: Intelligent agents – theory and practice, The Knowledge Engineering Review 10 (1995) 115–152 Wooldridge, M.: Agent-based software engineering, IEEE Trans. Software Engineering 144 (1997) 26–37
