ML20138E126
Text
..
('g' Juns 4,1993
' Docket Nos. 50-335, 50-389, 50-250 and 50-251 LICENSEE: Florida Power and Light Company (FPL)
FACILITY: St. Lucie Units 1 and 2 and Turkey Point Units 3 and 4 i
SUBJECT:
SUMMA?Y OF A MEETING ON THE BIOMETRIC ACCESS CONTRUL SYSTEM i
On June 2, 1993, a meeting was held at NRC Headquarters between the Florida Power and Light Company (FPL) representatives and NRC staff. During the meeting, FPL discussed the merits of the biometric access control system
.1 that FPL desires to use at the St. Lucie and Turkey Point sites.
contains the list of attendees. contains the meeting handouts.
(
(Original Signed By)
L. RaghavaW, Project Manager Jan A. Norris, Sr. Project Manager Project Directorate II-2 Project Directorate II-2 Division of Reactor Projects - I/II Division of Reactor Projects - 1/II Office of Nuclear Reactor Regulation Office of Nuclear Reactor Regulation j
Enclosure:
As Stated cc w/ enclosure:
See next page Distribution Docket 41?e ACRS (10)
PDII-2 Reading L. Plisco, EDO, RII T. Murley/F. Miraglia M. Sinkule, RII J. Partlow E. Jordan, MNBB 3701 S. Varga R. Skelton G. Lainas L. Bush (h
H. Berkow R. Fonner J. Norris P. McKee jb L. Raghavan E. Tana N
OGC OFFICE LA:PDII-2 PhDI[-2 PM:PDII-2 D:PDIb2 NAME ETana QNorhih LRaghava k HB 06///93 Oh/ kf93 t
06/ f /93 06/4/93 OATE
$/it/'it__
f30&\\ D L E hf
,J f
4
i..-
i i
4 f**
j i
v-Florida Power and Light. Company l
cc:-
i i
' Jack Shreve, Public Counsel Mr. Bill Passetti i
l Office of the Public Counsel Office of Radiation Control j
c/o The Florida Legislature Department of Health and 111 West Madison Avenue, Room 812 Rehabilitative Services 1.
Tallahassee, Florida 32399-1400 1317 Winewood Blvd.
i Tallahassee, Florida 32399-0700 l-Senior Re>ident Inspector i
i St..Lucie Plant-
- Regional Administrator, RII l
U.S. Nuclear Regulatory Commission U.S. Nuci n e Regulatory Commission-l 7585 S. Hwy A1A 101 Marietta Street N.W., Suite 2900
.Jensen Beach, Florida 34957 Atlanta,-Georgia 30323 j
i r
Mr. Joe Myers, Director Mr. R. E. Grazio j.
Div. of Emergency Preparedness Director, Nuclear Licensing; j
Department of Community Affairs Florida Power and Light Company 2740 Centerview Drive P.O. Box 14000 j.
Tallahassee, Florida 32399-2100 Juno Beach, Florida'33408-0420 Harold F. Reis, Esq.
Mr. J. H. Goldberg Newman & Holtzinger President - Nuclear Division 1615 L Street, N.W.
Florida Power and Light Company Washington, DC 20036 P.O. Box 14000 l
Juno Beach, Florida 33408-0420 Jchn T. Butler, Esq.
Steel, Hector and Davis Miami, Florida 33131-2398 Administrator i
Department of Environmental Regulation Mr. Thomas F. Plunkett, Site Power Plant Siting Section-Vice President p
State of Florida Turkey Point Nuclear Plant 2600 Blair Stone Road Florida Power and Light Company Tallahassee, Florida 32301 P.O. Box 029100 i
Miami, Florida 33102 i
Mr. Thomas R.L. Kindred i
County Administrator Senior Resident Inspector
^
St.-Lucie County Turkey Point Nuclear Generating 2300 Virginia Avenue Station Fort Pierce, Florida 34982 U.S. Nuclear Regulatory Commission P.O.-Box 1448 Mr. Charles B. Brinkman, Manager Homestead, Florida 33090 Washington Nuclear Operations ABB Combustion Engineering, Nuclear Power Attorney General 12300 Twinbrook Parkway, Suite 330 Department of Legal Affairs Rockville, Maryland 20852 The Capitol Tallahassee, Florida 32304
L-!.
l MEETING BETWEEN FLORIDA POWER AND LIGHT COMPANY AND NRC STAFF - TURKEY POINT l
ATTENDANCE RECORD Name Office J. Norris NRR/PDII-2 M. Dryden FPL W.G. White FPL J. West FPL F.R. Timmons FPL D. Gilbert FPL H. Berkow NRR/PDII-2 L. Raghavan NRR/PDII-2 R. Skelton NRR/PSGB L. Bush NRR/PSGB R. Fonner NRC/0GC P. McKee NRR/PSGB i
i
i, i
BIOMETRIC ACCESS CONTROL SYSTEM PRESENTATION TO NRC i
JUNE 2.1993 I
I 1.
INTRODUCTION l
A.
Meeting attendees l
B.
Proposal concept i
11.
Technical Description l
A.
IDS 3D system i
B.
Current vs proposed system 111.
Benefits A.
Increased Security B.
Reduced Costs IV.
Implementation Schedule V.
Discussion
i j.
"The 1991 Sandia Roport
!l A Performance Evaluation of Biometric identification Devices i
REPORT
SUMMARY
Prepared by:
Reco0nnion Systems, Inc.
i
{
Attached is the 1991 Sandia Laboratories report show up on the chart, and are easih minairea for what j
concermag the evalumuon of Biometnc idenuficauon might otherwise be taken as a long ta3 on the False
. Devuus. This is the latest in a contanmng series of Accept curve. Addinonal data was requemed from evaluanons of naamaric Idaar*=enaa Devices Sandas to construct a chart consonerstang on the 0.0%
2 conduand by Sandia Nabonal I.aboratones under to 1.0% range thereby gmag a clearer pecture of the contract to an agency of the U.S. Government. This systems 4 1he chart is ansched for year
=
sununary gives an overyww of the report with reference perucular emphams on the performance of Recosmtion Systems'ID-3D Hand Rander.
AAer revwwing the error rate charts for the vanous devices, it is clear the ID-3D hand reader performed The Sandia evaluanon covers the performance of six exceedagly well. The aggig.gr equal uror rate was boometne devices employing various technologies, 0.2%. The next most accurate device, the E eDentify 3
each manufactured by a different company, reunal scanner, had a single try equal error rate of 1.5% At the test threshold setung, the ID-3D had a l
Recognition Systems,Inc.
Hand Geometry 1l gag.gr False Reject error rase afless than 0.1% and i
j Identix,Inc.
Fingerprint a single try False Accept error c(0.1%.
1 Capital Security Symems,Inc.
Signature l
EyeDenufy, Inc.
Reunal Scan A new addition to this years test was a users survey i
Alpha Microsymans Inc.
Voicepnnt which anempts to quanufy the test groups impresson j
Insernanonal Electrosues, Inc.
Voiceprint of the vanous devices. Some q===*iana, such as l
(Fonnerly ECCO)
- Which machine do you feel is the easiest to use?"
concerned positive aspect Other quesuons, such as Nearly 100 test subjects used these devices on a daily
- Wluch machme is most frustrating to use?",
basis for a penod of several months In all, almost concerned negatin aspects. The positiw and negatiw 50,000 tranamenians were recorded, nearly 20,000 of responses for each machia* are sununanaed below. In j
which were on the Racognition Systems ID-3D hand order to give an idea of the relatrve acceptance c(each 1
readers.
device, an Arapen== Ratio was calculated by i
dmding the mieher of poortrve choece responses by i
The ID-3D hand reader prcmded the data required the mieher of negauve chace responses Because i
by Sandia to consruct perfonnance curves for the survey quesuons 15 through 19 deal with application hand reader. These curves are very useful appbcation specific quesuons and are not included in this i
sids because they show bew the False Accept and summary.
False Rapect error rates vary as the user a4ustable
}
threshold setung is changed. Parucular asennon The results of this survey are tabulated below and needs to be paid the chart for the ID-3D hand reader.
clearly show the user's.'
for Hand c.am,ery Since the chart in the body of the report covers errors as demanarrated by the *=priaanny high mi=her of i
toss the 0% to 10% range, the 2 and 3 try False positive responses and low negauves Radect curves are so near to 0% error that they hardly 4'
j Table 1: User Survey Results System Type Positive Nogetive Acceptance Responses Responses Ratio j
Alphe Micro Voice 22 103 0.21 i
Ifiti. Electronics Votos 22 141 0.14 i
Evedentify Ret 6nel.vertfy Mode 35 56 0.63 l
Retinal-identify Mode 87 87 1.00 identix Fingerprint 60 78 0.77 Capitel Security Signature 22 69 0.31 Recognie6on Hand ese1 stry 181 11 18,46 j
Sreessne
t USER ACCEPTANCE RATIO 4
5s./
m.e is.
14 12 to.
3 s.
4 2-
.a,a
.n e.J Hand RsWnal Fingerprint Signatn Voicepdnt oeometry scan some: sensie n.p etiest i
l ID-3D ERROR RATES 0.0% TO 1.0%
l
)
1 r
I 3
0.8 i-h 4---
~
l 1
y E 0.8
.l j
r l
l l
R p
R e.4 j
l l
i l
i l
O L.
i R 0.,..
l l
l I
O O
20 40 80 80 100 120 140 160 180 200 THRESHOLO VALUE Soume: Sandh Repen 1991 l+ 3 TRY PR + 3 TRY FA l
1
~
SANDIA REPORT 1
l SAND 91-0276
- UC-906 i
Unlimited Release Printed June 1991
?
1
. A Performance Evaluation of Biometric i
ldentification Devices 1
i 1
1 I
James P. Holmes, Larry J. Wright, Russell L. Maxwell i
i P,.
- r. e, s.nei. m.u.a. L
,.ior*.
i AllHagverque. 86ew GAes6co 87188 ene Livermore. Cellfornia 94550 4
fee the United states Department of Energy J
esneer Contract DE.AC04 76DP00789 l
.,f
^
t l
-i 4
g s
's p
~~. n
. ~.....
l
~4 m ':...
..nuun.uann.i. -
j r
f
'\\' & i.f. q s *s
' p' W. ' ' - (-
=
r R
l.; t)K'
,H M
'?:: '.
.y J
j
.. m -new
! g r.
$.,-. _" /
%s
%. 3)l(f$El5r ra i
h[
h E ii ' ' ' " ' '
j j
- h..w. 4 :..v.an s a r. i 1-Og
,3,
!f
)
i.%
ddl.
li!tEi26 cr.:..S-'#hi.)U.4 SF29000ff813
1 1
Issued by Sandia National Laboratories, operated for the United States Department of Energy by Sandia Corporation.
NOTICE: This report was prepared as an account of work sponsored by an agency of the Unitad States Government. Neither the United States Govern-ment nor any agency thereof, nor any of their employees, nor any of their contractors, subcontractors or implied, or assumes any, or their employees, makes any warranty, express legal liability or responsibility for the accuracy, d
completeness. or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or j
service trade name, trademark, manufacturer, or otherwise, does not necessari constitute or imply its endorsement, recommendation, or favoring by the ited States Government, any agency thereof or any of their contractors or subcontractors. The views and opmions expressed herein do not necessarily state or reflect those of the United States Government, any agency thereof or any of their contractors.
Printed in the United States of America. This report has been reproduced directly from the best available copy.
4 Available to DOE and DOE contractors from Office of Scientific and Technical Information PO Bos 62 Oak Ridge TN 37831 Prices available from '8:15! 576 8401. FTS 626 8401 Available to the public from National Technical Information Service US Department of Commerce 5285 Port Royal Rd Springfield, VA 22161 NTIS price codes Printed copy: A03 Microfiche copy: A01 4
SAND 91-0276 Distribution i
Unlimited Release Category UC-906 l
Printed June 1991 2
1 A Performance Evaluation of Biometric identification Devices James P. Holmes and Larry J. Wright Facility Systems Engineering Division Russell L. Maxwell Systems Engineering Division Sandia National Laboratories Albuquerque, NM 87185 Abstract When an individual requests access to a restricted area, his identity must be verified.
This identity verification process has traditionally been performed manually by a person responsible for maintaining the security of the restricted area. In the last few years, biometric identification devices have been built that automatically perform this identity verification. A biometric identification device automatically verifies a per-son's identity from measuring a physical feature or repeatable action of the individual.
A reference measurement of the biometric is obtained when the individualis enrolled on the device. Subsequent verifications are made by comparing the submitted biometric feature against the reference sample. Sandia National Laboratories has been evaluating the relative performance of several biometric identification devices by using volunteer test subjects. Sandia testing methods and results are discussed.
~
4
.f l
i l
Contents l
l In trod ucti o n..
Ge ne ra l Test Descri p tion......................................... ~.................................
................. 7 Tes ti ng an d Tra i n i n g.....................................................,...............
8 DataProcessing.......~....................................................................................................
.. 9 Resul ts of the Tes tmg.........................................................
.........................................10 Alpha Microsystems Results..
..........10 Capital Security Systems, Inc. Results......................
...................................................12 International Electronics (ECCO VoiceKey) Results..............
................................. -......14 Eye De n ti fy Verify M od e R es ul ts......................................................................................... 15 EyeDentify Recognize M od e Results.......................
-- 16 IdentixResults.............................................................................................................
-17 Recognition Syste ms, Inc. Results..................._.........................................
18 Su m m a ry....
....................................................................20 Co n el u s i ons..
..............................................21 Refere nces.
..... 21 APPENDIX: User Survey Results..........................................
.23 Figures 1 Alpha Microsystems Voice Verifier, x12 x...
2 Ca pital Security Signature Dynamics....................................
.13 3 International Electronics Voice Verifier...................................
=.15 4 Eye Den tify Eye Re tin al Patte rn
......................................................................_........................ 16 5 Recognition Systems Hand Geometry.........
19 6 Average Verification Time in Seconds............
-20 1
1 l
l 56
i e
l-.
i 1
A Performance Evaluation of Biometric Identification Devices i
i i
l lntroduction
- 1. Fingerprint by Identix, Inc.8
- 2. Hand geometry by Recognition Systems,Inc.
2 j
In many applications, the current generation of biometric identification devices offers cost and per*
- 3. Signature dynamics by Capital Securitv Sys, tems, Inc. Sign /On Operations.8 (For'meriv formance advantages over manual security proce-gogo,;, gy,g,,,, goe,3 j
dures. Some of these applications are: physical access 3
control at portals, computer access control at termi-
- 4. Retinal vascular pattern by EyeDentifv. Inc.d nals, and telephone access control at central switching
- 5. Voice by Alpha Microsystems,Inc.*
j l
locations. An installation may have a single, stand.
- 6. Voice byinternationalElectronics Inc.*(For.
{
alone verifier which controls a single access point, or merly ECCO, Inc.)
it may have a large networked system which consists 2
l.
cf many verifiers, monitored and conaolled by one or General Test Description more central security sites.
Establishing how well s' biometric identification Statistics have been compiled on false rejection device operates should be an important consideration er rates and falu-acceptance error rates for each j
in any security application. Performance data, how.
verifier The error ratas are described as a percentage
,7,,,,,,,,,, p, y,,;g;,,g;,,,g,,,pg,. Attempt" is aver, is neither easy to obtain not to interpret. Be-used in this report to describe one cycle of an indi-e::use there are no test standards yet to test against, vidual using a verifier as proof of being a validly test methods must be well documented. To measure enrolled user (enrollee). Most verifiers allow more its theoretical performance limit, a verifier could be than one try per attempt. "Try" describes a single tested in an ideal environment with robotic simula-presentation of an individual's biometric sample to tion of biometric data. The results of such a test the verifier for measurement. " False rejection
- is the j
would probably differ greatly from its real world rejection of an enrollee who makes an honest attempt i
performance. The human element greatly affects the to be verified. A false rejection error is also called a performance of any identity verifier. Environmental Type I error. " False acceptance"is the seceptance of i
f:ctors such as noise, light, electromagnetic radiation, an imposter as an enrollee. A false acceptance error is moisture, dust, and temperature could also affect the also called a Type II error. False acceptance attempts i
verifier's performance.
are passive; these are cases where the imposter sub.
l
' Sandia began its latest verifier test series in mits his own natural biometric, rather than a simu.
l November,1989. Nearly 100 volunteers attempted lated or reproduced biometric of the enrollee whone j
j' many verifications on each machine. Environmental identity is claimed. To sum up:
L conditions were nominal, as the tests were all per.
false. rejection error - Type I error = rejection of formed in a laboratory room for the convenience of an enrollee j
the test volunteers. The biometric features used by false-acceptance error - Type !! error = accep.
1 the suppliers of the latest generation of verifier in tance of an imposter.
j the Sandia tests include:
l Y
l 4
I 1
-c
nurnbu d mn wm mnW m wMus um J
Each verifier in the test is a commercially avail-there was m, diceuon of below-average performance.
i able unit. Because of the differences in these units Jhe transactions prior to the reenrollment were not and because we needed an equitable basis of compar-inclu ed in Se test ash Som mandactmn ison, we attempted to modify some of the units. Oae remsmud that se mm be mamued as many goal was to have each verifier report a final decision tinws as necesary pmdm b W enmb.nnt score for every verifiestion try Although the manu-sems. We t w Hm mn nw nts t knwn facturers are generally cooperative, it was not pos-Problem cases due to the relatively short duration of sible to achieve all our goals within the time and our test, and also to give the venbrs more nearly budget constraints of the testing. The Identix finger-equal treatmer.t. Verifiers on which it is more difficult print verifier did not generate score data at all. The enroll would therefore tend to give somewhat less t
Capital Security signature verifier scores were not than oPdmum pedwmance in m test. %s e&ct is i
directly related to the accept or reject decision be, less sigmficant for venfiers which modify the stored cause of some additional decision making after the "I"*ce temp ate by averaging in the biometne l
ecores were generated. If a biometric testing standard samples from successful verification attempts. The ever becomes a reality, it should include a section on EyeDentify and the Identis umts are the 'wo tested score data generation and reporting.
verifiers that do not modify the reimace template.
Software and/or firmware modifications were Other known errors were identified for removal made by the manufactures on some units to allow Sandia to colicet the desired test data. All verifiers by instructing the users to note on a real time end specified modifications were purchased by Sandia.
hardcopy printout any transaction where he made a j
mistake, or was "esperimenting" and did not feel that l
Whm possible, each verifier was set up in accordance the verification attempt was valid. A similar method with the manufacturer's recommendations. In most was used to identify invalid transactions on the false-cases, a representative from each manufacturer vis, ited the testing laboratory to verify that his device seceptance test. Many hours were devoted to identi.
l was properly set up. Where problems were pointed fying and removing invalid transactions from the data l
i files. There is no doubt, however, that a small number out, attempts were made to rectify them. Some et, tempts wem mon successful than others within the of unrecognised errors remain in the data.
limits of our test facility resources.
The Problem of selecting a representative test l
user group is most vesing when testing biometric identification devices. While the differences in phys-I
'*'**'**'*"d6'""'"*"'""*'*""*"'"'h' Testin9 and Trainin9 das.s ror the devices, these s.me dirrerences can bias 1
The verifier tests at Sandia were conducted in an test results between test user groups. The best solu-l office like environment; volunteers were Sandia em-tion to this problem seems to be to use many users l
pioyees and contractors. A single laboratory room and to make numerous attempts. The larger the i
contained all of the verifiers. Each colunteer user was numbers, the more likely tia results will represent enrolled and trained on all verifiers. There were both true performance values. Rebtive performance must f
male and female volunteers and the efforts of both be measured against absolute performance. A verifi.
{
were valuable to this study. However, for the purpose er's relative performance within a user group is gen-of simplifying the text, we will use the term "his" erally easier to defend than is the absolute perfor-l rather than "his/her."
mance.
l There is a learning curve for the proper use of a No estraordinary incentives wue offered the vob biometric identification device. As a user becomes unteer users who performed the tests. Treats in the i
more familiar with a verifier, his false. rejection rate test room were used to tempt users to remain active.
decreases. This curve differs for individual users and A drawing for a free lunch was offered to the regular verifiem. This learning effect was minimised for the users. About 80 of the 100 enrolled users remained
(
Sandia testing by training the individuals before the fairly active in the tests. Work and travel schedules tast, by monitoring their performance, and by elimi-accounted for the loss of some users. Others simply l
anting the first few weeks of test data in the results. A lwcame disinterested.
l i
I I
--~
i l
First Test Series: False Rejection Testing A verifier can usually be configured to accept up
- users attempted verification on each machine to three "tries" on a verification attempt. A *try' is many times one cycle of the user presenting his biometric to the verifier for measurement. To simulate verifier perfor-
= test period was three months long mance on one, two, and three try attempt configu-l
= users were allowed up to three tries per verifi-rations, our users were instructed to try a third time if i
cation attempt.
verification was not successful on the first or second l
l try. Recorded time of day information allowed each l
Second Test Series:
score to be identified as either a first, second, or third Passive False Acceptance Testing g,y, a user submitted the personalidentification num-Up to three tries in a five minute time interval l
l ber (PIN) of other users were considered one verification attempt. Additional l
. user then submitted his own natural biometric tries within this interval were ignored. Tries beyond the Seminute interval were Med anoner m.
- users were allowed up to three tries per verifi.
ification attempt. At any given threshold value, a cation attempt.
score will produce either an accept or a reject. An accept on the first try is counted as an accept for one.
two, and three-try configurations. An accept on the Data Processing
,econd t,y is,mted as a, eject on a one.t,y conrig-The first step in the data processing was to uration and an accept on a two and three try config.
remove the invalid transactions that were noted on uration. An accept on the third try is counted as a the printed data logs generated at each verifier. The reject on a one and two try configuration and an data files were then processed to' remove incomplete accept on a three try configuration. Three rejects are records and to convert the data to a common format.
counted as a reject on all three configurations. To sum The data was sorted icto individual user groups.
up:
Records from users making less than six transactions i
were deleted. User data obtained prior to user group reenrollment on a verifier was also deleted.
1 Configuration Test Result Verification Action one try two try three try Accept on first try accept accept accept Accept on second try reject accept accept Accept on third try reject reject accept No' accepts with three tries reject reject reject No accepts with less than three tries only actual rejects counted 9
w :s r--
.r z-e---v-i=--rrsi
- tt--3--
s w
-w 1n----
--ez
+-e-wi++
wrui-+-
w---ep---
. -.. ~ -.. - -.. - - _~ -.- - - - -.-_ _ -. -
.- ~ -.- - - - - -
The false reject error rate is the ratio of false-biometric input. Additional tries allow the valid user rejects to total attempts at verification. A false reject to correct the inconsistencies and to generate an will be represented as "FR" and is reported in this acceptable input that matches the reference template.
document as a percentage value. Where transaction Imposters are generally rejected because their score data was available, the FR was calculated for biometric is not close enough to the reference to be each user for one try, two-try, and three-try verifier accepted. Additional tries increase the chances of configurations over a range of possible thraholds.
imposter acceptance if the biometric differences are i
The acores were used to find the number of errors that small enough to be masked by the inconsistent user would have occurred had the verifier test threshold inputs and by tolerant threshold settings.
l been set at each of the possible thresholds.
The Identia fingwprint verifier we tested did not The false accept error rate is the ratio of false-have a customer adjustable system threshold. While acceptances to total imposter attempts. It will be individual thresholds could be adjusted, we did not represented as *FA" and was calculated for each user get any test data at other than the factory-est thresh-over the range of possible thresholds and presented as old. The othw verifiers tested did provide test score a percentage value.
data, but the Capital Security signature verifier scores The FR and FA for each verifier was calculated could not be used to generate error rate curves be-by averaging the user percent error rates at each cause of a second calculation that it uses to make the threshold value selected. The FA and FR error rate accept or reject decision.
curves are shown in W next section, entitled "Results Our transaction time results were obtained by of the Testing." Whwe possible, error rate curves are timing the users from when they touched the verifier shown for one-try, two-try, and three try verification until the vwification attempt verdict was given. The attempts. These curves exhibit two general character-users were not told that they were being timed. We istics. One characteristic is the non zero value of the feel that the results reflect verification times that crossover point of the FA and FR eurves. A second would be typical in an actual installation. Thne times characteristic is the trend toward a lower rejection are substantially longer than the minimum times of a rate as the number of tries at verifiestion increases.
skilled user in a hurry.
Both these characteristics force some tradeoffs in using them vuifiers.
m = = = ar= v=i n t
- cr = vu poiat Results of the Testing means that there is no thrnhold setting where both the FA and FR error rates are zero. The user must choose a threshold setting to fit the application. As Alpha Microsystems Results the thrwhold is moved toward tighter security (higher Alpha Microsystems of Santa Ana, California rejection error rates), both imposters and valid users bought out Vostron and is now selling an updated face highw rejection rates. Both are rejected less system called Vw A Tel. This voice verification sys-often when the threshold is moved toward lower tem makes use of a personal computer (PC), which security. The point at wl.ich the FA and FR curves contains the speech board hardware and the software eroes ovw is referred to as the equal-error setting.
programs. User terminals are touch tone telephones.
'Ihis single value error rate has been accepted as a The Ver A Tel system is offered in two similar convenient value to describe the performance of a vnsions-h telephone intercept system (TIS) and verifier in the Federal Information Processing Stan-the remote access system (RACS). We tested the dards Publication (FIPS PM This and other public TIS version, but not the direct line RACS single value criteria have been used to characterine version.
verifier performance, but no single value can provide The software supplied with the system provides much insight into the true performance capability of the necessary management functions to enroll and any verifier.The FA and FR error rate curves provide delete users, to configure the system parameters, to much more insight into performance and should be display activities and alarms and to generate reports.
esamined for suitability in any security appliestion.
Because this password protected software is menu Multiple try attempts at verification can improve driven, it allows the security manager to select op-the performance of some biometric verifiers. The tions from the screen and to fill in the blanks to rejection rate for valid users generally decreaan faster configure h system. A supplied user's guide provides than the rejection rate for imposters, as more verifi-any additional information that might be needed.
cation tries are allowed. Valid users are generally Users were enrolled on the same touch. tone tele-rejected because ofinconsistent presentations of their phone that was later used to access the system. Prior 10
+w c-e+
--r-6w-m.
,,me,y,
r--
w-w w
<rr i=*' + = + -
-'-*-*rr*F=-
---7
-T-f
=
P ey-*-g-*7e*'P-
s e
1
[.-
i l
to enrollment, the security manager created a record the security manager to compensate for differences in for each user and each was assigned a unique PIN. An user performance. This adjustment is made (plus or i
optiorial secret enrollment passcode, to prevent an minus) to the system threshold setting.
j imposter'from enrolling in place of the authorized On verification attempts, an enrolled user's PIN user, was not tested.
is recognized by the system and is used to retrieve the A phrase is required for enrollment and subse-proper template from the enrollment database for i
quent verification. The security manager can select verification. The user is then prompted to say the i
from a number of standard phrases on the menu phrase for verification. Optionally, the new phrase j
, make up his own phrase. There are some restrictions update the template each time the verification is display; from this selection, he can allow the user to data may be averaged into the stored template to l
l on user-selected phrases, such as the minimum and successful. In time, if the user becomes more consis-l maximum length and the optimum number of sylla-tant and the verification scores improve, the securitv bles. These options are discusssed in the User's Guide manager may opt to adjust the user threshold value to 4
which is supplied with the system.
a more secure value. Experienced users generally skip Voice verifier manufacturers are quick to point the voice prompts because a preceding tone signals j
out that security is enhanced if each user has a secret the user that he can go ahead without further delay if j
phrase. These manufacturers, however, do not ad-he does not need the voice instruction.
dress the problem of how to keep a phrase secret that The time information given for the Alpha 3
i must be uttered into a microphone. On the other Microsystems voice verifier is different from other j.
hand, it is certainly less likely that an imposter would verifiers' because it includes dialing a 5-digit tele-be accepted if he does not know the proper phrase. It phone number and waiting for the verifier to answer.
j is even plausible that a valid user could have a lower We included this scenario because the telephone false reject error rate with a chosen phrase that was access method was also used in our test verifier. Other j
more natural or familiar to him. The objective of our access methods may result in different transaction test was to measure the ability of the system to verify times. The minimum time of ~13 seconds was nee-users based solely on their biometric properties. Thus' essary to perform the following steps:
we assigned the same phrase to all users.
To enroll, a user calls the verifier telephone
- lift the phone and dial a 5 digit extension f
number. The system answers and instructs the user to
. wait for the voice system to answer and generate l
enter his PIN on the touch tone keypad. If the system the tone prompts (without waiting for the sub-i finds thct the PIN belongs to someone who is not yet sequent voice prompts) enrolled,it tells the user what he must do to enroll.
This may include an instruction to enter the proper
. enter a 4-digit PIN on the phone keypad enrollment passcode on the keypad. The user is
. say " yankee doodle dandy" instructed to say the verification phrase a number of
. be verified.
times. The system performs checks on each response and may prompt the user to be more consistent and to The average user in our test took ~19.5 seconds repeat the phrase again. When the system parameters for a complete verification. This average includes for a successful enrollment are met, the system so multiple try attempts when this was required by the informs the user. A user template is generated from system.
the enrollment data and is stored for future verifica.
The crossover point where the one try false reject tion of the user's identity. The system may tell the and the one try false accept curves are equal has an user that the enrollment was better than most. This error rate of 6.5% at a threshold value of ~375. At the
. indicates that the enrollment phrases were very con-test threshold setting of 300, the three try, false reject eistent. It is also possible for the user to fail. In this error rate was 5.1G and the three try, false accept ease, the user is told to practice and try again. The error rate was 2.8%.
security manager can also check the enrollment scores There were 5434 transactions in the false reject to get a measure of the enrollment performance.
test and 2990 transactions in the false-accept test.
Individual accept or reject thresholds can be set by The results of these tests are shown in Figure 1.
i
i 10 t
\\
\\
\\ 1/ /
l
\\
\\
Y/ /
e
\\
\\
/M /
g7 Ea
\\UX i
W/\\
s VAp k
i 4
- W N
- / W N
-,u w
x 1
0-1 5 1 5 260 280 360 350 460 450 560 580 000 THRESHOLD VALUE i
TEST THRESHOLD = 300 h
i
= Three-try FR
-*- = One-try FR -*- = Two-try FR
-+ --
-*- = One-try FA -*- = Two-try FA -*- = Three-try FA l
Figure 1 Alpha Microsystems Voice Verifer cl*** must =*tch the caatraller interface require-Capital Security Systems, Inc.
ment.
Results Sortware is provided to allow the security man-Capital Security Systems, Inc. of Columbia, MD ager to configure the system and to enroll users. A purchased the signature dynamics verifier line from menu-driven program provides the manager with the Autosig Systems, Inc. This verific consists of a user necessary options. Before a user can be enrolled, a interface tablet and a controllw which is designed to user data record must be generated in the user data integrete into a host computer access control system.
file. The manager selects the options and tills in the The Capital security system offers products for both blanks to generate the record. For the model tested, a physical entry control and data access control. The magnetic stripe cud was required for ID entry. It was use interface is similar for both applications. A coded wie th uur's PIN and provided to the user I
variety of hardware and software options allow the for verifiers in this test series.
I system to function m spplications from stand.alone To mil, h w m folk h illmid protection of a single entrance to networked, host-p hiM Fih w Pm' is based systems.
entered with a swipe of his magneta.c stripe card The user interface is a desk top tablet (~9 3/8 by through the card reader. Nest, the user is prompted 11 inches) that incorporates a digitiser tablet, a to alternately sign on and wait while the system magnetic stripe card rendu, and a tethered pen. The 8'a'r*s a template. Finally, the user is prompted digitiser tablet (-21/2 by 5 inches) is the area where the user actually signs his name with the tethered wtan the neownce is complete. It normally takes two pen.The system measures the dynamics of the user's signatures and one vwification signature to enroll.
signature to form the biometric template for enroll.
The signature must be within the marked digitizer
- ment and verification, pad area, using the tethered pen. The system can be The controller can function as a stand.alone used with a regular ball. point pen tip and a stick on device with the user interface and door interface paper sheet over the pad, or with an innt, inkless pen hardware, but must be connected to a computer for tip system directly on the digitian pad.
pmgramming and user enrollment. An IBM PC or a Verification is similar to enrollment. The user higher class, compatible computer with a serial port PIN is entered with the magnetic card and the user and a floppy disk drive can be used. The computer signs his name on the digitizer pad with the tethered
~
12 9
m-y,--
4,m
,y.-,.
. i,-
~
v--*
4, -.,
.,w
,.---.-m.m.-
-~ - -. -. -. - - - -.
i pen. A prompt then tells the user whether the verifi.
than just a function of the transaction score. A second
~
cation was sucesssful or if another signature try is decision calculation is performed on all tries that
-ry. Two tries are usually allowed. Each suc.
produce a score between 16,000 and the verifier cessful verification is averaged into the reference threshold setting. The threshold was set at 21.000 for template to allow the system to accommodate long-our test.
j term changes in the user signature. This averaging All false eecept and false reject error rates ob.
can be inhibited by the security manager.
tained were from a count of the errors at the opera.
Imposter testing consisted of each imposter en-tional threshold:
taring PINS by using the magnetic stripe badges of all other users. The impostar knew the real user's name False-Reject Error Rate Percentage
~
~from the badge, but did not have a sample of the three-try 2.06 7, 5
user's signature. The imposter was free to tn to sign g,o.try 2.10Te the actual user's name. As a matter of interest, we one try 9.10 7.
attempted some verifications by tracing over valid signatures. The scores were generally much worse y,j,.. Accept Error Rate Percentage than other imposter attempts because of the impor-three.try 0.70re tance of the signature dynamics in verification. None
- '*'Y of the tracing attempts were included in our test
,t,y 0.
"he time to perform a verification depends in The Capital Security is usually set up for two tries.
part on how long a user takes to sign his name. Our There were 3106 transactions in the false reject users averaged ~15 seconds to verify on the Capital test and 6727 transactions in the false. accept test.
Security system; this time meludes PIN entry via a h CapiW h@ se eme m sh in swipe card reader and soine multiple try attempts as Mgure 2.
required by the system. The minimum time observed was -12 seconds.
Error rate curves are not shown because the Cap-ital Security accept or reject decision process is more 10 an, 8--
Y I
6-'
!4-I 2--
L L
0-One try Two-try Three-try TEST THRESHOLD = 21,000 i
i FALSE REJECT FALSE ACCEPT Figure 2. Capital Security Signature Dynamics 13
i j
t 1
4 International Electronics (ECCO this ti=, my were able to enter a 4 digit PIN on the l
t i
i keypad and to utter the single password.
VoiceKey) Results n,,,,,,,,,,,,;,,t a m ta,,,,.try, falm-I International Elc..ronics, Inc. of Needham reject curve and the one.try, false accept curve are Heights, MA purchased ECCO Industries, Inc. of equal has an error. rate of 8.2% at a threshold value of j
Danvers, MA and now markets the ECCO VoiceKey.
100. Only one try, false-accept data was obtained for j
The VoiceKey is a self-contained, wall. mounted user the VoiceKey verifier. There are three user thresholds interface that communicates with a controller over a available for the VoiceKey verifier. Security level 1 is copper wire cable. The user mterface contams an a threshold of 75, level 2 is a threshold of 65 and level l
alphanumeric display, keypad, a microphone, an au-3 is a threshold of 55. At the test threshold setting of
]
dible beeper, and indicator lighta. Keys, displays, etc.
75, the three try, false-reject error rate is ~4.3rc, and l
j cllow all necessary functions to be performed at the the one try false accept error rate is ~0.97c.
user interface. Some of these functions are user en-Vo. ice verifier manufacturers are quick to point j
i rollment and system management.
out that security is enhanced if each user has a secret i
The user interface and controller can operate in a phrase. These manufacturers, however, do not ad-stand alone mode to provide security at a single entry dress the problem of how to keep a phrase secret that point, or can be networked through a network con-must be uttered into a microphone. On the other i
troller to other units in a security system. A VoiceKey netwoo has a master voice reader and slave voice hand, it is certainly less likely that an imposter would f
readers.The master voice reader is normally used for be accepted if he does not know the proper phrase. It cll enrollments and programming, which are then is even plausible that a valid user could have a lower L
downloaded to the slave readers. Enrollment and false reject error rate with a chosen phrase that was l
programming can be performed at any slave, but it more natural or familiar to him. The objective of our cannot be downloaded to any other reader. A printing test was to measure the ability of the system to verify j
capability allows audit information to be output to a users based solely on their biometric properties. Thus, printer connected to the controller of the master we assigned the same phrase to all users.
reader.
We esperienced high, false rejection error rates i
User enrollment is normally performed at the with the assigned password. The manufacturer's rep-master voice reader by a security manager who is resentative suggested that each user be allowed to l
cuthorised to enter the programming mode. This choose a password familiar or comfortable to him. We j
authorization must be verified by voice before the gave additional training and reenrolled ~157c of the programming mode can be entered. Programming is users that were experiencing the most trouble with cecomplished by keypad key inputs. Message displays verification. On reenrollment, the users could choose s
end lighta provide feedback to the programmer as the from several suggested words. Some were allowed to l
program steps are entered. A supplied programming select a word of their choice. This effort did produce manual provides complete mformation on the pro-better verification scores for many of the individuals gramming procedures. A user program allows new after they were reenrolled. We were unable to corre-users to be added. Th,s option requires the security I* th' 'II'" 'I '""II"'"' '" th' I'"8'"' I*I"'
i 3
manager to enter a unique PIN to access zone data rejection error rates. Several variables remain in the i
and to enter the user authorization level for the new wific8t80n Process. As the user becomes more famil-user. The reader then displays a series of message and iar with a password, he would be espected to get more i
colored-light prompts for the new user to initiate the consistent in its use. The user's reference template is sequence and to say his password several times. A also modified for each successful verification, and 4
red / green light display at the end of the enrollment thus should improve the verification scores of consis-sequence informs the new user of failure / success in carolling. (This frustrates color blind users who can, tent users. An analysis of entire user group perfor-mance before and after reenrollment, however, did not distinguish between the red and green colors.) If I
successful, the new user can practace using his past.
not show a significant improvement over time.
word as desired. Each successful verification causes There were 4871 transactions in the false reject the user's template to be modified by the new input.
test and 3270 transactions in the false. accept test.
Verification can be accomplished in ~5 seconds.
The graphical results of these tests are shown in
]
Users averaged ~6.6 seconds per one-try attempt; in Figure 3.
14
- _ - _ ~
10
\\Y 9
\\\\
2 e
\\\\
/\\
g7
\\(/T
/ \\.
ge T
g3 g4
\\ \\/
\\
~
3 V\\
\\
2 1-
)
- : Im 0
20 40 60 W%
0 80 100 120 140 160 180 200 THRESHOLD VALUE TEST THRESHOLD = 73
-*- = One try FR
+ = Two-try FR
= Three-try FR
= One-try FA Figure 3". Internatiorial Electronics Voice Verifier EyeDentify Verify Mode Results are discussed in this section, and the results for The retinal pattern verifier in this test series was Reader 2 are discussed in the following section enti.
Model 8.5, manufactured by EyeDentify, Inc. of Port.
tied: "EyeDentify Recognize Mode Results."
land, Oregon. The verifier includes a reader and a The software allows the security manager to con.
controller. The reader contains an aperture where the figure the system and to enroll users. A menu driven user looks to align his eye with an optical target, program provides the manager with necessary op-which appears as a series of circles. As the user moves tions. Before a user can be enrolled, a user data record his eye around, the circles become more or less must be generated in the user data file. The manager concentric. Proper alignment is achieved when the selves the options and fills in the blanks to generate circles appear concentric and the user is looking at the the record. Once the record generation in the enroll-center of the circles. The reader also contains a ment sequence is completed, a message instructs the display, a keypad, and an insertion reader for mag.
user to enroll. The new user then aligns the optical netic stripe cards. A copper cable connects the resder target in the viewing aperture and presses the "EN.
to a controller box that contains processing and TER" key on the keypad to initiate the eye-scan interface electronics.
sequence. Each subsequent scan generates a score on The controller can function as a stand alone the computer display and allows the security manager device with the user interface and door interface to accept or reject it. The user template is generated hardware, but must be connected to a computer for from an average of the accepted scans on enrollment.
programming and user enrollment.
This template is not modified by subsequent verifi.
Two readers were tested. Reader 1 was set up to cations, so it is important to take some care during operate in the verify mode using a PIN entered via an enrollment and not to accept scores below the mid insertion card. Reader 2 was set up to operate in the 70s. It is not difficult for most properly instructed
" hands. free" recognize mode The results for Reader 1 users to score above 80.
la
The user's PIN must be entered for verification.
error rate are equal,was -1.5'. at a threshold of ~45 The EyeDentify 8.5 allows either manual entry on the for Model 8.5. At the test threshold setting of 70, the keypad or automatic entry by using the card reader.
three try, false reject error rate was 0.4'.V. No false-Our tests used the card entry option. The average accepts were recorded at this threshold value. There time for our users to perform the verification process were 5134 transactions in the false reject test and was ~7 seconds. This time included some multiple.
4196 transactions in the imposter test. The test re-try attempts and the removal of glasses by some users suits for Reader 1 are shown in Figure 4.
after inserting their card. The quickest times were cround 4.5 seconds.
EyeDentify Recognize Mode The false-reject error rates for EyeDentify Model 8.5 in this test are significantly less than for the Results Model 7.5 we tested in 1987.There are two differences A unique option of the Model 8.5 verifier is the between the models we tested that could account for
-hands free" mode of operation. While the verifier is the decrease in these errors:
operating in this mode, the user merely peers into the viewing aperture and aligns an optical target by
- 1. Improved dets acquisition software for Model positioning his head. The verifier senses the user's 8.5 now tests for eye fixation before accepting presence, takes a scan, and decides whether or not the a scan. This feature reduces the chance of a scan data is from an eye. If a digital pattern is
)
rejection due to eye movement.
generated from an eye, the verifier searches the i
- 2. The Model 7.5 we tested used only keypad template data base for a match. lf a match is found, PIN entry, while the Model 8.5 we tested the verifier recognizes the user as valid. Otherwise, used magnetic card PIN entry, the user is requested to
- REPEAT" up to two more The verify mode crossover point, where the one-tries until a valid match is found. The user is rejected try, false. reject error rate and one try, false accept if a match is not found in three tries.
1 T
H
\\
10 9
8 w
\\
\\
ll e
'(
//
9
\\\\
\\
5 e
4-
\\
[
w 2-
\\-
It t
wa LM~_5-~=
'~
1
^ ~ ~,
T:
On======
100 80 60 40 20 0
THRESHOLD VALUE TESTTHRESHOLD = 70
-*- = One-try FR -*- = Two-try FR -*- = Three-try FR
-e- = One-try FA + = Two-try FA -*- = Three-try FA Figure 4. EyeDentify Eye Retinal Pattern 16
s No timing information was taken for the recognise-ment. Our test vuifier was connected to a host mode operation becauw Wre is no precise point that computer with the Identix TouchNet software sup-can be oburved when the usw initiates the sequence.
port system. It also was connected to e magnetic.
4 The user peers into the aperture, aligns the target, stripe, swipe card re*% via its built in card reader and waits for the trget to turn off at the end of the interface. The card reader was used to enter user PIN scan. The auto-scan feature eliminates the need to information for verification attempta.
insert the magnetic card and press the START but.
The Identis supplied software is a password-ton. cutting ~2 to 3 seconds from the vuify mode protected, menu drinn program for IBM PC and transaction time. We had a user database of ~100 compatibles. It provides the capability to configure i
users that had to be marched to find a matching the system, to ut up user records, and to generate
. template for each transmetson. This anarching did not reports.
- add a noticeable time delay to the transaction. Larger User enrollment is performed at the sensor mod.
databases will add more march time to each transac-ule. A security manager must first be verified by a j
tion.
fingerprint scan before the enrollment mode can be The threshold was set to 75 for the recognize entered. Messages on the sensor module display pro-l mode of operation. This means that any scan that vide user prompts and status information. A unique produces a score of 75 or less is rejected as not being PIN must be entered for the new user, followed by a i
a member of the enrolled user base. A score of greater number of finger scans that allow the system to than 75 causes an accept, and the name of the generate a template. If the enrollment is successful, a identified user is displayed on the reader.
quality rating is displayed. The manager can accept or There were 5072 transactions recorded on the reject the enrollment at this point. The manufacturer recognize. mode reader. A transaction is defined as recommends that only "A" or "B" quality ratings be any scan the machine decides meets the minimum accepted. A "C" rating is the least desirable. If the criteria to be an eye. None of these scans resulted in a enrollment is unsuccessful, the system informs the false accept. This result is.especially significant be-user, who is invited to try again. The templatas are cause the 100 user database multiplies the possible not modified by subsequent verifications, so if prob.
matches to over half a million!
lems appear, the usu should be enrolled again.
False reject information cannot be reported on We accepted some *C" enrollments for our test.
the " hands free" recognize reader because there is no We retrained and reenrolled users that experienced PIN associated with a reject that can tie it to a user.
the most problems with verification. The reenrollment No doubt the false reject rate is significantly higher in did not always result in a highn quality rating. A l
the recognize mode because the user does not control number of our users appear to have poor quality the start of the scan. In many attempts, the sean fingerprints that would not produce good results, started before the user had the target properly even when other fingers were tried. Another problem aligned. Oth practice, most users learned to use the was caused by low humidity during our test period.
l' recognize mode to their satisfaction. EyeDentify has User's skin would dry out to the point where the now modified their acquisition software to allow users system could not verify the user. Lotion or skin more time to align the target. This change should moisturizer often solved the dryness problem.
lower the false reject error rate.
Our users all had the factory. default verification threshold of 125. The host system software allows the identix Results ucurity mana,er to change individuai threshold vai.
The fingerprint verifier evaluated in this test was ues, but we did not exercise this option. Our test j
the Touchleck, manufactured by Identix, Inc. in results do not include the error rate curves because i
Sunnyvale, California.
this wrifier did not generate wrification score infor-The user interface to the Identix system is a mation. Only the percentages of false reject errors
. sensor module that contains the finger platen / scanner and the false-accept errors at the factory default hardware, a display, a keypad and communications threshold can be reported.
electronics. This module is ~8.2 inches wide, 4.4 The lack of score data hampered our attempts to inches tall, and 3.9 inches deep. The sensor mod.ile quantify the Identix wrifier. Enrollment quality rat-communicates with a remote processor module over a ings were generated from groups of finger scans.
copper wire cable. The remote module contains the Individual scan quality was not available. Some clues processor, memory, input / output hardware, and com-wwe available from prompts to position the finger munications hardware to support stand alone opera-furthw up nr down on the platen, but we could not tion at a single entry point or in a network environ-correlate the finger positioning to sean quality. Our 17
i false rejection error rates were significantly worse operation or for use with a host processor. Our test
~
than the estimated error rates published in the verifiers were configured for use with a host processor.
identi TouchNet IJser's Guide, supplied by identix The host management software we used included i
with the TouchNet system. Identix indicates an esti-some custom features not required for normal system mated single try, false-rejection error rate of ~3?i.
operation.
for an enrollment threshold setting of 125. We expe.
User enrollment takes place at the verifier reader.
rienced over 9".
false rejections for three try at-In actual security system applications, each user is i
tempts with the 125 threshold setting. The cold, dry assigned an authority level and, if required, a pass-weather effect on skin conditions in Albuquerque word for entering the security management command could account for some of this difference. Individual mode. A new user can only be enrolled by a security score data might have given us more insight into the manager with the proper authority level and pass-i problem.
word to enter the enrollment sequence. The manager Our users averaged ~6.6 seconds for a card PIN must first he verified on the hand geometry reader, entry verification, including multiple.try attempts.
and then he must enter the proper password within a The fastest users verified in under 5 seconds.
time limit to initiate' the enrollment sequence. Our l
Two identical readers were used in this test. The test software did not require a password or manager two readers testad were set up for a maximum three-verification for user enrollment. It provided the nec-try attempt and only reported a single accept or reject essary functions with a menu driven program that transaction result for each attempt. If a user was allowed the test conductors to fill in the blanks and to l
accepted on either the first, second, or third verifica-initiate the enrollment sequence.
tion try, the attempt was recorded as an accept. If a user was rejected on all three tries, the attempt was User Enrollment Sequence recorded as a reject. Individual.try data was not
- 1. A valid PIN is entered by the new user.
available from the monitoring program.
Reader 1 logged 2248 v6rification attempts with a
- 2. A " PLACE H AND " message then appears false. reject error rate of 9.4fi and no false accepts.
on the reader display.
Reader 2 logged 2316 attempts with a false reject
- 3. The user must then place his hand on the stror ratg of 9.5%. and no false accepts. The number platen and against the guide pins.
cf false-accept attempts was 3424. The false-reject
- 4. When the imaging system determines that error rate equals the percentage of the three-try the hand is properly positioned within the I
false. rejects that occurred m the verification at-time limit, the hand geometry data is ac-tempts.
quired and a " REMOVE HAND " masage is displayed.
Recognition Systems, Inc.
- 5. The message display prompts are repeated at Results sent two more tima, and the umr r.fer.nce The Model ID3D.U hand profile verifier manu.
template is then generated from an average of f:ctured by Recognition Systems, Inc. (RSI) of San the three inputs.
Jose, California was evaluated in this test. The veri-fier houses the hand geometry reader and all the User Verification Sequence electronics in one enclosure. Both the wall mount or
- 1. Entar the user PIN by keypad or card reader.
the desk top models are available. The reader has a
- 2. Follow the " PLACE HAND " and platen with guide pins to aid in proper hand place,
" REMOVE HAND " instructions on the ment; an optical imaging system acquires the hand display.
geometry data. Displayed messages prompt the user cnd provide status information. A keypad and an The average verification time for our users was insertion magnetic stripe card reader record user data
~5 seconds, with card PIN entry. (Times as low as input. This verifier can be configured for stand-alone
~2.9aamaa were observed.)
is
The false reject error rates for Model ID3D U in and the one try, false accept error rate was ~0.1'...
this test were less than the rates were in 1987 when we Three-try, false-accept error rate data was not ob-tested the Model ID3D ST. PIN entry by magnetic tained in this test The test results were very similar cord rather than by keypad is the most likely reason on both readers; thus, only Reader 0 results are for the lower error rates.
plotted.
4 The crossover point, where the one try, false.
Reader 0 logged 5303 transactions in the false-reject error rate and the one-try, false accept error reject test and 5248 transactions in the imposter test.
rate are equal, was ~0.2%. at a threshold of ~100 for Reader 1 logged 5285 transactions in the false reject ModelID3D U. At the test threshold value of 75 the test and 3839 transactions in the imposter test. The three try, false reject error rate was less than 0.1%
results of this test are shown in Figure 5.
j 10
\\
9 8
\\
uJ 7
6
\\
xO 5
t 1
R x
4 i
3
/
k
/
h M ______..
e
- y._. _ _
O O
20 40 60 80 100 - 120 - 140 160 180 200 THRESHOLD VALUE TESTTHRESHOLD = 75
-*- = one-try FR
-e- = Two try FR -*- = Three-try FA Figure 5. Recognition Systems Hand Geometry 4
i 4
19
Semy-
^"'"*"'"***""'"'hT
summary results are given in the appendix. Users The relative performance of the tested verifiers generally preferred the verifiers that produced the can be deduced from the test results. These results fewest false rejects and which took the least time to include the user variables in the operation of the use. User frustration grew rapidly with high, false-machines and a,e therefore representative of the rejection rates; these rates proved to be a bigger performance that can be expected with average usern; problem for them than did the slow transaction times.
at the same time, they are not a true measure of the The RSI hand geometry was overall the user favorite.
machines absolute performance limits. The degree to The verification timegraph (see Figure 6) shows which our resulta differ from the performance limits the average transaction times for:
is an indication of the complexity of the user inter-
. entering the PIN face. As an mterface becomes more complex, more user variables are introduced that could shift the test
- Presenting the biometric feature resulta away from the performance limit.
. verification or rejection.
From a test viewpoint, it is desirable to have a The Alpha Microsystems u.me also m. eludes the final score value reported for each verification try.
II *' ""Y This report is not possible, however, because some verifiers do not provide the score data necessary for us
= to dial a five-digit number on a touch tone to calculate error rate curves. Verifier results in this telephone case are given only for the one threshold value tested.
. wait for an answer from the system.
It would have been possible to repeat the performance This data was obtained by timing the users with-tests at a number of different threshold values to out their knowledge. These times are representative obtain points on the error rate curves, but we did m>t of actual-use transactions; they are not intended to have the resources for such an extensive test. This is indicate the minimum times posnihie.
only one of.cverai ro.ad bljck. for ales clopmg liiomce ric verifier testing standards.
20 m,
1 1
18-
~~-
~---~~~
16-m, 14-l i
g,,.
z
~
~~~~~-- -~-
~ ----"
O 10-O
,i tu*
- g. -
m,
~
- - ~ ~ ~
6-
~ ~ -" ~~--
m, 4,
2-r
' ~ ~ - - - "
r 0-
~
A-MICRO lEl
' EYE-D 'lDENTlX' RSI CSI Figure 6. Average Verification Time in Seconds i
J 20
l i.
i Conclusions perspective to the real world. A 3G false accept Performance is a very important issue, but it is means that there is a 97% probability that an im.
poster will be detacted.
I not the only factor in choosing a biometric identifica-tion device. The device must also be suitable for the facility in which it is installed. The present generation of biometric identification devices provides reliable eferenCeS and cost effective protaction of assets. Available com-puter interfaces and software provide effective secu-
- Identix, Inc., 510 N. Pastoria Ave., Sunnyvale, CA 94086,(408) 739 2000 rity management with real time control, transaction logging, and audit traciong capabilities. The current
- Recognition Systems, Inc.,1589 Provencetown Drive,
' need m the biometric identification field is to have San Jose, CA 95129, (408) 257 2477 I
the market make greater use of what already exista.
" Capital Securities Systems, Inc., Capital Security While new biometric devices are still emerging, it is Operations,9050 Red Branch Road, Columbia, MD 21045 unlikely that any of them will turn the market around (301) 730-6250 with a price or performance breakthrough.
- EyeDentify, Inc., PO Box 3827 Portland, OR 97208, 4
The error rate curves contain much more infor-(503) 645 6666 mation about the performance of the verifiers than
' Alpha Microsystems,3501 Sunflower, Santa Ana, CA was included in our individual discussions. Manufac.
92704,(714) 957 8500 turers can provide additional information about how
- International Electronics, Inc., (ECCO) VoiceKey,32 to apply their devices to specific requirements. Fi-Wexford St., PO Box 584, Needham Heights, MA 02194, nally, it is important to keep the error rates in (617) 449 6646.
i 1
I l
4 4
4 J
21 22
e APPENDlX User Survey Results 4
i 23
2 A1,PMA EYEDENTIFY RECOGNITION Alf!1 SIC MICRO ECCO VERIFY RECOGNIEE IDENTIX SYSTE3tS sIGNON MONE Which machine do you feel 1.
is the easiest to use?
O 4
2 22 15 35 1
0 2.
is the fastest?
1 4
1 28 8
35 0
0 3.
Is the slowest?
38 5
1 2
9 0
24 1
4.
rejects you most often?
11 36 2
5 17 1
6 0
5.
rejects you least often?
11 6
10 11 12 42 9
0 6.
requires most concentration?
10 25 12 23 6
1 4
0 7.
requires most proficiency?
11 23 9
15 11 1
9 4
8.
requires leset profielency?
5 6
4 9
12 38 6
1 9.
is most frustrating to use?
10 34 2
12 12 0
5 3
10.
is most friendly / fun?
'5 2
6 17 13 31 6
1 11.
gives health / safety concerns?
1 0
23 21 1
5 0
47 12.
gives invasion of privacy concerns?
O 1
2 2
3 1
16 56 13.
was most difficult to enroll on?
17 21 1
1 15 2
3 18 14.
was most intisidating to use?
5 16 4
6 4
0 2
41 15.
best to secure a computer terminal?
7 4
12 10 22 18 7
9 16.
best for door security?
3 7
18 19 13 27 3
4 17.
best for bank /POS use?
1 0
13 8
21 11 23 6
18.
best for large population?
2 2
5 14 16 38 3
8 19.
Did you like card or pin best?
Card: 56 Pin: 17 None: 3 NOTES:
1.
Number of respondents: 76 2.
Respondents were allowed to make multiple responses to each question.
4 9
4
i
![
9 i
PERMETER ACCESS TO INTEFNAL CONTRJL
~
Hand geometry boasts
.simph..ty, convem.ence ci
(
l By BILL WILSON ured for identification. A high level of r
character discrimination was achieved.
in 1986 Recognition Systems Inc.
Btzes a uruque personal character-iometrics, a technology that util-began developing a three-dimensional
" '~
method of hand geometry. The basic
,istic to identify a person, as considered design objectives of the three-dimen-a relative newcomer by most in the ac-sional approach were improved accu-z.u*
cess control industry. However, the racy, higher speed and a cost low technology has been around for many enough to make it attractive to the years.
commercial marketplace. Of equal im-The granddaddy of all biometrics, portance was its non-intrusive, easy-to-
{
the Indentimat, used a simple hand ge-use design.
ometry measure to identify a person by The early 3-D designs achieved finger length. The Identimat was de-many of these objectives, but it wasn't veloped in the late 1960s and sold by until the third generation that cost and i
the identimation Co. in the early '70s.
physical design objectives were totally l
For measurement, the hand was realized.
j placed on a flat platen and a 1,000-watt overhead lamp projected the shadows of the fingers through slots in Measuring Hand Geometry the platen. Photoelectric cells scanned The three-dimensional hand geome-along the fingers to determine the po-try concept is quite simple. A solid-
}
sition of the tips and webs, and thus state digital camera is used to capture Hand acoment lastructions aid user l
the finger lengths.
a TV-like image of the hand. Both a or RSI ID3D HandKey reader.
The Identimat worked well (some top view, which gives length and width are actually still in use), but was large, information, and a side view, which expensive and only average in per-gives a thickness profile, are obtained.
I formance. The Identimat found signif-The camera is focused on the meas-l icant use in nuclear and high-security uring platen upon which the hand is l
commercial applications as well as in placed. From this perspective, the top-All physical measurements of the some interesting commercial niche ap-view image of the hand is recorded by hand depend on several optical cali-I plications. In 1987, the production of the camera. A side-view mirror inter-bration marks on the platen. These the venerable identimat ceased.
cepts part of the camera's field of view marks are placed in relation to the fin-During the 1970s and 1980s other and reflects it across the hand so that ger pins. Consequently, any move-biometric technologies, such as finger. the side view (thickness profile) of the ment of the camera trained on the I
print, voice recognition, retinal scan, hand is present within a portion of the platen is compensated for because the keystroke dynamics and signature ver-camera's field of view. Thus, the im-relationship between the calibration ification, were in the early stages of age seen by the camera consists of two marks and :he finger pins (and hand) development. In the early '80s, a study parts: the top view and the side view.
is not changed. It is only required that was done for the U.S. Air Force to de-Finger pins are used to properly po-the calibration marks and hand re-l termine the effectiveness of hand ge-sition the hand on the platen. This en-main within the camera's field of view.
j ometry that measured the total hand sures a high degree of repeatability in J
shape rather than just finger lengths, the hand measurement. The tactile l
as the Identimat had.
feedback provided by the pins makes Measurement Stored for ID in this study, hand-outline photo-hand placement automatic after a little The image captured by the camera is l
graphs were digitized and computer-experience; it is accomplished with no converted into a digital electronic l
analyzed to determine if unique char-more user attention than that required video signal that is transferred to the d
acteristics existed that could be meas-for grasping a door knob.
microprocessor memory. This video I
i dits is represented in memory in muc..
tion automatically removes the associ-the same way as a picture is printed in ated hand template.
D00r @p Scyperix 9
a newspaper, as a series of black and white dots. Each bit in memory repre-New-User Enrollment sents one dot, or pixel. Approximately The new-user enrollment process is 32,000 pixels of information are ana-quite simple and fast. The user places lyzed to extract the identifying fea-his hand on the platen, a reading is tures of the hano.
taken and the hand is removed. This i.
i Identification data is compressed in done three times. The readings are au-memory to allow a large number of tomatically averaged to develop the templates to be stored in the reader at nine-byte enrollment hand template, a low cost. In data compression, only which is stored with the assigned ID By BILL WILSON.
d:ts representing features that are number.
unique among all hand images in the The latest models of hand readers pplications for hand geometry system is stored at the time of a user's allow users to enroll themselves. This are expanding into all areas of h:nd reading. User characteristics that is accomplished quickly and simply at access control. Customer accep-tre shared by the total hand popula-any hand reader in the system; there is tance, the ability to positively iden-tion are discarded, no need for the user to go to a special tify users and decreasing; prices are Data compression is very efficient, enrollment station. In addition, self.
the main factors driving this reducing the hand picture to a nine-enrollment does not require the pres.
growth. There is a rapedly increas-byte identification vector that is stored ence of an enrollment supervisor. For ing desire to use biometrics to min-ts the user's template. In addition to this type of enrollment, the new user's irnize the mmrement mamns and ssving storage space, the small tem-ID number may be entered into the costs associated with such identifi-cation devices as cards and keys, pl te size greatly facilitates system in-hand reader by the system operator at tegrrtion.
any time; the new user need not be long-time staples in accest control systems. Following are some inter-in verifying the identity of a user, present.
the current hand picture is compared For self-enrollment, the new user is esting applications of hand geome-to the stored template. This compari-given his system ID number, a "prac.
try.
son yields a " score" that is the differ-tice" ID number and a card that con.
Major University. At this instal-ence between the current hand reading tains instructions on how to use the lation, hand readers are used for and the enrollment template. A low hand reader. The user begins enroll.
cafeteria access by authorized stu-score indicates a small difference, and ment by entering the practice ID num.
dents. At the beginning of each se-consequently a good match between ber. The hand reader goes through its mester, students purchase a meal the current hand reading and the tem-normal hand-scan operation, but never plan that entitles the student to eat piste. A high score indicates a poor unlocks the door. Instead, it uses the at any of three cafeterias as often as he or she wishes. The student is en-m:tch. During enrollment, a low score first hand reading to build a tempo.
is an indication of a good enrollment rary enroll.. tent template.
rolled in the biometric system when and ensures low false rejections.
On subsequent practice hand read-purchasing the meal plan. The hand Slow changes in hand characteristics ings, the comparison score is dis.
template plus the meal plan code j
or poor enrollments are compensated played. The user is instructed to prac.
are incorporated on the student's for by small updating increments to tice until a score of under 30 is magnetic stripe meal plan card.
the stored hand template at each suc-achieved. The user then enters his sys.
To enter the cafeteria line, the cessful hand reading.
tem ID number, the hand is read and student swipes the card through a The set-up and operation of the that hand reading is taken and stored reader that loads the hand template htnd reader is straightforward, and as the enrollment template for that into the hand reader. The hand is placed on the platen and the card with a bit of initial planning can be user.
carried out by regular security person-The ID number is used to locate the holder's identity is verified by the-nel. The initial planning is required to template in memory and to identify the hand reader. The objective is to en-esttblish who is responsible for the. user in printed or computer-stored sure that the card holder is the per-vtrious functions of the hand reader, data logs. When used with a com.
son who purchased the plan.
and to allocate passwords and/or au-puter, the ID numbers are typically Approximately 5,000 students are thority levels to these people, translated into users' names when re.
enrolled each semester. Four hand readers are used at each cafeteria Once this is done, only those re-ports are printed.
sponsible can enter the various hand Once the enrollment is completed, for three meals every day.
retder command levels and perform the user is in the system and can gain International Airport. At this lo-the functions within those levels. Start-access by entering an ID number, cation, hand readers coupled with l
up functions include setting the time-placing the hand and being verified.
card readers control access to the of-day clock, configuring the reader The entire operation takes about three airport operations area. At each en-for stand-alone or network operation to four seconds, with just over one try point, a card reader is used to and setting printer baud rates.
second required for the actual hand validate an ID number, and the Typically, once the hand readers are scan and comparison. All transactions hand reader verifies that the card in operation, only the enrollment and are data-logged to a printer, PC or ac-holder is the authorized person.
The Permits and Licensing De-crncellation functions are ongoing. An cess control system.
authorized person can revoke a user's There is much discussion about bio.
partment manages the system, and access privilege by removing the ID metric accuracy, perhaps because it enrolls and removes airport person-number by a keypad stroke. This ac-
i-rnel tiemplates. Mass tgp0,000
- * ~
km~ Drug EaW FsWHand
.w M M) readers control door access.'Ihe bi-g -1 Y.MN #
ometric device guaranteeppositive
"?g-aq M identity verification and facilitates l
hQ,'4-M: -,
- 7. Y the handling of the manytask force personnel who are temporary users
+
j 3
i of the facility. This is n' case in
+,.
whicif card or badge management y
.q
. g,jM,.,
was considered a major psoblem.
m.
A.
l i~ 4;_.... If.Jl i Stadest DorselterreThe hand I
W Fr[#4'.~
reader is used at a 10ecorreollege j
s@? pger ep dormitory to control access:daring a
night hours. Residentstidents use i
their socsal security nmmhers;to en-T.
.d i
~,W.
autbocized studentsdD81Eing'de'y-roll. Access is gained byonly those i
Y.'
light hours, access is'controued by
& y.,,, -
.4ese a student employee.
Stock Roomas, in thia'-
M l
gg 3
c
~~
access to enck roomsM'aights and weekcods for fielif'tervice"peo-M). ; ~ c pne is controlled by a.banesseder.
<s Eacl6 facility operatea.as a local sta-tion; however, all readersrare net-worked to a central host and all ac-Both tQ and side views of hand are recorded (top). Software can provide oper.
stion, data logging and report generation, and enables the door to be operated tivity is logged to this host.
directly by the hand reader station (bottom).
This is a nationwide network that operates over a dial-up telephone system. Each hand reader has a built-in auto-answer modem that is Host irayer called on a daily basis from a cen-
"'8 tral computer. When entled by the 5,
gago computer, the hand reader sends a eseah Door complete record of all transactions M
k'Ck of the past day to the host.
u The hand readers, which replaced g
q keypads and card readers, provide
. c. v positive records as to who enters the AM 2
a "g'
- " " -.,sa facihtaes and when.
-m m
F' Banks. A number of banks use e-38'F
hand readers to control access to f
l l
a ownsi IDeDe their internal operations areas. In-ternational banks are using hand Door lock readers to a'so control the number of people who can be inside the bank at a given time. These readers Wg are used at public entrances and in r
portals through which customers L
g pass.
Insurance and Financial Institu-tions. Hand reader use in these ap-plications is generally to control ac-cess to computer facilities. Each can be measured. Most biometrics can world; the curves actually have a cross-reader is set up with access levels be characterized by false-acceptance over point, also called the equal-error and time zones for all employees.
and false-rejection error curves that rate. That is the threshold at which Data-logging is done to record all are related to the system's sensitivity false-rejection and false-acceptance er-door activity.
threshold setting.
rors are equally likely.
Manufseturing Facility. Em-Ideally, both curves would be at Of course, the lower the equal-error ployee time-and-attendance is han-zero at some threshold, and setting the rate, the more accurate any particular died by three readers, one for em-system at that point would yield a zero device is. In general, a tight threshold ployees entering the building and false rejection and false-acceptance er-setting will reduce the potential for another for exiting. Using the hand ror. This is not the case in the real false-acceptance errors, but at the ex-
6 pense of false-rejection errors. The ap-l plication will dictate the best setting.
d climiutes fraudulenFclock.
$cilities are well known.-Correc-In most uses the balance must take into account user acceptance and level ing in or out by employees. Enroll-tional and law enforcement facili-of security, ment and cancellation is done by ties are also beginning to use hand Hand geometry measurement tech-the personnel department.
geometry for such things as visitor New York Cosamerdal Photogra-control and employee tracking.
nI has o imized e combination phy Stadio. This facility is located Membership clubs have installed in wn wn an am seem ty
, hand readen fm enW control. Be-equal-crror rate of any biometric, and an extremely low false-rejection error
- * * ****' With. the use of} -
cause' cards are abused.la most hand readers, lost or stolen cards.
clubs, use of the br,nd reader is a i
cannot be used for wm. This sys-simple solution. Members and man-The hand readers are calibrated so tem serves a dual purpose in addi-agement like the approach.because th t a rejection threshold score of 100 tionally providing. time-and-atten-it is quick and non-connontational.
?
dance fumadon fm tempmary The prospects for hand geometry e ite ed f o the yste
's set u mode, as required by the application.
Hospitshs. Hand readers are used
" 8*
Lower thresholds can be used for acceptance gmws. De M are e
h spi is t recmd tu, ne-obvious: The identificationfereden-higher-security applications. Also in-nd-auendance infamation fw dividual thresholds can be set to ac-tial(the hand)is always with you;it nes w rking m, differe 11 depan-can't be lost or left at home. This is commodate people who have diffi-bi an culty with hand placement because of h om A
w k's e
I physical or other impairments. (Rings readers together and to correlate the or Band-Aids do not have a material time and pay-scale data for the pay-effect, since they do not significantly roll department, Doctors use hand Scientists continue Irorking to affect the overall geometry of the readers to accas high-security arcas improve the band geometry tech-
{
hind.)
within the hospital.
n logy. The emphari:i: cn user ac-These are just a few commercial ceptance, cat, spced and accuw, toward the goal of ultimate access N:tworking Iland Reade'rs and industrial uses for hand geom-The basic hand reader is a complete, etry technology. Additional apph-control simplicity and conven-g single-door access control station ca-cations at nuclear power and DoD p:ble of handling more than 20,000 users without peripheral equipment.
Multiple hand readers can be con-nected to a simple network using a sin-gle-pair RS-485 communciation link.
In this case, one reader is configured as the network master. Adding and re-host access control system in standard puter c r host access control system. In moving users is handled from the mas-card format. The system then proc-a network arrangement, the hand ter reader. The master also provides esses this ID number, applying its ac-readers have two communication links, for central data logging of all reader cess control decision rules and control-an RS-232 and an RS-485/422. These activity to a printer or to a data-log-ling the door-locking hardware as ap-links are used for data-logging; enroll-ging computer.
propriate. Thus, biometric control and ment and removal of users; and sys-In many cases it is desirable to inte-security can be added to an existing tem set-up. All pertinent data, such as grrte hand readers with existing access access control system.
time, date, user information, door ac-control systems. This is quite easy to if central enrollment is desired, the tivity, enrollment and removal listing, do because the hand reader can be hand readers can be networked to a is available for writing to disk.
connected directly into standard card user-enrollment station. Through a in the hand reader-only network, a recess systems by using the hand read-two-wire link, enrollment and removal software package can provide com-er's Wiegand or magnetic stripe card information can be transmitted to all plete operation, data-logging and re-re der emulation port.
readers on the network, port generation with an RS-485 twisted in this mode of operation, once the The most common configuration of pair as the network link, and the door user's hand is verified, the ID number a networked system is one made up of coerated directly by the hand reader is sent to the card reader port of the many hand readers and a host com-nation. E Reprinted from ACCESS CONTROL. March 1992 e 1990 by Communication Channels,Inc., Atlanta, Ga. U.S.A.