Implementing biometrics requires a little thought

In Access Controls, Biometrics on April 30, 2009 at 13:52

Implementing the right biometrics solution is not an easy task.  There are several considerations which, if analyzed carefully, might even result in a decision to look at other identity verification methods.  I’ve written about this in the past, but a recent post to The Daily WTF about an implementation-gone-wrong provides an opportunity to drive home some basic points once again… and apparently it’s needed.

Problem 1, failing to analyze the operating environment

The fingerprint biometrics system described in the article was intended to perform various tasks in a workout facility, including member check-in and check-out.  Check-ins seemed to work OK.  Check-outs, however, were problematic.  Finger characteristics changed temporarily while members were in the facility, through contact with the normal gym environment: exposure to water in the pool, sauna, or whirlpool, and contact with the lattice patterns on weight equipment. And the sensor quickly became unusable as it came in contact with a stream of unwashed hands.

Problem 2, failing to understand the technology

No allowance was made for sensor failure.  So no manual workaround was implemented.  If the check-out sensor failed, the only recourse was jumping over the turnstile, which remained locked until a recognizable print was read by the system.  To reduce the number of “jumpers”, the technicians turned recognition sensitivity down low.  In other words, the biometrics system would accept data which fell far short of what it normally considered effective print analysis.  This resulted in a high number of false positives; people were being identified as another member when they placed their digit on the sensor.

Problem 3, failing to understand how members would react to biometrics

It wasn’t clear from the article, but it appeared as if the gym manager jumped into biometrics without a lot of thought, including thinking about whether his customers would decide to change membership to a place where they didn’t have to provide personal information.  Privacy concerns are a big reason why biometrics are rejected by employees and customers.  Another reason is the fear of picking up some disease from sensors used by more than one person.  In this case, it was clear many of the members chose the old method of logging in at a touch screen.

Lessons to take away

The business made three common errors when implementing new biometrics.  So you don’t make the same mistakes, I’ve provided a list of how to avoid them.

  1. It’s important to understand the environment in which biometrics will be used.  In this case, sweat and grime made the sensors useless.  In manufacturing environments, it might be lubricants or other substances in the air; even the cleanest hands won’t solve this problem.  If the sensors fail often, employees or customers will become frustrated and reject the technology, resulting in employee turnover or lost revenue.  In cases where environmental conditions are not friendly to biometrics, consider tokens such as magnetic stripe cards.
  2. Many business managers don’t understand the pros and cons of biometrics.  For example, I wonder if the vendor told the gym manager that no biometrics solution works on every print every time.  There will be false negatives and false positives.  Adjusting the system to reduce false positives will increase false negatives and vice versa (see Figure 1).  The gym manager, in turning down false negatives, allowed false positives to increase.  Some organizations, in the interest of tight security, go in the other direction, tuning their systems to eliminate false positives.  This increases the false negative rate to a point where the solution might be more trouble than it’s worth.  In the figure below, the CER is the ideal setting for a biometrics system.  The CER (Cross-over Error Rate) is the point at which the false positive and false negative rates are equal.  The quality of a biometrics solution is often determined by the size of its CER, usually expressed as a percentage of total scans.  In any case, errors will occur.  Not having a manual workaround is a big oversight.
    Figure 1: the cross-over error rate (CER), the point at which the false positive and false negative rates are equal.

  3. Finally, there is the user factor.  Employees and customers may reject biometrics for a variety of reasons, including fear that the company stores unique personal information and fear of contracting diseases through contact with publicly used sensors.  Another big reason people reject biometrics is frustration.  It probably wouldn’t take many jumps over the turnstile before gym members simply returned to the old way of logging in and out.  The best way to deal with these issues is to hold open and honest discussions about how the systems work, the health risks involved, and how the organization plans to use the information. Remember, user acceptance doesn’t depend on how you perceive biometrics identity verification. Rather, it depends on how your employees and customers perceive it.

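To make the trade-off in point 2 concrete, here is an added Python example (not from the original post or the gym's system) that sweeps a match-score threshold over constructed genuine and impostor scores, reports the false positive and false negative rates at each setting, and locates the CER. The score values and the "low sensitivity" and "tight security" thresholds are assumptions chosen for illustration.

```python
"""Constructed threshold sweep for a hypothetical fingerprint matcher.

Scores are 0-100 similarity values between a live print and a stored
template (assumed matcher output, not from any real product). A print is
accepted when its score is at or above the threshold.
"""
from typing import List, Tuple

# Constructed sample scores: genuine = member vs. their own template,
# impostor = member vs. someone else's template. Overlap is deliberate.
GENUINE = [92, 88, 85, 81, 78, 74, 70, 66, 61, 55, 48, 40]
IMPOSTOR = [12, 18, 22, 27, 31, 36, 41, 45, 50, 54, 59, 63]


def error_rates(threshold: int, genuine: List[int] = GENUINE,
                impostor: List[int] = IMPOSTOR) -> Tuple[float, float]:
    """Return (false positive rate, false negative rate) at a threshold.

    False positive: impostor accepted (member identified as someone else).
    False negative: genuine member rejected (turnstile stays locked).
    """
    fpr = sum(s >= threshold for s in impostor) / len(impostor)
    fnr = sum(s < threshold for s in genuine) / len(genuine)
    return fpr, fnr


def sweep(genuine: List[int] = GENUINE,
          impostor: List[int] = IMPOSTOR) -> List[Tuple[int, float, float]]:
    """(threshold, FPR, FNR) for every integer threshold from 0 to 100."""
    return [(t, *error_rates(t, genuine, impostor)) for t in range(101)]


def crossover_error_rate(genuine: List[int] = GENUINE,
                         impostor: List[int] = IMPOSTOR) -> Tuple[int, float]:
    """Threshold where FPR and FNR are closest, plus the rate there (the
    CER); a lower CER means genuine and impostor scores overlap less.
    """
    t, fpr, fnr = min(sweep(genuine, impostor), key=lambda r: abs(r[1] - r[2]))
    return t, (fpr + fnr) / 2


if __name__ == "__main__":
    # Assumed settings: 30 = sensitivity "turned down" to stop turnstile
    # jumpers; 65 = tuned for tight security with no false positives.
    for label, t in (("low sensitivity", 30), ("tight security", 65),
                     ("cross-over (CER)", crossover_error_rate()[0])):
        fpr, fnr = error_rates(t)
        print(f"{label:18} threshold={t:3d}  FPR={fpr:.2f}  FNR={fnr:.2f}")
```

With these constructed scores the "turned down" setting drives false negatives to zero while two thirds of impostor comparisons are accepted, which is the failure mode the article describes.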