- Email: [email protected]
Biometric options for mobile phone authentication
FEATURE
Biometric options for mobile phone authentication
Mohammad Omar Derawi
Mohammad Omar Derawi, Gjøvik University College Businesses and consumers are making increasing use of mobile phones to access corporate data and networks, along with products and services that may demand authentication. As personal mobile devices become more popular the user has come to expect the full range of services from the mobile Internet, as limitations around screen size and interaction capabilities have disappeared. There are a number of emerging options for biometric authentication via mobile phone, including fingerprint recognition via a mobile phone with a camera function, gait recognition and activity recognition. Looking first at fingerprint recognition, most of the latest mobile phones have embedded cameras and some of those have 5 megapixel– plus cameras. Many fingerprint recognition algorithms perform well on databases when the images have been collected with high resolution cameras and in highly controlled situations1. However recent research shows that the performance of a baseline system deteriorates from an Equal Error Rate (EER) around 0.02 % with very high quality images to EER of 25% from low quality images2.
“An important question is which of the fingerprint authentication algorithms will work well with fingerprint images produced by mobile phone cameras” Research is still ongoing to improve recognition performance. In applications such as fingerprint authentication using cameras in mobile phones and PDAs, the cameras may introduce image distortions, for example because of fisheye lenses, and fingerprint images may exhibit a wide range of illumination conditions, as well as scale and pose variations. An important question is which of the fingerprint authentication algorithms will work well with fingerprint images produced by mobile phone cameras. Fingerprint reading is already being introduced and becoming acceptable on mobile phones. The Motorola Atrix mobile, released in February 2011, incorporates a fingerprint reader as an additional security
October 2011
feature. Users present their index fingers on both left and right hand. Additionally, research3,4 has shown that by using low-cost webcam devices it is possible to extract fingerprint information, applying different pre-processing and image enhancement approaches.
Privacy concerns Privacy concerns over fingerprint recognition technology deployment in non-high security applications have been raised5,6 slowing development of biometrics in the consumer market in recent years compared with the rapid development in the public sector such as border control, critical infrastructure access control, and crime There are at least two ways to alleviate these privacy concerns. Biometric template protection7,8 is one of the most promising solutions to provide both performance and privacy for biometric system users. The European Research Project Turbine9 demonstrated a good result around both the performance and privacy of the ISO fingerprint minutiae template-based, privacy enhancement biometric solutions. For the consumer market, using customers’ own biometric sensors will also help alleviate privacy concerns. For applications requiring high security, subjects’ own biometric sensors may not be suitable for data collection unless the phone can be authenticated as a registered and ‘untampered with’ device in both software and hardware. However for the consumer market, the mobile phone is generally deemed a secure device accepted by many customers and many banking services send transaction password or PIN codes via SMS to customers’ phones. The technical challenges lie in quality control around the samples captured by the phone camera, especially image processing aspects such as bias lighting conditions and an unsta-
ble sample collection environment caused by handholding. In addition, most existing phone cameras are not designed for biometric use and accurate focusing will always be a challenge for fingerprint image capture.
“The technical challenges lie in quality control around the samples captured by the phone camera, especially image processing aspects such as bias lighting conditions and an unstable sample collection environment caused by hand-holding” Fingerprint recognition may be an effective means of verifying the identity of the user of a mobile phone if it is made easy for the user while keeping the error rates in an acceptable and practical range. To address this issue, researchers at the Norwegian Information Security Laboratory created a fingerprint database using two different mobile phone cameras, the Nokia N95 and HTC Desire. An image database comprised of 25 subjects, from which fingerprint images were taken with a mobile phone camera. The database comprised 3000 fingerprint images in total. The user initially presents his or her biometric characteristic (ie fingerprint) to the sensor equipment (the camera in a mobile phone), which captures it as a biometric sample. After pre-processing this captured sample, features will be extracted from the sample. In case of fingerprint biometrics, these features would typically be minutia points. The extracted features can then be used for comparison against corresponding features stored in a database, which stores details from users who have enrolled into the system. The Neurotechnology Verifinger 6.0 Extended SDK commercial minutia extractor was used for feature extraction. The SDK includes functionality to extract a set of
Biometric Technology Today
5
FEATURE also be used for protecting valuable personal items. Moreover, reliably authenticated mobile devices may also serve as an automated authentication in relation to other systems such as access control systems or automated external system logon.
Gait recognition
Fingerprint authentication testing with Nokia N95 and HTC Desire.
minutiae data from an individual fingerprint image and to compute a comparison score by comparing one set of data with another. Both SDKs support open and interoperable systems as the generated minutiae templates can be stored according to the ISO or ANSI interchange standard. The left index finger performed best for both phones with the lowest error rate. The Nokia N95 performed significantly better than the Desire for various reasons. The Nokia was placed in a fixed way on the holder while capturing fingerprint data. Furthermore, the Nokia was set to an internal close-up mode setting. This mode is ideal for capturing details of small objects within a distance between 10-60cm.
Staged introduction A fingerprint biometric verification system in a mobile device could be staged in. The mobile device would enter a ‘learning’ mode during which high quality fingerprint data is processed and stored. Password-based or PIN code user authentication could be used during the learning session. If the fingerprint biometrics became stable and reliable, the system would go into a biometric authentication status after confirmation from the owner. In this state the system would asynchronously verify the owner’s identity every time the owner wanted to authenticate. In a future of truly pervasive computing, when small and inexpensive hardware can be embedded in various objects, this method could
Verification model for fingerprint authentication by mobile phone.
6
Biometric Technology Today
Gait recognition is also a promising option for mobile biometric authentication. The term ‘gait recognition’ describes a biometric method that allows an automatic verification of the identity of a person by the way he or she walks. There are three different approaches in biometric gait recognition: machine vision, floor sensor and wearable sensor. Gait recognition has been based on the use of video sources, floor sensors or dedicated highgrade wearable sensors (mainly accelerometers, although other sensors such as gyroscopes and magnetic field sensors could be used). It is possible to use mobile devices containing low-grade accelerometers, such as the Google G1 phone containing the AK8976A embedded accelerometer sensor.10 In machine vision approaches 11,12,13,14 the system will typically consist of several digital or analogue cameras with suitable optics for acquiring the gait data. Techniques such as background segmentation are used to extract features to identify a person. This technique is especially useful for surveillance. In the floor sensor approach15,16 the sensors are placed on the floor, which makes these methods suitable for controlling access to buildings. When people walk across the mat, they can be authenticated by the force to the ground, measured by the mat. The newest of the three approaches is based on wearing motion-recording sensors on the body in different places: on the waist, in pockets, shoes and so forth. The main advantage of gait recognition using wearable sensors is that it provides an unobtrusive authentication method for mobile devices that already contain accelerometers (like mobile phones, PDAs etc). Therefore, it can be applied for continuous verification of the identity of the user without user intervention. This has a great advantage over other biometric systems such as fingerprint or face recognition, which are also suitable for implementation on mobile phones but require active user intervention. This advantage of accelerometer based gait recognition compensates for the so-far worse recognition rates. As biometric gait recognition only works when the user is walking, this method has to be combined with another authentication method. This can be beneficial as adding an unobtru-
October 2011
FEATURE sive authentication method to mobile phones decreases the necessity for regular active authentication and so increases user friendliness.
“Adding an unobtrusive authentication method to mobile phones decreases the necessity for regular active authentication and so increases user friendliness” The Google G1 uses the Android platform and software was written for this platform to access the accelerometer and output the data from the sensor to a file (40-50 samples per second for each of the three directions). While recording the gait data the phone was placed in a pocket attached to the belt of the subject on the right hand side of the hip. Initial error rates retrieved started at an EER of 20.1%, which could be improved with a high quality dedicated accelerometer allowing commercial mobile phones equipped with accelerometers to carry out biometric gait recognition. Real world scenario testing gave an EER of 7.45%17. Each participant walked a certain route, which is a more realistic approach. The subject walked upstairs and downstairs, round corners, opened doors, etc. Variations were uncovered; walking fast led to better performance. One reason for variation of the EER was the wearing of different shoes on the different sessions. Further influencing factors are the clothes worn, which have an impact on the position (height, angle etc) of the bag carrying the mobile device as well as on how stable it is. Further work needs to be carried out on real world gait recognition in varying terrains and the attack resistance of this method needs further study. But it is clear that initial results are promising.
Time of flight Biometric gait recognition systems based on 3D videos obtained by time of flight sensors are another alternative to floor sensors and wearable sensors. Preliminary work has been carried out to demonstrate how a time of flight video camera could facilitate remote surveillance and biometric identification.18 An experiment was performed over two different days (sessions) using the Swiss ranger SR-4000 CW10 ToF sensor by Mesa Technologies. Each of the subjects walked a track within the camera field of view. The best EER obtained was 2.66 % for a discrete session. Including data for change in gait over time resulted in an EER of about 9.25
October 2011
%. This may seem a significant error rate but researchers are keen to stress that this research is the first step towards better performance in the future. Activity recognition is another aspect to gait recognition. The identification of everyday routine and leisure activities such as walking, running, biking, sitting, climbing and lying down may be tracked by accelerometer sensors in mobile devices. Recognition accuracy for activity recognition has shown great results and it could be useful for an automatic gait recognition system19.
10
11
12
References 1
Nist image group’s Fingerprint research. 13 February 2011. 2 Gafurov, Davrondzhon, Bours, Patrick, Yang, Bian and Busch, Christoph. ‘Guc100 multi-scanner fingerprint database for in-house (semi-public) performance and interoperability evaluation’. Computational Science and its Applications, International Conference, 2010, pp30-306. 3 Mueller, Robert and Sanchez-Reillo, Raul. ‘An approach to biometric identity management using low-cost equipment’. Intelligent Information Hiding and Multimedia Signal Processing, International Conference 2009, pp1096-1100. 4 Yan Hiew, Bee, Beng, Andrew, Teoh, Jin and Yin, Ooi Shih. ‘A secure digital camera based fingerprint verification system’. J Vis. Comun. Image Represent, April 2010. pp219-231. 5. Young, Tom, Mari, Angelica. Computing. co.uk. ‘Retailers Fingerprint plans prompt privacy concerns’.13 February 2011 6. Waterfield, Bruno. Telegraph.co.uk. ‘Europe tells Britain to justify itself over fingerprinting children in schools”. 13 February 2011. 7 Jain, Anil, Nandakumar, Karthik and Nagar, Abhishek. ‘Biometric template security’. EURASIP J. Adv. Signal Process, January 2008, pp113:1-113:17. 8 ‘ISO/IEC FDIS 24745 Information technology {Security techniques {Biometric information protection, FDIS’, February 2011. 9 ‘EU FP7 integrated project – trusted revocable biometric identities.’
13
14
15
16
17
18
19
13 February 2011 Nixon, MS, Carter, JN, Nash, JM, Huang, PS, Cunado, D and Stevenage, SV. ‘Automatic gait recognition’. Biometrics – Personal Identification in Networked Society. Kluwer, 1999, pp231–250. Han, J and Bhanu, B. ‘Individual recognition using gait energy image’, IEEE Transactions on Pattern Analysis and Machine Intelligence, vol 28, 2006. pp 316–322. Liu, Z and Sarkar, S. ‘Improved gait recognition by gait dynamics normalization,” IEEE Transactions on Pattern Analysis and Machine Intelligence, , 2006, vol 28, no 6, pp863–876. Sarkar, S, Phillips, PJ, Liu, Z, Vega, IR, Grother, P and Bowyer, KW. ‘The huminID gait challenge problem: Data sets, performance, and analysis’, IEEE Transactions on Pattern Analysis and Machine Intelligence, vol 27, pp. 162–177. Jenkins, J and Ellis, CS. ‘Using ground reaction forces from gait analysis: Body mass as a weak biometric’, Fifth International Conference on Pervasive Computing, 2007, pp251–267. Nakajima, K, Mizukami, Y, Tanaka, K and Tamura, T. ‘Footprint-based personal recognition’, IEEE Transactions on Biomedical Engineering, 2000, vol 47(11). Nickel, Claudia , Busch, Christoph. ‘Classifying Accelerometer Data via Hidden Markov Models to Authenticate People by the Way they Walk’. IEEE 45th International Carnahan Conference on Security Technology, 2011. Derawi, Mohammad, Ali, Hazem, Cheikh, Faouzi Alaya. ‘Gait Recognition using Time-of-Flight Sensor’. BIOSIG October 2011. Bajrami, Gazmend, Derawi, Mohammad, Bours, Patrick. ‘Towards an Automatic Gait Recognition System using Activity Recognition (Wearable Based)’. September 2011,
About the author Mohammad Omar Derawi is a researcher based at the Norwegian Information Security Laboratory, Gjøvik University College, Norway.
Biometric Technology Today
7
Biometric options for mobile phone authentication
Mohammad Omar Derawi
Mohammad Omar Derawi, Gjøvik University College Businesses and consumers are making increasing use of mobile phones to access corporate data and networks, along with products and services that may demand authentication. As personal mobile devices become more popular the user has come to expect the full range of services from the mobile Internet, as limitations around screen size and interaction capabilities have disappeared. There are a number of emerging options for biometric authentication via mobile phone, including fingerprint recognition via a mobile phone with a camera function, gait recognition and activity recognition. Looking first at fingerprint recognition, most of the latest mobile phones have embedded cameras and some of those have 5 megapixel– plus cameras. Many fingerprint recognition algorithms perform well on databases when the images have been collected with high resolution cameras and in highly controlled situations1. However recent research shows that the performance of a baseline system deteriorates from an Equal Error Rate (EER) around 0.02 % with very high quality images to EER of 25% from low quality images2.
“An important question is which of the fingerprint authentication algorithms will work well with fingerprint images produced by mobile phone cameras” Research is still ongoing to improve recognition performance. In applications such as fingerprint authentication using cameras in mobile phones and PDAs, the cameras may introduce image distortions, for example because of fisheye lenses, and fingerprint images may exhibit a wide range of illumination conditions, as well as scale and pose variations. An important question is which of the fingerprint authentication algorithms will work well with fingerprint images produced by mobile phone cameras. Fingerprint reading is already being introduced and becoming acceptable on mobile phones. The Motorola Atrix mobile, released in February 2011, incorporates a fingerprint reader as an additional security
October 2011
feature. Users present their index fingers on both left and right hand. Additionally, research3,4 has shown that by using low-cost webcam devices it is possible to extract fingerprint information, applying different pre-processing and image enhancement approaches.
Privacy concerns Privacy concerns over fingerprint recognition technology deployment in non-high security applications have been raised5,6 slowing development of biometrics in the consumer market in recent years compared with the rapid development in the public sector such as border control, critical infrastructure access control, and crime There are at least two ways to alleviate these privacy concerns. Biometric template protection7,8 is one of the most promising solutions to provide both performance and privacy for biometric system users. The European Research Project Turbine9 demonstrated a good result around both the performance and privacy of the ISO fingerprint minutiae template-based, privacy enhancement biometric solutions. For the consumer market, using customers’ own biometric sensors will also help alleviate privacy concerns. For applications requiring high security, subjects’ own biometric sensors may not be suitable for data collection unless the phone can be authenticated as a registered and ‘untampered with’ device in both software and hardware. However for the consumer market, the mobile phone is generally deemed a secure device accepted by many customers and many banking services send transaction password or PIN codes via SMS to customers’ phones. The technical challenges lie in quality control around the samples captured by the phone camera, especially image processing aspects such as bias lighting conditions and an unsta-
ble sample collection environment caused by handholding. In addition, most existing phone cameras are not designed for biometric use and accurate focusing will always be a challenge for fingerprint image capture.
“The technical challenges lie in quality control around the samples captured by the phone camera, especially image processing aspects such as bias lighting conditions and an unstable sample collection environment caused by hand-holding” Fingerprint recognition may be an effective means of verifying the identity of the user of a mobile phone if it is made easy for the user while keeping the error rates in an acceptable and practical range. To address this issue, researchers at the Norwegian Information Security Laboratory created a fingerprint database using two different mobile phone cameras, the Nokia N95 and HTC Desire. An image database comprised of 25 subjects, from which fingerprint images were taken with a mobile phone camera. The database comprised 3000 fingerprint images in total. The user initially presents his or her biometric characteristic (ie fingerprint) to the sensor equipment (the camera in a mobile phone), which captures it as a biometric sample. After pre-processing this captured sample, features will be extracted from the sample. In case of fingerprint biometrics, these features would typically be minutia points. The extracted features can then be used for comparison against corresponding features stored in a database, which stores details from users who have enrolled into the system. The Neurotechnology Verifinger 6.0 Extended SDK commercial minutia extractor was used for feature extraction. The SDK includes functionality to extract a set of
Biometric Technology Today
5
FEATURE also be used for protecting valuable personal items. Moreover, reliably authenticated mobile devices may also serve as an automated authentication in relation to other systems such as access control systems or automated external system logon.
Gait recognition
Fingerprint authentication testing with Nokia N95 and HTC Desire.
minutiae data from an individual fingerprint image and to compute a comparison score by comparing one set of data with another. Both SDKs support open and interoperable systems as the generated minutiae templates can be stored according to the ISO or ANSI interchange standard. The left index finger performed best for both phones with the lowest error rate. The Nokia N95 performed significantly better than the Desire for various reasons. The Nokia was placed in a fixed way on the holder while capturing fingerprint data. Furthermore, the Nokia was set to an internal close-up mode setting. This mode is ideal for capturing details of small objects within a distance between 10-60cm.
Staged introduction A fingerprint biometric verification system in a mobile device could be staged in. The mobile device would enter a ‘learning’ mode during which high quality fingerprint data is processed and stored. Password-based or PIN code user authentication could be used during the learning session. If the fingerprint biometrics became stable and reliable, the system would go into a biometric authentication status after confirmation from the owner. In this state the system would asynchronously verify the owner’s identity every time the owner wanted to authenticate. In a future of truly pervasive computing, when small and inexpensive hardware can be embedded in various objects, this method could
Verification model for fingerprint authentication by mobile phone.
6
Biometric Technology Today
Gait recognition is also a promising option for mobile biometric authentication. The term ‘gait recognition’ describes a biometric method that allows an automatic verification of the identity of a person by the way he or she walks. There are three different approaches in biometric gait recognition: machine vision, floor sensor and wearable sensor. Gait recognition has been based on the use of video sources, floor sensors or dedicated highgrade wearable sensors (mainly accelerometers, although other sensors such as gyroscopes and magnetic field sensors could be used). It is possible to use mobile devices containing low-grade accelerometers, such as the Google G1 phone containing the AK8976A embedded accelerometer sensor.10 In machine vision approaches 11,12,13,14 the system will typically consist of several digital or analogue cameras with suitable optics for acquiring the gait data. Techniques such as background segmentation are used to extract features to identify a person. This technique is especially useful for surveillance. In the floor sensor approach15,16 the sensors are placed on the floor, which makes these methods suitable for controlling access to buildings. When people walk across the mat, they can be authenticated by the force to the ground, measured by the mat. The newest of the three approaches is based on wearing motion-recording sensors on the body in different places: on the waist, in pockets, shoes and so forth. The main advantage of gait recognition using wearable sensors is that it provides an unobtrusive authentication method for mobile devices that already contain accelerometers (like mobile phones, PDAs etc). Therefore, it can be applied for continuous verification of the identity of the user without user intervention. This has a great advantage over other biometric systems such as fingerprint or face recognition, which are also suitable for implementation on mobile phones but require active user intervention. This advantage of accelerometer based gait recognition compensates for the so-far worse recognition rates. As biometric gait recognition only works when the user is walking, this method has to be combined with another authentication method. This can be beneficial as adding an unobtru-
October 2011
FEATURE sive authentication method to mobile phones decreases the necessity for regular active authentication and so increases user friendliness.
“Adding an unobtrusive authentication method to mobile phones decreases the necessity for regular active authentication and so increases user friendliness” The Google G1 uses the Android platform and software was written for this platform to access the accelerometer and output the data from the sensor to a file (40-50 samples per second for each of the three directions). While recording the gait data the phone was placed in a pocket attached to the belt of the subject on the right hand side of the hip. Initial error rates retrieved started at an EER of 20.1%, which could be improved with a high quality dedicated accelerometer allowing commercial mobile phones equipped with accelerometers to carry out biometric gait recognition. Real world scenario testing gave an EER of 7.45%17. Each participant walked a certain route, which is a more realistic approach. The subject walked upstairs and downstairs, round corners, opened doors, etc. Variations were uncovered; walking fast led to better performance. One reason for variation of the EER was the wearing of different shoes on the different sessions. Further influencing factors are the clothes worn, which have an impact on the position (height, angle etc) of the bag carrying the mobile device as well as on how stable it is. Further work needs to be carried out on real world gait recognition in varying terrains and the attack resistance of this method needs further study. But it is clear that initial results are promising.
Time of flight Biometric gait recognition systems based on 3D videos obtained by time of flight sensors are another alternative to floor sensors and wearable sensors. Preliminary work has been carried out to demonstrate how a time of flight video camera could facilitate remote surveillance and biometric identification.18 An experiment was performed over two different days (sessions) using the Swiss ranger SR-4000 CW10 ToF sensor by Mesa Technologies. Each of the subjects walked a track within the camera field of view. The best EER obtained was 2.66 % for a discrete session. Including data for change in gait over time resulted in an EER of about 9.25
October 2011
%. This may seem a significant error rate but researchers are keen to stress that this research is the first step towards better performance in the future. Activity recognition is another aspect to gait recognition. The identification of everyday routine and leisure activities such as walking, running, biking, sitting, climbing and lying down may be tracked by accelerometer sensors in mobile devices. Recognition accuracy for activity recognition has shown great results and it could be useful for an automatic gait recognition system19.
10
11
12
References 1
Nist image group’s Fingerprint research.
13
14
15
16
17
18
19
13 February 2011
About the author Mohammad Omar Derawi is a researcher based at the Norwegian Information Security Laboratory, Gjøvik University College, Norway.
Biometric Technology Today
7