
    ZlodeiBaal August 11, 2011 at 9:54 pm

    Modern biometric identification methods


    Lately there have been many articles on Habr devoted to Google's facial identification systems. To be honest, many of them reek of journalism and, to put it mildly, incompetence. And I wanted to write a good article on biometrics myself! There are a couple of good articles on biometrics on Habr, but they are quite short and incomplete. Here I will try to briefly outline the general principles of biometric identification and humanity's current achievements in this field, including identification by faces.

    The article has a continuation which is, in essence, its prequel.

    A joint publication with a colleague in a journal (BDI, 2009), revised to suit modern realities, is used as the basis for this article. My colleague is not on Habr yet, but he supported publishing the revised article here. At the time of publication the article was a brief overview of the modern market of biometric technologies, which we carried out for ourselves before launching our product. The judgments on applicability put forward in the second part of the article are based on the opinions of people who have used and implemented the products, as well as of people involved in producing biometric systems in Russia and Europe.

    General information

    Let's start with the basics. In 95% of cases, biometrics is essentially mathematical statistics. And mathematical statistics is an exact science whose algorithms are used everywhere, from radar to Bayesian systems. Errors of the first and second kind can be taken as the two main characteristics of any biometric system. In radar theory they are usually called "false alarm" and "target miss"; in biometrics the most established terms are FAR (False Acceptance Rate) and FRR (False Rejection Rate). The first number characterizes the probability of a false match between the biometric characteristics of two different people. The second is the probability of denying access to a person who is cleared. The lower the FRR at the same FAR, the better the system. Sometimes the comparative characteristic EER is also used, which is the point at which the FRR and FAR curves intersect. But it is not always representative. You can read more about this elsewhere.
    Note the following: if a system's specification does not give FAR and FRR for open biometric databases, then whatever the manufacturer declares about its characteristics, the system is most likely ineffective or much weaker than its competitors.
    But FAR and FRR alone do not determine the quality of a biometric system. If they did, the leading technology would be DNA recognition, for which FAR and FRR tend to zero. But it is obvious that this technology is not applicable at the current stage of human development! We have come up with several empirical characteristics that allow us to assess the quality of a system. "Forgery resistance" is an empirical characteristic summarizing how easy it is to fool the biometric identifier. "Environmental stability" empirically evaluates how stable the system is under various external conditions, such as changes in lighting or room temperature. "Ease of use" shows how difficult the biometric scanner is to use and whether identification is possible "on the go". "Speed of operation" and "Cost of the system" are also important characteristics. And we should not forget that a person's biometric characteristic can change over time; if it is unstable, that is a significant disadvantage.
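As an added example (not part of the original article), here is how FAR, FRR and the EER point are obtained from a matcher's comparison scores, and how two systems are compared by "FRR at the same FAR". The genuine and impostor scores below are constructed toy values, not measurements from any real system; a real evaluation would use thousands of comparisons on an open database, as the text recommends.

```python
# Added example: FAR, FRR and EER from matcher scores (constructed toy data).
from typing import Sequence, Tuple

# Constructed similarity scores (higher = more similar). In a real evaluation
# these come from comparing templates of the same person (genuine) and of
# different people (impostor) on an open database.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.79, 0.75, 0.70, 0.66, 0.61, 0.55, 0.48]
IMPOSTOR_SCORES = [0.62, 0.57, 0.51, 0.45, 0.40, 0.36, 0.31, 0.27, 0.22, 0.15]


def far_at(threshold: float, impostor: Sequence[float]) -> float:
    """False Acceptance Rate: fraction of impostor comparisons with score >= threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr_at(threshold: float, genuine: Sequence[float]) -> float:
    """False Rejection Rate: fraction of genuine comparisons with score < threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_rate(genuine: Sequence[float], impostor: Sequence[float]) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, EER): the threshold where |FAR - FRR| is smallest, and the
    mean of FAR and FRR there (the point where the two curves cross)."""
    best_gap, best_t, best_eer = None, None, None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_at(t, impostor), frr_at(t, genuine)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_eer = gap, t, (far + frr) / 2
    return best_t, best_eer


def frr_at_target_far(target_far: float, genuine: Sequence[float],
                      impostor: Sequence[float]) -> Tuple[float, float]:
    """Pick the lowest threshold whose FAR does not exceed target_far and
    report (threshold, FRR) there. Comparing FRR at a fixed FAR is how two
    systems are ranked, as the text explains."""
    for t in sorted(set(genuine) | set(impostor)):
        if far_at(t, impostor) <= target_far:
            return t, frr_at(t, genuine)
    raise ValueError("target FAR not reachable with these scores")


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER = {eer:.2%} at threshold {t}")
    t2, frr = frr_at_target_far(0.10, GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"At FAR <= 10%: threshold {t2}, FRR = {frr:.2%}")
```

With only ten scores per class the curves are coarse, which is exactly why the text insists on published FAR/FRR over open databases: an EER estimated from a handful of comparisons says very little.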
    The abundance of biometric methods is striking. The main methods using a person's static biometric characteristics are identification by the papillary pattern of the fingers, the iris, facial geometry, the retina, the pattern of hand veins, and hand geometry. There is also a family of methods using dynamic characteristics: identification by voice, handwriting dynamics, heart rate, and gait. Below is the breakdown of the biometric market from a couple of years ago. Figures in other sources differ by 15-20 percent, so this is only an estimate. Note also that "hand geometry" here covers two different methods, which are discussed below.


    In this article we will consider only those characteristics that are applicable in access control and management systems (ACS) or in similar tasks. Because of their superior performance, these are primarily static characteristics. Of the dynamic characteristics, at the moment only voice recognition has any statistical significance at all (comparable to the worst static algorithms, FAR~0.1%, FRR~6%), and only under ideal conditions.
    To get a feel for the FAR and FRR probabilities, you can estimate how often false matches will occur if an identification system is installed at the entrance of an organization with N employees. The probability of a false match by a fingerprint scanner against a database of N fingerprints is FAR∙N. And every day about N people also pass through the access control point. So the probability of an error per working day is FAR∙(N∙N). Of course, depending on the purpose of the identification system, the acceptable error probability per unit of time can vary greatly, but if we accept one error per working day as acceptable, then:
    (1)
    Then we find that stable operation of the identification system at FAR = 0.1% = 0.001 is possible with a staff size of N≈30.

    Biometric scanners

    Today, the concepts of "biometric algorithm" and "biometric scanner" are not necessarily linked. A company can produce these elements separately or together. The greatest separation between scanner manufacturers and software manufacturers has been achieved in the fingerprint biometrics market.
    (Image: the smallest 3D face scanner on the market.)
    In fact, the degree of separation largely reflects the development and saturation of the market: the more choice there is, the more thoroughly the topic has been worked out and polished. Different scanners have different sets of capabilities. Mostly these are sets of tests checking whether the biometric object is genuine or a fake. For finger scanners this could be a bump test or a temperature check, for eye scanners a pupil accommodation test, for face scanners facial movement.
    Scanners greatly influence the resulting FAR and FRR statistics. In some cases these numbers can change by a factor of ten or more, especially in real conditions. Typically the characteristics of an algorithm are given for some "ideal" database, or simply a well-suited one, from which blurred and poorly captured frames have been discarded. Only a few algorithms honestly state both the database and the full FAR/FRR results for it.

    And now in more detail about each of the technologies

    Fingerprints


    Dactyloscopy (fingerprint recognition) is the most developed biometric method of personal identification to date. The catalyst for the method's development was its widespread use in 20th-century forensic science.
    Each person has a unique papillary fingerprint pattern, which makes identification possible. Typically, algorithms use characteristic points (minutiae) on the fingerprint: the ending of a pattern line, the branching of a line, single points. In addition, information about the morphological structure of the fingerprint is used: the relative position of the closed lines of the papillary pattern, "arched" and spiral lines. The features of the papillary pattern are converted into a unique code that preserves the information content of the fingerprint image. It is these "fingerprint codes" that are stored in the database and used for searching and comparison. The time to convert a fingerprint image into a code and identify it usually does not exceed 1 s, depending on the size of the database. The time it takes to bring the hand to the scanner is not counted.
    VeriFinger SDK statistics obtained with the DP U.are.U fingerprint scanner were used as the source of FAR and FRR data. Over the past 5-10 years the characteristics of fingerprint recognition have not progressed much, so the figures above represent the average performance of modern algorithms quite well. The VeriFinger algorithm itself won the International Fingerprint Verification Competition, where fingerprint recognition algorithms competed, for several years.
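To make the "characteristic points converted into a code and compared" step concrete, here is an added, deliberately simplified minutiae comparison. It is not VeriFinger's or any product's algorithm: it assumes the two prints are already aligned (real matchers first estimate rotation and translation) and ignores the ridge structure the text also mentions. The enrolled template and the two probes are constructed sample data; the hypothetical names `Minutia`, `count_matching_minutiae`, `similarity` and `decide` are mine.

```python
# Added example: toy minutiae matching on constructed data (not a product algorithm).
import math
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Minutia:
    x: float      # position in pixels (assumed already aligned between prints)
    y: float
    angle: float  # local ridge direction in degrees
    kind: str     # "ending" (line end) or "bifurcation" (line branching)


# Constructed enrolled template: six minutiae of the "fingerprint code".
ENROLLED: List[Minutia] = [
    Minutia(100, 120, 30, "ending"), Minutia(140, 95, 75, "bifurcation"),
    Minutia(160, 150, 120, "ending"), Minutia(90, 180, 200, "bifurcation"),
    Minutia(130, 210, 340, "ending"), Minutia(180, 200, 15, "bifurcation"),
]
# Constructed genuine probe: same finger, small jitter, one point missing
# (a cut across the pattern) and one spurious point (dirt on the sensor).
GENUINE_PROBE: List[Minutia] = [
    Minutia(103, 118, 33, "ending"), Minutia(138, 97, 70, "bifurcation"),
    Minutia(162, 153, 125, "ending"), Minutia(128, 212, 350, "ending"),
    Minutia(181, 198, 10, "bifurcation"), Minutia(60, 60, 90, "ending"),
]
# Constructed impostor probe: a different finger.
IMPOSTOR_PROBE: List[Minutia] = [
    Minutia(50, 60, 10, "ending"), Minutia(120, 40, 200, "bifurcation"),
    Minutia(200, 130, 60, "ending"), Minutia(70, 220, 300, "bifurcation"),
    Minutia(150, 160, 180, "ending"),
]


def angle_diff(a: float, b: float) -> float:
    """Smallest absolute difference between two angles in degrees (wraps at 360)."""
    return abs((a - b + 180.0) % 360.0 - 180.0)


def count_matching_minutiae(probe: List[Minutia], template: List[Minutia],
                            dist_tol: float = 6.0, angle_tol: float = 15.0) -> int:
    """Greedy one-to-one pairing: a probe minutia matches a template minutia
    of the same kind within dist_tol pixels and angle_tol degrees."""
    unused = list(template)
    matched = 0
    for m in probe:
        for cand in unused:
            if (cand.kind == m.kind
                    and math.hypot(cand.x - m.x, cand.y - m.y) <= dist_tol
                    and angle_diff(cand.angle, m.angle) <= angle_tol):
                unused.remove(cand)
                matched += 1
                break
    return matched


def similarity(probe: List[Minutia], template: List[Minutia]) -> float:
    """Score in [0, 1]: matched points over the larger template size, so that
    spurious or missing points both lower the score."""
    if not probe or not template:
        return 0.0
    return count_matching_minutiae(probe, template) / max(len(probe), len(template))


def decide(probe: List[Minutia], template: List[Minutia], threshold: float = 0.5) -> bool:
    """Accept when the similarity reaches the threshold. Raising the threshold
    lowers FAR and raises FRR; lowering it does the opposite."""
    return similarity(probe, template) >= threshold


if __name__ == "__main__":
    print("genuine :", similarity(GENUINE_PROBE, ENROLLED), decide(GENUINE_PROBE, ENROLLED))
    print("impostor:", similarity(IMPOSTOR_PROBE, ENROLLED), decide(IMPOSTOR_PROBE, ENROLLED))
```

The genuine probe loses one point to a cut and gains one spurious point, yet still scores 5/6; the threshold in `decide` is where the FAR/FRR trade-off from the "General information" section is actually set.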

    The characteristic FAR value for the fingerprint recognition method is 0.001%.
    From formula (1) we find that stable operation of the identification system at FAR=0.001% is possible with a staff size of N≈300.
    Advantages of the method. High reliability: the statistical indicators of the method are better than those of identification by face, voice, or signature. Low cost of the devices that scan the fingerprint image. A fairly simple fingerprint scanning procedure.
    Disadvantages: the papillary pattern is very easily damaged by small scratches and cuts. People who have used scanners in enterprises with several hundred employees report a high rate of scanning failures. Many scanners handle dry skin poorly and do not let older people through. In a conversation at the last MIPS exhibition, the head of security of a large chemical enterprise said that their attempt to introduce finger scanners (scanners from various vendors were tried) had failed: minimal exposure of employees' fingers to chemical reagents caused the scanners' anti-spoofing checks to fail, and the scanners declared the fingers a fake. There is also insufficient protection against fingerprint forgery, partly because of the method's very widespread use. Of course, not every scanner can be fooled by MythBusters-style methods, but still. For some people with "unsuitable" fingers (body temperature, humidity), the probability of being denied access can reach 100%. The proportion of such people ranges from a fraction of a percent for expensive scanners to ten percent for cheap ones.
    Of course, it is worth noting that many of these shortcomings surface because the system is so widely used, but they do exist and they appear very often.
    Market situation
    Currently, fingerprint recognition systems occupy more than half of the biometric market. Many Russian and foreign companies produce access control systems based on fingerprint identification. Since this direction is one of the oldest, it has become the most widespread and is by far the most developed. Fingerprint scanners have come a really long way. Modern systems are equipped with various sensors (temperature, pressure, etc.) that increase protection against counterfeiting. Systems become more convenient and compact every day. In fact, developers have already reached a certain limit in this area, and there is nowhere further to take the method. In addition, most companies produce ready-made systems equipped with everything necessary, including software. Integrators in this area simply do not need to assemble the system themselves: it is unprofitable and takes more time and effort than buying a ready-made and already inexpensive system, especially since the choice is really wide.
    Among the foreign companies involved in fingerprint recognition systems one can note SecuGen (USB scanners for PCs, scanners that can be installed at enterprises or built into locks, an SDK and software for connecting the system to a computer); Bayometric Inc. (fingerprint scanners, time-and-attendance/access control systems, fingerprint SDKs, embedded fingerprint modules); DigitalPersona, Inc. (USB scanners, SDK). In Russia the following companies operate in this area: BioLink (fingerprint scanners, biometric access control devices, software); Sonda (fingerprint scanners, biometric access control devices, SDK); SmartLock (fingerprint scanners and modules), etc.

    Iris



    The iris of the eye is a unique characteristic of a person. The pattern of the iris is formed in the eighth month of intrauterine development, finally stabilizes at the age of about two years and practically does not change throughout life, except as a result of severe injuries or severe pathologies. The method is one of the most accurate among biometric methods.
    The iris identification system is logically divided into two parts: a device that captures the image, performs primary processing and transmits it to a computer; and the computer, which compares the image with the images in the database and sends the admission command to the actuator.
    The primary image processing time in modern systems is about 300-500 ms; the speed of comparing the resulting image with the database is 50,000-150,000 comparisons per second on a regular PC. This comparison speed imposes no restrictions on using the method in the access systems of large organizations. With specialized computers and search-optimization algorithms, it even becomes possible to identify a person among the residents of an entire country.
    I should say right away that I am somewhat biased and have a positive attitude toward this method, since it was in this field that we launched our startup. A paragraph at the end will be devoted to a little self-PR.
    Statistical characteristics of the method
    The FAR and FRR characteristics for the iris are the best among modern biometric systems (with the possible exception of retinal recognition). The article presents the characteristics of the iris recognition library of our algorithm, EyeR SDK, which correspond to those of the VeriEye algorithm tested on the same databases. We used the CASIA databases captured with their scanner.

    The characteristic FAR value is 0.00001%.
    According to formula (1), N≈3000 is the organization's staff size at which employee identification remains quite stable.
    Here it is worth noting an important feature that distinguishes iris recognition from other systems. With a camera of 1.3 MP or more, both eyes can be captured in one frame. Since the FAR and FRR probabilities for the two eyes are statistically independent, when recognizing by two eyes the FAR will be approximately the square of the FAR for one eye. For example, for a FAR of 0.001% per eye, the false acceptance rate using both eyes would be 10^-8 %, with an FRR only about twice the FRR for one eye at FAR=0.001%.
    Advantages and disadvantages of the method
    Advantages of the method. Statistical reliability of the algorithm. Iris images can be captured from a distance of several centimeters to several meters, without physical contact between the person and the device. The iris is protected from damage, which means it will not change over time. It is also possible to apply a large number of anti-counterfeiting techniques.
    Disadvantages of the method. The price of an iris-based system is higher than that of a fingerprint or face recognition system. Low availability of ready-made solutions. Any integrator who comes to the Russian market today and says "give me a ready-made system" will most likely fail. Mostly what is sold are expensive turnkey systems installed by large companies such as Iridian or LG.
    Market situation
    At the moment, the share of iris identification technologies in the global biometric market is, according to various estimates, 6 to 9 percent (while fingerprint recognition technologies occupy over half of the market). It should be noted that from the very beginning of the method's development, its establishment in the market was held back by the high cost of the equipment and components needed to assemble an identification system. However, as digital technology developed, the cost of a single system began to decrease.
    The leader in software development in this area is Iridian Technologies.
    The entry of a large number of manufacturers into the market was limited by the technical complexity of the scanners and, as a consequence, their high cost, as well as by the high price of the software owing to Iridian's monopoly position in the market. These factors allowed only large companies to develop in the field of iris recognition, most likely ones already producing some components suitable for an identification system (high-resolution optics, miniature cameras with infrared illumination, etc.). Examples include LG Electronics, Panasonic, and OKI. They entered into agreements with Iridian Technologies, and the joint work produced the following identification systems: Iris Access 2200, BM-ET500, OKI IrisPass. Subsequently, improved models appeared thanks to these companies' technical capacity to develop independently in this area. It should be said that the above companies also developed their own software, but in the end they prefer Iridian Technologies software in the finished system.
    The Russian market is dominated by products of foreign companies, and even those are hard to buy. For a long time the Papillon company assured everyone that they had iris recognition. But even representatives of RosAtom, their direct customer, for whom they made the system, say that this is not true. At some point another Russian company appeared that made iris scanners. I don't remember the name now. They bought the algorithm from someone, perhaps the same VeriEye. The scanner itself was a 10-15-year-old system, by no means contactless.
    In the last year a couple of new manufacturers have entered the global market because the primary patent on human eye recognition has expired. The most trustworthy of them, in my opinion, is AOptix; at least their previews and documentation do not raise suspicions. The second company is SRI International. Even at first glance, to someone who has worked on iris recognition systems, their videos look very deceptive. Although I wouldn't be surprised if in reality they can do something. Neither system shows data on FAR and FRR, and apparently neither is protected against counterfeiting.

    Face recognition

    There are many recognition methods based on facial geometry, all relying on the fact that each person's facial features and skull shape are individual. This area of biometrics seems attractive to many because we recognize each other primarily by faces. It is divided into two directions: 2-D recognition and 3-D recognition. Each has advantages and disadvantages, but much also depends on the application and the requirements for a particular algorithm.
    I'll briefly describe 2-D and then move on to one of the most interesting methods today, 3-D.
    2-D facial recognition

    2-D facial recognition is one of the statistically least effective biometric methods. It appeared quite a long time ago and was used mainly in forensic science, which contributed to its development. Later, computer implementations of the method appeared, which made it more reliable, but it was, of course, inferior to other biometric methods of personal identification and falls further behind every year. Currently, because of its poor statistical indicators, it is used in multimodal (also called cross-) biometrics, or in social networks.
    Statistical characteristics of the method
    For FAR and FRR, data for the VeriLook algorithms were used. Again, by the standards of modern algorithms its characteristics are very ordinary. Sometimes algorithms with an FRR of 0.1% at a similar FAR appear, but the databases on which they were obtained are very questionable (cut-out background, identical facial expression, identical hairstyle, identical lighting).

    The characteristic FAR value is 0.1%.
    From formula (1) we get N≈30, the staff size at which employee identification is quite stable.
    As you can see, the method's statistical indicators are quite modest, which negates its main advantage: that it can be applied to covertly captured footage of people in crowded places. It is funny to see how a couple of times a year yet another project is funded to detect criminals through video cameras installed in crowded places. Over the past ten years the statistical characteristics of the algorithms have not improved, but the number of such projects has grown. Although, it is worth noting that the algorithm is quite suitable for tracking a person in a crowd across many cameras.
    Advantages and disadvantages of the method
    Advantages of the method. Unlike most biometric methods, 2-D recognition does not require expensive equipment. With appropriate equipment, recognition is possible at significant distances from the camera.
    Disadvantages. Low statistical significance. There are lighting requirements (for example, it is not possible to register the faces of people entering from the street on a sunny day). For many algorithms any external interference is unacceptable: glasses, a beard, some hairstyle elements. A frontal image of the face with only very slight deviations is required. Many algorithms do not account for changes in facial expression, i.e. the expression must be neutral.
    3-D facial recognition

    Implementing this method is a rather complex task. Despite this, there are currently many 3-D facial recognition methods. They cannot be compared with each other, since they use different scanners and databases. Not all of them publish FAR and FRR; completely different approaches are used.
    The transitional method from 2-D to 3-D is one that accumulates information about a person. It has better characteristics than the 2-D method but also uses only one camera. When a subject is enrolled, the subject turns their head and the algorithm stitches the images together into a 3D template. During recognition, several frames of the video stream are used. This method is rather experimental, and I have never seen an implementation for access control systems.
    The most classic method is the template projection method. A grid is projected onto the object (the face). Then the camera takes pictures at tens of frames per second, and the resulting images are processed by a special program. A beam falling on a curved surface is bent: the greater the surface's curvature, the stronger the bend. Initially a visible light source was used, passed through "blinds"; later visible light was replaced by infrared, which has several advantages. Typically, at the first processing stage, images in which the face is not visible at all, or in which foreign objects interfere with identification, are discarded. From the remaining images a 3-D model of the face is reconstructed, on which unnecessary noise (hairstyle, beard, mustache, glasses) is detected and removed. Then the model is analyzed: anthropometric features are extracted and ultimately recorded as a unique code entered into the database. Image capture and processing take 1-2 seconds on the best models.
    The method of 3-D recognition from images captured by several cameras is also gaining popularity. An example is the Vocord company with its 3D scanner. According to the developers, this method gives higher positioning accuracy than the template projection method. But until I see FAR and FRR, at least on their own database, I won't believe it!!! It has been in development for 3 years now, and progress at exhibitions is not yet visible.
    Statistical indicators of the method
    Complete FRR and FAR data for algorithms of this class are not publicly available on manufacturers' websites. But for the best models from Bioscrypt (3D EnrolCam, 3D FastPass), which use the template projection method, at FAR = 0.0047% the FRR is 0.103%.
    It is believed that the statistical reliability of the method is comparable to the reliability of the fingerprint identification method.
    Advantages and disadvantages of the method
    Advantages of the method. No need to touch the scanning device. Low sensitivity to external factors, both on the person (glasses, a beard, a change of hairstyle) and in the environment (lighting, head turn). High reliability, comparable to fingerprint identification.
    Disadvantages of the method. High cost of equipment. Commercially available systems were even more expensive than iris scanners. Changes in facial expression and facial noise impair the method's statistical reliability. The method is not yet well developed, especially compared with long-established fingerprinting, which hinders its wide use.
    Market situation
    Recognition by facial geometry is considered one of the "three big biometrics", along with fingerprint and iris recognition. It must be said that this method is quite common and is still preferred over iris recognition. The share of facial geometry recognition technologies in the global biometric market can be estimated at 13-18 percent. In Russia, too, there is more interest in this technology than, for example, in iris identification. As mentioned earlier, there are many 3-D recognition algorithms. For the most part, companies prefer to develop ready-made systems, including scanners, servers and software. However, there are also those who only offer an SDK. Today the following companies are developing this technology: Geometrix, Inc. (3D face scanners, software) and Genex Technologies (3D face scanners, software) in the USA; Cognitec Systems GmbH (SDK, special computers, 2D cameras) in Germany; Bioscrypt (3D face scanners, software), a subsidiary of the American company L-1 Identity Solutions.
    In Russia, Artec Group (3D facial scanners and software) works in this direction; its head office is in California, while development and production are in Moscow. Several Russian companies also have 2D facial recognition technology: Vocord, ITV, etc.
    In 2D face recognition the main subject of development is software, since ordinary cameras do a fine job of capturing facial images. The problem of recognition from a face image has to some extent reached a dead end: for several years there has been virtually no improvement in the algorithms' statistical indicators. Systematic "work on mistakes" is going on in this area.
    3D facial recognition is now a much more attractive area for developers. Many teams work on it, and we regularly hear about new discoveries. Many works are in the "about to be released" state. But so far only old offerings are on the market; the choice has not changed in recent years.
    One interesting question that I sometimes think about, and which Habr may be able to answer: is the accuracy of Kinect sufficient to build such a system? There are quite a few projects that extract a 3D model of a person with it.

    Recognition by veins of the arm


    This is a new technology in biometrics; its widespread use began only 5-10 years ago. An infrared camera takes pictures of the back or palm side of the hand. The vein pattern is visible because hemoglobin in the blood absorbs infrared radiation: reflection is reduced and the veins appear on the camera as dark lines. A special program builds a digital template from the received data. No contact between the person and the scanning device is required.
    The technology is comparable in reliability to iris recognition, being superior in some ways and inferior in others.
    The FRR and FAR values are given for the Palm Vein scanner. According to the developer, at a FAR of 0.0008% the FRR is 0.01%. No company provides a fuller curve for several values.
    Advantages and disadvantages of the method
    Advantages of the method. No need to touch the scanning device. High reliability: the statistical indicators are comparable to those of the iris. Covertness of the characteristic: unlike all of the above, this characteristic is very hard to obtain from a person "on the street", for example by photographing them with a camera.
    Disadvantages of the method. The scanner must not be exposed to sunlight or halogen lamps. Some age-related diseases, such as arthritis, greatly worsen FAR and FRR. The method is less studied than other static biometric methods.
    Market situation
    Hand vein pattern recognition is a fairly new technology, so its share of the world market is small, about 3%. However, interest in this method is growing. Being quite accurate, the method does not require equipment as expensive as, for example, recognition by facial geometry or iris. Many companies are now developing in this area. For example, on the order of the English company TDSi, software was developed for the PalmVein biometric palm vein reader presented by Fujitsu. The scanner itself was developed by Fujitsu primarily to combat financial fraud in Japan.
    The following companies also work in vein pattern identification: Veid Pte. Ltd. (scanner, software), Hitachi VeinID (scanners).
    I don’t know of any companies in Russia working on this technology.

    Retina of the eye


    Until recently, the most reliable method of biometric identification and authentication was believed to be retinal scanning. It combines the best features of iris and hand vein identification. The scanner reads the pattern of capillaries on the surface of the retina. The retina has a fixed structure that does not change over time except as a result of disease, such as cataracts.
    A retinal scan uses low-intensity infrared light directed through the pupil at the blood vessels at the back of the eye. Retinal scanners have become widespread in access control systems for highly sensitive facilities, since they have one of the lowest rates of denied access to registered users and virtually never grant access erroneously.
    Unfortunately, a number of difficulties arise when using this biometric method. The scanner is a very complex optical system, and the person must stay still for a considerable time while the system is aimed, which is unpleasant.
    According to EyeDentify, for the ICAM2001 scanner with FAR=0.001%, the FRR value is 0.4%.
    Advantages and disadvantages of the method
    Advantages. High statistical reliability. Because such systems are rare, the likelihood that a way to "fool" them will be developed is low.
    Disadvantages. The system is hard to use and has a long processing time. High cost. Lack of wide market supply and, as a consequence, insufficient development of the method.

    Hand geometry


    This method, quite common 10 years ago and originating from criminology, has been in decline in recent years. It is based on obtaining the geometric characteristics of the hand: finger lengths, palm width, etc. Like retinal recognition, this method is dying, and since its characteristics are much lower, we will not even give a fuller description of it.
    It is sometimes believed that vein recognition systems use geometric recognition methods. But we have never seen this explicitly stated for any product on sale. Besides, vein recognition often uses a picture of the palm only, whereas geometry recognition uses a picture of the fingers.

    A little self-PR

    At one time, we developed a good eye recognition algorithm. But at that time, such a high-tech thing was not needed in this country, and we didn’t want to go to “bourgeoistan” (where we were invited after the first article). But suddenly, after a year and a half, investors appeared who wanted to build themselves a “biometric portal”: a system that would read both eyes and use the color component of the iris (for which the investor had a worldwide patent). This is what we are doing now. But this is not an article about self-PR, just a short lyrical digression. If anyone is interested, there is some information, and sometime in the future, when we enter the market (or don’t), I will write a few words here about the ups and downs of a biometric project in Russia.

    Conclusions

    Even within the class of static biometric systems there is a wide choice. Which one should you choose? It all depends on the requirements for the security system. The most statistically reliable and forgery-resistant access systems are those based on the iris and on hand veins. For the first of them there is a wider market of offers. But this is not the limit: biometric identification systems can be combined to achieve astronomical precision. The cheapest and easiest to use, while still having good statistics, are fingerprint access systems. 2D face access is convenient and cheap, but has a limited range of applications due to poor statistical performance.
    Let's consider the characteristics that each of the systems has: resistance to counterfeiting, environmental resistance, ease of use, cost, speed, stability of the biometric feature over time. We give ratings from 1 to 10 in each column. The closer the score is to 10, the better the system is in this respect. The principles for selecting the ratings were described at the very beginning of the article.


    We will also consider the relationship between FAR and FRR for these systems. This ratio determines the efficiency of the system and the breadth of its use.


    It is worth remembering that for the iris, you can increase the accuracy of the system almost quadratically, without loss of time, if you complicate the system by making it for two eyes. For the fingerprint method - by combining several fingers, and recognition by veins, by combining two hands, but such an improvement is only possible with an increase in the time spent working with a person.
    Summarizing the results for the methods, we can say that for medium and large facilities, as well as for facilities with the highest security requirements, iris recognition and, possibly, hand vein recognition should be used for biometric access. For facilities with up to several hundred personnel, fingerprint access will be optimal. Recognition systems based on 2D facial images are very specific. They may be required where recognition must take place without physical contact but an iris control system cannot be installed. For example, when it is necessary to identify a person without his participation, using a hidden camera or an external surveillance camera; but this is only workable with a small number of subjects in the database and a small flow of people passing the camera.
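    The two remarks above, that combining two eyes improves accuracy "almost quadratically" and that a hidden-camera 1:N search only works with a small database, both follow from the FAR/FRR arithmetic. The following Python block is an added example, not code from the article; it uses the ICAM2001 retina figures quoted above (FAR = 0.001 %, FRR = 0.4 %) and constructed, clearly labelled iris figures, and assumes the individual comparisons are statistically independent.

```python
from math import log1p

# Figures quoted on the page for the EyeDentify ICAM2001 retina scanner: FAR = 0.001 %, FRR = 0.4 %.
RETINA_FAR, RETINA_FRR = 1e-5, 4e-3
# Constructed figures for a single iris comparison (an assumption for this demo, not a vendor number).
IRIS_FAR, IRIS_FRR = 1e-6, 1e-3


def fuse_all_must_match(rates):
    """Decision-level fusion where every comparison must accept (both eyes, several fingers,
    two hands). Independent impostor matches multiply, so FAR falls geometrically (quadratically
    for two samples); a genuine user is rejected if ANY sample fails, so FRR grows."""
    far = 1.0
    pass_prob = 1.0
    for sample_far, sample_frr in rates:
        far *= sample_far
        pass_prob *= 1.0 - sample_frr
    return far, 1.0 - pass_prob


def fuse_any_may_match(rates):
    """Fusion where one accepting comparison is enough: the mirror image, FRR falls, FAR grows."""
    reject_prob = 1.0
    frr = 1.0
    for sample_far, sample_frr in rates:
        reject_prob *= 1.0 - sample_far
        frr *= sample_frr
    return 1.0 - reject_prob, frr


def identification_far(far_1to1, n_enrolled):
    """FAR of a 1:N search with no claimed identity (the hidden-camera case):
    an impostor is accepted if they match ANY of the N enrolled templates."""
    return 1.0 - (1.0 - far_1to1) ** n_enrolled


def max_database_size(far_1to1, target_far):
    """Largest N for which the 1:N FAR stays at or below target_far."""
    # (1 - far)^N >= 1 - target  <=>  N <= ln(1 - target) / ln(1 - far); log1p keeps precision for tiny rates
    return int(log1p(-target_far) / log1p(-far_1to1))


if __name__ == "__main__":
    print("two eyes, both must match (FAR, FRR):", fuse_all_must_match([(IRIS_FAR, IRIS_FRR)] * 2))
    print("retina, 1:N search over 1000 users, FAR:", identification_far(RETINA_FAR, 1000))
    print("retina users for which 1:N FAR stays <= 1 %:", max_database_size(RETINA_FAR, 0.01))
```

    The "all must match" rule is the one that gives the quadratic FAR gain; its price is that FRR roughly doubles, which is why the article notes that combining fingers or hands costs time with the user. The 1:N function shows the other point: a per-comparison FAR of 0.001 % turns into roughly 1 % false acceptance once a thousand templates are searched.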

    A note to young technicians

    Some manufacturers, for example Neurotechnology, have demo versions of the biometric methods they produce available on their website, so you can easily connect them and play around. For those who decide to delve into the problem more seriously, I can recommend the only book that I have seen in Russian: “Guide to Biometrics” by R.M. Bolle, J.H. Connell, S. Pankanti. It contains many algorithms and their mathematical models. Not everything is complete and not everything is up to date, but the base is good and comprehensive.

    P.S.

    In this opus I did not go into the problem of authentication, but only touched upon identification. In principle, from the characteristics of FAR/FRR and the possibility of forgery, all conclusions on the issue of authentication suggest themselves.

    Tags:

    • biometrics
    • fingerprint scanners

    V.Shramko

    PCWeek/RE No. 45, 2004

    Preventing damage associated with the loss of confidential information stored on computers is one of the most important tasks for any company. It is known that enterprise personnel are often the main culprit of these losses. According to a study by the Computer Security Institute, unintentional employee errors account for 55% of such damage, and the actions of dishonest and offended colleagues account for 10% and 9%, respectively. The remaining losses are attributed to physical protection problems (natural disasters, power supply) 20%, viruses 4% and external attacks 2%.

    The main way to protect information from attackers is to implement so-called AAA, or 3A, tools (authentication, authorization, administration). A significant place among AAA tools is occupied by hardware-software identification and authentication systems (SIA) and devices for entering identification characteristics (the term corresponds to GOST R 51241-98), designed to protect computers against unauthorized access.

    When an SIA is in use, an employee gains access to a computer or corporate network only after successfully completing the identification and authentication procedure. Identification consists of recognizing a user by an identification characteristic inherent in or assigned to him. Authentication then verifies that the user really is the person whose identification characteristic was presented.

    A hardware-software SIA includes identifiers, input-output devices (readers, contact devices, adapters, trusted boot cards, system board connectors, etc.) and the corresponding software. Identifiers are designed to store unique identification characteristics. In addition, they can store and process a variety of sensitive data. The I/O devices and software exchange data between the identifier and the protected computer.

    In the global information security market, the AAA segment is growing steadily. This trend is emphasized in analytical reviews and forecasts by Infonetics Research, IDC, Gartner and other consulting companies.

    Our article will focus on combined identification and authentication systems. This choice is due to the fact that systems of this class currently provide the most effective protection of computers from unauthorized access.

    Classification of identification and authentication systems

    Modern SIA, based on the type of identification features used, are divided into electronic, biometric and combined (see Fig. 1).

    Figure 1 Classification of SIA by type of identification features

    In electronic systems, identification features are presented in the form of a digital code stored in the identifier's memory. Such SIA are developed on the basis of the following identifiers:

    • contact smart cards;
    • contactless smart cards;
    • USB keys (another name for USB tokens);
    • iButton IDs.

    In biometric systems, identification features are individual characteristics of a person, called biometric characteristics. Identification and authentication of this type is based on the procedure of reading the presented biometric feature of the user and comparing it with a previously obtained template. Depending on the type of characteristics used, biometric systems are divided into static and dynamic.

    Static biometrics (also called physiological) is based on data obtained from measurements of a person’s anatomical features (fingerprints, hand shape, iris pattern, facial blood vessel pattern, retinal pattern, facial features, fragments of genetic code, etc.).

    Dynamic biometrics (also called behavioral) is based on the analysis of human actions (voice parameters, dynamics and signature form).

    Despite the numerous biometric characteristics, SIA developers focus on recognition technologies based on fingerprints, facial features, hand geometry and iris. For example, according to a report by the International Biometric Group, in the global biometric security market in 2004, the share of fingerprint recognition systems was 48%, facial recognition 12%, hand geometry 11%, iris 9%, voice parameters 6%, signatures 2%. The remaining share (12%) is middleware.

    In combined systems, several identification features are used simultaneously for identification. Such integration makes it possible to erect additional barriers that an attacker either cannot overcome or can overcome only with great difficulty. Combined systems are developed in two directions:

    • integration of identifiers within a single class system;
    • integration of systems of different classes.

    In the first case, systems based on contactless smart cards and USB keys, as well as on hybrid (contact and contactless) smart cards, are used to protect computers from unauthorized access. In the second case, developers skillfully “cross” biometric and electronic SIA (later in the article such a conglomerate is called a bioelectronic identification and authentication system).

    Features of electronic identification and authentication systems

    Electronic SIA and an analysis of their key characteristics, which allows you to choose one product or another, can be found in my review “Computer Security: Electronic Identification and Authentication Systems” (see PC Week/RE, No. 12/2004, p. 18). Here I will give only the main features of electronic SIA, knowledge of which helps to understand the structure and operating principle of combined systems.

    Combined SIAs may include electronic contact and contactless smart cards and USB keys. The core element of these devices is one or more embedded integrated circuits (chips), which can be memory chips, hard logic chips, or microprocessors (processors). Currently, identifiers with a processor have the greatest functionality and degree of security.

    The chip of a microprocessor contact smart card comprises a CPU, an optional dedicated cryptographic processor, random access memory (RAM), read-only memory (ROM), non-volatile programmable read-only memory (PROM), a random number generator, timers and a serial communication port.

    RAM is used to temporarily store data, such as the results of calculations performed by the processor. Its capacity is several kilobytes.

    Read-only memory stores instructions executed by the processor and other immutable data. Information in ROM is written when the card is manufactured. The memory capacity can be tens of kilobytes.

    Contact smart cards use two types of PROM memory: once-programmable EPROM and, more commonly, multi-programmable EEPROM. PROM memory stores user data that can be read, written, and modified, and sensitive data (such as cryptographic keys) that is not accessible to application programs. PROM capacity is tens and hundreds of kilobytes.

    The smart card's central processing unit (usually a RISC processor) implements a variety of data processing procedures, controls access to memory, and controls the progress of the computing process.

    The specialized processor is entrusted with the various procedures needed to increase the security of the SIA:

    • generation of cryptographic keys;
    • implementation of cryptographic algorithms (GOST 28147-89, DES, 3DES, RSA, SHA-1, etc.);
    • performing operations with electronic digital signatures (generation and verification);
    • performing operations with a PIN code, etc.

    Contactless smart cards are divided into Proximity identifiers and smart cards based on the international standards ISO/IEC 15693 and ISO/IEC 14443. The operation of most SIAs based on contactless smart cards is based on radio frequency identification technology. Structurally, radio frequency identifiers (see Table 1) are made in the form of plastic cards, key rings, tokens, disks, tags, etc.

    Table 1 Radio Frequency Identifiers

    The main components of contactless smart cards are a chip and an antenna. There may also be a lithium battery inside the IDs. Identifiers with a battery are called active, those without a battery are called passive. Each ID has a unique 32/64-bit serial number.

    Proximity identifiers operate at 125 kHz. The chip includes a memory chip (or a chip with hard logic) with auxiliary blocks: a programming module, modulator, control unit, etc. Memory capacity ranges from 8 to 256 bytes. Proximity primarily uses one-time programmable read-only EPROM, but rewritable EEPROM is also available. The memory contains a unique identifier number, device code and service information (parity bits, start and end bits of code transmission, etc.).

    Typically, Proximity IDs are passive and do not contain a chemical power source such as a lithium battery. In this case, the microcircuit is powered by an electromagnetic field emitted by the reader. The reader reads data at a speed of 4 kbit/s at a distance of up to 1 m.

    Proximity-based identification and authentication systems are not cryptographically secure (with the exception of custom systems).
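    The difference between a Proximity tag and a processor card with the cryptographic functions listed above comes down to whether the reply to the reader depends on anything fresh. The Python block below is an added example, not code from the article or from any vendor named on it; the serial numbers, the key and the use of HMAC-SHA256 as the card's response function are constructed for the demo (real cards use the algorithms the article lists, and the key never leaves the chip). It models both sides of the exchange and shows what a reader can and cannot verify in each case.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo values; a real card's key is generated by its cryptographic processor and never leaves the chip.
CARD_SERIAL = bytes.fromhex("00000000c0ffee01")    # 64-bit serial, as the article describes
TAG_SERIAL = bytes.fromhex("a5a5a5a5")             # 32-bit serial of a Proximity tag
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


class ProximityTag:
    """Passive 125 kHz tag: the only thing it can ever send is its fixed serial number."""
    def __init__(self, serial: bytes) -> None:
        self.serial = serial

    def respond(self, challenge: bytes) -> Tuple[bytes, bytes]:
        return self.serial, b""        # the challenge is ignored; nothing in the reply is fresh


class ProcessorCard:
    """Card with a cryptographic processor: it proves possession of its key by MACing the reader's challenge."""
    def __init__(self, serial: bytes, key: bytes) -> None:
        self.serial = serial
        self._key = key

    def respond(self, challenge: bytes) -> Tuple[bytes, bytes]:
        mac = hmac.new(self._key, self.serial + challenge, hashlib.sha256).digest()
        return self.serial, mac


class RecordedReply:
    """A reply heard in an earlier session and presented again unchanged: models any device whose answer has no freshness."""
    def __init__(self, serial: bytes, reply: bytes) -> None:
        self.serial, self.reply = serial, reply

    def respond(self, challenge: bytes) -> Tuple[bytes, bytes]:
        return self.serial, self.reply


class Reader:
    """Enrolment table maps serial -> key; None means the identifier is trusted on its serial alone."""
    def __init__(self, enrolled: Dict[bytes, Optional[bytes]]) -> None:
        self.enrolled = enrolled

    def check(self, presenter, challenge: Optional[bytes] = None) -> bool:
        challenge = challenge if challenge is not None else secrets.token_bytes(16)
        serial, reply = presenter.respond(challenge)
        if serial not in self.enrolled:
            return False
        key = self.enrolled[serial]
        if key is None:
            return True                # serial-only policy: the reader has nothing else it could verify
        expected = hmac.new(key, serial + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, reply)   # constant-time comparison of the MACs


def demo() -> Dict[str, bool]:
    """Runs two sessions with distinct challenges and returns the reader's decision in each case."""
    reader = Reader({TAG_SERIAL: None, CARD_SERIAL: DEMO_KEY})
    tag, card = ProximityTag(TAG_SERIAL), ProcessorCard(CARD_SERIAL, DEMO_KEY)
    session1, session2 = bytes(16), bytes([1]) * 16      # fixed here so the outcome is deterministic
    tag_reply = tag.respond(session1)[1]
    card_reply = card.respond(session1)[1]
    return {
        "tag": reader.check(tag, session1),
        "tag_recorded": reader.check(RecordedReply(TAG_SERIAL, tag_reply), session2),     # indistinguishable from the tag
        "card": reader.check(card, session1),
        "card_recorded": reader.check(RecordedReply(CARD_SERIAL, card_reply), session2),  # bound to the old challenge
        "unknown": reader.check(ProximityTag(b"\xde\xad\xbe\xef"), session2),
    }
```

    A reader holding only a serial number accepts the serial wherever it comes from, which is the precise sense in which the article calls Proximity systems not cryptographically secure. The processor card's reply is bound to the reader's current challenge, so a reply from a previous session is rejected, and the key itself is never transmitted.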

    Contactless smart cards operate at a frequency of 13.56 MHz and are divided into two classes, which are based on the international standards ISO/IEC 15693 and ISO/IEC 14443.

    The ISO/IEC 14443 standard includes versions A and B, which differ in the way the transmitted radio signal is modulated. The standard supports data exchange (read-write) at a speed of 106 kbit/s (the speed can be increased to 212, 424 or 848 kbit/s), reading distance up to 10 cm.

    To implement encryption and authentication functions in ISO/IEC 14443 identifiers, three types of chips can be used: a MIFARE hard logic chip, a processor, or a cryptographic processor. MIFARE technology is a development of Philips Electronics and is an extension of ISO/IEC 14443 (version A).

    The ISO/IEC 15693 standard increases the range of use of a contactless identifier to 1 m. At this distance, data exchange is carried out at a speed of 26.6 kbit/s.

    USB keys (see Table 2) are designed to work with a computer’s USB port. They are structurally manufactured in the form of key rings, which are produced in colored cases, have light indicators of operation and are easily placed on a key ring. Each ID has a unique 32/64-bit serial number that is flashed at the time of manufacture.

    Table 2 Characteristics of USB keys

    The most popular USB keys on the Russian market are:

    • iKey 10xx, iKey 20xx, iKey 3000 series developed by Rainbow Technologies;
    • eToken R2, eToken Pro from Aladdin Knowledge Systems;
    • ePass1000, ePass2000 from Feitian Technologies;
    • ruToken joint development of the Aktiv company and the ANKAD company.

    USB keys are the successors to contact smart cards. Therefore, the structures of USB keys and smart cards, as well as the volumes of similar storage devices, are almost identical. USB keys may include:

    • processor: data management and processing;
    • cryptographic processor: implementation of the algorithms GOST 28147-89, DES, 3DES, RSA, DSA, MD5, SHA-1 and other cryptographic transformations;
    • USB controller: interface with the computer's USB port;
    • RAM: storage of changeable data;
    • EEPROM: storage of encryption keys, passwords, certificates and other important data;
    • ROM: storage of commands and constants.

    Combined systems

    Introducing combined SIA (see Table 3) into a company’s information security system increases the number of identification characteristics, making it possible to protect computers and the corporate network from unauthorized access more effectively. In addition, some types of systems are capable of managing and controlling physical access to buildings and premises.

    Table 3 Main functions of combined SIA

    Today on the computer security market there are combined identification and authentication systems of the following types:

    • systems based on contactless smart cards and USB keys;
    • systems based on hybrid smart cards;
    • bioelectronic systems.

    Contactless smart cards and USB keys

    Hardware integration of USB keys and contactless smart cards means that an antenna and a chip supporting a contactless interface are built into the key fob body. This allows one identifier to be used for access control to both the computer and the office premises. To enter the office, the employee uses his identifier as a contactless card; to gain access to protected computer data, as a USB key. In addition, when leaving the room he removes the identifier from the USB connector (he will need it to re-enter) and thereby automatically locks the computer.

    In 2004, two combined identifiers of this type appeared on the Russian market:

    • RFiKey developed by Rainbow Technologies;
    • eToken PRO RM developed by Aladdin Software Security R.D.

    The RFiKey (Figure 2) is a USB iKey with a built-in Proximity chip developed by HID Corporation.

    Figure 2 RFiKey ID

    The RFiKey product supports the USB 1.1/2.0 interface and operates with readers from HID Corporation (PR5355, PK5355, PR5365, MX5375, PP6005) and the Russian company Parsec (APR-03Hx, APR-05Hx, APR-06Hx, APR-08Hx, H-Reader).

    The main characteristics of RFiKey include the following indicators:

    • operating frequency of the Proximity chip 125 kHz;
    • processor clock frequency 12 MHz;
    • implemented cryptographic algorithms MD5, RSA-1024, DES, 3DES, RC2, RC4, RC5;
    • supported standards PKCS#11, MS Crypto API, PC/SC;
    • file system with three levels of data access;
    • Supported operating systems: Windows 95/98/ME/NT4 (SP3)/2000/XP/2003.

    The eToken RM identifier is an eToken Pro USB key with a built-in chip that supports a contactless interface (Fig. 3). The customer can choose the supplier and type of chip according to his needs. The company currently offers radio chips manufactured by HID Corporation, EM Microelectronic-Marin, Philips Electronics (MIFARE technology), Cotag International and Angstrem OJSC.

    Figure 3 eToken RM ID

    For example, the radio frequency passive identifier BIM-002 from the domestic company Angstrem is made in the form of a round tag. It is built on the basis of the KB5004ХК1 microcircuit, which is based on a 64-bit EPROM memory and a programming unit used to record a unique identification code.

    The main characteristics of eToken RM with a built-in identifier BIM-002 include the following indicators:

    • operating frequency BIM-002 13.56 MHz;
    • identification code reading range up to 30 mm;
    • processor clock frequency 6 MHz;
    • implemented cryptographic algorithms RSA-1024, DES, 3DES, SHA-1;
    • a hardware random number generator;
    • supported standards PKCS#11, PKCS#15 (CRYPTOKI), MS Crypto API, PC/SC, X.509 v3, SSL v3, S/MIME, IPSec/IKE, GINA, RAS/Radius/PAP/CHAP/PAP;
    • supported operating systems Windows 98/ME/NT/2000/XP/2003, ASP Linux 7.2, Red Hat Linux 8.0, SuSe Linux 8.2.

    In the domestic market, the estimated prices of combined identifiers are: RFiKey 1032 from $41, RFiKey 2032 and RFiKey 3000 from $57, eToken RM with 32 KB of protected memory and BIM-002 from $52.

    The difference between the cost of combined and regular USB keys approximately corresponds to the price of a Proximity smart card. It follows that the integration of contactless smart cards and USB keys leads to almost no increase in hardware costs when moving to a combined identification and authentication system. The gain is obvious: one identifier instead of two.

    Hybrid smart cards

    Hybrid smart cards contain dissimilar chips that are not interconnected (Fig. 4). One chip supports a contact interface, the others (Proximity, ISO 14443/15693) contactless. As in the case of the integration of USB keys and contactless smart cards, SIAs based on hybrid smart cards solve a dual problem: protection from unauthorized access to computers and to the company premises where they are kept. In addition, a photograph of the employee is placed on the smart card, which allows him to be identified visually.

    Figure 4 Hybrid smart card structure

    The desire to integrate radio frequency contactless and contact smart card technologies is reflected in the developments of many companies: HID Corporation, Axalto, GemPlus, Indala, Aladdin Knowledge Systems, etc.

    For example, HID Corporation, a leading developer of SIA based on contactless identifiers, has released identifier cards that combine various technologies for reading identification characteristics. The result of these developments was the creation of hybrid smart cards:

    • Smart ISOProx II: integration of a Proximity chip and a contact interface chip (optional);
    • iCLASS: integration of an ISO/IEC 15693 chip and a contact interface chip (optional);
    • iCLASS Prox: integration of a Proximity chip, an ISO/IEC 15693 chip and a contact interface chip (optional).

    On the domestic market, prices for these products are: iCLASS from $5.1; Smart ISOProx II from $5.7; iCLASS Prox from $8.9.

    In Russia, Aladdin Software Security R.D. has developed a technology for producing eToken Pro/SC RM hybrid smart cards, in which chips with the eToken Pro contact interface are built into contactless smart cards. The company offers smart cards from various manufacturers: Angstrem OJSC (BIM-002), HID Corporation (ISOProx II), Cotag International (Bewator Cotag 958), Philips Electronics (MIFARE technology) and others. The choice of combination is up to the customer.

    Analysis of financial costs when switching to the use of hybrid smart cards, as in the case of combining contactless smart cards and USB keys, again confirms the triumph of the “two in one” principle. If you place a photo of an employee on the ID, then this principle is transformed into “three in one”.

    Bioelectronic systems

    To protect computers from unauthorized access, biometric systems are usually combined with two classes of electronic SIA - based on contact smart cards and based on USB keys.

    Integration with electronic systems based on contactless smart cards is mainly used in physical access control systems.

    As already noted, fingerprint identification technologies are leading the biometric security market today. Such an honorable place for fingerprinting is due to the following circumstances:

    • this is the oldest and most studied recognition method;
    • its biometric sign is stable: the surface of the skin on the finger does not change over time;
    • high values of the recognition accuracy indicators (according to the developers of fingerprint security tools, the probability of a false denial of access is 10^-2, and the probability of false access is 10^-9);
    • simplicity and convenience of the scanning procedure;
    • ergonomics and small size of the scanning device;
    • the lowest price among biometric identification systems.

    In this regard, fingerprint scanners have become the most used component of combined SIAs used to protect computers from unauthorized access. In second place in terms of prevalence in the computer security market are SIAs based on contact smart cards.

    An example of this type of integration is the Precise 100 MC (Fig. 5) and AET60 BioCARDKey (Fig. 6) products from Precise Biometrics AB and Advanced Card Systems, respectively. To access the computer's information resources using these tools, the user must insert a smart card into the reader and place a finger on the scanner. Fingerprint templates are stored encrypted in the secure memory of the smart card. If the fingerprint image matches the template, access to the computer is allowed. This is convenient for the user: there is no password or PIN code to remember, and the login procedure is greatly simplified.

    Figure 5 Product Precise 100 MC

    Figure 6 Product AET60 BioCARDKey

    The Precise 100 MC and AET60 BioCARDKey products are USB devices that operate in a Windows environment. Their smart card readers support all types of microprocessor cards that meet the ISO 7816-3 standard (T=0, T=1 protocols). The fingerprint readers are capacitive scanners with scanning speeds of 4 and 14 fingerprints per second for the Precise 100 MC and AET60 BioCARDKey, respectively.

    To reduce the number of peripheral devices, you can integrate a fingerprint scanner and smart card reader into the USB keyboard of the protected computer. Examples of such devices are the KBPC-CID products (Fig. 7) from the Fujitsu Siemens Computers alliance, the Precise 100 SC Keyboard (Fig. 8) and the Precise 100 MC Keyboard from Precise Biometrics AB.

    Figure 7 Product KBPC-CID

    Figure 8 Product Precise 100 SC Keyboard

    To access computer information resources, as in the previous version, the user needs to place a smart card in the reader and place a finger on the scanner. It seems interesting and promising that the developers of combined security systems decided to combine a USB key with a fingerprint identification system (hereinafter we will call such a device a USB bio-key). An example of this solution is the FingerQuick USB biokeys (Fig. 9) from the Japanese corporation NTT Electronics and ClearedKey (Fig. 10) from the American company Priva Technologies.

    Figure 9 FingerQuick USB Bio-Dongle

    Figure 10 USB bio-key ClearedKey

    In the near future, USB biokeys may become widespread due to their advantages:

    • high level of security (presence of a fingerprint scanner, storage of secret data, in particular fingerprint templates, in a secure non-volatile memory of the identifier, encryption of data exchange with a computer);
    • hardware implementation of cryptographic transformations;
    • no separate hardware reader is needed;
    • uniqueness of the attribute, small size and ease of storage of identifiers.

    The main disadvantage of USB biokeys is their high price. For example, the approximate cost of FingerQuick is $190.

    Conclusion

    At first glance, combined identification and authentication systems look like some expensive, exotic products. But global experience in the development of computer security systems shows that all the currently used security tools were also once such exotic products. And now they are the norm of safe life. Hence, it can be said with high probability that a similar fate awaits combined systems.

    ESIA is an independent information system, a single “window” of access for citizens, businesses and executive authorities to the e-government infrastructure, as well as to other information systems connected to the System of Interdepartmental Electronic Interaction (SMEI).

    The key function of the ESIA is to provide the user with a single account for access to many significant government information systems. The account allows you to log in to any portals that use the unified identification and authentication system under the same login and password.

    A single account allows you to quickly and easily pay taxes, enroll your child in kindergarten, find out the status of your pension account, and order many other government services. Businesses, among other things, gained the ability to log in easily to the electronic trading platform, and representatives of government agencies to the State Automated Information System “Management”.

    Why do you need ESIA?

    The system will relieve citizens of the need to store multiple logins/passwords to receive government services electronically. Having registered once in any state information system, a citizen will be able to use the received login and password on other departmental resources. For example, citizens registered on the government services portal will be able to use the login and password from their personal account to access departmental information systems using departmental websites.


    In addition, it will be possible to access government resources using various electronic cards, tools provided by mobile network operators and digital television, or any other means about which the system holds information.

    Single digital profile

    More than 66 million Russians are registered in the ESIA

    As of February 8, 2018, almost half of the Russian population, more than 66 million citizens, had an account in the Unified Identification and Authentication System (ESIA). In 2017, the country's “electronic” population grew by more than 66%. According to the annual statistics, about 2 million users were registered in the ESIA every month.

    The Nenets Autonomous Okrug, which a year ago occupied only 80th place, leads the regional ESIA ranking compiled by the Ministry of Telecom and Mass Communications of Russia. Over the year, the “electronic” population of the region increased by more than 77% and stands at 95.5%. In second place is the Republic of Tyva, with an annual increase of almost 30% and a share of 93.5%. The Chukotka Autonomous Okrug also showed record results, more than 60%: over the year the region “rose” from 71st to 3rd place with a figure of 87.1%. The top 5 is completed by the Khanty-Mansi and Yamalo-Nenets Autonomous Okrugs, with 85.2% and 81%, respectively.

    The share of citizens over 14 years of age registered in the ESIA exceeds 70% in 5 other constituent entities of the Russian Federation: the Kursk, Tula and Sakhalin regions, and the Republics of Dagestan and Altai. In the Tambov and Vologda regions and the Udmurt Republic, this figure has almost been reached and exceeds 69%.

    ESIA is a single point of access to more than 4 thousand government and commercial portals, the number of which increased 4 times in 2017. Almost 1 billion authorizations were made through the ESIA, more than a quarter of which were completed by users to enter the Unified Public Services Portal (UPGU).

    As of February 2018, more than 27 thousand government services at the federal, regional and municipal levels are available at the EPGU. To receive approximately 23 thousand of them, a confirmed account is required, the number of holders of which is about 60% of users of the Unified Portal of Public Services - more than 40 million citizens. You can confirm your identity at any User Service Center.

    2017

    Biometrics, cloud electronic signature, money transfers and data access for business

    Implementation of biometrics

    In particular, Deputy Minister of Communications and Mass Media of the Russian Federation Alexey Kozyrev announced plans to introduce biometric support into the ESIA from the beginning of 2018. At the first stage, voice and face recognition are to be implemented, with identification by fingerprints and iris added later. According to the deputy minister, the Russian Ministry of Internal Affairs is already carrying out the relevant development work.

    For now, identification in the ESIA is carried out using a login-password pair or a qualified electronic signature (an electronic key issued by an accredited certification center).

    Access to data for commercial organizations

At the same time, it is planned to open access to Russian citizens' personal data to commercial organizations, starting with financial organizations, which are the most prepared for electronic interaction, and then to other industries. In particular, organizations will be able to access a citizen's profile on the public services portal, pension savings data, tax payment data and so on. Citizens, in turn, will be able to control the use of their data through a dedicated ESIA web interface: grant and withdraw consent to processing by commercial organizations, receive notifications when their data is processed, and so on.

    Cloud electronic transaction signature

In addition, the Ministry of Telecom and Mass Communications plans to make it possible to sign transactions electronically through the ESIA. Because obtaining a qualified electronic signature is a complex process, citizens are to be offered a cloud signature service. According to Alexey Kozyrev, two Russian companies, whose names were not disclosed, already have the necessary developments, and one of them is in the process of obtaining permits from FSTEC of Russia.

    Money transfers without payment systems

    The most ambitious task voiced by Kozyrev is the creation of a new address space. According to the idea of ​​the Ministry of Telecom and Mass Communications, a unique identifier will make it possible to make a money transfer or send a registered letter to a citizen, regardless of his location. It is planned that citizens will be able to use the unified identification and authentication system to conduct financial transactions with each other - relevant work is already being carried out by the Central Bank and the Fintech association. A unique identifier can be a passport number, INN, SNILS, telephone number and other personal data of the user.

    To implement the task, a special platform for interaction between banks will be required. At the same time, the capabilities of payment systems for making such transfers will not be required, the deputy minister clarified.

    Connecting cellular operators to the e-government infrastructure

In October 2017, Deputy Minister of Telecom and Mass Communications of the Russian Federation Alexey Kozyrev held a meeting of the Subcommittee on the use of information technology in the provision of state and municipal services of the Government Commission on the use of information technologies to improve the quality of life and business conditions. One of the main items was connecting mobile radiotelephone operators to the Unified System of Identification and Authentication (ESIA) and the System of Interdepartmental Electronic Interaction (SMEV), both part of the e-government infrastructure.

“After connecting to the ESIA and SMEV, operators will be able to comply with the requirements of the law and quickly purge their subscriber databases of anonymous users. In addition, connecting to the ESIA will allow operators to develop remote interaction with subscribers,” said Mikhail Bykovsky, Deputy Director of the Department for Regulation of Radio Frequencies and Communication Networks of the Russian Ministry of Telecom and Mass Communications.

    ESIA - a single point of access to digital services of departments

On September 8, 2017, at a meeting of the Subcommittee on the use of IT in the provision of state and municipal services, chaired by the Minister of Telecom and Mass Communications of the Russian Federation Nikolai Nikiforov, the subcommittee considered authorizing users exclusively through the Unified Identification and Authentication System (ESIA) when they request information from state information systems.

The proposal for unified access came from representatives of the Arkhangelsk region. It concerns information such as traffic police fines requested through the official website of the State Traffic Inspectorate of the Ministry of Internal Affairs of Russia, and unified state exam results obtained through the corresponding official websites. The subcommittee instructed that unified access to such information through the ESIA be worked out with the Ministry of Internal Affairs of Russia and the Ministry of Education and Science together with the Federal Service for Supervision in Education and Science (Rosobrnadzor).

During the meeting, a representative of the Kursk region reported growth in the number of government services ordered by the population electronically: in all of 2016 citizens ordered 200 thousand services, while in the past months of 2017 more than 270 thousand applications were submitted. In total, more than 70% of the Kursk region's population is registered in the ESIA. The region's proposal to improve the regulatory documents so that popular services such as issuing a hunting permit can be provided fully electronically was supported. Based on the results of the meeting, the subcommittee recommended that regions take into account the Kursk region's experience in raising the share of citizens using electronic government services.

    50 million Russian citizens

    The Central Bank explained that primary identification will remain face-to-face and the client will have to go through it at the bank in accordance with existing standards. After identification, this information will go to the unified identification and authentication system, which will become the central infrastructure for storing information. Further, if the client turns to another bank for a service, he will not have to go through personal identification, this bank will simply turn to the ESIA.

    It is planned to first use remote identification for transactions of individuals with accounts, deposits, transfers, obtaining loans, and providing account information. After the pilot, this list can be expanded, Skorobogatova said.

    To carry out the project, it is necessary to amend the law and introduce the concept of “remote identification”. The adoption of amendments to the anti-money laundering law and other regulations is expected in the first half of 2017.

    2016

    The monthly increase in users of electronic government services exceeded two million people

As of the end of November 2016, 37.7 million people were registered in the Unified Identification and Authentication System (ESIA). In November 2016 the number of e-government service users grew by 2.4 million, a record for the entire existence of the system.

    Integration with the system of interdepartmental electronic interaction (SMEV) version 3.0 has now been completed by the majority of constituent entities of the Russian Federation. The remaining two subjects - the Republic of Ingushetia and the Tver region - need to transition to a new version of the system.

    Statistics for summer 2016

As of August 18, 2016, the unified identification and authentication system (ESIA) is used by all regional public service portals; the websites of the Federal Tax Service, the Federal Service for State Registration, Cadastre and Cartography, the Federal Treasury and the Pension Fund of the Russian Federation; the official websites for publishing tender and government procurement information; the Russian Public Initiative website; the state housing and communal services information system; and state electronic libraries.

    In July 2015, it became possible to authenticate using an account on the Unified Public Services Portal in the free Wi-Fi network of the Moscow metro. It is also possible to register using an ESIA account at Sheremetyevo International Airport, Aeroexpress terminals, a number of Moscow fairs, at the Spartak stadium and in the children's play learning park

    By creating an account on the official website gosuslugi.ru, a person simultaneously becomes a user of the ESIA. This abbreviation stands for Unified Identification and Authentication System. Essentially, this is an access key that is suitable for all resources that provide federal and municipal services. What are the advantages of this system and how to register with the Unified Identification and Authorization System through the State Services portal will be discussed in this article.

    What is ESIA?

First of all, the ESIA is a system operated under the responsibility of the Ministry of Telecom and Mass Communications of Russia. Any individual, legal entity or organization can become a participant. Registration in the ESIA through the State Services portal is free and available to all Internet users. At the same time, each registered participant in the system has the right at any time.

Once registered, a person receives a login and password that can be used on all government websites participating in the program. That is, if you have an active session on State Services and switch to, for example, the Virtual School resource, which is connected to the ESIA, you will not need to log in again.

In addition to single sign-on to government portals, the system provides single sign-out from them: when the session on State Services ends, sessions on the websites of the Federal Migration Service, the Pension Fund of the Russian Federation, the Federal Tax Service and so on are terminated as well.

The ESIA lets the account owner enter and independently change personal data through the personal account. The SNILS number is checked against the Pension Fund service, the TIN against the Tax Service, and passport data and migration card details (for foreign citizens) against the FMS service.

    What does the ESIA give?

Registration in the ESIA gives an individual the ability to use the State Services website and the other information services connected to the program. This opens up wide opportunities for the account owner, allowing them to:

    • issue various documents via the Internet, for example, a passport, driver’s license;
    • make an appointment with a doctor via the Internet, choosing a convenient date and time for the visit;
    • put the child on the waiting list for kindergarten, enroll him in school, clubs and sections, summer camps;
    • learn about fines and tax debts;
    • submit applications for the provision of various services, for example, marriage registration, change of surname, registration of TIN certificate;
    • pay utility bills, telephone;
    • apply for benefits and social payments, receive benefits;
    • learn about pension savings, check your personal account with the Pension Fund, etc.

    How to become a member of the system?

By creating an account on the State Services portal, the user becomes a participant in the ESIA. To register, go to gosuslugi.ru and enter your real name and phone number or email in the form. The information must be accurate, since you will later add passport data and details from other key documents (SNILS, INN) to your profile.

To complete registration on the ESIA portal, enter the activation code sent by the system to the phone number entered in the previous step. Alternatively, confirm the account by clicking the link in the email sent to your mailbox.

Important: during registration the user must have access to the mobile phone or mailbox used to create the account.

    How do I verify my account?

Having gone through the simple account-creation procedure on the State Services website, a person becomes an ESIA participant with a simplified account. It is worth understanding what that means.

    Simplified registration gives you the right to enter the portal and view information about the various services that are provided on it. However, the user will not be able to receive these services, since actions on the site will be limited.

    Owners of simplified records can check debts and fines online and receive alerts about them. But each user can “raise” their account by adding information about themselves.

    Having indicated the SNILS number and passport data, the account owner, after checking the information by the system, receives a standard account. To assign the status of a standard account, you will need to indicate in your profile:

    • your full name;
    • gender, place of birth and date;
    • citizenship;
    • series/number of passport or other identity document;
    • SNILS number.

    Important: foreign citizens who do not have a SNILS number will not be able to upgrade their account status to standard.

A standard account allows you to pay fines and bills online with bank cards and electronic wallets, make a doctor's appointment, and register a trademark.

The next step, which opens access to all site functions, is obtaining a confirmed account. Owners of a confirmed account can apply for various documents (passport, international passport, certificates and so on) online, put a child in the kindergarten queue, gain access to personal accounts, and so on.

    Important: to receive some services, you must have an electronic digital signature.

To confirm your account, you must either come to an MFC (multifunctional center) in person, order a confirmation code by postal letter, or have . The most popular option is to visit the multifunctional center in person with a passport and SNILS.

    Protection of user personal data

    The system stores important personal information about registered users:

    • passport details;
    • SNILS number;

Therefore, the State Services portal must maintain a high level of security. Personal information is meant to be available only to the account owner and to the services the owner authorizes. Data transferred to the system by account owners is stored on protected government servers, and data in transit is sent over encrypted channels.

In turn, the account owner must understand that the ESIA account password gives access to their personal data and must not be disclosed to third parties. The owner chooses how to store the password and bears full responsibility for keeping it safe.

    The State Services website was launched back in 2010, but for the first few years there was virtually no activity on it. However, today the portal is rapidly developing, opening up wide opportunities for its users. On the State Services website you can easily and quickly obtain hundreds of services of municipal and federal significance. To do this, you just need to fill out an application via the Internet and confirm the operation with your ESIA account password. This eliminates queues, unnecessary stress and additional financial expenses.

Biometric identification is the presentation by the user of a unique biometric trait and its comparison against the whole database of stored templates (a 1:N search); in verification, by contrast, the sample is compared only with the template of the identity the user claims (1:1). To extract this kind of personal data, .

Biometric access control systems are convenient for users because the "credential" is always with them and cannot be lost or forgotten. Biometric identification is also considered more reliable because a biometric trait cannot be handed to a third party the way a card or password can. Two caveats a practitioner should keep in mind: as the comparison below shows, some traits can be spoofed, and unlike a password a compromised biometric cannot be changed.

    Biometric identification technologies

    Biometric identification methods:

    1. Static, based on the physiological characteristics of a person that are present with him throughout his life:

    • Identification ;
    • Identification ;
    • Identification ;
    • Identification by hand geometry;
    • Identification by facial thermogram;
    • Identification by DNA.
    • Identification
    • Identification

2. Dynamic, based on behavioral characteristics, namely the subconscious movements made while repeating an ordinary action: handwriting, voice, gait:

    • Identification ;
    • Identification by handwriting;
    • Identification by keyboard handwriting
    • and others.

One of the priority types of behavioral biometrics is typing style on the keyboard. When determining it, the typing speed, the pressure on the keys, the duration of each key press, and the time intervals between keystrokes are recorded.

A separate biometric factor can be the way a person uses the mouse. Behavioral biometrics also covers many factors unrelated to the computer: gait, the way a person climbs stairs, and so on.
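As an added illustration (this is not code from the original article or from any product it mentions), the following Python sketch shows how the timing features named above are extracted from a key event stream, turned into an enrollment template, and used to verify a later typing sample. Key pressure is omitted because standard keyboards do not report it. The event times, the enrollment samples and the two probes are all constructed by hand, and the acceptance threshold of 2.0 is an assumed value that in practice is tuned from FAR/FRR measurements on held-out data.

```python
"""Keystroke dynamics: timing features, enrollment template and verification (added illustration)."""
from statistics import mean, pstdev

# Constructed enrollment samples (not real measurements): each sample is the user typing
# the word "pass" as a list of (key, press_time_ms, release_time_ms) events.
ENROLL_SAMPLES = [
    [("p", 0, 95), ("a", 140, 230), ("s", 300, 390), ("s", 470, 560)],
    [("p", 0, 100), ("a", 150, 240), ("s", 310, 395), ("s", 480, 570)],
    [("p", 0, 90), ("a", 135, 225), ("s", 295, 385), ("s", 465, 555)],
]
# Constructed probes: one more sample from the same typist, and one from a slower impostor.
GENUINE_PROBE = [("p", 0, 93), ("a", 140, 230), ("s", 300, 390), ("s", 470, 560)]
IMPOSTOR_PROBE = [("p", 0, 150), ("a", 300, 420), ("s", 600, 720), ("s", 900, 1010)]


def features(events):
    """Dwell times (how long each key is held) followed by flight times
    (release of one key to press of the next), all in milliseconds."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Template = per-feature mean and standard deviation over the enrollment samples.
    The standard deviation is floored at 1 ms so a feature that happened to be constant
    during enrollment does not dominate the distance (and to avoid division by zero)."""
    vectors = [features(s) for s in samples]
    n_features = len(vectors[0])
    means = [mean(v[i] for v in vectors) for i in range(n_features)]
    stds = [max(pstdev([v[i] for v in vectors]), 1.0) for i in range(n_features)]
    return means, stds


def distance(template, events):
    """Scaled Manhattan distance: average of |x - mean| / std over all features.
    Values near 0 mean the probe matches the template closely."""
    means, stds = template
    return mean(abs(x - m) / s for x, m, s in zip(features(events), means, stds))


def verify(template, events, threshold):
    """Accept when the probe's distance is below the threshold. The threshold (2.0 in the
    demo below is an assumed value) is normally tuned from FAR/FRR on held-out samples."""
    return distance(template, events) < threshold


TEMPLATE = enroll(ENROLL_SAMPLES)

if __name__ == "__main__":
    for name, probe in (("genuine", GENUINE_PROBE), ("impostor", IMPOSTOR_PROBE)):
        print(f"{name}: distance={distance(TEMPLATE, probe):.2f} "
              f"accepted={verify(TEMPLATE, probe, 2.0)}")
```

Three enrollment samples are far too few for a real deployment; the point of the sketch is the feature definition (dwell and flight times) and the per-feature scaling, which is what makes a fast impostor and a slow impostor equally distant from the template.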

    There are also combined identification systems that use several biometric characteristics, which makes it possible to satisfy the most stringent requirements for the reliability and security of access control systems.

    Biometric identification criteria

    To determine the effectiveness of ACS based on biometric identification, the following indicators are used:

• FAR (False Acceptance Rate) - the rate at which impostors are accepted;
• FMR (False Match Rate) - the probability that the matcher incorrectly declares a match between the input sample and a template belonging to a different person;
• FRR (False Rejection Rate) - the rate at which legitimate users are rejected;
• FNMR (False Non-Match Rate) - the probability that the matcher fails to declare a match between the input sample and that same person's template;
• ROC curve - visualization of the trade-off between FAR and FRR as the decision threshold varies;
• Failure to Enroll rate (FTE or FER) - the rate of unsuccessful attempts to create a template from input data (typically because the sample quality is too low);
• Failure to Capture rate (FTC) - the probability that the system fails to capture a biometric sample that is presented correctly;
• Template capacity - the maximum number of templates the system can store.

FAR and FRR are system-level rates that include capture and enrollment failures; FMR and FNMR describe the matching algorithm alone.

In Russia, the use of biometric data is regulated by Article 11 of Federal Law No. 152-FZ “On Personal Data” of July 27, 2006.

    Comparative analysis of the main methods of biometric identification

    Comparison of biometric authentication methods using mathematical statistics (FAR and FRR)

    The main parameters for evaluating any biometric system are two parameters:

FAR (False Acceptance Rate) - the false acceptance rate: the fraction of impostor attempts (by users who are not enrolled, or who are enrolled under another identity) that the system accepts.

FRR (False Rejection Rate) - the false rejection rate: the fraction of attempts by a legitimate enrolled user that the system rejects.

Both characteristics are estimated statistically from genuine and impostor comparison scores, and both depend on the decision threshold: tightening the threshold lowers FAR and raises FRR, and vice versa. Systems are therefore compared at a fixed FAR (the lower the FRR at that FAR, the more accurate the recognition) or by the EER, the operating point where the two rates are equal.
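The following Python example is added here (it is not from the original article) to make the criteria listed earlier and the definitions in this section concrete. It takes constructed genuine and impostor matcher scores, sweeps the decision threshold, and reports FAR, FRR, the EER and the FRR at a fixed FAR target, plus an FTE estimate from hypothetical enrollment quality values. The scores and quality values are invented, and the "matcher" that would produce them is assumed rather than implemented.

```python
"""FAR, FRR, EER, FRR-at-fixed-FAR and FTE from matcher scores (added illustration)."""

# Constructed similarity scores in [0, 1] from a hypothetical matcher (not real data).
# genuine: a user's sample compared with their own template;
# impostor: a user's sample compared with someone else's template.
GENUINE_SCORES = [0.91, 0.88, 0.84, 0.79, 0.77, 0.73, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.62, 0.58, 0.51, 0.47, 0.44, 0.40, 0.36, 0.31, 0.25, 0.18]


def far(impostor, threshold):
    """False Acceptance Rate: share of impostor comparisons scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine, threshold):
    """False Rejection Rate: share of genuine comparisons scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def roc_points(genuine, impostor):
    """Sweep the decision threshold over every observed score; each point is (threshold, FAR, FRR).
    Plotting FAR against FRR for these points gives the ROC/DET curve."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_rate(genuine, impostor):
    """EER: the threshold where FAR and FRR are closest, and the error rate at that point."""
    t, fa, fr = min(roc_points(genuine, impostor), key=lambda p: abs(p[1] - p[2]))
    return t, (fa + fr) / 2


def frr_at_far(genuine, impostor, far_target):
    """FRR at the loosest threshold whose FAR does not exceed far_target.
    This is how two systems are compared fairly: fix the FAR, then compare the FRR."""
    acceptable = [p for p in roc_points(genuine, impostor) if p[1] <= far_target]
    t, _, fr = min(acceptable, key=lambda p: p[0])
    return t, fr


def failure_to_enroll(quality_scores, min_quality):
    """FTE: share of enrollment attempts whose sample quality was too low to build a template."""
    return sum(1 for q in quality_scores if q < min_quality) / len(quality_scores)


if __name__ == "__main__":
    for t, fa, fr in roc_points(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold={t:.2f}  FAR={fa:.2f}  FRR={fr:.2f}")
    print("EER (threshold, rate):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FRR at FAR <= 0:", frr_at_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
    # constructed enrollment quality values for four attempts, minimum acceptable quality 0.5
    print("FTE:", failure_to_enroll([0.9, 0.4, 0.7, 0.2], 0.5))
```

With ten scores per class the rates move in steps of 0.1, which is exactly why a vendor's quoted FAR of, say, 1 in a million means nothing unless the size of the impostor test set is quoted with it.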

    For the most popular biometric identification methods today, the average FAR and FRR values ​​are as follows:

    But to build an effective access control system, excellent FAR and FRR indicators are not enough. For example, it is difficult to imagine an access control system based on DNA analysis, although with this authentication method the indicated coefficients tend to zero. But the identification time increases, the influence of the human factor increases, and the cost of the system increases unjustifiably.

    Thus, for a qualitative analysis of a biometric access control system, it is necessary to use other data, which, sometimes, can only be obtained experimentally.

    First of all, such data should include the possibility of falsifying biometric data for identification in the system and ways to increase the level of security.

    Secondly, the stability of biometric factors: their immutability over time and independence from environmental conditions.

Third, the speed of authentication and the possibility of fast, contactless capture of biometric data for identification.

    And, of course, the cost of implementing a biometric access control system based on the authentication method under consideration and the availability of components.

    Comparison of biometric methods for resistance to data falsification

Falsifying biometric data is in any case a fairly complex process, often requiring special training and technical support. But whereas a fingerprint can be faked at home, no successful falsification of the iris was known to the authors, and for retina-based systems they considered a fake practically impossible. These judgments are relative and date from the original survey: iris spoofing with printed images and contact lenses has since been demonstrated publicly, so each modality's resistance should be re-checked against current presentation-attack research rather than treated as absolute.

    Comparison of biometric methods for strong authentication capabilities

The security level of a biometric access control system is usually raised by hardware and software measures: for example, “live finger” (liveness) detection for fingerprint readers, and analysis of involuntary eye micro-movements for eye-based methods. A biometric method can also serve as one factor in a multi-factor authentication scheme.

Adding such protection to a hardware and software complex usually raises its cost noticeably. For some methods, however, stronger authentication is possible with standard components, by using several templates to identify the user (for example, several fingerprints).

    Comparison of authentication methods based on the immutability of biometric characteristics

    Constancy of biometric characteristics over time the concept is also conditional: all biometric parameters can change as a result of a medical operation or injury. But if an ordinary household cut, which can complicate the user’s fingerprint verification, is a common situation, then an operation that changes the pattern of the iris of the eye is rare.

    Comparison of sensitivity to external factors

    The influence of environmental parameters on the efficiency of ACS depends on the algorithms and operating technologies implemented by the equipment manufacturer, and can differ significantly even within the same biometric method. A striking example of such differences is fingerprint readers, which are generally quite sensitive to the influence of external factors.

    If we compare other methods of biometric identification, 2D facial recognition will be the most sensitive: the presence of glasses, a hat, a new hairstyle or a grown beard can be critical here.

    Systems using the retinal authentication method require a fairly rigid position of the eye relative to the scanner, immobility of the user and focusing of the eye itself.

Methods that identify a user by vein pattern or by the iris are relatively stable in operation, unless one tries to use them under extreme conditions (for example, contactless authentication at a long distance in light rain).

    Three-dimensional facial identification is the least sensitive to the influence of external factors. The only parameter that can affect the operation of such an access control system is excessive illumination.

    Authentication speed comparison

    Authentication speed depends on the time of data capture, the size of the template and the amount of resources allocated for its processing, and the main software algorithms used to implement a specific biometric method.

    Comparison of contactless authentication capabilities

Contactless authentication offers many advantages for biometric methods in physical security systems at facilities with strict sanitary and hygienic requirements (medicine, the food industry, research institutes and laboratories). In addition, the ability to identify a subject at a distance speeds up verification, which matters for large access control systems with high throughput, and contactless identification can be used by law enforcement agencies for official purposes. That is why contactless methods are being actively developed, but they have not yet achieved consistent results. Particularly valuable are methods that capture a subject's biometric characteristics at a great distance and while in motion; with the spread of video surveillance, implementing this principle is becoming steadily easier.

    Comparison of biometric methods for the psychological comfort of the user

    Psychological comfort of users– is also a fairly relevant indicator when choosing a security system. If in the case of two-dimensional facial recognition or iris recognition it happens unnoticed, then scanning the retina is a rather unpleasant process. And identification by fingerprint, although it does not bring unpleasant sensations, can cause negative associations with forensic methods.

    Comparison of the cost of implementing biometric methods in access control systems

The cost of a biometric access control system varies enormously depending on the identification method used. The difference can also be noticeable within a single method, depending on the system's purpose (functionality), production technology, the measures added to resist unauthorized access, and so on.

    Comparison of the availability of biometric identification methods in Russia

    Identification-as-a-service

    Identification as a Service in the biometric technology market is a fairly new concept, but it promises a lot of obvious advantages: ease of use, time saving, security, convenience, versatility and scalability - like other systems based on Cloud storage and data processing.

    First of all, Identification-as-a-service is of interest for large projects with a wide range of security tasks, in particular for state and local law enforcement agencies, allowing the creation of innovative automated biometric identification systems that provide real-time identification of suspects and criminals.

    Cloud identification as the technology of the future

    The development of biometric identification is parallel to the development Cloud services. Modern technological solutions are aimed at integrating various segments into comprehensive solutions that satisfy all client needs, and not only in ensuring physical security. So the combination of Cloud services and biometrics as part of access control systems is a step that fully meets the spirit of the times and looks into the future.

    What are the prospects for combining biometric technologies with cloud services?

    The editors of the site addressed this question to the largest Russian system integrator, the Technoserv company:

    "Let's start with the fact that the intelligent integrated security systems that we are demonstrating are, in fact, one of the cloud options. And the option from the movie: a person walked past the camera once and he was already logged into the system... This will happen. Over time, with increasing computing power, but it will be.

    Now, for one identification in a stream, with guaranteed quality, you need at least eight computer cores: this is to digitize the image and quickly compare it with the database. Today this is technically possible, but commercially impossible - such a high cost is simply not reasonable. However, with increasing capacity, we will come to the point that a unified bioidentification database will be created,”- answers Alexander Abramov, director of the department of multimedia and situation centers at Technoserv.

    Identity as a Morpho Cloud Service

The first deployment of an automated biometric identification system for government law enforcement in a commercial cloud environment, completed in September 2016, indicates acceptance of cloud services as a convenient and secure option: MorphoTrak, a subsidiary of Safran Identity & Security, and the Albuquerque Police Department successfully deployed MorphoBIS on MorphoCloud. Police have already noted a significant increase in processing speed, as well as the ability to recognize prints of significantly lower quality.

The service developed by MorphoTrak is based on Microsoft Azure Government and includes several biometric identification mechanisms: fingerprint, face and iris. Tattoo recognition, voice recognition and video surveillance as a service (VSaaS) are also possible.

The system's security is ensured partly by hosting in an environment that meets the requirements of the Criminal Justice Information Services (CJIS) Security Policy, which governs criminal justice data, and partly by the combined security expertise of Morpho and Microsoft.

"We designed our solution to help law enforcement agencies achieve time savings and increased efficiency. Security is, of course, a key element. We wanted a cloud-based solution that would meet the government's stringent CJIS security policies, and found Microsoft to be the ideal partner to ensure tight controls on criminal case and national security data within a distributed data center environment," says Frank Barrett, Director of Cloud Services at MorphoTrak, LLC.

As a result, Morpho Cloud is an outstanding example of outsourced identity management that can deliver effective and cost-efficient improvements to law enforcement security systems. Identity as a service provides benefits not available to most institutions: geo-distributed disaster recovery, for example, is generally not feasible because of project cost, and improving security in this way is possible only because of the scale of Microsoft Azure and Morpho Cloud.

    Biometric authentication on mobile devices

    Fingerprint authentication on mobile devices

A study by Biometrics Research Group, Inc. analyzes and forecasts the development of the market for biometric authentication in mobile devices. The study was sponsored by the biometrics manufacturers Cognitec, VoicePIN and Applied Recognition.

    Mobile biometrics market in numbers

    According to the study, the volume of the mobile biometrics segment is estimated at $9 billion by 2018 and $45 billion by 2020 worldwide. At the same time, the use of biometric characteristics for authentication will be used not only for unlocking mobile devices, but also for organizing multi-factor authentication and instant confirmation of electronic payments.

    The development of the mobile biometrics market segment is associated with the active use of smartphones with pre-installed sensors. It is noted that by the end of 2015, mobile devices with biometrics will be used by at least 650 million people. The number of mobile users with biometric sensors is projected to grow by 20.1% per year and by 2020 will be at least 2 billion people.

    Material from the special project "Without a Key"

    The special project “Without a Key” is an accumulator of information about access control systems, convergent access and card personalization