• Font Size:
  • A
  • A
  • A

Feature Articles

Vision-Based Biometrics

by Ben Dawson, Ph.D., M.S.E.E., Director of Research eTrue, Inc. - AIA

A biometric is a measure of some biological quantity or pattern, but has come to mean a measurement of an individual's features, such as fingerprints, that can be used to identify or authenticate a person. Used this way, a biometric is a password that can't be forgotten, lost or stolen.

There are many possible biometrics, including DNA, odor, gait, height, handwriting, and speech, but my focus is on vision-based biometrics - those that use image sensors and algorithms derived from machine vision. I'll review the fundamentals of biometrics, describe vision-based biometric systems that use fingerprint, face or iris images and their abilities, mention multiple biometrics, and quickly review markets for biometric systems. References are set in square braces when introduced.

You might be familiar with Hollywood's version of biometrics. In Sneakers (1992), Robert Redford's character gains access to the bad guys' offices by using a tape recording ('my voice is my passport') to fraud a voice-based biometric. More recently, Gattaca (1997) provides a nightmare view of DNA biometrics, and Pierce Brosnan as James Bond walks a gauntlet of fantastic biometrics. Sneakers is the closest to reality - voice-based biometrics are used for authentication, particularly over the telephone network. To prevent fraud using a tape recorder, you are asked (challenged) to repeat random words.

Serious applications for biometrics include controlling access to a building (called physical access), authenticating a user to allow him/her to access some resource (for example, accessing a secured web site), and identifying a person from among many possible people (for example, looking for terrorists at airports).

Figure 1 shows the major elements in a biometric system. To use the system you first record your biometrics as a reference. This process is called enrolling, enrollment or registration and is shown above the horizontal dotted line. A familiar example of registration is signing a signature card when you open a bank account. Your signature is the enrolled biometric that could be used to check for signature forgeries in presented documents.

The sensor data are processed to find and extract biometric data. These data are put into a data structure called a template and are stored in the database keyed to your name, user name, or some other identifier. This process is sometimes called templification. Face-based biometrics systems can also store the sensor images for error review and for non-repudiation - 'You say you didn't cash that bad check? Well, here is a picture of you doing it!'

When you use the biometric system for authentication, the biometric data (the presented data) are converted to a template and this template is matched with the templates generated by registration. This is similar to template matching in machine vision.

Matching generates a score representing the quality of match between the presented biometrics and the enrolled biometrics. A common convention is to scale these scores to range from 0 to 10, with higher values being a better match. The score might be based on the distance between measurement vectors or a normalized correlation coefficient, or a more complex algorithm.

If you use a biometric system to verify your claim to be you, then you first present an identifier, such as your name, to get the enrolled biometrics from the database. Then your presented biometrics can be compared 'one-to-one' with your enrolled biometrics. This kind of matching is called verification. If you make no identity claim, then the system has to match your presented biometrics with a small ('one-to-few') or large ('one-to-many') number of enrolled biometrics. This kind of matching is called identification, although this leads to some confusion with this term. As the number of people we have to match to increases, the matching time and the possibility of errors increases, as does the database size.

To make the binary decision of accepting or rejecting the match, a threshold is used on the score. As in machine vision, thresholds are 'free variables' that are set as best we can from a priori knowledge. From a large population of users' measures we can compute the probability of correctly or incorrectly accepting or rejecting a match at a specified threshold.

The false acceptance rate (FAR) is the probability that the wrong person is accepted (fraud) using a particular threshold. The false rejection rate (FRR) is the probability that the right person is rejected using a particular threshold. Hypothetical distributions of FAR and FRR probabilities are shown below as a function of threshold.

These error curves show that changing the threshold to decrease one type of error rate increases the other type of error. The Equal Error Rate (EER) is the error rate (probability) where these two error curves cross (crossover rate). The EER is often used as a 'figure of merit' for a biometric system. Sometimes it is better to set the threshold higher or lower than the EER. For example, for verifying an ATM machine transaction, we favor accepting the wrong person over upsetting a customer by rejecting them so we reduce the threshold for a lower FRR and have a higher FAR.

The process of matching and decision making is known authentication. Once you have been authenticated, another process allows you to access those resources you have been authorized to access. For example, you are authorized access to certain parts of a building or based on your level of security clearance.


The fine ridges of skin on your hands, fingers, soles, and toes form unique patterns that can be analyzed for identification. Fingers (fingerprints) are most commonly used, although a print of a baby's sole is sometimes taken to give a larger area for analysis. These ridge and furrow patterns evolved to provide additional friction on surfaces used for gripping, hence fingerprint analysis is sometimes known as 'Friction Ridge Analysis.'

Fingerprints form during fetal development and are essentially unchanged throughout life. Their general pattern has a genetic basis (genotype) but the ridge details are unique to each individual (phenotype). Because of this combination, even identical twins with identical DNA will have slightly different fingerprints [GERMAN]. Fingerprints became the standard for forensic (crime) identification in the early 1900's [FBI]. In Mark Twain's Pudd'nhead Wilson, published in 1894, a case of switched identity and murder is solved by the use of fingerprints [TWAIN]. This is the first example of using fingerprints as part of a book's plot [WAISMAN].

In the past, fingerprints were registered (enrolled) by inking the fingers and rolling them on a fingerprint card. The fingerprint card was then manually compared to the ink print of a suspect, or to a 'latent' print taken from evidence. A latent print often has to be chemically treated to 'develop' the print for comparison. Electronic and optical imaging methods have mostly replaced the ink-and-roll method of getting fingerprints and comparing them with latent prints.

There are perhaps 50 vendors of fingerprint readers for personal identification (See Appendix A). A common type of reader has a red LED light source that totally reflects off a glass window or prism and through optics into a CCD or CMOS image sensor. When you place your finger on the window, the ridges touch the glass while the furrows between ridges do not. Where ridges touch the glass, the index of refraction outside the glass changes and 'frustrates' the total internal reflection at that point - the light is absorbed by the ridges. The sensor therefore 'sees' ridges as dark lines while furrows stay bright.

Another type of reader uses a large (perhaps 1.5 x 1.5 cm) integrated circuit 'area' sensor. The ridges and furrows of a finger placed on this sensor are sensed by capacitance or by radio frequency coupling to the sensor array. Some readers have a single line of sensors, like a line scan camera, over which the user draws their finger to form the image. A hybrid sensor passes an AC current through a polymer sheet to cause it to fluoresce, much like a night-light. A finger print image is formed from the ridges shorting out the fluorescence. The polymer sheet can be put directly on top of an area image sensor or can use optics similar to the LED-based fingerprint readers.

Major fingerprint features, such as whorls, arches or loops (see Figure 3) can be used to classify fingerprints into groups. For detailed classification, we measure positions and relationships of where ridges (or furrows) end or branch. These points are called minutiae (minutia, singular), as they are minute details. Extracting and measuring minutiae are challenging imaging problems [CHANG].


The minutiae are essentially independent measures, so with enough measures you can do well even when there is damage to the finger or the print is incomplete. However, people with small, simple, or missing fingerprints are difficult or impossible to enroll or match. These failure to enroll (FTE) errors occur in perhaps 2 to 4% of the population, more often in the very young and old, manual laborers, and petite women.

Face Biometrics

Our ability to recognize and identify faces is vital to our survival. Our brains come equipped to recognize and learn faces -- a day-old infant can learn to identify a particular face [SLATER] and within a month, knows his/her mother's face [LANGLOIS].

The difficulty of providing some of the brain's ability to recognize faces using a machine vision system has not deterred a few companies and many graduate students from trying (See Appendix B). Among the problems in automatic face recognition are the variable appearance of the face under different lighting and poses, the difficulty of making accurate measures because the face is flexible ('plastic'), and the apparent similarity between faces (See Figure 4). The fact that we recognize faces so easily makes everyone a natural critic of any computer-based face recognition system.


A typical face biometric system captures images with a visible-light camera and processes these images using a personal computer (PC). The camera must have enough resolution and image quality to capture the required details of the face. Inexpensive, consumer grade cameras can be used in office environments, but specialized cameras are needed in more demanding environments such as monitoring airports or outdoor areas.

Before the face can be identified, it must first be found in the image. This is a difficult problem in its own right. There can be multiple faces, the face might be partially obscured or blurred from movement, and there can be face-like objects that 'fool' a face finding algorithm. Skin color, approximate shape, stereo (depth), texture, and/or motion have been used to differentiate possible faces from non-faces (background). Each of the possible face locations is examined using correlation, neural nets, or some other pattern matching algorithm. As in machine vision, searching for faces is usually done on coarse to fine scales (small to large image size) so approximate face locations can quickly be found in a small image and then refined to get precise face locations.

The algorithms for generating face templates and matching these to the enrolled templates are generally proprietary. I group the algorithms into three rough classes:


  • Image-based methods use the intensity of the pixels or derived measures as the biometrics.  As an example, Eigenface methods generate a space of face images, with dimensions that account for face variability.  A face is characterized by a vector in this space [TURK].
  • Feature-based methods match using either features derived from the intensity image - such as intensity edges and 'blobs' - or try to identify and match individual features such as the corners of the mouth.  To overcome position and size variations, features can be analyzed on a local basis [VISIONICS] or neural nets are used to provide tolerant measurements [ETRUE].
  • Constraint-based methods use the known structure of the face to constrain the matching of local features. Constraints can include how much 'energy' it takes to stretch a model feature to a presented feature [YUILLE], [ETRUE].

These are not sharp classes - for example, image data become features and features can be used in constraint-based methods. As with machine vision, face biometrics can be improved by getting better data, using better algorithms, or adding better constraints.

Automated face recognition is the most natural and easy-to-use biometric. The problems of lighting and pose variation, the plastic nature of the face, and the similarity of faces make this biometric less reliable than fingerprints. Unlike fingerprints, there is never a failure to enroll with a face biometric -- assuming you don't have a bag over your head or another strange disguise.

Iris Scans

The iris is the colored part of the eye surrounding the pupil. The furrows, crypts and other structures of the iris are presumed unique, and do not change significantly throughout life (See Figure 5). The use of these patterns for identification was proposed in the 1960's but effective methods for using the patterns were first developed in the 1990's [DAUGMAN 1993].

An image of the iris can be 'unrolled' to produce a linear structure that is similar to a bar code. The 1's and 0's of this bar code are defined by structure of the iris, and are the biometric data. As with fingerprints, the large number of independent bits in this code allows you to miss or be wrong on many bits and still make a match with very high certainty [DAUGMAN WEB1].

A major problem in using the iris for identification is getting a good image of the iris, especially for registration. The iris is quite small and hard to find in an image, and requires precise focus. The iris can be obscured by drooping eyelids, common in some populations, and by pathologies (for example, Bell's Palsy). Once found, enough details of the iris have to be resolved to provide the 'bits' that make up the biometric data.

IriScan uses a hand-held or adjustable mirror in which the user must align his/her eye and through which an image of the iris is taken (See Figure 6). This forces the eye to be in the camera's field of view and at a typical distance from the camera. Sensar (now part of IriScan) developed a sophisticated electro-optical and mechanical system for finding the eye and 'zooming in' on the iris. This allows simpler, 'hands free' use of the biometric system, but at increased cost.

There are reports of failures to enroll as much as 5% of the population using iris biometrics. Iris scanning has the lowest false accept rate of any biometric, but failures to enroll and difficulty in use have limited its commercial acceptance.

Comparing Biometrics

An ideal biometric would have these features:

  • Small error rates (EER) or high 'accuracy'
  • No failure to enroll (FTE)
  • Easy for someone to use, not intrusive
  • Small cost and size
  • Fast verification, fast identification
  • Robust against 'countermeasures' and fraud
  • Social acceptance

In the table below I estimate best and typical EER (equal error rates) and rate each biometric system on the above feature list and using a scale of A = Excellent to D = Poor.

The typical EER rates are estimates based on published numbers and personal experience.  I've discussed the estimated FTE rates.

Ease of Use

Face is the easiest to use and is the only biometric that gives an image that anyone can use to check for errors or for non-repudiation - we are all experts in face recognition.  The iris systems require the user to align their eye or be trained to use the 'hands free' system.  Fingerprints require the user to learn how to put their finger on the sensor for reliable scanning.

Cost and Size

Fingerprint readers can be quite small and built into keyboards, handguns, etc.  Desk-top face biometric systems typically use a small, inexpensive camera, while the iris systems are either a hand-held 'mirror' device (see Figure 6) or a larger and more expensive device for finding and imaging the iris.


The total time for verifying using a biometric system should take 10 seconds or less, ideally less than 3 seconds.  Most of this time is spent on image acquisition, searching the image (if necessary), and template generation.  Fast template matching becomes important as the size of the 'one-to-many' population increases, for example trying to match a 'mug shot' photograph to a large collection of suspects.  A rate of 10,000 matches per second is probably comfortable for a high-end PC doing face or fingerprint matching.


As the value of the assets protected by a biometric system increases, so does the incentive to fraud the verification or identification process.  Face has the highest risk of fraud.  A simple method is 'fraud by photograph,' where a photograph of someone else is presented to the camera for verification.  Most face biometric systems deal with fraud by photograph by looking for head movements or face topography consistent with a live person.

It is harder to fraud a fingerprint reader, but perhaps you could use latex impressions of the target person's fingers.  Some finger readers try to sense a live finger by looking for heat or blood flow.  You might try to fraud an iris scanner by holding up a photograph, but this is countered by looking for eye blinks.  The iris scan images are taken in the near infrared and so a video 'playback attack' probably won't work.

Social Acceptance

It might seem strange to rate a biometric on social acceptability, but there are strong elements of (occasionally irrational) psychology in the use of biometrics.  Some people feel that fingerprints have a 'stigma of criminality', and some governments will therefore not allow fingerprints to be used for general identification.  A few people object to putting their finger on a fingerprint reader because of sanitary considerations.  People seem to accept face biometrics with out objection, perhaps because we are used to having our pictures taken.  Some people seem concerned that iris scanning will put 'radiation' in their eyes.

Multiple or Layered Biometrics

We can use multiple or layered biometrics to improve the accuracy of authentication and 'cover' weaknesses of a particular biometric.  For example, humans use additional biometrics such as height, weight, gait, voice sound, etc., to validate recognition based on a face.

Some commercially important layered biometric systems uses fingerprint as the 'primary' biometric and face as the secondary or checking biometric.  The fingerprint provides high accuracy and the face covers the cases where there is a failure to enroll or verify with the fingerprint.  Combining different biometrics to best effect requires careful combinations of multiple scores and thresholds.  Just using a simple AND or OR combination based on the assumption of independent probabilities leads to the 'weaker' biometric reducing the accuracy of the combined biometric [DAUGMAN WEB2].

Market Overview

I think there is a strong and growing market for vision-based biometrics, but the early hype surrounding biometric systems has made customers justifiably wary.  A new generation of biometric 'providers' has evolved from previous vendors, and they offer more solid and mature products.  This new generation typically uses multiple (layered) biometrics with a web-based business model.

As an example, eTrue combines face, finger and other biometrics using a set of 'rules' (an expert system) to provide high levels of accuracy.  The verification is done over the web at a secure server, thus reducing security issues surrounding the local storage and management of template information.  An exception handling process deals with the small percentage of cases that cannot be automatically verified.  Other vendors who are developing similar business models include:

  • BioNetrix Systems Corporation
  • Ethentica
  • Keyware Technologies
  • Safelink Corporation
  • And the iTrust division of Identix

The development of ASP (application service provider) systems for web-based biometric authentication is not a trivial task.  The vendors that capture this market may become the first tier of a biometric 'business chain'.  They will purchase quantities of cameras, fingerprint readers, and other vision biometric components from their vendors.  My guess of the first tier market is several hundred million dollars, and there should be substantial revenue pass through to suppliers of vision-based biometric components.

Organizations and forums related to biometrics are listed in Appendix D.


[DAUGMAN WEB1]  John G. Daugman.  The fundamental site on iris scan, including methods, history, and mathematical basis.

[DAUGMAN WEB2] John G. Daugman.  Discusses the hazards of combining biometrics. www.cl.cam.ac.uk/users/jgd1000/combine/combine.html

[ETRUE] eTrue.com, Inc.  A supplier of web-based authentication services. Developed face recognition products under the name of Miros, Inc. www.etrue.com

[GERMAN] Ed German, C.L.P.E., F.F.S.  'Frequently Asked Questions about Fingerprints'.  http://onin.com/fp/lpfaq.html

[IRISCAN] Develops iris scan technology and biometric systems. www.iriscan.com/  or  www.sensar.com/

[LANGLOIS] Langlois, J.H., Roggman, L.A., Casey, R.J., & Ritter, J.M. 'Infant preferences for attractive faces: Rudiments of a stereotype?' Developmental Psychology, 23, (1987) pp. 363-369.

[SLATER]  A. Slater and R. Kirby, 'Innate and learned perceptual abilities in the newborn infant', Exp. Brain Res., 123, (1998) pp. 90-94.

[TWAIN] Mark Twain, 'Pudd'nhead Wilson'.  Re-printed by Bantam Classic and Loveswept.  ISBN: 0553211587 (1984).

[TURK] Matthew A. Turk, Alex P. Pentland, 'Recognition in Face Space', SPIE Vol.1381 Intelligent Robots and Computer Vision IX : Algorithms and Techniques (1990).

[VISIONICS] Visionics Corporation.  A supplier of face recognition products. www.visionics.com

[WAISMAN] Scott Waisman.  'About Mark Twain' (1999).  www.geocities.com/~samclemens

[YUILLE] A.L. Yuille, P.W. Hallinan and D.S. Cohen. 'Feature extraction from faces using deformable templates', International Journal of Computer Vision. 8:2, (1992) pp. 99-111.

Appendix A. Some Fingerprint Reader Vendors and Distributors

Optical readers:
American Biometric Company    www.biomouse.com
BioLink Technologies International, Inc.   www.biolinkusa.com

Identicator       www.identicatorinc.com

Biometric Access Co.
Digital Persona, Inc.     www.digitalpersona.com
SAC Technologies, Inc.
NEC Technologies
SECUGEN Corp.     www.secugen.com
I/O Software, Inc.  www.iosoftware.com/products/integration/fiu500/index.htm
SECUGEN Corp.     www.secugen.com/

Ultrasonic Readers:
Ultra-Scan Corporation     www.ultra-scan.com

Thermal Finger Scan Readers:
Thomspon-CSF   www.tcs.thomson-csf.com/fingerchip/FC_home.htm

Hybrid (Polymer fluorescence):
Who?Vision, Inc.     www.whovision.com
(Now Ethentica)    www.ethentica.com




There are currently no comments for this article.

Leave a Comment:

All fields are required, but only your name and comment will be visible (email addresses are kept confidential). Comments are moderated and will not appear immediately. Please no link dropping, no keywords or domains as names; do not spam, and please do not advertise.

First Name: *
Last Name: *
Your Email: *
Your Comment:
Please check the box below and respond as instructed.

Search AIA:

Browse by Products:

Browse by Company Type: