Biometrics authentication techniques: A comparative study

The literature confirms that biometric systems lack security and have numerous limitations and weaknesses. These disadvantages stem from the distinctness of biometric signals and from the way the system collects data and represents individuals, which depends on the method adopted to gather data, the surroundings, the way users interact with the device, and the pathophysiological phenomena that arise due to variations in traits. In addition, such systems have many problems with forgery: for instance, people's voices can be captured when they are speaking their passwords, a camera can photograph an iris from across the room, and fingerprints on surfaces can be removed. As a result, a key feature with high strength against attacks is needed to maximize biometric system security. To this end, numerous techniques for biometric authentication have been proposed. The present study introduces different biometric authentication techniques, such as the biometric cryptosystem and the palm vein cryptosystem.


Introduction
By definition, biometric machines establish an individual's identity on the basis of his/her physical, chemical, or behavioral characteristics (Jain et al., 2004). Ali and Gaikwad (2016) maintained that biometrics is a technology that measures and studies the features of the human body for use in user authentication processes, and that its work depends entirely upon two concepts: uniqueness and permanence. The former guarantees that the same biometric information of two individuals will not be similar, while the latter guarantees that the biometric characteristic never changes over time. Biometric features must be distinctive, universally applicable, and obtainable (Jain et al., 2004). Thus, no two human beings have the same biometric feature, even in the case of twins. In this research, a number of concepts related to biometric technologies are discussed, i.e., biometric authentication, biometric cryptosystem, palm vein cryptosystem, and hand biometrics.
The rest of the paper is organized as follows. Section 2 reviews and discusses the literature. Section 3 introduces biometric authentication. Section 4 presents the biometric cryptosystem. Section 5 explains the concepts related to hand biometrics. Section 6 introduces the palm vein cryptosystem. Section 7 introduces the strengths and weaknesses of biometric authentication systems, and finally, Section 8 concludes the whole study.

Literature review
As reported by the Healthcare Financial Management Association (HFMA, 2016), hospitals are still dependent upon manual processes during the care experience. Such processes involve identifying the patients at registration and then the use of modalities like armbands and barcodes. In addition, many protocols have been established to follow, for instance, the use of two patient identifiers at the time of drawing blood, giving medication, etc. Despite the presence of such protocols, these methods do not offer high reliability because human errors are always probable in these processes, which may lead to mistakes (some of them can be deadly) in patient identification processes (HFMA, 2016). As a dependable way to address such challenges, a number of health organizations have started to invest in biometric technology for patient identification processes. It has been found to be an effective way to minimize patient misidentification-related problems and also to decrease the duplication of medical records. In biometric technology, unique biological identifiers are applied to matching patients with their correct identity. Biometric systems are capable of measuring different physiological characteristics, such as palm print, palm vein, handprint, fingerprint, iris, etc. Andalib and Abdulla-Al-Shami (2013) and Tome and Marcel (2015) argued that biometric systems are also vulnerable to various system attacks. These attacks generally exploit weaknesses in the system infrastructure or administration. This could be because of the limited liveness detection capability of the commonplace system, which can, in turn, reduce the security of the system. Attacks performed against the systems can be categorized into two main groups: direct attacks and indirect ones. In direct attacks, adversaries attack the sensor with artificial biometric samples, with no particular knowledge about the framework.
On the other hand, for indirect attacks, the adversaries need to hold additional information in regard to the internal structure, and they have to gain direct access to some components of the application (Ratha et al., 2001). Ngadi et al. (2012) proposed a mechanism that utilizes the dependency relationship among items to detect and prevent malicious data by calculating a number of relations among data items.
The use of a biometric system may cause two significant effects: refusal of service and intrusion (Jain et al., 2008). The former takes place when a legitimate user fails to obtain services s/he is completely qualified for because the infrastructure is attacked, and the user is kept from gaining access to the system. On the other hand, the latter (intrusion) happens when an attacker has obtained access to the system illegally, which could be due to low security and/or loss of private data. The big problem is that once a biometric template is utilized, it cannot be easily canceled because of the absence of a revocation mechanism (Dhamija and Tygar, 2005); the template will then be rendered unusable (Beng et al., 2008). Furthermore, according to Lalithamani and Sabrigiriraj (2014), using biometric information for identity attribute authentication poses several non-trivial challenges because of the nature of biometric information. For instance, two successive readings of a given biometric do not produce precisely the same biometric template, so matching against the stored template is probabilistic. In addition, storing biometric templates within a database together with more personally distinct data may lead to security/privacy hazards (Dhamija and Tygar, 2005). This is because the database can be highly susceptible to attacks mounted by insiders or outside adversaries, and the database may also be searched without justified reasons. In cryptography, a significant issue related to the security system is key management. If the key is too short or simple, attackers can simply break it, and if the key is stored in, for instance, a database, it can be lost or stolen, which threatens the system (Panchal and Samanta, 2016). If biometric data are leaked, it may result in significant privacy-related problems since biometric features are completely unique and stable for each person.
A key made of a random sequence demonstrates the highest level of security; however, it is not easy to produce and memorize such keys rapidly. In addition, if the key is disclosed, unauthorized parties are capable of determining the key producer or the person to whom the key is assigned (Ogiela and Ogiela, 2011). The process of biometric key authentication can also be subjected to different attacks, e.g., presentation of false biometrics, corruption of the matching unit, attacks on the channel between the stored template and the matching unit, tampering with the biometric feature presentation, etc. (Kannan and Asthana, 2012).
Apart from that, digital forensics relates to biometric systems in determining who the attacker is, how the attack happened, and when it happened. For example, Ikuesan and Venter (2019) established an attribution approach based on heuristics built on traditional machine learning algorithms, with stress on the possibility of interactive mining constancy from the stochastic information of human performance. Digital investigation, explicitly in computer and network forensics, stands to increase much care from such a social attribution process (Al-Dhaqm et al., 2017a). Several articles have been proposed for database forensics to detect and identify attackers or malicious activities (Al-Dhaqm et al., 2014; 2016; 2017b). Thus, biometric systems can be used with database forensics to detect and recognize database crimes.

Biometric authentication
In general, a biometric system creates a unique profile of the physical, chemical, or interactive characteristics of a certain individual (Jain et al., 2004). Biometric machines verify the individuals' identity in order to provide secure access to a certain system (Lalithamani and Sabrigiriraj, 2014). Biometrics can provide dependable tools to overcome the difficulty of identifying individuals by using their unique features (Jain et al., 2004). It offers a simple and secure strategy for verifying people's identity exactly, and it relies on identification tools that cannot be stolen, lost, or forgotten (Lalithamani and Sabrigiriraj, 2014). With the use of biometrics, individuals cannot make false denial claims since this system needs the individual to be present when the authentication process is being done (Jain et al., 2004). It also prevents unauthorized access (Adler, 2004).
According to Ali and Gaikwad (2016), biometrics is dependent upon two modes: enrolment and recognition. At the enrolment step, biometric information is obtained by means of sensors and stored within a certain database together with the individual's personal information to be used for recognition purposes. After that, at the recognition step, the biometric information is obtained by means of the sensors, and then the information is compared to the previously stored information to exactly determine the individual's identity. The enrolment and authentication processes are depicted graphically in Fig. 1.
Fig. 1: The enrolment and authentication processes (Kothavale, 2004)

Biometric cryptosystem
Based on definitions proposed by Chafia et al. (2010) and Uludag et al. (2005), a biometric cryptosystem refers to a combination of the biometric components and cryptographic keys, which is typically known as a crypto-biometric system. Cryptography provides a high and adjustable level of security; it makes available non-repudiation and eliminates the need for memorization of the password or conveying tokens (Arul and Shanmugam, 2009).
In fact, the biometric cryptosystem makes a new integrated form combining biometrics and cryptography, aiming at exploiting the advantages of both fields. Cryptographic keys are generated through direct use of biometric features (Balakumar and Venkatesan, 2012), and they consist of long pseudo-random keys that cannot be memorized (Ayoub and Singh, 1984). This characteristic controls and enhances the system security level for a long time (Balakumar and Venkatesan, 2012). The biometric cryptosystem combines biometric features and encryption (Sadkhan et al., 2016). In this combination, the biometric features play the role of individuals' authentication, while the standard key generation scheme addresses the other components related to controlling (Balakumar and Venkatesan, 2012). Fig. 2 displays the structure of a biometric system. The original data are encoded by means of a key in a way that makes them more complex. Then, they can be decoded whenever needed by means of the same key (Balakumar and Venkatesan, 2012). Two different levels can be observed in a biometric cryptosystem: biometric-based key generation and biometric matching between the input and the enrolled biometric signal by means of the secret key (Verma and Jain, 2015). According to Arul and Shanmugam (2009) and Juels and Sudan (2006), the biometric cryptosystem comprises three modes: key release, key binding, and key generation.

Hand biometrics
The hand plays a fundamental role in the body of any human being. It is the most used part of the body during a day. Thus, in the field of biometrics, the hand is highly accepted by people to be used (Hao et al., 2006). Generally, hand biometrics is divided into three categories: skin surface-based modality, internal structure-based modality, and global structure-based modality. Two recognized instances of the skin surface-based modality are palm print and fingerprint, in which the information related to the skin surface is explored and stored. An instance of the internal structure-based modality is the vein pattern, where the information related to the vein structure under the skin surface is used for recognition purposes. The vein pattern is highly unique and consistent. Finally, hand geometry is an example of the global structure-based modality. This is an acceptable choice in the case of small-scale applications and a high performance-price ratio (Hao et al., 2006). As indicated by Ali and Gaikwad (2016), the surface of the fingertips contains ridges and valleys that are highly unique for each individual; the fingerprint features remain unchanged throughout one's life. In addition, no two individuals can be found with exactly the same fingerprints, even in the case of twins. In a fingerprint system, the ridges are marked by black lines, whereas the valleys are marked by white lines. The image of a fingerprint is depicted in Fig. 3.
The palm is another part of the hand that comprises ridges and valleys with a high uniqueness. The palm consists of flexion creases, secondary creases, and ridges (George et al., 2014). In a palm print, there are some important characteristics, namely the palm geometry, principal lines (life, heart, and head), wrinkles, minutiae, and delta point (Ali and Gaikwad, 2016). They comprise the information required for accurate identification of an individual (Awate and Dixit, 2015) since they hold unique information (Nie et al., 2019). Fig. 4 displays the features in a palm print. When recorded, the palm print is shown as a set of dark lines. These lines represent the high, peaking portion of the friction ridge skin, whereas the valleys that exist between the ridges are shown as white space and correspond to the low, shallow portion of the friction ridge skin (Fig. 5) (George et al., 2014).
In the palm vein authentication system, the individuals' palm vascular patterns are used as identification sources (Mahto and Yadav, 2013), as seen in Fig. 6. During the last decade, extensive studies have been carried out into the palm vein structure (Kumar and Prathyusha, 2009; Wu et al., 2008). The vein pattern of an individual is established in utero, and no two persons can be found with the same palm vein pattern (Mahto and Yadav, 2013). Within the vein vessels, there is deoxidized hemoglobin that absorbs light with a wavelength of roughly 7.6 × 10⁻⁴ mm in the near-infrared region (Miura et al., 2007). This way, we can observe dark lines of the blood vessel pattern that contains deoxidized hemoglobin molecules. The vein authentication device translates the palm blood vessel pattern into black lines in the infrared ray image (Mahto and Yadav, 2013).

Palm vein cryptosystem
The innovative technique of the palm vein cryptosystem is used for identification purposes by means of the blood vessels that exist under individuals' palm skin (Zhou and Kumar, 2011). The palm vein lies within the subcutaneous layer of the palm skin; it is completely unique even in twins (Athale et al., 2015). Fig. 7 displays the cross-section anatomy of palmar skin. The most reliable and secure biometric modality is the palm vein since it cannot be easily copied and faked. This is because the palm vein cannot be observed directly by the eye under ordinary light (Athale et al., 2015). This unique feature will remain unchanged during an individual's lifetime (Zhou and Kumar, 2011). Thus, it offers an accurate, reliable, and cost-efficient tool for identification (Athale et al., 2015).
Fig. 7: Cross-section anatomy of palmar skin (Zhou and Kumar, 2011)
The palm vein cryptosystem involves four steps: Acquiring an image, preprocessing, extracting features, and producing a key. Numerous low-cost vein acquisition systems have been proposed in the literature to take the image needed for the abovementioned processes (Raghavendra et al., 2014). During the acquisition step, the image of the palm vein is obtained by means of a near-infrared (NIR) illumination since it is not possible to penetrate with ordinary light. The volume of hemoglobin within the individual's blood affects the penetration of light; therefore, the visibility of different veins is different in infrared light.
Then, the obtained image is subjected to preprocessing steps for smoothing and enhancement purposes in a way to make the image completely suitable for the following processes. Through the image preprocessing process, blur, noise, and background are eliminated (Chavez-Galaviz et al., 2015). This step also involves cropping and scaling of the image to discard the undesirable parts and achieve the region of interest (ROI) and then improving the sharpness/smoothness of ROI. On the one hand, the ROI size should not encroach into the background areas, and on the other hand, it needs to be wide enough to preserve the pattern texture (Harmer and Howells, 2012).
After that, the image is transformed into a greyscale format to extract the required features, where the image contains grey shades ranging between white and black. Then, the global threshold segmentation method is used to convert the image into a binary format (Chavez-Galaviz et al., 2015). This format comprises only two digits, i.e., 0 and 1. After that, the obtained binary image is passed to the thinning algorithm to obtain the vein skeleton used in the feature extraction process (Chavez-Galaviz et al., 2015). Because the binary image contains noise that comes from the threshold segmentation, it needs to be enhanced again by means of, at first, Guided Filtering and then Gabor filtering (Harmer and Howells, 2012). Segmentation noise is decreased using the morphological operation.
The last step is the key production process, through which the feature already extracted is encrypted in order to create a unique key. The literature contains numerous approaches to the production of the unique key or the cryptosystem; the approaches include the RSA algorithm, the Blowfish cryptographic algorithm, Fuzzy commitments, etc. (Athale et al., 2015). As stated by Nagar et al. (2011), the Fuzzy commitment scheme is applied to biometric encryption. It operates on binary vectors. The Blowfish cryptographic algorithm makes use of a single key for both encryption and decryption (Balakumar and Venkatesan, 2012). RSA is known as a public-key cryptography algorithm offering a system for not only encryption but also authentication.
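The four steps above, reduced to their core as an added example (not code from the paper or the cited works): a constructed 5x8 greyscale ROI is binarized with a global threshold, and the resulting binary vector is bound to a random key with a fuzzy commitment, so that only helper data and a key hash are stored. The threshold of 128, the 5-fold repetition code, the toy 8-bit key and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

REP = 5          # repetition factor of the toy error-correcting code (assumption)
THRESHOLD = 128  # global grey-level threshold (assumed value)

# Constructed 5x8 greyscale ROI: 40 = dark vein pixel under NIR, 200 = tissue.
ENROL_ROI = [
    [200,  40, 200, 200,  40, 200, 200, 200],
    [200,  40, 200,  40, 200, 200,  40, 200],
    [200, 200,  40,  40, 200,  40, 200, 200],
    [200, 200,  40, 200, 200,  40, 200, 200],
    [200,  40, 200, 200, 200, 200,  40, 200],
]
# Constructed impostor palm: two horizontal veins instead.
IMPOSTOR_ROI = [[40] * 8 if r in (1, 3) else [200] * 8 for r in range(5)]

def binarize(roi):
    """Global threshold segmentation, flattened to a binary feature vector."""
    return [1 if px < THRESHOLD else 0 for row in roi for px in row]

def recapture(roi, flipped):
    """Simulate a second scan in which the listed (row, col) pixels misread."""
    return [[255 - px if (r, c) in flipped else px for c, px in enumerate(row)]
            for r, row in enumerate(roi)]

def ecc_encode(key_bits):
    """Repetition code: each key bit is repeated REP times."""
    return [b for b in key_bits for _ in range(REP)]

def ecc_decode(bits):
    """Majority vote per block: corrects up to REP // 2 bit errors per block."""
    return [int(2 * sum(bits[i:i + REP]) > REP) for i in range(0, len(bits), REP)]

def digest(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def enrol(features, key_bits):
    """Key binding: store only helper = codeword XOR features, and H(key)."""
    codeword = ecc_encode(key_bits)
    if len(codeword) != len(features):
        raise ValueError("codeword and feature vector lengths differ")
    return [c ^ f for c, f in zip(codeword, features)], digest(key_bits)

def recover(features, helper, key_hash):
    """Return the bound key if the fresh sample is close enough, else None."""
    candidate = ecc_decode([h ^ f for h, f in zip(helper, features)])
    return candidate if hmac.compare_digest(digest(candidate), key_hash) else None

def demo():
    key = [secrets.randbits(1) for _ in range(8)]  # toy size; real keys are 128+ bits
    helper, key_hash = enrol(binarize(ENROL_ROI), key)
    noisy = recapture(ENROL_ROI, {(0, 0), (0, 2), (1, 3), (3, 5), (4, 7)})
    genuine = recover(binarize(noisy), helper, key_hash)
    impostor = recover(binarize(IMPOSTOR_ROI), helper, key_hash)
    return genuine == key, impostor is None

if __name__ == "__main__":
    print(demo())
```

The repetition code keeps the example short but leaks structure: the XOR of two helper bits in the same block equals the XOR of the corresponding feature bits, so a deployed scheme needs a stronger code and a feature vector with enough entropy.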

Strengths and weaknesses
The proposed biometrics authentication systems have strengths and weaknesses, as shown in Table 1.
Table 1: Strengths and weaknesses of the biometrics authentication systems
Palm print (Banerjee et al., 2018; George et al., 2014; Hao et al., 2006)
Strengths: Greater surface area and contains more minutiae compared to fingerprint. Ridges present in palms are unique and persistent. More distinctive than a fingerprint.
Weaknesses: More deformable than fingerprint. Varies in quality of discrimination power and skin distortion. Appearance is sensitive to illumination condition, aging, skin disease, and abrasion.
Palm vein (Mahto and Yadav, 2013)
Strengths: Has a broader and more complicated vascular pattern. Contains a wealth of differentiating features for personal identification. Less susceptible to change in skin color, unlike the finger or back of the hand. Offers contactless authentication. Provides a hygienic and non-invasive solution, thus promoting a high level of user acceptance. Difficult to forge and contributes to a high level of security because it measures the hemoglobin flow through veins inside the body. Cannot be stolen by photographing, tracing, and recording. Not susceptible to minor trauma, cuts, etc., because the vein is inside the hand and therefore protected. Has no hair, thus eliminating an obstacle to capturing the vein pattern.
Weaknesses: Acquisition device is expensive.

Conclusion
Previous work on biometrics authentication systems found that biometric systems have several limitations and weaknesses. These disadvantages stem from the distinctness of biometric signals and from the way the system collects data and represents individuals, which depends on the method adopted to gather data, the surroundings, the way users interact with the device, and the pathophysiological phenomena that arise due to variations in traits. In addition, such systems have many problems with forgery: for instance, people's voices can be captured when they are speaking their passwords, a camera can photograph an iris from across the room, and fingerprints on surfaces can be removed. As a result, a key feature with high strength against attacks is needed to maximize biometric system security. To this end, numerous techniques for biometric authentication have been proposed. The present study introduces different biometric authentication techniques, such as the biometric cryptosystem and the palm vein cryptosystem. Future work will include developing cryptographic key generation from the palm vein using a fuzzy vault scheme to detect and prevent the privacy of data.