Where modern biometrics is moving
Biometrics is a topic that is accompanied by myths and legends. About 99% accuracy, reliability, about breakthrough technologies, about the recognition of people Vkontakte. A couple of days ago there was an article about Sberbank, for example. Talking about biometrics is very easy to manipulate information: few people feel the statistics.
About five years ago I already wrote a series of articles on Habré about biometrics and how it works ( 1 , 2 , 3 ). Oddly enough, little has changed over the years, although the changes have occurred. In this article I will try to tell as much as possible about today's technologies, about what progress is being made and why Gref’s words say that the words “the card, the main task of which is identification, is a thing of the past” should be treated with skepticism.
In biometrics, there is one main characteristic that determines the quality of any system. More precisely, they are two, but they are inseparable:
• The probability of a false comparison with an object in the database (the probability of a false admission, FAR - false access rate)
• Probability of recognition failure of an object located in the database (FRR - false reject rate)
Each of you can write a program with 100% accuracy confirming the person’s identity in a minute . You just need to always display "yes, this is the desired person." Only here a false comparison of such a program will also be 100%. Anyone can pass.
Now you know that when Gref speaks about 99.9% accuracy, something is not being said to you.
Accuracy is generally such a thing, about which it is difficult to speak in the context of large numbers. 99.9% is a lot or a little? And the probability of 90%, maybe it is enough?
')
Take FAR equal to 0.1% (99.9% praised). Suppose that a person always coincides with himself (FRR = 0, although this will be far from it).
Suppose your company employs 100 people and you want to make a record of working time. With FAR = 0.1%, people will be mistaken for someone else in about 100 * 0.1 = 10% of cases. That is, out of 100 employees, 10 people will pass like other people every day.
On the other hand, these characteristics are sufficient in cases where a person has an access card. In order to penetrate your enterprise, he will need to use the card approximately 1000 times in order to pass for its owner. With minimal protection this is not possible.
The accuracy of 0.1% FAR is quite sufficient also to provide verification of the user of the CALL-center (after he introduced himself, or after determining his phone number), but not for identification.
For now, consider another example. The probability by eye (one of the most accurate recognition methods) to take one person for another (FAR) is 0.00001%. Seems like it is very good? But if there are a million customers in our bank, and we do not use cards? This means that each user with a probability of 10%, we have a jackpot - access to someone else's account.
Of course, you can recognize by two eyes, everything will be much better, the probability of false access will be only 0.0001%. But if at least 100 thousand people use ATMs every day, then with a 10% probability we will have one false access to someone else's account.
In reality, they cheat you. As I say, everything written above without FRR. An erroneous access denial is also unpleasant. As developers consider it:
• The most honest do this: we take an open base with biometric characteristics, we believe what happens.
• Rogue manufacturers throw one or two people out of the database, which spoil all the statistics. Such people are always there.
And now the secret. The first item is also a hoax. Although conspiratorial. Open databases are often ideal images / data that were collected in the laboratory with the right light / noise level. All unsharp / ambiguous from such bases clean manually.
In reality, everything is not so good. Suppose I want to go through the iris of the eye or face or veins of the hands (and there and there the scanners are very similar). What can I encounter?
1. The scanner will not notice that he had someone in sight
2. The scanner will not focus correctly.
3. The scanner is lit by the sun.
4. The scanner does not capture what you need.
5. The parameters of my biometric characteristics are outside the scope of the algorithm: a huge / small hand, a face burn, modified iris geometry
6. The bases on which the voice recognition algorithm works are usually dialed not on the subway or on the worst phones.
All this is not taken into account when calculating the FRR.
As a result, an algorithm that gives 0.1% of failures when a person is recognized on the base often gives 20-30% in real conditions. And this is not a problem of the basic algorithm, it is often a problem of the technique used or the conditions in which it is used.
These 20-30% of users try to repeat the recognition in the second, third, fourth time. FAR statistics is growing.
And there are people who do not work at all. For example on fingerprints. We were told that at the chemical plant, 20% of the staff did not have fingerprints that the scanner could capture. There are people with eye / hand / voice / face disease who are NEVER recognized. Basically.
For each algorithm, there is a certain percentage of such people. Manufacturers often keep silent about it or they themselves do not know if they have not had experience with a large implementation.
People do not like to use something new. Especially if it controls them. Do not want to learn. I saw people who basically could not scan their hand. Always applied with an error and did not listen to advice. I saw people who were terribly afraid of scanning the eyes (this is even some common phobia). And how many people are trying to break the hated scanners on the basis of working time, curtain rag / smeared or stained the camera.
Yes, installing a company scanner may forget such a trivial thing as periodically wiping it with a cloth. Statistics falls.
But let's digress and talk specifically about existing systems. What happened in recent years and where progress is going. Still yesterday, Sberbank announced a fundamentally new solutions.
A couple of common words. Progress does not stand still, but there is no exponential growth. For example, the newfangled Deep Learning, which recently has been tearing and throwing everything, has affected only a few areas of biometrics. But there is a crazy progress in electronics. Computational power appears in each board. Raspberry Pi, Jetson, etc.
Most of what we wrote 5 years ago is still relevant. I will try to reflect the main changes.
Serious biometrics is a type of biometrics that can be used anywhere, regardless of context. It has the best features. Often it can be put in the identification mode on the base (when we are dealing with a small company).
My favorite topic is iris recognition. Statistically, this is the most powerful and fast technology. She always had two big minuses. The price of equipment and ease of use. Now there is a systematic development in these areas. There are significant limitations imposed by optics, which more or less reached its limit. Most likely in the coming years there will be some advancement of technology at the expense of the new base in electronics. So far, it is used quite rarely.
Five years ago, it seemed to me that recognition by papillary pattern achieved everything that could. How I was wrong. In recent years, many fundamentally new ideas have been put forward:
• Recognition by 3d finger image. There are several competing algorithms, but only this link could be found. The difference is in the 3d scanner used.
• Recognition of vessels visible in IR. Again, as I have seen at trade shows, there are now several competing ideas.
• A fundamentally different mathematics, not tied to the standard fingerprint features. The use of adequate finger models and correlation algorithms.
To be honest, I do not even know the characteristics of most of these new systems. They are better than ordinary biometrics on the fingers. They say that the percentage of non-working people is much less. Exactly higher price than standard finger scanners.
There are no bases on which to independently test and confirm the percentages. Each manufacturer creates its own specific scanner - this is its novelty and uniqueness.
Fingers are the most frequently used technology, but rarely anyone uses newfangled improvements. The weakest version is usually used.
Very good feature. It loses in accuracy to the iris of the eye, but surpasses in convenience. People are much easier to learn, more stable to external conditions. Cheaper than iris eyes.
In recent years, the hardware base has fallen somewhat in price, but in general, the technology is now quite stable.
The 3d-person algorithm is directly tied to existing 3d scanners and their price. This is due to their development. The characteristic itself is not bad, comparable with the veins of the hands. But it is much more convenient than the veins and the iris. Just look at the scanner and miss you.
Since 3D scanners now have a dozen, each of them may have its own system. The accuracy of the system is usually determined by the quality of the scanner. For example, you can recognize faces through RealScense, but there will be no high accuracy.
For most systems, this direction is one of the most expensive scanner for the price. Many firms do not voice the price tag.
All the biometrics that I noted above was 5 years ago. Let a little bit in a different format. But two directions have suffered over the years a fundamental development. They did not become “serious methods”, but they became workable. This is a verification of voice and 2D face. Five years ago it was almost impossible to use them. Now they are quite well entrenched in the tasks of verification (confirmation of the person’s identity) and in the tasks of thinning the base. Both here and there the method should be used as a “hint” for the operator. For example:
• In call centers to confirm the speaker’s identity (voice)
• In stores for the seller to immediately see what the buyer bought the last times + contact by name and patronymic (person)
• Find Face (face)
• Banks before issuing a loan (person, voice)
These methods do not give an unambiguous result, but may be attractive for business. This is where the acclaimed Deep Learning applies and the main progress is made.
Predicting what will happen with these methods in the coming years is impossible.
I do not know how to call this biometrics differently. Of course, it gives some chance to correctly recognize the person and throw away the attacker. Perhaps the locker in the wardrobe can be locked. Or phone to password, if there is nothing important. But I would not count on anything more.
• Biometrics by electrocardiogram
• Biometrics in handwriting
• Biometrics gait
Somewhere once a couple of months on Habré there is surely an article about something next from this series. Identification by how a person holds the phone. Or by knocking on the keyboard. These are very bad methods that can always be circumvented if desired, which generate more problems than solutions.
There are still a couple of methods about which nothing has been heard for a long time. Disadvantage of use, complexity of equipment, poor accuracy:
• Biometrics on the retina
• Biometrics on hand geometry
Theoretically, the whole country can be driven into a biometric database and recognized by it. Probably even a properly assembled iris scanner that works on two eyes and a 3D face will cope with the task. But the price of such a scanner will be high. Plus - it is not on the market, you need to develop from scratch.
The problems will be the same - we get 5-10% of users who can not use it. Countrywide is a lot.
Under the project can not hide anything new. Perhaps there is a view of telephone banking + lending. There, biometrics has long been used in other banks.
In the topic of biometrics, I periodically twist since 2008. Mostly as a developer, sometimes as a consultant. And back in 2009, many banks were interested in this technology. Embed biometrics in test ATMs, for example. But nothing went wrong. There are no fundamentally new technologies since (except for Deep Learning, individuals and voices that are already used by banks). I am surprised again revived interest in the topic.
It is also not clear to me how to implement the “refusal of cards” when paying for it in stores. Now the prices of good and reliable biometric scanners start anywhere from $ 600. Rather, it is around 1000, especially with regard to integration. And the price is largely justified purely at the level of iron. Well, suppose that with millions of copies, you can reach 400. Compared to mobile terminals, this is a substantial price.
If you make your scanner eyes + face - it's a few thousand dollars.
If you work in the “verification” mode with cheap finger scanners, you still need the card.
About five years ago I already wrote a series of articles on Habré about biometrics and how it works ( 1 , 2 , 3 ). Oddly enough, little has changed over the years, although the changes have occurred. In this article I will try to tell as much as possible about today's technologies, about what progress is being made and why Gref’s words say that the words “the card, the main task of which is identification, is a thing of the past” should be treated with skepticism.
The most important thing
In biometrics, there is one main characteristic that determines the quality of any system. More precisely, they are two, but they are inseparable:
• The probability of a false comparison with an object in the database (the probability of a false admission, FAR - false access rate)
• Probability of recognition failure of an object located in the database (FRR - false reject rate)
Each of you can write a program with 100% accuracy confirming the person’s identity in a minute . You just need to always display "yes, this is the desired person." Only here a false comparison of such a program will also be 100%. Anyone can pass.
Now you know that when Gref speaks about 99.9% accuracy, something is not being said to you.
A few words about accuracy
Accuracy is generally such a thing, about which it is difficult to speak in the context of large numbers. 99.9% is a lot or a little? And the probability of 90%, maybe it is enough?
')
Take FAR equal to 0.1% (99.9% praised). Suppose that a person always coincides with himself (FRR = 0, although this will be far from it).
Suppose your company employs 100 people and you want to make a record of working time. With FAR = 0.1%, people will be mistaken for someone else in about 100 * 0.1 = 10% of cases. That is, out of 100 employees, 10 people will pass like other people every day.
On the other hand, these characteristics are sufficient in cases where a person has an access card. In order to penetrate your enterprise, he will need to use the card approximately 1000 times in order to pass for its owner. With minimal protection this is not possible.
The accuracy of 0.1% FAR is quite sufficient also to provide verification of the user of the CALL-center (after he introduced himself, or after determining his phone number), but not for identification.
For now, consider another example. The probability by eye (one of the most accurate recognition methods) to take one person for another (FAR) is 0.00001%. Seems like it is very good? But if there are a million customers in our bank, and we do not use cards? This means that each user with a probability of 10%, we have a jackpot - access to someone else's account.
Of course, you can recognize by two eyes, everything will be much better, the probability of false access will be only 0.0001%. But if at least 100 thousand people use ATMs every day, then with a 10% probability we will have one false access to someone else's account.
Tips in percent
In reality, they cheat you. As I say, everything written above without FRR. An erroneous access denial is also unpleasant. As developers consider it:
• The most honest do this: we take an open base with biometric characteristics, we believe what happens.
• Rogue manufacturers throw one or two people out of the database, which spoil all the statistics. Such people are always there.
And now the secret. The first item is also a hoax. Although conspiratorial. Open databases are often ideal images / data that were collected in the laboratory with the right light / noise level. All unsharp / ambiguous from such bases clean manually.
In reality, everything is not so good. Suppose I want to go through the iris of the eye or face or veins of the hands (and there and there the scanners are very similar). What can I encounter?
1. The scanner will not notice that he had someone in sight
2. The scanner will not focus correctly.
3. The scanner is lit by the sun.
4. The scanner does not capture what you need.
5. The parameters of my biometric characteristics are outside the scope of the algorithm: a huge / small hand, a face burn, modified iris geometry
6. The bases on which the voice recognition algorithm works are usually dialed not on the subway or on the worst phones.
All this is not taken into account when calculating the FRR.
As a result, an algorithm that gives 0.1% of failures when a person is recognized on the base often gives 20-30% in real conditions. And this is not a problem of the basic algorithm, it is often a problem of the technique used or the conditions in which it is used.
These 20-30% of users try to repeat the recognition in the second, third, fourth time. FAR statistics is growing.
Errors
And there are people who do not work at all. For example on fingerprints. We were told that at the chemical plant, 20% of the staff did not have fingerprints that the scanner could capture. There are people with eye / hand / voice / face disease who are NEVER recognized. Basically.
For each algorithm, there is a certain percentage of such people. Manufacturers often keep silent about it or they themselves do not know if they have not had experience with a large implementation.
People
People do not like to use something new. Especially if it controls them. Do not want to learn. I saw people who basically could not scan their hand. Always applied with an error and did not listen to advice. I saw people who were terribly afraid of scanning the eyes (this is even some common phobia). And how many people are trying to break the hated scanners on the basis of working time, curtain rag / smeared or stained the camera.
Yes, installing a company scanner may forget such a trivial thing as periodically wiping it with a cloth. Statistics falls.
Systems
But let's digress and talk specifically about existing systems. What happened in recent years and where progress is going. Still yesterday, Sberbank announced a fundamentally new solutions.
A couple of common words. Progress does not stand still, but there is no exponential growth. For example, the newfangled Deep Learning, which recently has been tearing and throwing everything, has affected only a few areas of biometrics. But there is a crazy progress in electronics. Computational power appears in each board. Raspberry Pi, Jetson, etc.
Most of what we wrote 5 years ago is still relevant. I will try to reflect the main changes.
Serious biometrics
Serious biometrics is a type of biometrics that can be used anywhere, regardless of context. It has the best features. Often it can be put in the identification mode on the base (when we are dealing with a small company).
Eyes
My favorite topic is iris recognition. Statistically, this is the most powerful and fast technology. She always had two big minuses. The price of equipment and ease of use. Now there is a systematic development in these areas. There are significant limitations imposed by optics, which more or less reached its limit. Most likely in the coming years there will be some advancement of technology at the expense of the new base in electronics. So far, it is used quite rarely.
Fingers
Five years ago, it seemed to me that recognition by papillary pattern achieved everything that could. How I was wrong. In recent years, many fundamentally new ideas have been put forward:
• Recognition by 3d finger image. There are several competing algorithms, but only this link could be found. The difference is in the 3d scanner used.
• Recognition of vessels visible in IR. Again, as I have seen at trade shows, there are now several competing ideas.
• A fundamentally different mathematics, not tied to the standard fingerprint features. The use of adequate finger models and correlation algorithms.
To be honest, I do not even know the characteristics of most of these new systems. They are better than ordinary biometrics on the fingers. They say that the percentage of non-working people is much less. Exactly higher price than standard finger scanners.
There are no bases on which to independently test and confirm the percentages. Each manufacturer creates its own specific scanner - this is its novelty and uniqueness.
Fingers are the most frequently used technology, but rarely anyone uses newfangled improvements. The weakest version is usually used.
Hand veins
Very good feature. It loses in accuracy to the iris of the eye, but surpasses in convenience. People are much easier to learn, more stable to external conditions. Cheaper than iris eyes.
In recent years, the hardware base has fallen somewhat in price, but in general, the technology is now quite stable.
3d face
The 3d-person algorithm is directly tied to existing 3d scanners and their price. This is due to their development. The characteristic itself is not bad, comparable with the veins of the hands. But it is much more convenient than the veins and the iris. Just look at the scanner and miss you.
Since 3D scanners now have a dozen, each of them may have its own system. The accuracy of the system is usually determined by the quality of the scanner. For example, you can recognize faces through RealScense, but there will be no high accuracy.
For most systems, this direction is one of the most expensive scanner for the price. Many firms do not voice the price tag.
Biometrics for special purposes
All the biometrics that I noted above was 5 years ago. Let a little bit in a different format. But two directions have suffered over the years a fundamental development. They did not become “serious methods”, but they became workable. This is a verification of voice and 2D face. Five years ago it was almost impossible to use them. Now they are quite well entrenched in the tasks of verification (confirmation of the person’s identity) and in the tasks of thinning the base. Both here and there the method should be used as a “hint” for the operator. For example:
• In call centers to confirm the speaker’s identity (voice)
• In stores for the seller to immediately see what the buyer bought the last times + contact by name and patronymic (person)
• Find Face (face)
• Banks before issuing a loan (person, voice)
These methods do not give an unambiguous result, but may be attractive for business. This is where the acclaimed Deep Learning applies and the main progress is made.
Predicting what will happen with these methods in the coming years is impossible.
Biometrics Just for lulz
I do not know how to call this biometrics differently. Of course, it gives some chance to correctly recognize the person and throw away the attacker. Perhaps the locker in the wardrobe can be locked. Or phone to password, if there is nothing important. But I would not count on anything more.
• Biometrics by electrocardiogram
• Biometrics in handwriting
• Biometrics gait
Somewhere once a couple of months on Habré there is surely an article about something next from this series. Identification by how a person holds the phone. Or by knocking on the keyboard. These are very bad methods that can always be circumvented if desired, which generate more problems than solutions.
Dead methods
There are still a couple of methods about which nothing has been heard for a long time. Disadvantage of use, complexity of equipment, poor accuracy:
• Biometrics on the retina
• Biometrics on hand geometry
What is wrong with the Sberbank project .
Theoretically, the whole country can be driven into a biometric database and recognized by it. Probably even a properly assembled iris scanner that works on two eyes and a 3D face will cope with the task. But the price of such a scanner will be high. Plus - it is not on the market, you need to develop from scratch.
The problems will be the same - we get 5-10% of users who can not use it. Countrywide is a lot.
Under the project can not hide anything new. Perhaps there is a view of telephone banking + lending. There, biometrics has long been used in other banks.
In the topic of biometrics, I periodically twist since 2008. Mostly as a developer, sometimes as a consultant. And back in 2009, many banks were interested in this technology. Embed biometrics in test ATMs, for example. But nothing went wrong. There are no fundamentally new technologies since (except for Deep Learning, individuals and voices that are already used by banks). I am surprised again revived interest in the topic.
It is also not clear to me how to implement the “refusal of cards” when paying for it in stores. Now the prices of good and reliable biometric scanners start anywhere from $ 600. Rather, it is around 1000, especially with regard to integration. And the price is largely justified purely at the level of iron. Well, suppose that with millions of copies, you can reach 400. Compared to mobile terminals, this is a substantial price.
If you make your scanner eyes + face - it's a few thousand dollars.
If you work in the “verification” mode with cheap finger scanners, you still need the card.
Source: https://habr.com/ru/post/302022/
All Articles