What sort of magic is fingerprint authentication?

All biometric identification forms broadly share four qualities: everyone has the characteristic, everyone's is unique, it remains stable over time, and it is easy to collect. Fingerprints, unlike some other forms such as facial scans, generally require the cooperation of the individual being enrolled in biometric authentication, at which point the characteristics of their fingerprint are saved as a reference template. Any time a new biometric sample is submitted (the trial biometric), it is tested against the reference template. Since biometric systems do not work to a level of granularity that guarantees 100% identical samples each time, a match score is calculated for the trial biometric and, as long as it meets the threshold for authentication, the user is authenticated.

Fingerprint patterns are stored by capturing images of the fingerprint, which allow the system to observe its ridges and valleys. The image is then stored and divided into regions that contain recognizable patterns; these can be further subdivided to collect data points within each region known as minutiae, each of which is recorded by its x and y coordinates, pattern class, and angle. To fully identify a fingerprint sample, a combination of the number of regions, the number of ridges, and the minutiae is used.

Password comparison can be done by comparing an entered password with a one-way hash stored (for example, as PVD) on the given system. Depending on how the system is accessed, authentication may take more of a challenge-and-response form: the system being accessed generates a challenge c, which is transmitted to the system from which the user is authenticating. The remote user's system combines the challenge with a password p shared between the two systems to generate a response r, where r = g(p, c). The system being accessed computes its own expected value r' the same way and checks the received response against it; if r = r', authentication succeeds.
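The challenge-and-response exchange described above, written out with both sides' computations as an added example (not code from the original post). It assumes HMAC-SHA256 as the response function g, a constructed shared password p, and a fresh random challenge per attempt; the post specifies none of these.

```python
import hashlib
import hmac
import secrets

# Constructed shared password p; a real deployment provisions this out of band.
SHARED_PASSWORD = b"constructed-example-password"


def g(p: bytes, c: bytes) -> bytes:
    """Response function r = g(p, c). HMAC-SHA256 is an assumed choice of g;
    the post leaves the function unspecified."""
    return hmac.new(p, c, hashlib.sha256).digest()


class Verifier:
    """The system being accessed: issues c and checks r against its own r'."""

    def __init__(self, password: bytes):
        self._password = password
        self._outstanding = None  # challenge awaiting a response, if any

    def issue_challenge(self) -> bytes:
        # A fresh random challenge per attempt; a response is only valid for it.
        self._outstanding = secrets.token_bytes(16)
        return self._outstanding

    def check_response(self, r: bytes) -> bool:
        if self._outstanding is None:
            return False
        c, self._outstanding = self._outstanding, None  # each challenge is single use
        r_expected = g(self._password, c)               # r' computed locally
        # Constant-time comparison of r and r'.
        return hmac.compare_digest(r, r_expected)


def run_exchange(claimant_password: bytes) -> bool:
    """One full exchange: verifier -> c -> claimant -> r -> verifier."""
    verifier = Verifier(SHARED_PASSWORD)
    c = verifier.issue_challenge()
    r = g(claimant_password, c)  # the remote user's system computes r = g(p, c)
    return verifier.check_response(r)


def stale_response_is_rejected() -> bool:
    """A response computed for an earlier challenge does not match a new one."""
    verifier = Verifier(SHARED_PASSWORD)
    r_old = g(SHARED_PASSWORD, verifier.issue_challenge())
    verifier.issue_challenge()  # a new challenge supersedes the old one
    return not verifier.check_response(r_old)
```

Because the verifier recomputes r' from the challenge it actually issued, only a response derived from the current c and the correct p can match.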

While both password and biometric authentication compare received data (a typed password or a scanned fingerprint, for example) against an expected value, those values look very different. A password hash or response value is a field calculated from an input that the user or system created, and it can easily be changed; a fingerprint (or other biometric) is static unless the person undergoes a physical change, and the reference and trial data being compared are observations taken from the biometric sample rather than a calculated field.
