
Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Fingerprint Identification: An Aid
to the Authentication Process
By Rodger Jamieson, Ph.D., CA, Greg Stephens and Santhosh Kumar
Following the terrorist attacks of 11 September 2001 and the
ongoing war against terrorism, there has been a worldwide
effort by governments to develop a biometric standard that
could be used to identify airline passengers, control access to
high-security buildings and record the details of convicted
criminals...(implemented in) biometric technology, which uses a
chip to store biological information, such as face scans, iris
patterns and fingerprints. 1 Terrorism, ID fraud and cybercrime are
just a few of the reasons for investigating biometrics.
The purpose of this article is to investigate the application
of biometrics to the task of security, particularly the
authentication/verification processes. In addition to the reasons
provided above, there is a greater emphasis on e-business
systems, with these applications being developed for
distributed deployment and a diverse range of stakeholders.
Clearly, a major issue is the authentication of remote users,
that is, being reasonably certain that the individual is who
he/she purports to be. Traditionally, a number of electronic
means have been attempted, such as user ID/passwords,
public/private keys and various forms of encryption.
As technology advances and provides more specialised
equipment, other means are becoming practical. This article
looks at the potential of fingerprint recognition as a means of
verifying a remote user. Fingerprinting has been selected as it
is one of the least invasive biometric methods. This article looks at the
advantages and disadvantages, audit implications, and the
usability of fingerprint authentication.
Like most technical fields, biometrics and its associated
systems have a multitude of definitions. Most definitions are
dependent on the context in which the subject is being
discussed. For the purpose of this article, biometric systems
will be defined as:
Automated methods of verifying or recognising a
living person on the basis of some physiological
characteristics, such as fingerprint or iris patterns, or
some aspects of behaviour, such as handwriting or
keystroke patterns. 2
This definition has a physiological and a behavioural aspect. The differences between using physiological and behavioural identifiers are quite significant, especially when considering accuracy, cost and acceptance by the user. These differences will be considered later.
Why Biometrics?
Biometric systems use points of measurable uniqueness to
determine identities.3 This technology can act as the front end
to a system that requires precise identification of those
requesting access before the system may be used. This concept
is essentially what password systems attempt to achieve;
knowing a password provides access to a system or location.
There is, however, one fundamental difference between access
systems using passwords and those using biometric methods.
Password systems are identity-nonspecific. They can be
stolen, given to other users and, in some cases, guessed,
meaning that there is no guarantee that the person logging on is
the owner of that password. Put simply, there is no foolproof
way to prevent unauthorised intrusion or to determine user
identity beyond doubt.4 By contrast, biometric systems use
identifiers that are inextricably linked to the user in question.
These range from fingerprint and voice scans to iris and retinal
pattern recognition. The premise behind using such identifiers is
that they are unique, generally not subject to change, and cannot
be stolen, lost or forgotten.5 This is not to say that biometric
identifiers are infallible. They do, however, represent a useful
method of linking identity to specific system users.
How Biometrics Work
Biometric systems generally comprise three basic components:6
• An automated mechanism scans and captures a digital or analogue image of a living individual's characteristics.
• Another mechanism handles compression, processing, storage and comparison of the collected data with the stored data.
• A third component interfaces with the application system to which the user is attempting to gain access.
Obviously, the configuration of such a system may be
altered to suit a particular situation. However, the majority of
biometric control systems follow this simple model.
It should be noted that there is one crucial step required in
setting up a biometric system: enrolment. The only way to gain
access to a biometrically controlled system is to enrol.
Enrolment is required to generate a reference template. The
methods of enrolment vary according to the device used but
usually involve scanning the required biometric data a number
of times to gain an accurate measurement. A template is then
created and linked to the user's identity.7 This template provides
the reference for comparison when access attempts are made. It
is the storage and risk of misuse of such templates that create
the most concern for users. This issue will be discussed later.
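The enrolment-then-compare loop just described, as an added worked example (not code from the article or from any product it mentions): several captures of one finger are consolidated into a reference template, a later probe is scored against that template, and the accept/reject decision is a threshold on that score rather than an exact match. It assumes a minutiae-style representation (ridge endings and bifurcations as points with an orientation), fixed position and angle tolerances and a 0.6 decision threshold; the minutiae lists, tolerances and threshold are constructed sample values for illustration, not measurements from a real scanner.

```python
"""Enrolment, template consolidation and threshold-based verification for a
minutiae-style fingerprint template. Added illustration, not the article's
code; every minutia below is constructed sample data, not a real scan."""
from dataclasses import dataclass
from math import hypot


@dataclass(frozen=True)
class Minutia:
    x: float      # position on the scanned image, in pixels
    y: float
    angle: float  # local ridge direction in degrees, 0 <= angle < 360
    kind: str     # "ending" (ridge ends) or "bifurcation" (ridge divides)


def angle_diff(a, b):
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def same_minutia(m, n, pos_tol=6.0, angle_tol=15.0):
    """Same ridge feature if kind agrees and position and orientation agree
    within the sensor tolerance (assumed values; real ones depend on the sensor)."""
    return (m.kind == n.kind and hypot(m.x - n.x, m.y - n.y) <= pos_tol
            and angle_diff(m.angle, n.angle) <= angle_tol)


def enrol(captures, min_support=2):
    """Consolidate several captures of one finger into a reference template.
    A feature seen in fewer than `min_support` captures (sensor noise, a
    smudge) is dropped; the rest are kept at their mean position. Only these
    points are stored, never the image itself."""
    clusters = []  # each entry: the observations of one believed feature
    for capture in captures:
        for m in capture:
            for cluster in clusters:
                if same_minutia(cluster[0], m):
                    cluster.append(m)
                    break
            else:
                clusters.append([m])
    template = []
    for c in clusters:
        if len(c) >= min_support:
            template.append(Minutia(sum(m.x for m in c) / len(c), sum(m.y for m in c) / len(c),
                                    sum(m.angle for m in c) / len(c), c[0].kind))
    return template


def match_score(template, probe):
    """Fraction of template minutiae paired one-to-one with a probe minutia.
    No perfect match is demanded; the score is compared with a threshold."""
    if not template:
        return 0.0
    unused, matched = list(probe), 0
    for t in template:
        for i, p in enumerate(unused):
            if same_minutia(t, p):
                matched += 1
                del unused[i]
                break
    return matched / len(template)


def verify(template, probe, threshold=0.6):
    return match_score(template, probe) >= threshold


def error_rates(template, genuine, impostor, threshold):
    """(false rejection rate, false acceptance rate) at one threshold."""
    frr = sum(not verify(template, p, threshold) for p in genuine) / len(genuine)
    far = sum(verify(template, p, threshold) for p in impostor) / len(impostor)
    return frr, far


# Constructed sample data: one finger's "true" features, each capture seen
# with a small shift and rotation, as successive live scans would be.
TRUE_FINGER = [Minutia(40, 50, 10, "ending"), Minutia(85, 60, 95, "bifurcation"),
               Minutia(120, 130, 200, "ending"), Minutia(60, 150, 45, "bifurcation"),
               Minutia(150, 90, 300, "ending")]


def observe(minutiae, dx, dy, da):
    return [Minutia(m.x + dx, m.y + dy, (m.angle + da) % 360, m.kind) for m in minutiae]


ENROL_CAPTURES = [observe(TRUE_FINGER, 1, -1, 3),
                  observe(TRUE_FINGER, -2, 1, -4) + [Minutia(10, 10, 0, "ending")],  # spurious point
                  observe(TRUE_FINGER, 0, 2, 2)]
GENUINE_PROBES = [observe(TRUE_FINGER, 2, 2, -5),
                  observe(TRUE_FINGER, -1, 3, 6)[:-1],  # one feature missed (partial touch)
                  observe(TRUE_FINGER, 3, -2, 4)[1:] + [Minutia(200, 200, 90, "ending")]]
IMPOSTOR_PROBES = [[Minutia(30, 30, 180, "ending"), Minutia(100, 100, 20, "ending"),
                    Minutia(70, 140, 270, "bifurcation")],
                   [Minutia(42, 48, 12, "ending"),  # coincides with one real feature by chance
                    Minutia(90, 55, 95, "ending"), Minutia(125, 135, 30, "bifurcation")]]
TEMPLATE = enrol(ENROL_CAPTURES)

if __name__ == "__main__":
    print(len(TEMPLATE), [round(match_score(TEMPLATE, p), 2) for p in GENUINE_PROBES + IMPOSTOR_PROBES])
    print({t: error_rates(TEMPLATE, GENUINE_PROBES, IMPOSTOR_PROBES, t) for t in (0.6, 0.9)})
```

Running it shows what the enrolment step is for and what the threshold buys: the spurious point that appeared in only one capture is left out of the five-point template, genuine probes that miss a feature still score 0.8, an impostor whose one minutia happens to coincide scores 0.2, and raising the threshold from 0.6 to 0.9 drives the false rejection rate up on this data without changing the false acceptance rate. In a real system the threshold is chosen from measured genuine and impostor score distributions, and a matcher would also compensate for rotation and translation between captures rather than relying on fixed tolerances.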
Types of Biometric Systems
Biometric systems fall within two broad categories: physiological and behavioural. Physiological characteristics are stable physical features, such as a fingerprint, hand structure, retinal or iris pattern, or facial feature. They are generally unchangeable, except by surgery or accident, and are constant over time.
In contrast, behavioural characteristics reflect an
individual's physical and psychological state and thus are affected by such
factors as stress, fatigue and illness (colds included). Most
behavioural characteristics alter over time. For example, the
voice print from a user with laryngitis can seriously confuse a
voice-based access control system. Hence, systems designed to measure such characteristics often need to redefine their reference templates to reflect these changes. This need to update the reference template reduces the usability and reliability of behavioural-based systems.8

There is a large number of technologies and systems that come under the heading of biometrics. To consider each one in turn would not do them justice within the confines of this article. Consequently, one such technology, fingerprint identification, will be considered in some detail. This article will outline how it works, its relative advantages and disadvantages, and its current and future uses. Then, the ethics of collection and maintenance of repositories of such personal identification information will be considered.

An Example: Fingerprint Identification
With reference to the types of biometric systems discussed above, fingerprint scanning is classified as a physiological system. The human fingerprint is a unique identifier that is intrinsically linked to each individual and thus cannot be lost, stolen or transferred between individuals. Moreover, no two fingerprints are identical, which greatly assists in linking the user's access key to the user. Finally, barring serious accident or surgery, fingerprints are constant over time.

Although there are variations amongst the fingerprint scanners available on the market, the principle behind how the user is identified is generally the same. A light-sensitive device, either a scanner or camera, takes an analogue image of the fingertip. The image is then digitised and compared with template records that were created during the enrolment process. At the most basic level, these systems work by matching relationships amongst minutiae, the points on fingertips where print ridges end or divide. More complex scanning systems also examine other major features, such as the arch, loop and whorl patterns that appear on the finger.9

Despite popular misconceptions, these systems do not require a perfect, 100 percent match of all identifiers. Through the use of a number of mathematical techniques, a scanner requires only a match that is statistically significant, that is, a match score above a configured threshold. This matching process has a number of advantages, the most obvious of which relates to storage. The actual fingerprint image is not recorded; rather, the scanning device reduces the image to a set of data points that describe the fingerprint layout in a statistical, rather than physical, form. This reduction makes it harder to reproduce a fingerprint for fraudulent use from the stored data.10

Automated Fingerprint Identification System (AFIS)11 technology has been used in law enforcement over the last 25 years, and the use of AFIS technology is rapidly expanding in a number of new application areas, including welfare. However, the rush to capitalise on the benefits of this technology, in advance of appropriate standards and technology validation methods, is likely to result in a widespread failure to achieve the very valuable programmatic expectations over the long term.

For serious large-scale, positive-identification applications, no other available biometric technology comes close to fingerprints. Fingerprint identification technologies are:
• Well established: Fingerprint identification has been used in law enforcement applications over the past 100 years and has become the de facto international standard for positive identification of individuals.
• Proven: AFIS technology has been developed, refined and proven in demanding law enforcement applications over the last two decades.
• Legally accepted: Legal precedents, which have been established in the US court system, make fingerprints the only biometric proof of identification that is readily accepted in legal proceedings.
• Mature: Fingerprint identification technologies are well beyond the research and development stage, as evidenced by the fact that a number of viable manufacturers produce competing products for a widespread and well-established marketplace. In most other biometrics, the technology is available from only a single vendor, making any large-scale, long-term application very risky.

Recent advances in computing and digital imaging technology have led to the introduction of new AFIS methodologies using electronic live-scan plain-impression fingerprint images as the basis for identification. The proliferation of plain-impression AFIS systems is rapid and accelerating at the state and national levels (US) in large-scale applications, including welfare, driver's licenses, border control, immigration and military personnel identification. For more detailed coverage of this area, refer to http://onin.com/fp/afis/afis/html.

Advantages and Disadvantages
As with all biometric systems, there are a number of advantages and disadvantages associated with using fingerprint scanning to confirm an individual's identity. Often, weighing the various benefits and costs associated with particular biometric methods greatly affects which systems are implemented by an organisation and, in some cases, whether biometric systems are adopted at all. In the case of fingerprint scanning, the relative advantages and disadvantages are reasonably straightforward.

The advantages include:
• Acceptance: As most people are familiar with the use of fingerprinting for identification purposes, it is generally accepted as a technology. Most people understand its applicability to access control.
• Accuracy: By and large, fingerprint technology is accurate. Like any biometric, it can make two kinds of error: rejecting a legitimate print (a false rejection) or accepting a false print (a false acceptance). There is a small chance of rejecting a legitimate print and a very low chance of accepting a false one, and the balance between the two is set by the matching threshold, so tightening one rate loosens the other.
• Ease of use: Very little time is required for enrolment with a fingerprint scanning system. Unlike other biometric devices, such as retina scanners, fingerprint scanners do not require concentrated effort on the part of the user. Accordingly, one could consider fingerprint scanning to be relatively nonintrusive.
• Installation: Changes in technology have made fingerprint scanners relatively easy to install and inexpensive. Most fingerprint scanners are now very small and portable. Plug-and-play technologies have made installation very easy. In many cases, the scanning device has been incorporated into keyboards, mouse buttons and even notebook computers.
• Training: Due to the intuitive nature of scanning fingerprints, such devices require no training to use and little training to support.

• Uniqueness: As noted previously, fingerprints are a unique identifier specific to the individual.
• Security: Fingerprints cannot be lost or stolen, and are difficult to reproduce. Furthermore, storing fingerprint templates as reduced statistical feature data rather than as complete copies of the print significantly reduces the ability to reproduce these unique identifiers from the stored data.12

The disadvantages include:
• Acceptance: Although also an advantage, user acceptance is not guaranteed. Fingerprint scanning crosses the fine line between the impersonal and nonintrusive nature of passwords and personal identification numbers (PINs), and utilising part of an individual's body to identify him/her. As will be discussed, some people view this as an invasion of privacy13 or worse.
• Injury: Injury, whether temporary or permanent, can interfere with the scanning process. In some cases reenrolment is required. For example, bandaging a finger for a short period of time can impact an individual if fingerprint scanning is used in a wide variety of situations. Something as simple as a burn to the identifying finger could prevent use of an automatic teller machine (ATM).
• Security: As some authors have argued, there is nothing to suggest that the same technology that is used to store fingerprints as reduced statistical feature data cannot also be used or modified to recreate an accurate depiction of the print itself. This raises serious concerns related to how such data should be stored, maintained and protected to prevent fraudulent use.14

Issues With the Use of Fingerprint Identification
Transmission and Storage
The truism that the majority of physiological characteristics are almost impossible to alter, fingerprints being one of them, introduces a major drawback of biometric systems.15 When a user wishes to gain remote access to a device that is controlled by a biometric system, e.g., an ATM, the terminal must transmit the biometric measurements to a host database for comparison. This creates two potential weaknesses in the system. One relates to the security of the transmission method used, and the other relates to the security of and access permissions controlling the database in which the reference template is stored. If the security of these systems is weak, it is conceivable that the biometric measurements could be intercepted in transit or copied from the database and fraudulently used, for example by replaying a captured measurement to the host.

Considering the number of possible applications of this technology, the implications of such fraudulent use could be disastrous. Unlike passwords or PINs, which can be changed if compromise is suspected, fingerprints are unique identifiers that cannot be altered. Furthermore, due to their unique nature and the perceptions this creates, the existence of a fingerprint authorisation for a fraudulent transaction represents a virtual admission of guilt by the victim. Consequently, for such authentication techniques to be effective and confidently used, the transmission of biometric data and the storage of biometric templates must attract tight security.16

The large number of potential applications and the consequent variety of individuals, companies and agencies that would require access to stored templates make the physical storage requirements of biometric templates a major issue in itself. If the fingerprint scanning example were extended to include the population of Australia, the overhead costs of collecting and storing approximately 20 million unique fingerprints would be enormous. Added to this is the question of who and what agencies would require access to such information. In the case of fingerprint templates, there are two possible storage solutions.

First, biometric templates could be stored in a series of centralised databases. As noted, the overhead becomes quite large when considered in reference to a country's population. Also, users may be required to interact with a number of databases depending on their access needs. For example, such templates could be kept by the Australian Taxation Office (ATO) for taxation purposes, the Roads and Traffic Authority (RTA) for licensing information, on a server controlling access to the user's home, or on specific devices such as personal digital assistants (PDAs) or even cars. The more places such information is kept, the greater the possibility of unsavoury elements of the community stumbling upon a database with weak security and capturing biometric templates for fraudulent use.

An alternative to database storage is the use of smartcards. Smartcards store the biometric template and are carried by the user. To gain access to a fingerprint-protected system, a user would insert the smartcard containing the fingerprint template and then have a fingerprint scan taken. The results of the scan are then compared with the information on the card to determine authenticity. This process is conducted at the point of access and needs no interaction with additional systems. Consequently, there is no risk of transmission interception and no requirement to hold such information centrally.17 That benefit holds only where the comparison itself is performed on the card (match-on-card). If the card merely releases the template to the terminal, which then does the comparison, the template is again exposed to the terminal's software, and the card itself becomes the thing to steal or copy.

Ethical Considerations
One of the greatest concerns raised in response to the increasing use of biometric authentication systems has been the issue of privacy. Organisations such as Fight the Fingerprint and the Electronic Privacy Information Center argue that there is great scope for abuse of biometric systems by government agencies and the private sector. Coupled with this, there are very few directives or standards established by legislatures or adopted by industry regarding the dissemination of biometric information.

By way of example, an individual is required to provide a fingerprint template to an employer to gain access to a place of employment and the devices required to carry out his/her tasks as an employee. This template is then linked to the employee's personal records, which outline employment history, salary and financial information, dependant details and residential information. An unscrupulous organisation could then sell this linked biometric data to direct marketing firms, mail-order houses and even government agencies, which would then have access to a ready-made personal profile of each individual. It has been argued that when such cross-matching occurs, the fine line between relevant information tracking and an invasion of privacy is blurred.18

To take a more extreme view, fingerprinting has been described as a "Big Brother" population control method (e.g., by Fight the Fingerprint). Most people readily accept the use of PINs, signatures and photographs as legitimate methods of identification and access control. They are impersonal and not physically connected to the individual. Biometric data, in contrast, are an intrinsic part of the human body. Therefore, a number of organisations and individuals find such methods of identification repulsive and invasive.19
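To make the transmission weakness discussed under "Transmission and Storage" above concrete, an added example (not code from the article or from any product it mentions) of the checks a verification host should apply to a measurement arriving from a remote terminal before it compares that measurement with a stored template: the terminal binds the measurement to its identity, a fresh nonce and the send time and authenticates the bundle with HMAC-SHA256, and the host rejects anything forged, altered, stale or already seen. The shared terminal key, the JSON message layout and the 30-second freshness window are assumptions made for the example, and the probe bytes stand in for a real feature set.

```python
"""Replay-resistant, authenticated delivery of a biometric measurement from a
terminal (e.g., an ATM) to the verification host. Added illustration, not code
from the article; the shared terminal key, the message layout and the
freshness window are assumptions made for the example."""
import hashlib
import hmac
import json
import secrets

FRESHNESS_WINDOW = 30  # seconds a message remains acceptable (assumed policy)


def _encode(body):
    # Canonical encoding so terminal and host MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(terminal_id, key, probe_bytes, sent_at, nonce=None):
    """Terminal side: bind the measurement to the terminal, a fresh nonce and
    the send time, then authenticate the whole bundle with HMAC-SHA256."""
    body = {"terminal": terminal_id,
            "nonce": nonce if nonce is not None else secrets.token_hex(16),
            "sent_at": sent_at,
            "probe": probe_bytes.hex()}
    return {"body": body, "tag": hmac.new(key, _encode(body), hashlib.sha256).hexdigest()}


class Host:
    """Host side: check authenticity, freshness and single use of each message
    before the measurement is compared with any stored template."""

    def __init__(self, terminal_keys):
        self.terminal_keys = terminal_keys  # terminal_id -> shared key
        self.seen = {}                      # nonce -> sent_at, pruned by window

    def accept(self, message, now):
        body = message["body"]
        key = self.terminal_keys.get(body.get("terminal"))
        if key is None:
            return False, "unknown terminal"
        expected = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["tag"]):
            return False, "bad MAC: message altered or forged"
        if abs(now - body["sent_at"]) > FRESHNESS_WINDOW:
            return False, "stale: outside freshness window"
        # Forget nonces that are too old to replay successfully, then check this one.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= FRESHNESS_WINDOW}
        if body["nonce"] in self.seen:
            return False, "replay: nonce already used"
        self.seen[body["nonce"]] = body["sent_at"]
        return True, "fresh, authentic measurement; proceed to template comparison"


def demo():
    """Four deliveries: the original, a captured copy resent, a late message and
    a tampered one. Returns the four accept/reject decisions in that order."""
    key = b"\x01" * 32                      # constructed key; provision per terminal in practice
    host = Host({"atm-0042": key})
    probe = b"constructed-minutiae-bytes"   # stands in for a live-scan feature set
    original = build_message("atm-0042", key, probe, sent_at=1000, nonce="n-1")
    first = host.accept(original, now=1005)
    replayed = host.accept(original, now=1010)  # attacker resends the captured message
    late = host.accept(build_message("atm-0042", key, probe, sent_at=1000, nonce="n-2"), now=2000)
    tampered = json.loads(json.dumps(original))  # attacker substitutes their own measurement
    tampered["body"]["probe"] = b"attacker-probe".hex()
    forged = host.accept(tampered, now=1005)
    return first[0], replayed[0], late[0], forged[0]


if __name__ == "__main__":
    print(demo())
```

This protects the integrity, origin and single use of the measurement in transit; it does not hide it, so the link still needs encryption (TLS, for instance) to keep the captured bytes from being read, and the host database still needs the access controls discussed above. The smartcard alternative in the same section removes the problem at its root: with match-on-card the template and the comparison never leave the card, so there is nothing on the wire to capture or replay.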
Conclusion
Obviously, the use of biometric systems for identification and access control purposes is a contentious issue. It is one that requires clear and ethical consideration before adoption by any organisation or agency. Furthermore, governments need to develop strict guidelines that restrict the dissemination of biometric data and the information linked to such data to prevent misuse and erosion of individuals' rights. Information system auditors and security personnel require knowledge of these biometric techniques, as they may be asked to either audit or evaluate them for their clients or organisations.

Useful Web Resources
www.onin.com/fp/afis/html
www.duke.edu/web/mms190/team3/defining.html
www.biometritech.com/features/smallback2.htm
www.onclickcorp.com/onclicksite/onclick.html
www.networkusa.org/fingerprint.shtml

Endnotes
1 Lebihan, R.; "New Passport to Store Facial Biological Information," The Australian Financial Review, 12 February 2003, p. 52
2 Kim, H.J.; "Biometrics, Is It a Viable Proposition for Identity Authentication and Access Control?" Computers & Security, vol. 14, 1995, p. 205-214
3 Java Card Special Interest Group (JC Sig), www.javacard.org/others/biometrics_intro.htm
4 Ibid.
5 "Biometrics Explained," I/O Software, www.iosoftware.com/pages/Products/Technologies/Biometrics/index.asp#Fingerprint
6 Op. cit., Kim
7 Ibid.
8 Op. cit., Java Card Special Interest Group
9 Op. cit., I/O Software
10 Op. cit., Java Card Special Interest Group
11 Automated Fingerprint Identification Systems (AFIS), 2002, www.onin.com/fp/afis/html
12 Op. cit., I/O Software; Op. cit., Java Card Special Interest Group; White, R.; "Face vs. Fingerprint Identification," 1999, www.zdnet.co.za/pccomp/stories/reviews/0,5672,396764,00.html
13 Fight the Fingerprint, www.networkusa.org/fingerprint.shtml
14 Op. cit.,I/O Software; Op. cit., Java Card Special Interest Group; Op. cit., White
15 Op. cit., Kim
16 Ibid.
17 Op. cit., I/O Software
18 Op. cit., Kim
19 Schneier, B.; "The Uses and Abuses of Biometrics," Communications of the ACM, Association for Computing Machinery, August 1999, vol. 42, no. 8, p. 136

Rodger Jamieson, Ph.D., CA
is an associate professor at the School of Information Systems, Technology and Management at the University of New South Wales (Australia), the director of the SEAR (Security, E-business and Assurance Research) group, and director of the SAFE (Security, Assurance and Fraud-prevention for E-business) research program for the Securities Industry Research Centre of Asia-Pacific (SIRCA). He serves on international journal editorial boards and is engaged in teaching, research and consulting in the areas of IS assurance and security, risk management, e-crime and identity fraud, computer forensics and electronic commerce. His prior experience includes working as an IS audit manager with Touche Ross & Co. and as a chartered accountant for Coopers & Lybrand. He also has commercial experience with the AMP Society and Honeywell.

Greg Stephens
is a lecturer in the School of Information Systems, Technology and Management at the University of New South Wales. His research interests include audit and security concerns, computer-mediated communication and its impact on social networks within organisations, and knowledge-based/expert systems. He has previously worked as an information systems professional and as an IS auditor.

Santhosh Kumar
is a researcher with the SEAR group at the University of New South Wales and a member of the Institute of Electrical and Electronics Engineers (IEEE). He has previously worked in networking with Unitafe Networking Co. and TAC-Pacific in Australia, and as an engineer for three organisations in India.
JournalOnline articles, the online-only counterpart of the Information Systems Control Journal, are published by the Information Systems Audit and Control Association, Inc.