FEDERATED, SECURE TRUST NETWORKS FOR DISTRIBUTED HEALTHCARE IT SERVICES:
A COMPARATIVE STUDY OF BIOMETRICS AND THEIR APPLICATION IN A WEB BASED HEALTHCARE ENVIRONMENT
A Thesis
in TCC 402
Presented to
The Faculty of the School of Engineering and Applied Science
University of Virginia
In Partial Fulfillment
of the Requirements for the Degree
Bachelor of Science in Computer Science
by
Andrew Joseph Marshall
March 23, 2004
On my honor as a University student, on this assignment I have neither given nor received unauthorized aid as defined by the Honor Guidelines for Papers in TCC Courses
_______________________________________________________
Approved _______________________________________________ (Technical Advisor) Alfred Weaver
Approved _______________________________________________ (TCC Advisor) Kathryn Neeley
Preface
I would like to thank the past and present members of the Internet Commerce
Group for all of their contributions that made this thesis possible. First, I would like to
thank Professor Alfred Weaver for allowing me on this project and providing me with the
support and resources necessary to complete this project. I would also like to thank Andy
Snyder and Tim Mulholland for their efforts in acclimating me to the project and working
on the first of the biometric devices in the system. Jim Van Dyke and Vince Noel helped
work out the connections between our respective thesis projects and the larger system.
James Hu and Xiaohui Chen managed the larger system for our project and helped me
integrate my biometric logon technologies into the system.
I would like to thank Microsoft Corporation for its generous grant that has funded
this project and its continued support of the project throughout the year. Much of this
work would not have been possible without the software and hardware purchased with
the grant money.
Finally, I would like to thank Professor Kathryn Neeley of the TCC department
for her guidance and support throughout the thesis project. She was helpful in realizing
my project in a new light with respect to social and ethical concerns that could be raised
by my work.
Table of Contents
Preface ... ii
Table of Contents ... iii
List of Illustrations ... v
Glossary of Terms ... vi
Abstract ... viii
Chapter One: Introduction ... 1
  Improving Logon Security ... 1
  HIPAA ... 2
  Internet Commerce Group ... 3
    Reliable Authentication ... 3
    Dynamic Authorization ... 4
    Encryption ... 4
    Trust Federation ... 5
  Creation and testing of Biometric Systems ... 5
  Document Overview ... 5
Chapter Two: Literature Review ... 6
  Web Services ... 6
  Biometrics ... 7
  Integrating Web Services and Biometrics ... 8
Chapter Three: Detailed Design Descriptions ... 10
  Basic design concept: Modal Dialog ... 10
  Previous Designs: Fingerprint and Iris Scanner ... 11
  Signature Verification ... 12
  Voice Verification ... 14
  Biometric Testing System ... 14
  Integration into the larger system ... 15
Chapter Four: Evaluation and Testing ... 16
  Experimental Procedure ... 16
  Statistical Data ... 16
  User Feedback ... 17
    Questions ... 17
    Results ... 18
  Proposed Ordering Based on Findings ... 19
    1. Iris Scanner ... 19
    2. Fingerprint Scanner ... 19
    3. Signature Verification ... 20
Chapter Five: The Thesis as a Social Experiment ... 21
  Ethical Background ... 21
  Motivation ... 22
  Unintended Consequences ... 22
  Implementation ... 23
  Monitoring ... 24
Chapter Six: Conclusions ... 26
  Summary ... 26
  Interpretation ... 26
  Recommendations ... 27
  Social and Ethical Implementation Issues ... 28
Bibliography ... 29
List of Illustrations
Figure 1: Integrating Biometrics and Web Services. Created by the author. ... 8
Figure 2: Fingerprint Scanner Web Application and Panasonic Authenticam Iris Scanner. Compiled by the author ... 11
Figure 3: Signature Web Application. Created by the author. ... 13
Figure 4: Testing Interface. Created by the author. ... 14
Figure 5: The biometric logon form currently in use by the Medical Data Portal. Created by the author. ... 15
Glossary of Terms
1. Authentication – part of a computer system that determines whether an entity is who or what it claims to be
2. Authorization – part of a computer system that determines if an authenticated entity is allowed to access certain parts of the system
3. Biometric – a way of identifying or verifying a person based on some sort of physical trait
4. Digital Identification – any of a number of logon technologies that are not biometric in nature. Examples include a USB Key and a Key Fob pseudorandom number generator.
5. Dynamic Context Aware Access Control – access control model in which users, roles and permissions all have contexts associated with them, and the access control rules can be changed on the fly.
6. Equal Error Rate (EER) – statistical point at which the false acceptance rate and the false rejection rate are equal
7. False Acceptance Rate (FAR) – number of times an unauthorized person is allowed into a system on a specific technology
8. False Rejection Rate (FRR) – number of times an authorized person is refused by the system
9. Fingerprint – the pattern of ridges on the tip of one’s finger that can be used for biometric verification of one’s identity.
10. Hamming Distance – the number of bits in two bit patterns that are allowed to be different while still considering the bit patterns to be the same. Usually expressed as a decimal between zero and one.
11. HIPAA – Health Insurance Portability and Accountability Act of 1996. A law that describes new standards for patient privacy in the healthcare industry.
12. Identification – in biometrics, determining the identity of an unknown person by checking their template against all records and returning the closest one
13. Iris – the colored part of the human eye, containing assorted vein patterns that can be used for biometric verification of a person’s identity.
14. Modal Dialog Box – a dialog box that does not allow the program or web application running underneath it to continue to run until it has closed and returned a value.
15. Modeless Dialog Box – a dialog box that allows the program or web application underneath it to continue to run while it is open.
16. Tablet PC – a portable computer with the ability to interface with the screen using a special stylus, or pointing device. The stylus can be used in certain applications to write directly on the screen, as if with a pencil and paper.
17. Trust Federation – the sharing of trust across different networks. Computers implicitly trust machines within their own network, but this implicit trust does not exist between computers on different networks and must be negotiated through Federation.
18. Trust Level – a number assigned to a logon method in a system that indicates how secure the system considers the logon technology to be. Trust level can be used in access control methods to force users to be verified by a certain level of technology before viewing certain types of data.
19. Verification – in biometrics, determining the veracity of an identity when an identity is posited by the user
20. Web Application – a web page, generally written in ASP.NET, that has program logic running behind it. Web applications are one way in which a web service can be called.
21. Web Service – any program kept on a web server that provides a service or a set of services to users via the internet
Abstract
Security is an increasingly important concern in electronic commerce, and is
especially vital for wireless devices. While encryption allows for secure transmission of
messages across the World Wide Web, the access to the encryption is only protected by a
username and password that can be easily hacked or stolen. In order to make the
transaction more secure from end to end, better logon methods are needed. Biometric
technologies are one solution to this security problem. Biometric technologies such as
fingerprint scanners can be used on desktop machines for wired access to data, while
other methods, such as signature verification can be used on Tablet PCs for secure
wireless access to data. This project develops a signature verification module for secure
wireless access to a prototype healthcare system, recommends a relative ordering of the
trust levels of all logon methods, and discusses user preferences for the devices.
The new technology this thesis develops for use in the system is a signature
verification module for use on a Tablet PC. Fingerprint and iris scanner modules already
exist in the prototype healthcare system. Users tested the fingerprint and iris
modules as well as the signature module and provided feedback data. The ordering of
trust levels is largely defined by published statistical data and the order is iris scanner,
fingerprint, and then signature verification with the fingerprint scanner being the most
popular among the users.
The signature module has allowed the Tablet PC to use its unique features inside
of the prototype healthcare system. Because a Tablet PC user can log onto the online
healthcare system with a signature, this thesis demonstrates a way in which secure
wireless access to data can be achieved.
Chapter One: Introduction
This thesis produced a biometric technology for use in logging on to a medical
web portal and a recommendation on the comparative reliability of all of the systems
currently available to the medical portal. The biometric technology produced is
signature verification. The iris scanner is the most secure biometric technology, while
the fingerprint scanner is the most reliable and popular for daily use. This chapter
describes the background and motivation for the project and gives an overview of the
project results.
Improving Logon Security
Security is a major concern for all companies who do any sort of electronic
commerce over the World Wide Web. Discussions about security have traditionally
centered on the actual data transmissions and encryption, leaving out logon procedures.
As a result, even for the most important electronic data transactions, the logon that
initiates the procedure uses the same username and password scheme that has been in
place for years. Due to human memory limitations, usernames and passwords must
remain relatively short in comparison to the encryption keys used by modern computers.
Consequently, usernames and passwords are easily decipherable by modern computer
systems, making the logon the weakest part of any electronic transaction.
Username/password schemes are not useless in a modern setting. Individual
computer users are not generally going to store incredibly sensitive data on their
computer systems, and they are not at very high risk of being hacked in order to obtain
such information. Username and password protection is sufficient for such types of
personal use, especially as a method for saving personalized settings from tampering.
However, large companies, including healthcare providers, need a more secure way of
protecting data throughout the transaction process. When protecting very sensitive data,
one needs a more robust and secure system in place at every point in the electronic data
transaction process.
The implementation of the signature biometric system from this thesis and the
existing fingerprint and iris scanning systems will help to alleviate the security problems
presented by traditional username/password systems by using more than a person’s
memorized secret to prove his or her identity. Biometric logon systems extract large
amounts of feature data from the user into a template. This template is generally
thousands of characters long, and acts as a password of sorts for the user that never needs
to be memorized, and is much more difficult to steal. Many industries are looking for
more secure logon mechanisms in order to secure more adequately their sensitive data.
Recent developments in the healthcare industry have made it an ideal candidate for field
testing these biometric technologies.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a
broad-based law that affects almost every aspect of the healthcare industry. It includes
sections on health insurance reform, administrative simplification, new healthcare
standardizations, and privacy and security rules (Public Law, 1996). The privacy and
security section of HIPAA is the basis for this project. This section gives the technical
requirements for all HIPAA compliant systems with respect to their treatment of data
security. HIPAA regulations require that all transactions that occur over a public network
like the internet be secure. Securing the data during transmission requires the use of
encryption technologies. The University of Virginia Medical Center has an interest in
securing the logon portion of data transmissions as well. The Medical Center had many
physical and electronic attacks to their data systems when Christopher Reeve was brought
to the Medical Center for surgery following his accident (Snyder, 9). Having biometric
logons in place at that time would have reduced the risk of their databases being hacked
for patient information. The next section details how the logins are integrated into a
larger system to make them useful.
Internet Commerce Group
The Internet Commerce Group collaborated with the UVA Department of
Radiology to write a joint proposal to Microsoft to design a prototype system that
simultaneously meets the needs of the UVA Medical Center and the requirements of
HIPAA. Microsoft has funded the proposal, “Federated Trust Systems” (Weaver). The
overall research project, of which this thesis is a part, embraces these issues: reliable
authentication, dynamic authorization, encryption, and trust federation, or sharing.
Reliable Authentication
The computer system must know the user in order for the system to allow the user
to access any data. All authentication technologies need a ranking based on their
reliability. The authorization system will use this ranking. There are two types of
authentication technologies: biometrics and digital identification. Biometric
technologies use some physical feature of a person to verify that person’s identity to the
computer system. Some biometric devices include fingerprint scanners, iris scanners,
signature verification systems, and voice recognition systems. Digital identification uses
electronic keys to verify one’s identity to the system. Some examples of digital
identification technologies are USB keys and key fobs. USB keys are small devices that
plug into a computer’s USB port and hold a piece of data identifying the user. Key fobs
use specific algorithms to generate pseudo random numbers that change every minute,
which has the effect of resetting the password to a system every minute. The user carries
a small digital device that produces the numbers in order to keep track of the changing
numbers. I am working on biometric authentication and Vincent Noel, a fourth year
undergraduate, is working on digital identification.
Dynamic Authorization
Once the system has verified a user’s identity, it must determine how much data it
will allow a user to see based on what privileges the user has in the system and how
reliable the user’s logon method was. The system uses Dynamic Context Aware Access
Control (CAAC). In CAAC, each user has a role assigned to it, such as doctor or patient.
For each type of data in the system, a role can either be allowed or denied permissions to
the data. Each user, role, and permission has a context associated with it, which is a set
of circumstances under which a user in a role can have a permission. This system is
dynamic because the rules are changeable while the system is running without rewriting
the code. Graduate students James Hu and Xiaohui Chen are developing the
authorization engine for the system.
Encryption
All data transactions must be encrypted in compliance with HIPAA regulations.
The system uses the Advanced Encryption Standard with 256-bit keys. Andrew Snyder
wrote his Master’s Thesis on the use of encryption in the system and its impact on
workflow in a medical setting (Snyder).
Trust Federation
Computer systems that are not part of a hospital’s network, such as a pharmacy,
must be able to interact with the hospital’s system in some way. Trust and trust
federation, or sharing, are methods for allowing those computer systems to communicate
with one another. James Van Dyke, a fourth year undergraduate, is working on
techniques for federation in the system.
Creation and testing of Biometric Systems
This project undertook a manageable and attainable task; however, its results will
be useful to the University of Virginia Medical Center. The final products are a signature
verification module using web services and a recommendation on the ranking and usage
of the biometric systems. The signature verification module allows users to logon to
secure websites using portable hardware such as a Tablet PC. The recommendation is
that the technologies receive the following ranking in order from most to least secure:
Iris Scanner, Fingerprint Scanner, Signature Verification. The fingerprint scanner is the
best technology for day-to-day usage due to its high fidelity and user-friendly interface,
and it should allow the user to view all but the most important data. The signature
verification module should also allow users to see a large subset of data when they are
logging on from a wireless device like a Tablet PC.
Document Overview
The following document seeks to answer the question: Which of the currently
available and useable biometric technologies are best suited for use in a web based healthcare environment? It will present a review of literature that is foundational to the project, detailed design specifications, testing and evaluation results, the thesis as a social experiment, and the conclusions drawn from the project.
Chapter Two: Literature Review
In order to understand the need for this project, the principles underlying that
need must be discussed. The Web Services model of the medical data portal and the
principles of biometric technologies are discussed, as well as how these two components
work together in this project.
Web Services
A Web Service is “programmable application logic accessible using standard
Internet protocols.” (Microsoft, A Platform for Web Services) Web Services provide a
standard method for performing tasks across a network and provide many features that
are important to this project. Information hiding and platform independence are some of
these features.
When a component of a program, such as a Web Service, practices information
hiding, it keeps the details of its implementation hidden from the user, so that changes
to that implementation do not affect the outputs seen by the user. Information hiding is helpful to
this project because it allows the technologies used in the implementation to be upgraded
without having to completely redesign the system. When a program is platform
independent, it can run on a variety of operating systems (e.g. Windows, Unix, and Mac
OS) and produce the same result. Web Services are platform independent because they
are run on their original server, thus allowing them to be used by people using a variety
of operating systems.
In this project, Web Services also help protect data from unauthorized access.
Web Services can have policies attached to them to describe certain standards that must
be met in order to utilize the web service. The patient record database that is the focus of
HIPAA regulations is only accessible through Web Services that enforce access rules and
require authenticated access.
Biometrics
Biometric technologies use some unique feature of a person’s body to verify his
or her identity to a computer system. Biometrics, unlike passwords, can provide false
approvals or rejections, which requires biometric technologies to receive evaluations
statistically. Biometric technologies are evaluated based on their false acceptance rate,
and false rejection rate.
The false acceptance rate is the number of times a user who does not have
legitimate access is admitted by the system (Technology, 2002). Any sort of noticeable
false acceptance rate causes a biometric system to be completely unreliable. Testing false
acceptance rate requires large data sets that were not available to this project. The false
rejection rate is the number of times a user who has legitimate access to the system is
denied by the system. A noticeable false rejection rate does not condemn a system in the
same way a noticeable false acceptance rate does, but it can make the system unusable in
a practical sense because users will run into problems logging on to the system.
The false acceptance rate and the false rejection rate can be adjusted through the
manipulation of the hamming distance in the verification algorithm. Hamming distance
is the fractional number of bits that can be different in two pieces of data such that the
two pieces of data can still be considered equal. They can be expressed in percentage
terms, or as a decimal between zero and one. Password verification never uses hamming
distance because the bit patterns must match exactly. However, with respect to
biometrics, the exact same data is never collected for each verification attempt due to
many factors; therefore, a hamming distance needs to be applied to biometric verification
to allow for these discrepancies. The equal error rate is the hamming distance at which
the false acceptance rate equals the false rejection rate for a given technology’s matching
function.
False acceptance rate and false rejection rate are inversely proportional. If a
system’s hamming distance is set closer to zero, the false acceptance rate will decrease,
providing more security to the system, while the false rejection rate increases, causing
more logon problems for legitimate users. Likewise, if a system’s hamming
distance is set closer to one, the false rejection rate will decrease. A higher hamming
distance causes fewer logon problems for legitimate users, but the system is not as secure.
Systems set at the equal error rate are reasonably secure as well as user friendly. The
false acceptance rate and false rejection rate are used to describe the reliability of every
major biometric system available.
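The FAR/FRR trade-off described above, as an added example that is not code from the thesis or from the Internet Commerce Group's system: it sweeps a Hamming-distance threshold over constructed genuine and impostor comparison scores, shows FAR falling and FRR rising as the threshold moves toward zero, and locates the equal error rate. All template bytes and distance values are constructed for illustration.

```python
"""
Added example (not from the thesis): sweep a Hamming-distance threshold over
constructed genuine and impostor comparisons to show how FAR and FRR move in
opposite directions, and locate the equal error rate (EER).
"""
from typing import List, Tuple


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length templates (0.0 to 1.0)."""
    if len(a) != len(b):
        raise ValueError("templates must be the same length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """
    A comparison is accepted when its Hamming fraction is <= threshold.
    FAR: share of impostor comparisons that were accepted (wrongly).
    FRR: share of genuine comparisons that were rejected (wrongly).
    """
    far = sum(1 for d in impostor if d <= threshold) / len(impostor)
    frr = sum(1 for d in genuine if d > threshold) / len(genuine)
    return far, frr


def equal_error_rate(genuine: List[float], impostor: List[float],
                     steps: int = 100) -> Tuple[float, float]:
    """
    Sweep thresholds 0, 1/steps, ..., 1 and return (threshold, eer) at the
    first point where FAR and FRR are closest; eer is their mean there.
    """
    best_gap, best_t, best_eer = None, 0.0, 0.0
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_eer = gap, t, (far + frr) / 2
    return best_t, best_eer


# Constructed Hamming fractions: GENUINE = the same user captured twice,
# IMPOSTOR = two different users. A real device yields a distribution of
# these values; ten of each are enough to show the trade-off.
GENUINE = [0.05, 0.08, 0.10, 0.12, 0.15, 0.18, 0.20, 0.22, 0.33, 0.38]
IMPOSTOR = [0.27, 0.31, 0.36, 0.40, 0.42, 0.45, 0.48, 0.50, 0.52, 0.55]


def tradeoff_table(genuine: List[float], impostor: List[float],
                   thresholds: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) rows: a lower threshold cuts FAR but raises FRR."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in tradeoff_table(GENUINE, IMPOSTOR, [0.20, 0.31, 0.40]):
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    t, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER ~ {eer:.2f} at threshold {t:.2f}")
```

A deployment that wants the page's "reasonably secure as well as user friendly" setting would pick the threshold returned by equal_error_rate; a stricter trust level would pick a lower one and accept the higher FRR.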
Integrating Web Services and Biometrics
Biometric technologies and web services aid in increasing the security of data
transactions. Biometric technologies would be much less powerful without the web
services architecture. Figure 1 below shows the connections between biometrics and web
services in the current system.
Figure 1: Integrating Biometrics and Web Services. Created by the author.
A biometric device’s controlling software is loaded through a web application on
the client’s internet browser. After the biometric data is collected, the web service
needed to verify the biometric data is called from the web application across the internet.
Figure 1 shows the internet as a cloud to illustrate that the client does not know anything
about the setup of the computer system the web service is running on, other than what web
services that system provides and how to interface with them. In the current system, the
web service connects to a database server in order to verify the biometric data passed to
it. The web service returns true or false to the client system, meaning verified or not
verified respectively.
Chapter Three: Detailed Design Descriptions
The first stage in this project involved the development of two biometric web
services for the use of logging on to a medical data portal being developed by the rest of
the InterCom group. This section provides a general description of the design of each of
the four biometric systems used, noting where they differ, and discusses the failure of the
voice system.
Basic design concept: Modal Dialog
The first problem to overcome when working with devices that require special
software to interact with a program or web application, such as biometric technologies, is
that the software control needs to be loaded into the program or webpage before it can be
used. This is not really an issue for a normal program running directly on a computer,
but for a web application, the control cannot load once the page has finished loading.
Internet browsers can create two types of dialog boxes, modeless and modal, which can
contain a web application to load the necessary software control. Both types of dialog
boxes can accept information from their creating web application as well as return
information to their creating web application. This allows the dialog box to receive the
username and return the decision as to whether or not the user’s credentials matched or
not. Modeless dialog boxes pop up over the existing web page, but allow the user to
continue to manipulate the web application. Because the user can proceed without
completing or canceling the logon procedure in the modeless dialog box, it is not useful
to this project. However, modal dialog boxes force the user to do what the dialog box
requires before he or she continues browsing web pages. The first two devices used in
the system, the fingerprint scanner and iris scanner, used the modal dialog in order to
send and receive information pertaining to system logon.
Previous Designs: Fingerprint and Iris Scanner
The fingerprint and iris scanning modules were in place before the
commencement of this project, and are very similar in their design. Figure 2 below
shows the final web control developed for the Digital Persona U.are.U Pro fingerprint
device as well as the Panasonic Authenticam to capture iris images to be verified by the
Iridian Technologies KnoWho iris scanning software.
Figure 2: Fingerprint Scanner Web Application and Panasonic Authenticam Iris Scanner. Compiled by the author
Both modules use a dynamic link library (DLL) that can be displayed in a web
application. Prior to the start of the fall semester, members of the Internet Commerce group
developed these DLLs. They allow the biometric data to be read by a web application
and sent to a web service for verification. All of the biometric logon modules have two
parts: a web application, which is a webpage with program logic running behind it, for
data collection and a web service for verification. The web application is allowed to
interface with the physical biometric device but not the database containing the enrolled
user data, while the web service can do the exact opposite. The following scenario shows
the flow of data between the web application and the web service during a fingerprint
logon.
Dr. Jones comes to her terminal for the first time today and opens the medical
data portal. She enters her username and elects to sign in using the fingerprint scanner.
The fingerprint dialog box appears and the web page passes Dr. Jones’s username to the
web application running inside of the dialog box. Once the control is loaded into the
dialog box’s web application and the scanner status reads, “Waiting for fingerprint…,”
she places her finger on the sensor. The control reads the fingerprint, and then exposes
the fingerprint data to the dialog box’s web application. The dialog box’s web
application now calls the fingerprint verification web service, passing it the username
from the original web page and the fingerprint data from the control. The web service
then returns the result of the attempted verification. If it was successful, it returns true,
otherwise, it returns false. The dialog box’s web application then closes the dialog box
and alerts the original web page to the web service’s decision, either true or false.
Signature Verification
The signature verification module uses a different approach to the design than the
first two systems, but achieves the same result. It runs on a Tablet PC, which is a
computer that uses a stylus interface instead of the traditional mouse to point and click on
objects. Tablet PCs have many new applications that incorporate the use of the stylus for
user input. One set of them is a line of products by the Communication Intelligence
Corporation designed to allow users to sign on to their computers and other secure
systems using their signatures, since many Tablet PCs do not have keyboards. Their
web-based product’s name is iSign, and it is specifically designed for use on web pages,
making it very different from the fingerprint and iris scanning systems that had to have
wrapping code written around them in order to work on web pages.
The iSign product will work on any computer that has its software loaded onto it.
However, on computers that do not have the stylus interface, the mouse must be used to
generate the signature. These radically different interfaces keep the iSign product from
being useful on all computers. Since Tablet PCs need no extra hardware to utilize iSign,
the signature verification module is significant because it allows users to access the
medical data portal on a computer that can connect to the portal wirelessly without
having to have a fingerprint device or iris scanner connected to it and making it
cumbersome.
Figure 3 below shows the interface to the signature module. The user signs on the
line and then presses “Validate Signature” to log in.
Figure 3: Signature Web Application. Created by the author.
Voice Verification
The voice verification module does not work due to an error in the manufacturer's provided interface. The voice product is from Voice Security Systems. It had an interface similar to the fingerprint and iris scanners, but when the manufacturer's verification function was called from a web service, the manufacturer's code would fail without returning a verification decision.
Biometric Testing System
The biometric testing system uses a design similar to that of the biometric devices themselves. Figure 4 below shows the web application interface to the system. After entering a username and selecting the technology to test, pressing the "Test FRR" button creates a modal dialog box with the desired biometric control. Once the biometric returns a decision as to the authenticity of the attempted verification (true or false), the web application calls a web service to log the data into a database. The database contains the number of verification attempts on a specific device and the number of successful verifications.
Figure 4: Testing Interface. Created by the author.
Integration into the larger system
Integrating the working biometrics into the larger medical data portal system is relatively simple since their code is self-supporting. The original version of the medical data portal directly utilized the modal dialog concept with the fingerprint device. Now that more options exist, a method of choosing between the various logon techniques is necessary. The modal dialog box is still a sufficient starting point for developing the web application and web service needed to perform biometric verification from a web page, but it is not adequate when multiple technologies are available. Figure 5 below shows the current system used by the medical data portal to select a logon technology, which was developed by James Hu. A button is enabled if the user's computer can support that type of logon technology; otherwise, the button is disabled. A user performs a logon by selecting his or her preferred technology, following the instructions for the control to gather the data, and then pressing "Done." This returns the type of logon and the logon data to the main web page, where the logon is processed by the appropriate web service.
Figure 5: The biometric logon form currently in use by the Medical Data Portal. Created by the author.
Chapter Four: Evaluation and Testing
This section describes the results of testing the biometrics in order to rank them for use in the authorization engine of the medical data portal. The discussion of the data centers on False Acceptance Rate, False Rejection Rate, and user feedback about the systems.
Experimental Procedure
Test users follow a series of steps in order to interact with the developed biometric systems, generating statistical data and user feedback:
1. The moderator explains the systems being tested, including any instructions a normal user would be given when encountering this technology.
2. The moderator guides the user through enrollment on each of the technologies.
3. The user utilizes the test harness to attempt verification by the technologies.
4. The user completes a survey on his or her experiences in interacting with the system.
Statistical Data
The most useful data that can be collected without a large sample is false rejection rate data. False acceptance rate data requires a large number of people to produce any false positives on the biometric technologies used in this project. False rejection rate is as much a measure of user preference as a statistical measure of a biometric technology's accuracy: if a user has trouble logging in with a specific biometric technology, he or she will be disinclined to continue using that technology. Therefore, a user will generally prefer the technology with the lowest noticeable false rejection rate unless it is unreasonably difficult or uncomfortable to use. The data discussed in the following paragraphs is not statistically valid; therefore, it should not be used to prove any statistical points about the systems. It is used here to give a general feel for the functionality of the biometric systems.
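The testing system described in Chapter Three logs attempts and successes per device, and the paragraph above explains why a small test group yields a usable false rejection rate but no false acceptance rate. The following added example (written for this edit, not the thesis's testing code) reduces such a log into per-device rates and attaches a Wilson score interval so that a handful of attempts is reported with its uncertainty rather than as a bare percentage. The record layout, the device names and the sample records are constructed assumptions, not the thesis's database schema.

```python
"""Added example (not the thesis's testing code): reduce a verification log
of the kind the testing web service would write into per-device error
rates, with a Wilson score interval so a small sample carries its
uncertainty.  Record layout, device names and sample records are
constructed for this example."""
from collections import defaultdict
from math import ceil, sqrt
from typing import Dict, List, Tuple

# Constructed records: (username, device, genuine_user, accepted).
# genuine_user=True is the enrolled person trying to verify (a rejection
# there is a false rejection); genuine_user=False is someone else trying
# to verify as that username (an acceptance there is a false acceptance).
# A small volunteer group produces only genuine attempts, which is why no
# FAR can be estimated from it.
SAMPLE_LOG: List[Tuple[str, str, bool, bool]] = [
    ("alice", "fingerprint", True, True),
    ("bob", "fingerprint", True, True),
    ("carol", "fingerprint", True, True),
    ("dave", "fingerprint", True, False),   # the one false rejection
    ("erin", "fingerprint", True, True),
    ("frank", "fingerprint", True, True),
    ("alice", "iris", True, True),
    ("bob", "iris", True, True),
    ("carol", "iris", True, True),
    ("dave", "iris", True, True),
    ("erin", "iris", True, True),
    ("alice", "signature", True, True),
    ("bob", "signature", True, False),
    ("carol", "signature", True, True),
    ("dave", "signature", True, False),
    ("erin", "signature", True, True),
    ("frank", "signature", True, True),
]


def wilson_interval(events: int, trials: int, z: float = 1.96) -> Tuple[float, float]:
    """95% Wilson score interval for the proportion events/trials.

    Unlike the point estimate, the interval stays informative when events
    is 0 (zero observed rejections does not mean a zero rate) and when
    trials is small, which is exactly the situation of a few test users."""
    if trials == 0:
        return (0.0, 1.0)  # nothing observed: no information at all
    p = events / trials
    z2 = z * z
    denom = 1 + z2 / trials
    centre = (p + z2 / (2 * trials)) / denom
    half = z * sqrt(p * (1 - p) / trials + z2 / (4 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def error_rates(log) -> Dict[str, dict]:
    """Per-device FRR and FAR with intervals; a rate is None where no
    attempts of the needed kind were logged."""
    counts = defaultdict(lambda: {"genuine": 0, "false_reject": 0,
                                  "impostor": 0, "false_accept": 0})
    for _user, device, genuine, accepted in log:
        c = counts[device]
        if genuine:
            c["genuine"] += 1
            c["false_reject"] += 0 if accepted else 1
        else:
            c["impostor"] += 1
            c["false_accept"] += 1 if accepted else 0
    rates = {}
    for device, c in counts.items():
        rates[device] = {
            "genuine_attempts": c["genuine"],
            "frr": c["false_reject"] / c["genuine"] if c["genuine"] else None,
            "frr_ci": wilson_interval(c["false_reject"], c["genuine"]),
            "impostor_attempts": c["impostor"],
            "far": c["false_accept"] / c["impostor"] if c["impostor"] else None,
            "far_ci": wilson_interval(c["false_accept"], c["impostor"]),
        }
    return rates


def impostor_trials_needed(far: float, expected_false_accepts: int = 1) -> int:
    """Impostor attempts needed before `expected_false_accepts` false
    acceptances are expected at a true rate of `far`.  At manufacturer-quoted
    rates this runs to tens of thousands or millions of attempts."""
    if not 0 < far <= 1:
        raise ValueError("far must be a rate in (0, 1]")
    return ceil(expected_false_accepts / far)


if __name__ == "__main__":
    for device, r in error_rates(SAMPLE_LOG).items():
        lo, hi = r["frr_ci"]
        print(f"{device:12s} FRR {r['frr']:.3f} (95% CI {lo:.3f}-{hi:.3f}) "
              f"from {r['genuine_attempts']} genuine attempts; "
              f"FAR {'n/a' if r['far'] is None else r['far']}")
    print("impostor attempts for one expected false accept at FAR 0.01%:",
          impostor_trials_needed(0.0001))
```

With the constructed log the iris scanner shows zero rejections in five attempts, yet its 95% interval still reaches about 43%, which is the quantitative form of the caveat that the thesis's data "should not be used to prove any statistical points." The last line shows that even a modest FAR of 0.01% needs on the order of ten thousand impostor attempts before a single false acceptance is expected.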
To date, the iris scanner has a false rejection rate of zero percent when it has worked, but the server software failed at the beginning of testing due to a server malfunction, making its practical false rejection rate (meaning the times a user is not allowed in because of either a false rejection or a system failure) initially high. Out of all of the users tested, the fingerprint scanner has falsely rejected only one user. Neither the fingerprint nor the signature system has ever failed. Signature verification generated the most false rejections of any of the technologies tested.
The iris scanner is the most secure system in use, with fingerprint and signature following in that order. According to manufacturer and market data, this ordering should hold with statistically valid data as well. According to the manufacturer's data, the iris scanner and the fingerprint device are very close to one another in terms of false acceptance and false rejection rates.
User Feedback
User feedback was necessary since statistically significant data for false acceptance and false rejection rates could not be obtained within the scope of this thesis. User feedback also allows the recommendations to go beyond pure statistical data and take user preferences, such as ease of use, into account when deciding how much data a device should expose.
Questions
To obtain feedback from users on their preferences, the users filled out an online survey after completing the testing. Each user answered ten multiple-choice questions about the three systems. The same three questions were asked of each of the technologies:
• "How easy was it to use?"
• "How comfortable was it to use?"
• "Did you prefer this technology to both of the others?"
The final question correlates to the statistical data: "How consistent would you say your signature is (how much does each of your signatures look like each other)?" The questions provided the following range of answers:
• Very easy, comfortable, or consistent
• Somewhat easy, comfortable, or consistent
• Neutral
• Somewhat difficult, uncomfortable, or inconsistent
• Very difficult, uncomfortable, or inconsistent
The question of preference had three choices: Yes, Maybe, and No.
Results
All test subjects have found the fingerprint scanner to be both very easy and very comfortable to use. A large majority has preferred it to the other technologies available. Most users found the iris scanner to be either somewhat easy or very easy to use, but about thirty-five percent found that it was not easy to use. A large majority of users found the iris scanner to be somewhat comfortable or very comfortable to use, though a small percentage found it somewhat uncomfortable. No one definitely preferred iris scanning to either of the other technologies, but the users were split between "No" and "Maybe." User experience with the signature system varied greatly, causing responses about the ease of use and comfort of the system to be more distributed among the possible answers. Almost seventy-five percent of users did not prefer the signature system to either of the other systems. Most of the users described their signature as at least somewhat consistent, and the same number were verified by the system. The others described their signatures as somewhat inconsistent.
The fingerprint system is the most usable module, followed by the iris and then the signature modules. The iris scanner and signature verification require an acclimation to their interfaces that users cannot get in one sitting.
Proposed Ordering Based on Findings
The proposed ordering of the three working devices from the highest security to lowest is: (1) Iris Scanner, (2) Fingerprint Scanner, and (3) Signature Recognition.
1. Iris Scanner
According to available literature, the iris scanner is the most reliable biometric in our system in terms of false acceptance rate and false rejection rate. The module is balanced at the equal error rate, and the manufacturer reports the odds of either a false acceptance or a false rejection at 1 in 1.2 million, or 0.000083% (Daugman, Recognizing). However, it is not recommended for daily use because users prefer the fingerprint scanner to it.
2. Fingerprint Scanner
According to available literature, the fingerprint scanner is almost as reliable as the iris scanner, with the manufacturer reporting a false acceptance rate of 0.01% and a false rejection rate of 1.4% (Digital Persona). Because users prefer it to the iris scanner, it is proposed that users be allowed to access all but the highest security data with the fingerprint scanner.
3. Signature Verification
In the trials run so far, those persons with a consistent signature motion are nearly always verified, and those with a less consistent motion tend to have trouble with the system. Published statistical data has shown that signature verification at best yields a false acceptance rate of 1.6% and a false rejection rate of 2.8% (Abstracts). Since both of these numbers are significantly higher than those for fingerprint and iris scanning, it is not recommended that users be able to perform as many tasks with signature verification as with the other technologies. However, users should be allowed to perform basic processes from a successful signature logon, especially if it is the only viable method for logging on to the system from a device like a Tablet PC.
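The logon form described in Chapter Three returns the type of logon together with the logon data, and the ordering just proposed is meant to feed an authorization engine that restricts data by the reliability of the logon device. The following added example (written for this edit; it is not the thesis's code nor the Internet Commerce Group's authorization engine) shows one way to connect the two: the logon method is recorded in the token issued after a successful verification, each method carries a trust level from the proposed ordering, and every resource declares the minimum level it requires. The level numbers, the resource names, the per-resource policy and the password level are constructed assumptions; the thesis ranks only the three biometrics.

```python
"""Added example, not the thesis's code: a minimal trust-level authorization
engine built from the proposed ordering.  Level numbers, resource names,
the policy table and the password level are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class TrustLevel(IntEnum):
    """Higher value = more reliable logon device (ordering from the thesis)."""
    PASSWORD = 0      # assumed baseline, not ranked in the thesis
    SIGNATURE = 1     # published best case: FAR 1.6%, FRR 2.8%
    FINGERPRINT = 2   # manufacturer: FAR 0.01%, FRR 1.4%
    IRIS = 3          # manufacturer: 1 in 1.2 million at the equal error rate


# The "type of logon" string the logon form returns, mapped to its level.
LOGON_TRUST: Dict[str, TrustLevel] = {
    "password": TrustLevel.PASSWORD,
    "signature": TrustLevel.SIGNATURE,
    "fingerprint": TrustLevel.FINGERPRINT,
    "iris": TrustLevel.IRIS,
}

# Constructed policy following the thesis's proposal: basic tasks from a
# signature logon, everything but the most sensitive data with the
# fingerprint scanner, the highest-security data only with the iris scanner.
RESOURCE_POLICY: Dict[str, TrustLevel] = {
    "appointment_schedule": TrustLevel.SIGNATURE,
    "lab_results": TrustLevel.FINGERPRINT,
    "psychiatric_notes": TrustLevel.IRIS,
}


@dataclass(frozen=True)
class Token:
    user: str
    logon_method: str
    trust_level: TrustLevel


def issue_token(user: str, logon_method: str, verified: bool) -> Optional[Token]:
    """Called with the true/false decision the logon web service returned.
    A failed verification yields no token at all, and an unknown logon
    method is an error rather than a silently low trust level."""
    if logon_method not in LOGON_TRUST:
        raise ValueError(f"unknown logon method: {logon_method!r}")
    if not verified:
        return None
    return Token(user, logon_method, LOGON_TRUST[logon_method])


def authorize(token: Optional[Token], resource: str) -> bool:
    """Deny by default: no token, or a resource with no policy entry, is a no."""
    if token is None:
        return False
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return False
    return token.trust_level >= required


def step_up_methods(resource: str) -> List[str]:
    """Logon methods whose trust level satisfies the resource; the logon
    form could offer exactly these when the current token is not enough."""
    required = RESOURCE_POLICY[resource]
    return [m for m, lvl in LOGON_TRUST.items() if lvl >= required]


if __name__ == "__main__":
    tok = issue_token("alice", "fingerprint", verified=True)
    for res in RESOURCE_POLICY:
        print(res, "->", "allow" if authorize(tok, res) else "deny")
    print("psychiatric_notes needs one of:", step_up_methods("psychiatric_notes"))
```

Two design points matter for a defender reading this: the trust level is derived from the verified logon method at token issue time rather than supplied by the client, so a page cannot claim a higher level than the web service actually verified; and unknown resources and unknown logon methods fail closed, so adding a new biometric (or a resource) without updating the policy table cannot silently grant access.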
Chapter Five: The Thesis as a Social Experiment
Biometrics is a new set of technologies that has not been utilized by the general computer user. Biometric technologies provide interesting grounds for discussion of engineering as social experimentation because of the various ways in which they can be integrated into society. A discussion about informed consent is especially valuable for biometric technologies, since it is still possible to obtain such consent from users, instead of subversively forcing the technology upon them.
Ethical Background
Engineers have a large ethical responsibility when creating new technology for public consumption. Possessing a strong moral imagination for the possible unintended consequences of a technology is increasingly necessary for engineers working on innovative technologies such as the biometric devices dealt with in this thesis. Informed consent is often sorely lacking in the introduction of new technologies. The public usually receives a technology without knowing how it could affect their lives. Informed consent should be especially important when one is introducing a new technology of which the public may be wary. This project's social experiment comes after the technical work is complete, during its implementation in medical centers. It will involve seeing how well people take to using non-traditional methods of computer identification. Research shows that these technologies are legitimate and safe for public use when used properly. However, statistical data is not overly useful in the implementation of this project because the public must gain an understanding that the technology is safe.
Motivation
This project's primary motivation is HIPAA, a law with far-reaching impacts on society. Patient privacy is a focus of the HIPAA regulations. All patient data must be protected so that only those who are allowed to see the data actually see it. The issue of reliable, secure access to sensitive data that underlies the HIPAA framework takes this project beyond a simple medical motivation to a more general motivation toward secure data transmission and electronic commerce. A neutral third party should verify the statistical error data on biometric devices provided by the manufacturer. Since these devices are being used on the web, new error data must be collected. This motivation points to the long-term goal of a third-party ordering of the reliability or trust level of biometric devices, so that companies could use these trust levels to restrict access to data based on the reliability of the logon device.
Unintended Consequences
Privacy is also an issue when one begins to consider the possible unintended consequences of the project's implementation. If the biometric logon data is not properly encrypted for transmission, it could be intercepted and used for identity theft on a system. Personal privacy advocates would be staunchly opposed to my project on the grounds of identity theft and the potential storing of data such as a picture of a user's fingerprint. Informing the public of the use of secure transmissions, and of the manufacturers' claims that no images of the user are stored in any sort of retrievable or usable format, will help to assuage these fears. Another potential unintended effect of a biometric logon system is workflow slowdown. Because biometric identifiers are unique to each person, there can be no password sharing for easy access to higher-level materials. Our overall system will address this problem by creating a system in which certain users can easily change authorization levels to account for the lack of password sharing. The costs of implementing a system such as the one the project describes would initially be high, but they would drop significantly after the first purchase of the necessary equipment, and the far-reaching benefit of patient privacy would greatly outweigh the original cost of implementation.
Implementation
In order to look beyond the end of this project, one may find it helpful to look to a time when the product being developed is thoroughly integrated into people's lives. Biometric devices could very easily become the standard logon technology for many different aspects of computerized systems. They could replace all current username/password schemes on desktops and the Internet, thus elevating the standard for security on all computer systems. Biometrics could eventually be used to restrict access to secure locations as well. Current electronic door locking technologies could be combined with biometric verification devices to control access to various parts of a hospital or other building with restricted areas.
Informed consent plays a huge role in this vision of the future. One of the biggest risks to its implementation is a lack of widespread acceptance. A fear of identity theft can come both from those who lack knowledge of the workings of biometric technologies and from those with detailed knowledge of biometric systems. Those who lack knowledge of the systems may fear that a picture of their fingerprint or iris (or some other part of the body) is being stored on a company's server, so that the company can do with it as it pleases. The implementer of the technology must explain to users that no pictures of their personal identification marks are being stored, but rather data about these marks is being stored in such a way that such a picture can never be reconstructed. This can be difficult to do since the products tend to show the image on the screen to improve the aesthetic quality of their programs. Those with more in-depth knowledge of the systems may fear data interception through a lack of security. One can more easily inform these people of the protection of their privacy by showing what security measures are in place to protect against such problems.
Obtaining the informed consent of both of these groups is critical to the
realization of the positive impacts of my project. In order to have a successful
experiment, overall informed consent must not be initially present. Instead, a small group
of testers needs to consent to aid in the testing of these systems in order to obtain the
necessary data to prove the reliability of biometric systems. While biometrics is one of
the most promising methods for replacing conventional username/password systems,
digital identification is another alternative to biometrics. Because of the existence of
digital identification technologies in our system, one can safely abandon biometrics as a
means of identification at any time and the focus can shift to these digital forms of
identifying oneself to a computer system.
Monitoring
Because one of the motivations behind this project is third-party testing of biometric technologies, regular reevaluation of biometric technologies is necessary for proper monitoring of biometric reliability. New technologies, as well as upgrades, will need to be evaluated and tested to rank them against current biometric technologies. Because these technologies will be regularly reevaluated, they will also require maintenance on the user end. The systems will require upgrades, and the devices will need to be tested for durability in order to cut down on overall cost.
Some intriguing aspects of social experimentation arise in the application of biometric technologies. Social acceptance of a new technology is a difficult thing to judge, and constant monitoring must be done in order to be certain that the fears of those opposed to such a project do not become realities. Informed consent will play an important role in this acceptance, and the presence of a safe exit at any point in the implementation is very useful in promoting its usage. Because one cannot say that biometrics is the only way to solve the logon problem, biometrics becomes easier to accept as one of a few options instead of the only option.
Chapter Six: Conclusions
Summary
There are two main results of this thesis: a signature biometric system implemented in a web services environment, and a proposed reliability ordering of all existing biometric technologies in the system, which is (1) Iris Scanner, (2) Fingerprint, and (3) Signature. The iris scanner and the fingerprint device are very close in statistical data, and because users prefer the fingerprint device to the iris scanner, the iris scanner should only be used for the most important and sensitive data, while the fingerprint device should allow access to almost all features used on a daily basis.
Interpretation
The signature verification module is important because it allows for more secure wireless access to sensitive data. The test results are an important first step in developing a robust ordering of a multitude of biometric technologies for use by an authorization engine. While the published statistical data for the various biometric technologies easily distinguish them, user preference should also play a role in the choices made, as long as the technology meets a set reliability standard. The existence of four logon methods (password, fingerprint, iris scan, and signature) in the larger system provides the Internet Commerce Group with the ability to demonstrate the designation of trust levels for biometric devices when the authentication service issues a token to a user of the system. Multiple logon devices also allow for the demonstration of how trust levels affect authorization in the Dynamic Context Aware Access Control module.
The results are only useful in a limited scope because of the small number of test
subjects used for the thesis and the small number of systems tested. The lack of a
functional fourth biometric logon technology was a major setback for the thesis. Time
spent on the non-functional voice verification logon prevented work on other parts of the
thesis project and delayed the start of the testing phase. The results of the thesis would
have been more interesting had the voice verification worked because voice and signature
verification have very similar published statistical data. Therefore, user preference would
have played a much larger role in the recommendations. Because the number of users
tested was smaller than originally anticipated, the data is less reliable than projected.
However, the thesis work is still useful because it produced more than just
recommendations on biometric usage.
Recommendations
This thesis provides a roadmap with finished examples for the development of biometric logon devices using web services. The signature verification module developed for this thesis provides a secure logon for the Tablet PC. It also provides a methodology for extensive testing of web-based biometric logon procedures in order to produce third-party statistical data for creating an ordering of trust levels for biometric technologies. Unfortunately, the data collected for this thesis was insufficient for detailed analysis.
In order to further the results of this thesis, the following actions should be
undertaken:
• The Internet Commerce Group should present the findings of this thesis along
with the other theses currently under development to the UVA Medical Center.
• Work should begin on a web-based enrollment management module for
authentication technologies to streamline the use of biometric and other logon
devices in the larger system.
• Other biometric systems should be explored for flexibility in the logon as well as
greater distinctions between trust levels.
• Statistically significant third party data should be sought out or generated for all
biometrics in question.
This work will allow the results of this thesis to be furthered and made more
useful through the application of the designs and modules presented.
Social and Ethical Implementation Issues
Biometrics is a relatively young field in computing, and it has yet to be introduced to the public on a large scale. Therefore, great care should be taken in the implementation of this and similar projects to obtain and maintain informed consent regarding the use of biometric technologies. Because informed consent may be difficult to obtain, biometric technologies should be phased into a system slowly to allow users ample time to grow accustomed to them. Continual monitoring of biometric technologies is crucial, including periodic reevaluation of the trust level of the technologies. Constantly evaluating the technologies upholds the security of the systems they run on by making certain the technologies meet a certain reliability standard. Because digital identification technologies also exist, there is a clear safe exit for biometric technologies should they ever become unreliable, or should the public reject them. Biometrics has a promising future in the computing industry if the technology is properly managed and maintained.
Bibliography
1. Abstracts of Current Projects. http://biometrics.cse.msu.edu/abstracts.html. Accessed July 22, 2003.
2. Daugman, John. Recognizing Persons by their Iris Patterns. Cambridge University. From Iridian Tech KnoWho SDK Compact Disc.
3. Digital Persona. White Paper Guide to Fingerprint Recognition. From Digital Persona SDK Compact Disc.
4. Microsoft. (2001, January). A Platform for Web Services. Web Services Technical Articles. From Microsoft Developer's Network.
5. Public Law 104-191. Health Insurance Portability and Accountability Act of 1996. From http://aspe.hhs.gov/admnsimp/pl104191.htm.
6. Technology: Metrics and Standards. (2002, February). Biometric Market Intelligence, 01, p. 8.
7. Snyder, Andrew. (2003, August). Performance Measurement and Workflow Impact of Securing Medical Data Using HIPAA Compliant Encryption in a .NET Environment. Department of Computer Science, University of Virginia.
8. Weaver, Alfred C. and Samuel J. Dwyer III. (January 1, 2003 – December 31, 2004). Federated, Secure Trust Networks for Distributed Healthcare IT Services. Microsoft Corporation. $250,000.