Recognizing humans based on their intrinsic physical or behavioral traits, termed biometrics, has been gaining acceptance. It involves either confirming or denying the identity that the user is claiming. It is especially important in securing access to highly restricted areas (for example, accessing classified documents, control gates and defence-related applications). This chapter discusses the use of brain signals for biometrics at the application level, exploiting the evoked potential approach.
The most primitive and widely used authentication methods for establishing a person’s identity are the textual password and the personal identification number (PIN), which owe their popularity to low cost and user familiarity.
However, these schemes have obvious shortcomings in the form of dictionary attacks, shoulder surfing, and people picking obvious, well-known words which can be easily cracked. Dictionary attacks can be prevented by using human-in-the-loop verification (Pinkas & Sander, 2002) and encrypted key exchange methods (Bellovin & Merritt, 1992), but operating system vulnerabilities and access control failures may lead to disclosure of password databases. The use of a PIN actually denotes the automatic identification of the PIN, not necessarily identification of the person who has provided it. The same applies to cards and tokens, which could be presented by anyone who successfully steals the card or token. The system and its information are definitely vulnerable during the period before a user’s card or token is revoked. Even the recently proposed graphical password, which is motivated by the fact that people have a remarkable memory for pictures, seems to share similar problems, along with the shortcomings of guessing attacks (Thorpe & Van Oorschot, 2004) and a reduced effective password space. The ominous presence of mobile phone cameras, digital cameras, and wireless video cameras brings in a new threat in the form of “recorded shoulder surfing” for high security applications.
Hence, biometric technology based on measurable physiological and/or behavioral characteristics (e.g., fingerprints (Roddy & Stosz, 1996), the iris (Daugman, 2004), and voice recognition (Monrose, Reiter, Li & Wetzel, 2001)) is often considered to surpass conventional automatic identity measures like passwords and PINs by offering positive human identification.
Fingerprint biometric systems have found their way into many public person identity databases (Maltoni, Maio, Jain & Prabhakar, 2003), but they do not seem suitable for high security environments. Recent articles and studies (BBC, 2007a; Matsumoto, Matsumoto, Yamada & Hoshino, 2002) show that common household articles (e.g., gelatine) can be used to make artificial fingers and prints to bypass the security systems. Also, the development of scars and cuts can result in erroneous fingerprint matching results, thus increasing false rejects. Voice recognition as a biometric seems to suffer from several limitations. Different people can have similar voices, and a person’s voice may also change over time because of health, emotional state and age. Face recognition has been used as a biometric system, but issues like family resemblance and the occurrence of identical twins (one in every 10,000) seem to call its reliability into question. A recent article shows that face recognition systems can be bypassed by using still and video images of a person (BBC, 2007b). It is also inherently unreliable where high security is needed, because there is not nearly enough randomness in the visual appearance of people’s faces, and small variations in pose angle, illumination geometry, and facial expression have disastrous effects on the accuracy of the authentication algorithm (BBC, 2007b).
Another issue facing many biometric systems is the fact that biometric data (e.g., fingerprints or iris scans) carry information which is valid and unchangeable for the lifetime of the user and is irreplaceable if stolen. However, it is a known fact that no biometric is expected to effectively meet the requirements of all applications. The choice of a specific biometric depends completely on the requirements of the application domain.