Authentication

Cardholder authentication is the process of verifying that the user of the card is the owner or authorised user of that card. Not all applications require the cardholder to be verified. For example, the presentation of a transport smart card containing a valid ticket or concession is usually enough to allow travel on public transport. Where it is important to know who the user is (such as for financial or identity uses), cardholder verification is normally required.

The conventional method for cardholder authentication is for the recipient to compare the signature on the payment slip with the signature on the back of the card. With self-service terminals the conventional method is for the customer to key in a 4-digit personal identification number (PIN). Customers often have difficulty in remembering too many PINs (particularly if they are used infrequently), so they are prone to writing them down, which lessens the security of the system. People with dyslexia can have problems in remembering the digits in the correct order.

Numerous biometric systems have been developed to improve the security of cardholder authentication, including fingerprints, corneal patterns and facial recognition. For people with disabilities, it would be desirable for the customer to be able to choose to use an alternative method of customer verification; for instance, a customer with damaged fingers might want to use a PIN instead of fingerprint recognition.

Do not use a single biometric identification method, such as fingerprint, iris pattern or speech pattern recognition, as the only user identification method. If any of these are used, provide users who do not have the required biological characteristics with an alternative method, such as a different biometric identifier or a PIN code.

If access to the terminal requires using a PIN or other access code, do not require users to remember one which has been supplied to them but not chosen by them.

Rationale

Biometric identification methods rely on identifying biological attributes which are unique to the individual human being, such as fingerprints, iris patterns or speech patterns. However, for each of these characteristics, there is some proportion of the user population who do not have the required biological part. They may, for example, have no hands, no irises or no ability to produce constant natural speech. However, they must still have a way to identify themselves to the terminal.

In Europe, more than 25 million people have dyslexia to the extent that they cannot reliably remember and use a 4-digit PIN unless they can choose their own number. In addition, people with intellectual impairment may have a problem keeping the number secret, so a biometric identification method would be more suitable for them.

Biometrics commonly used to confirm identity include:

  • Fingerprint recognition;
  • Iris recognition;
  • Face recognition;
  • Hand geometry recognition;
  • Vein recognition;
  • Voice recognition; and
  • Dynamic signature recognition.

A biometric system is essentially a pattern recognition system that operates by acquiring biometric data from an individual, extracting a feature set from the acquired data and comparing this feature set against the template set in the database.

Some of the physiological and medical factors that can affect the usability and efficiency of biometrics are examined below.

For visually impaired people:

  • Aniridia, absence of iris, a phenomenon found in 1.8 out of 100,000 births, which affects both eyes for genetic reasons;
  • Similar effects may be caused by laser iridotomy (used to correct angle-closure caused by glaucoma);
  • Blind people can have problems because of the difficulty of aligning their eyes with the camera;
  • A similar case is that of people with pronounced nystagmus (tremor of the eyes);
  • People that have been operated on for cataracts may need to be re-enrolled, although empirical evidence suggests that relatively few people need to do so.

For hearing impaired people:

  • Speech may be affected due to loss of hearing resulting in difficulty using voice recognition systems;
  • Inability to hear instructions, for example from the camera of face and iris recognition systems.

For physically impaired people:

  • Conditions such as arthritis may affect usability (it may be difficult to position the finger and/or hand correctly);
  • Skin conditions such as eczema may cause blistering on the fingertips;
  • Any kind of surgery that significantly changes the structure of the face will require an individual to re-enrol;
  • Cuts, bruises and swelling can have a temporary effect on face or hand images;
  • Inability to use hand or finger based systems due to loss of limbs and/or digits;
  • Crutches may make it difficult to stand steadily;
  • Drooping eyelids;
  • Wheelchair users can face usability barriers due to the usual location of cameras and insufficient height variation possibilities;
  • Changes in medical condition can be faster than normal ageing effects;
  • Those with cerebral palsy, multiple sclerosis, muscular dystrophy, motor neurone disease etc, may have little control of their muscle movement and may find it very difficult to hold their head or fingers still long enough for a facial, iris or fingerprint recognition device.

For cognitively impaired people:

  • Dyslexia, language, learning or knowledge retention difficulties may make it difficult to reliably and consistently provide a biometric sample or otherwise navigate through an automated process.

For people who are language impaired:

  • Speech and language disabilities include functional limitations in comprehension and expression, voice response rate, quality of voice and fluency, and stuttering, which may affect using voice recognition systems;
  • Colds and laryngitis can have a temporary effect on the voice.

For older people:

  • Biometrics usually have higher failure rates with the very old. As people get older, ageing processes tend to degrade biometrics. For instance, the ridges of their fingerprints wear down and cataracts are more prevalent;
  • In addition to visual impairments, many older people have a combination of impairments (cognitive impairments such as dementia, physical impairments such as arthritis and Parkinson's disease etc). Also, multi-tasking becomes less easy. The effect of all these factors is that many older people may have problems in using a biometric terminal at the same speed as their younger counterparts, if at all.

Accessibility problems may not be restricted to disabled people. Other groups of people may be affected, for example:

  • People carrying out construction and manual work: working with cement and chemicals may wear down fingerprints;
  • The wearing of veils due to religious reasons may result in some people being unwilling to use certain biometric technologies such as face and iris recognition systems;
  • People who have had cosmetic surgery (e.g. botox) may have problems with face recognition systems, in particular at the authentication stage if they have had the procedure after the enrolment stage; and
  • Cold weather may affect people using fingerprint and signature recognition systems, especially if the authentication terminals are outside.

Directions and Techniques

Either allow the user to make up a PIN when they register or, if one is supplied to them, allow them to change it at any time, or at least the first time they use the service.

Consider providing an alternative access security mechanism such as biometric identification for users who find PINs difficult to remember.

When using biometric authentication, ensure that the authentication terminal is comfortable to use. For instance, enrolment of fingerprints will normally be done with the subject sitting down. However, authentication in normal use may be done with the subject standing. It is important that the height and angle of the fingerprint reader are comfortable for both a tall person and someone in a wheelchair. If it is not viable to make the reader a variable height (or on a flexible lead), it might be helpful if it was able to tilt to allow a comfortable angle for the wrist. A wrist rest might be beneficial for a subject with hand tremor.

Two (or more) modalities could be combined in parallel to produce a system that would allow more flexible use. For example, biometric systems built for both fingerprint and face recognition could allow the use of only the facial image for verification when users have problems enrolling their fingerprints and vice-versa. Moreover, this procedure could prove extremely useful to those users who have temporarily lost the ability to provide one of their biometric traits (for example, a temporary eye problem that rules out an iris scan). The same could apply in cases where people refuse to use a specific modality (for religious or health purposes, for instance). A multi-modal system, therefore, allows enhanced flexibility by providing alternatives for the identification process.
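The following sketch is an added example, not code from the original guidance. It shows one way a terminal could combine parallel modalities with a user-chosen, changeable PIN as described above: a method the cardholder never enrolled is skipped without penalty, while real failures share one retry counter so that offering alternatives does not multiply the guessing budget. The names, thresholds, retry limit and toy feature-vector matcher are all assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

MAX_FAILURES = 3                                   # assumed retry budget, shared by all methods
THRESHOLDS = {"fingerprint": 0.90, "face": 0.90}   # assumed per-modality match thresholds

def pin_digest(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def similarity(sample, template) -> float:
    """Toy matcher (1 - mean absolute difference); stands in for a real one."""
    return 1.0 - sum(abs(s - t) for s, t in zip(sample, template)) / len(template)

@dataclass
class Cardholder:
    templates: dict = field(default_factory=dict)  # modality -> enrolled feature set
    salt: bytes = b""
    digest: bytes = b""
    failures: int = 0

    def set_pin(self, pin: str) -> None:
        """Store a PIN chosen by the user; call again at any time to change it."""
        if not (pin.isdigit() and len(pin) >= 4):
            raise ValueError("PIN must be at least 4 digits")
        self.salt = os.urandom(16)
        self.digest = pin_digest(pin, self.salt)

    def methods(self) -> list:
        """Methods this user can actually use: the terminal offers only these."""
        enrolled = [m for m in self.templates if m in THRESHOLDS]
        return enrolled + (["pin"] if self.digest else [])

def verify(user: Cardholder, method: str, sample) -> str:
    if user.failures >= MAX_FAILURES:
        return "locked"
    if method not in user.methods():
        return "not_enrolled"            # no penalty: prompt for another method
    if method == "pin":
        ok = hmac.compare_digest(pin_digest(sample, user.salt), user.digest)
    else:
        ok = similarity(sample, user.templates[method]) >= THRESHOLDS[method]
    if ok:
        user.failures = 0
        return "accepted"
    user.failures += 1                   # one counter for every method
    return "locked" if user.failures >= MAX_FAILURES else "rejected"
```

Each modality keeps its own threshold, so accepting face instead of fingerprint does not lower the bar for either one.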

An ISO standard is under development that will highlight the needs of the disabled and suggest practical ways of addressing their needs:

  • Systems using a biometric should be designed so that as many potential users as is reasonably possible can use the system effectively and with the minimum of discomfort;
  • In the design of such new systems or services, the needs of disabled users should be considered from the outset;
  • For users with a disability, adequate training in the use of the system should be offered;
  • Wherever practical, the user should have a choice of biometric systems and should not be discriminated against if their disability prevents them from using a specific biometric;
  • Where no alternative biometric is available and where the disability prevents the use of this biometric, users should be permitted to use an alternative method. Wherever practical, the use of such an alternative should not result in an inferior level of service or functionality to the user;
  • If the user can no longer use a verification system reliably, the user should be provided, wherever feasible, with the opportunity to repeat the registration process;
  • Staff supervising systems using biometrics should be trained in how to process disabled users;
  • A system using a biometric should not store details of a user's disabilities without their informed consent;
  • The privacy rights of a disabled user should be the same as those of a non-disabled user.

How you could check for this

Before authentication systems are deployed, both the registration and authentication environments should be thoroughly tested with users who represent the widest range of abilities (that is, in respect of visual, auditory, physical, cognitive and behavioural ability).

During testing, the following key checks should be made:

  • An alternative to a PIN is provided;
  • There is the ability to change a PIN;
  • There is a choice of biometric verification;
  • Instructions regarding lost and stolen cards are clear.