Dot the i's and cross the t's: identification, verification and authentication in biometric products

“Biometric identification”, “it is necessary to complete verification”, “authentication failed” — these phrases are well known to many of us.
But do we know their true meaning? Do we understand the difference between identification, verification, authentication? Practice shows that not always. Meanwhile, these processes are extremely important for understanding the principles of facial recognition algorithms. We sort out the terminology with the RecFaces team!
About terms and the like
First of all, let us define the three terms and determine how the three processes differ. Despite the frequent mess, this is not so difficult to do.
Identification is one of the most popular mechanisms in biometric technologies. This is a one-to-many comparison. Most often, identification is used in video surveillance systems. In particular, when working with “stop lists” of intruders or offenders. Recognizing the face of a person, the algorithm begins to compare it with other persons in the database. His main task is to recognize one person from many others. Identification is the cornerstone of different RecFaces products. For example, Id-Target, designed to personalize employee-customer interaction and address retail marketing challenges. As well as in Id-Guard, integrated with most of the world's leading video surveillance systems.
Verification is not less popular. Unlike identification, in this case, the algorithm matches the data according to the “one-to-one” principle. The system uses two samples of data and determines their belonging to one person. The simplest example of verification is a physical check of a passport. So, for the border guard, the first “unit” is a photo in the person's passport, and the second one is the person standing in front of him. The “one-to-one” principle is also used when unlocking a smartphone “by face”.
In biometrics the main scope of verification is access control systems. For example, based on biometric verification, a ready-made Id-Gate solution by RecFaces works. Compared to conventional access cards, this technology gives higher protection, since the system matches photos from an existing database with a person's face in real time. In addition, the verification principle is the basis of another biometric product of RecFaces — Id-Check, which allows you to check a person's identity at the same time both “by face” and by passport data.
Authentication is the check of a user's identity by comparing biometric data of a person with data from a database. In fact, authentication is a part of verification. But if verification is more about physical access control, then authentication is about access to information systems. You should distinguish between authentication and authorization. In the first case, we are talking only about checking the user, and in the second — directly about granting the right to access or carrying out any operations.
Let's consider the authentication scheme using the example of the ready-made Id-Logon biometric solution by RecFaces, integrated with the Active Directory system by Microsoft. When a user starts working on a service computer, it is enough for him to enter only his login, and his face becomes a password. The biometric algorithm recognizes personal data, and then compares it to information from the database. After making sure that he or she is “its” person, the system sends a request for verification to Windows, after which Windows gives the command to authorize the user and unlock the device. Note that authentication can be used not only in Windows, but also in enterprise applications. There is also a so-called web authentication. It is used to further verify the identity of a person before conducting any serious activities: bank transactions or money transfers. In this case, biometrics becomes a tool for protecting against fraud in the financial sector.
Global standards
Like other products, biometric algorithms have their own quality measurement tools. Today they are established by NIST — the American “National Institute of Standards and Technologies”.
NIST experts annually test facial recognition algorithms available on the global market, with data sets or checks taking place on different types of data. For example, for individual tests, the so-called visa-photo are used — high-quality pictures on which a person looks directly at the lens. In other mugshots — a photo of acceptable clarity, where a person slightly deflects the head or wild-photo, taken in motion.
Neural networks also make mistakes
Biometric algorithms are based on neural networks. And it is worth realizing that all neural networks can be mistaken to one degree or another. The main errors or “false positives” in biometric identification and verification are false failure or false access. In the first case, the system takes a person with the right of access as a “stranger”, and in the second, vice versa.
Various factors lead to malfunctions in the operation of algorithms, in turn. For example, the training of the neural network itself. It is curious that not only the duration of the training is important, but also the content and size of the data base on which the algorithm was trained. So, if the base mainly contained persons of the Caucasian type, then when processing photos of persons of the Asian type, the number of false positives may differ more from the declared indicators. Another example is recognition people wearing masks. Today it is already difficult to believe, but before the pandemic, algorithms recognized people in masks worse. However, with the beginning of the “era” of coronavirus, developers had to quickly retrain neural networks. As a result, today's algorithms are perfectly sharpened to work with faces both in masks and without them.
Another common reason is the quality of the photo. The ideal option, of course, is visa-photo. It is these pictures that companies, using biometric verification in the work of their ACS, take for the employee database. However, often the algorithm has to work with bad shots. For example, with so-called kiosk-photo made by ATM webcams. The number of false positives in the operation of the algorithm is directly related to the quality of the photo. The quality is also affected by the camera's positioning and how it “sees” people's faces. If the camera is correctly installed and the faces in the frame are received en face, with minimal blur, sufficient depth of sharpness and uniformly illuminated, then the accuracy of the algorithms will be close to the values declared by the manufacturer.
“Traffic light” of similarity
You can minimize the risks of errors using the settings of the biometric product itself. So, you can set the allowable angle of rotation of a person's head during recognition, lower or increase the similarity index. For both verification and identification and authorization, three similarity zones are established.
Red zone — no matches. In this case, the system notifies the security service of the appearance of an undesirable person in the surveillance area (during identification) or denies a person access to the facility, while notifying security or administration officers about the incident (during verification).
Yellow zone — a similar profile was found, but for one reason or another, the algorithm is not sure that this is that person. For example, if we are talking about highly similar people. Or, if the database stores an old photo of a person, and since then he has managed to change drastically his appearance (grow a beard, change his hairstyle, etc.). The yellow zone acts as an additional “filter” against possible cases of fraud with algorithms and helps security officers additionally verify the identity of the person about whom the algorithm has a question.
Green zone — acceptance, the system correctly identified its employee and a stranger.
Multifactorality and facial biometrics
If necessary, facial biometrics can work together with other methods of checking a person's identity. Here we talk about the concept of multifactorality.
So, verification by facial biometrics can be supplemented by verification by an access card, QR code or passport. The system first verifies the card or document, and then the person's face data. But the greatest possibilities for multifactorality are in authentication. Face access can be combined with a regular password, SMS codes, additional account PIN codes (usually combinations of numbers known only to one person) and a liveness system that identifies a real person in front of the camera or not.
The number of factors depends on the tasks of a particular project. The higher the need for security, the more deployed the multifactorality becomes. The speed of the processes is only slightly affected. So, in ready-made biometric solutions of RecFaces, the speed of identification, verification or authentication does not exceed 1 second, even when considering additional checks. You can learn more about the features of using different principles of biometric algorithms using free training courses by RecFaces.