Expert insights on biometrics

Raul Sanchez-Reillo is a full-time Professor at University Carlos III of Madrid (UC3M) in Spain. He has also been the Head of the University Group for Identification Technologies (GUTI) since 2001. Prof. Sanchez-Reillo has been working across several biometric modalities, currently vascular, handwritten signature, fingerprint, face, gait and ECG.

Below are the excerpts from the interview...

Megha Roy Zwipe 10. January 2022

You have been in the area of biometrics for a long time. Looking back, how do you define the evolution of biometrics over the years?

Biometrics has evolved in several ways: from a few researchers working in the field to getting the focus of the international community after 9/11. Also, improvements such as computing power, neural networks, deep learning, etc. have allowed algorithm performance and portability to be boosted. Capture devices have also improved a lot, considering new acquisition technologies, where the best example can be found in fingerprints.

Another notable change has been the creation of independent evaluation entities (either as certified laboratories or as public competitions), clarifying the real performance of this technology, in contrast to the performance metrics claimed by manufacturers.

How would you characterize the differences among biometric modalities?

I believe there is no single solution for biometrics, i.e., there is not one single biometric modality that can be considered best and the only one to be used. Scenarios, cost, security, user acceptance, etc. are parameters that can place a lower-performance modality as the most preferable option. One fine example is voice biometrics, which experiences huge challenges in real scenarios, but is the best option in over-the-phone scenarios.

Also, depending on the capture device used, the performance of a biometric modality may differ greatly. Choosing one or another is typically decided according to either cost or even sensor size (e.g., a fingerprint sensor for an Automatic Border Control system is not even comparable with the one integrated into a smartphone).

An important factor is to analyze the risk involved in the operation, and then consider whether the modality is suitable or not, or if it must be complemented with any other modality, authentication factor, or PAD mechanisms.


What are the technological drivers for change in biometric recognition? Is it more on the sensor or the algorithm side?

Every single aspect is important, and sometimes the focus should not be placed on technology, but on system implementation or the policies involved. For example, it is very important to let the user feel comfortable with the system and to teach them to use the system correctly. Therefore, a suitable enrolment policy is perhaps even more important than the technology used.

Considering sensors and algorithms, in many modalities, algorithms have reached a high-performance level under lab conditions. But they must face important challenges in real conditions. This is where sensors might come to help. A sensor that can acquire a high-quality sample in all (or most) situations is a must. Also, a sensor/device design that allows a proper interaction of the user with the system will improve the performance in real conditions.

What are the notable trends you witnessed in biometric recognition?

These days, there is a significant focus on PAD, but in my opinion, there is a lack of taking the problem at a more holistic level. For example, most of the work on PAD bases its input on static samples (e.g., a still image), trying to detect artifacts in the sample that may show that it is an attack. A more interesting approach is to consider not only the result of the sample presentation, but also the whole process of the user presenting the sample, i.e., gathering dynamic information and analyzing whether it is a proper human interaction.

For some modalities/algorithms, there is also the need to work on verification in open sets, i.e., without having to enroll the whole population in a centralized database, then training a model to achieve high performance.

How do you view fingerprint presentation attack detection? What are some of the promising technologies in anti-spoofing?

It is a must, with low-cost sensors such as the ones in smartphones (they are so easy to attack). As said above, algorithm solutions based on still images are not a good solution. Using dynamic information may achieve universality in PAD. If it is possible to add new sensors, then acquiring additional ones at the presentation act is extremely valuable.

Another approach is to complement fingerprint with "an internal biometric modality", such as ECG, not allowing the fingerprint verification until a certain threshold has been passed in the ECG verification.

How do you see fingerprint biometrics being integrated into payment cards via a BSoC, which includes the capturing device?

If payments are involved, the risk of attacks increases. Therefore, unless PAD is present, and you can prevent a chopped finger from being used for authentication, I really do not like the idea. Being a bit more optimistic, I rather prefer BSoC over smartphone solutions. Having said so, if you consider the number of people paying nowadays with the phone, with the only authentication mechanism being unlocking your phone, and with that unlocking mechanism being a fingerprint presentation with no PAD mechanism implemented (i.e., being so easy and cheap to attack), then the current scenario is frightening. But we're living with it!

Lastly, how do you differentiate between biometric payment cards and off-card biometric recognition?

At least, by paying with a card, you do not allow third parties (such as Google or Apple) to track your shopping. Unlocking a phone is much easier than a PIN presentation, but it is also much easier to be seen and copied by others. If you lose your smartphone, you lose most of your credentials, and all your life is exposed, including your financial mechanisms. But you will notice much sooner if you lose your phone than if you lose your card!


PAD: Presentation Attack Detection

BSoC: Biometric System-on-Card