Breakthroughs in technology, together with a heightened need for higher-level security, have brought renewed attention to biometrics as a means of physical access control. Bill Spence of the Recognition Systems division of IR Security & Safety is the author of this special report. This first installment in the report’s series provides an executive briefing on practical issues of biometrics and the need to understand error rates.

The first question, once you have decided to consider biometrics, should be “Is this technology right for me?” After getting comfortable with the technology and succeeding in justifying it, the next step is deciding which biometric technology is right for the specific application. Certain technologies are extremely well-suited and thoroughly proven in access control applications. Others are still relatively untried or unreliable.

For the majority of access control applications in use today, there are several practical and proven methods ranging from hand and finger to iris. One way to compare systems is by error rates.

Biometrics includes captured data compared to "live" data.

Don’t Overlook Error Rates

There are several types of error rates to consider in the practical selection of a biometric device. Security professionals typically concentrate on preventing an unauthorized individual from entering. However, if a biometric device (or any other access control method) does not consistently recognize and allow entry to authorized people, it won’t remain on the door for very long. The real job of security is as much to let only authorized people into specific places as it is to keep the unauthorized people out. Therefore, it is important to ensure that the biometric device does a good job of recognizing the authorized users.

The reality is that biometric devices aren’t perfect, and all will make some errors.

Biometric devices can make two kinds of errors: the false accept, in which the device accepts an unauthorized person, and the false reject, in which the device rejects an authorized person. Picking the right biometric device requires careful analysis of which type of error will have the greater impact on both security and everyday operations.

Because different types of biometric devices have widely differing false reject and false accept rates, the parameters of the specific application must be considered. Where a device serves a small population or has limited use, a higher false reject rate may not make much difference. In larger populations or with frequent use, a high false reject rate can affect enough people to make the system impractical.

For example, in a group of 20 people who each use the device twice a day, a 2 percent false reject rate would cause an average of less than one person per day to be wrongly denied access. With 100 people going in and out four times daily, generating 400 transactions, the resulting eight false rejects per day could be enough to cause the device to be removed. Therefore, it is important to focus not only on the ability of the device to deter unauthorized entry but also on its ability to let authorized people in.

Biometric device manufacturers claim a broad range of results, but check further to be sure the claims can be substantiated. For example, a manufacturer can claim its false reject rate is 0.1 percent, but just as important is how this number was derived and over what period of time. The time over which a result is generated is critical to the validity of the results.

Checking a device’s operation over a few weeks will not necessarily give a representative result for projecting over the years the device is expected to be in operation. In fact, some biometric technologies experience higher error rates during the wintertime, due to the dryness of the season. Will the manufacturer provide results to substantiate its claimed performance over time?

Failure to Enroll Problems

Another significant factor, too often overlooked, is failure to enroll. This is usually due to the particular biometric technology being unable to read the characteristics of a given person for various reasons. The failure to enroll rate is multiplied by the number of expected users; the false reject rate is multiplied by the number of transactions over time, since every single attempt is an opportunity for a false reject.

The false accept rate should not be overlooked, since it provides the essential deterrent that is critical in all security applications. Again, just like the other error rates, it must be put in the context of the application. As an example, if a group of 100 people use a given door four times per day, it adds up to 400 transactions per day or 2,000 transactions per week. A one percent false reject rate will create 20 problems within one week, which is high given the context of a 100-person group. As for the false accept rate, one must remember that a false accept can only occur when an unauthorized person attempts to gain entry. So by contrast, the number of false attempts by unauthorized persons during the same week would be considerably lower in all cases.

This contrast and the frustration of dealing with a high number of false rejects will have authorized users and management alike looking for a way to replace the biometric system with something else if these factors are not considered up front.
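The scaling rules above, and the question of how a claimed rate was derived, can be worked through in code. This is an added example, not part of the original report: it goes beyond the text by using a Wilson score interval (a choice made here) to bound a vendor-claimed false reject rate by trial size, and the failure to enroll rate, false accept rate and impostor attempt count are constructed values.

```python
import math

def expected_errors(users, uses_per_day, days, frr, fte=0.0,
                    impostor_attempts=0, far=0.0):
    """Expected error counts: failure to enroll scales with users, false
    rejects with genuine transactions, false accepts with impostor attempts."""
    transactions = users * uses_per_day * days
    return {
        "transactions": transactions,
        "failed_enrollments": users * fte,
        "false_rejects": transactions * frr,
        "false_accepts": impostor_attempts * far,
    }

def p_any_false_reject(transactions, frr):
    """Chance that at least one of the transactions is a false reject,
    treating attempts as independent (an assumption)."""
    return 1.0 - (1.0 - frr) ** transactions

def wilson_upper(errors, trials, z=1.96):
    """Upper end of the 95% Wilson score interval for an observed error rate."""
    p = errors / trials
    centre = p + z * z / (2 * trials)
    margin = z * math.sqrt(p * (1 - p) / trials + z * z / (4 * trials ** 2))
    return (centre + margin) / (1 + z * z / trials)

if __name__ == "__main__":
    # The report's cases: 20 people x 2 uses and 100 people x 4 uses at 2% FRR.
    print(expected_errors(20, 2, 1, frr=0.02)["false_rejects"])
    print(expected_errors(100, 4, 1, frr=0.02)["false_rejects"])
    # One week at 1% FRR; FTE, FAR and impostor attempts are constructed values.
    print(expected_errors(100, 4, 5, frr=0.01, fte=0.02,
                          impostor_attempts=10, far=0.001))
    # A claimed 0.1% FRR observed as 1 error in 1,000 trials versus 100 in 100,000.
    print(wilson_upper(1, 1000), wilson_upper(100, 100000))
```

With only 1,000 trials behind it, an observed 0.1 percent rate is still consistent with a true rate more than five times higher, which is why the size and duration of the vendor's test matter.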