Copyright © 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Fingerprint Identification: An Aid
to the Authentication Process
By Rodger Jamieson, Ph.D., CA, Greg Stephens and Santhosh Kumar
F
ollowing the terrorist attacks of 11 September 2001 and the
ongoing war against terrorism, there has been a worldwide
effort by governments to develop a biometric standard that
“could be used to identify airline passengers, control access to
high-security buildings and record the details of convicted
criminals...(implemented in) biometric technology, which uses a
chip to store biological information, such as face scans, iris
patterns and fingerprints.”1 Terrorism, ID fraud and cybercrime are
just a few of the reasons for investigating biometrics.
The purpose of this article is to investigate the application
of biometrics to the task of security, particularly the
authentication/verification processes. In addition to the reasons
provided above, there is a greater emphasis on e-business
systems, with these applications being developed for
distributed deployment and a diverse range of stakeholders.
Clearly, a major issue is the authentication of remote users,
that is, being reasonably certain that the individual is whom
he/she purports to be. Traditionally, a number of electronic
means have been attempted, such as user ID/passwords,
public/private keys and various forms of encryption.
As technology advances and provides more specialised
equipment, other means are becoming practical. This article
looks at the potential of fingerprint recognition as a means of
verifying a remote user. Fingerprinting has been selected as it
is the least invasive biometric system. This article looks at the
advantages and disadvantages, audit implications, and the
usability of fingerprint authentication.
Like most technical fields, biometrics and its associated
systems have a multitude of definitions. Most definitions are
dependent on the context in which the subject is being
discussed. For the purpose of this article, biometric systems
will be defined as:
“Automated methods of verifying or recognising a
living person on the basis of some physiological
characteristics, such as fingerprint or iris patterns, or
some aspects of behaviour, such as handwriting or
keystroke patterns.”2
This definition has a physiological and a behavioural
aspect. The differences between using physiological and
behavioural identifiers are quite significant, especially when
considering accuracy, cost and acceptance by the user. These
differences will be considered later.
Why Biometrics?
Biometric systems use points of measurable uniqueness to
determine identities.3 This technology can act as the front end
to a system that requires precise identification of those
requesting access before the system may be used. This concept
is essentially what password systems attempt to achieve;
knowing a password provides access to a system or location.
There is, however, one fundamental difference between access
systems using passwords and those using biometric methods.
JOURNALONLINE
Password systems are identity-nonspecific. They can be
stolen, given to other users and, in some cases, guessed,
meaning that there is no guarantee that the person logging on is
the owner of that password. Put simply, there is no foolproof
way to prevent unauthorised intrusion or to determine user
identity beyond doubt.4 By contrast, biometric systems use
identifiers that are inexorably linked to the user in question.
These range from fingerprint and voice scans to iris and retinal
pattern recognition. The premise behind using such identifiers is
that they are unique, generally not subject to change, and cannot
be stolen, lost or forgotten.5 This is not to say that biometric
identifiers are infallible. They do, however, represent a useful
method of linking identity to specific system users.
How Biometrics Work
Biometric systems generally comprise three basic
components:6
• An automated mechanism scans and captures a digital or
analogue image of a living individual’s characteristics.
• Another mechanism handles compression, processing,
storage and comparison of the collected data with the
stored data.
• A third component interfaces with the application system to
which the user is attempting to gain access.
Obviously, the configuration of such a system may be
altered to suit a particular situation. However, the majority of
biometric control systems follow this simple model.
It should be noted that there is one crucial step required in
setting up a biometric system: enrolment. The only way to gain
access to a biometrically controlled system is to enrol.
Enrolment is required to generate a reference template. The
methods of enrolment vary according to the device used but
usually involve scanning the required biometric data a number
of times to gain an accurate measurement. A template is then
created and linked to the user’s identity.7 This template provides
the reference for comparison when access attempts are made. It
is the storage and risk of misuse of such templates that create
the most concern for users. This issue will be discussed later.
Types of Biometrics Systems
Biometric systems fall within two broad categories:
physiological and behavioural. Physiological characteristics
are stable physical features, such as a fingerprint, hand
structure, retinal or iris pattern, or facial feature. They are
generally unchangeable, except by surgery or accident, and are
constant over time.
In contrast, behavioural characteristics reflect an
individual’s psychological state and thus are affected by such
factors as stress, fatigue and illness (colds included). Most
behavioural characteristics alter over time. For example, the
voice print from a user with laryngitis can seriously confuse a
voice-based access control system. Hence, systems designed to
measure such characteristics often need to redefine their
reference templates to reflect these changes. This need to
update the reference template reduces the usability and
reliability of behavioural-based systems.8
There is a large number of technologies and systems that
come under the heading of biometrics. To consider each one in
turn would not do them justice within the confines of this
article. Consequently, one such technology, fingerprint
identification, will be considered in some detail. This article
will outline how it works, its relative advantages and
disadvantages, and its current and future uses. Then, the ethics
of collection and maintenance of repositories of such personal
identification information will be considered.
An Example: Fingerprint Identification
With reference to the types of biometric systems discussed
above, fingerprint scanning is classified as a physiological
system. The human fingerprint is a unique identifier that is
intrinsically linked to each individual and thus cannot be lost,
stolen or transferred between individuals. Moreover, no two
fingerprints are identical, which greatly assists in linking the
user’s access key to the user. Finally, barring serious accident
or surgery, fingerprints are constant over time.
Although there are variations amongst the fingerprint
scanners available on the market, the principle behind how the
user is identified is generally the same. A light-sensitive
device, either a scanner or camera, takes an analogue image of
the fingertip. The image is then digitised and compared with
template records that were created during the enrolment
process. At the most basic level, these systems work by
matching relationships amongst minutiae—the points on
fingertips where print ridges end or divide. More complex
scanning systems also examine other major features, such as
the arch, loop and whorl that appear on the finger.9
Despite popular misconceptions, these systems do not
require a perfect, 100 percent match of all identifiers. Through
the use of a number of complex mathematical techniques, a
scanner requires only a match that is statistically significant.
This matching process has a number of advantages, the most
obvious of which relates to storage. The actual fingerprint is
not recorded; rather, the scanning device performs a reduction
of the image into data points that describe the fingerprint
layout in a statistical, rather than physical, form. This method
greatly assists in reducing the chances of reproducing a
fingerprint for fraudulent use.10
Automated Fingerprint Identification System (AFIS)11
technology has been used in law enforcement over the last 25
years, and the use of AFIS technology is rapidly expanding in
a number of new applications areas including welfare.
However, the rush to capitalize on the benefits of this
technology, in advance of appropriate standards and
technology validation methods, is likely to result in a
widespread failure to achieve the very valuable programmatic
expectations over the long term.
For serious large-scale, positive-identification applications,
no other available biometric technology comes close to
fingerprints. Fingerprint identification technologies are:
• Well established—Fingerprint identification has been used
in law enforcement applications over the past 100 years and
has become the de facto international standard for positive
identification of individuals.
• Proven—AFIS technology has been developed, refined and
proven in demanding law enforcement applications over the
last two decades.
• Legally accepted—Legal precedents, which have been
established in the US court system, make fingerprints the
only biometric proof of identification that is readily accepted
in legal proceedings.
• Mature—Fingerprint identification technologies are well
beyond the research and development stage, as evidenced by
the fact that a number of viable manufacturers produce
competing products for a widespread and well-established
marketplace. In most other biometrics, the technology is
available from only a single vendor, making any large-scale,
long-term application very risky.
Recent advances in computing and digital imaging
technology have led to the introduction of new AFIS
methodologies using electronic “live-scan” plain-impression
fingerprint images as the basis for identification. The
proliferation of plain-impression AFIS systems is rapid and
accelerating at the state and national levels (US) in large-scale
applications, including welfare, driver’s licenses, border
control, immigration and military personnel identification. For
more detailed coverage of this area, refer to
http://onin.com/fp/afis/afis/html.
Advantages and Disadvantages
As with all biometric systems, there are a number of
advantages and disadvantages associated with using fingerprint
scanning to confirm an individual’s identity. Often, weighing
the various benefits and costs associated with particular
biometric methods greatly affects which systems are
implemented by an organisation and, in some cases, whether
biometric systems are adopted at all. In the case of fingerprint
scanning, the relative advantages and disadvantages are
reasonably straightforward.
The advantages include:
• Acceptance—As most people are familiar with the use of
fingerprinting for identification purposes, it is generally
accepted as a technology. Most people understand its
applicability to access control.
• Accuracy—By and large, fingerprint technology is accurate.
There is a small chance of rejection of a legitimate print,
i.e., there is a chance of accepting a false print or a chance of
rejecting a legitimate print. The chances of accepting a false
print are very low.
• Ease of use—Very little time is required for enrolment with
a fingerprint scanning system. Unlike other biometric
devices, such as retina scanners, fingerprint scanners do not
require concentrated effort on the part of the user.
Accordingly, one could consider fingerprint scanning to be
relatively nonintrusive.
• Installation—Changes in technology have made fingerprint
scanners relatively easy to install and inexpensive. Most
fingerprint scanners are now very small and portable.
Plug-and-play technologies have made installation very easy.
In many cases, the scanning device has been incorporated
into keyboards, mouse buttons and even notebook computers.
• Training—Due to the intuitive nature of scanning
fingerprints, such devices require no training to use and little
training to support.
JOURNALONLINE
 • Uniqueness—As noted previously, fingerprints are a unique
identifier specific to the individual.
• Security—Fingerprints cannot be lost or stolen, and are
difficult to reproduce. Furthermore, storing fingerprint
templates as statistical algorithms rather than complete
copies ensures that the ability to reproduce these unique
identifiers is significantly reduced.12
The disadvantages include:
• Acceptance—Although also an advantage, user acceptance is
not guaranteed. Fingerprint scanning crosses the fine line
between the impersonal and nonintrusive nature of passwords
and personal identification numbers (PINs), and utilising part
of an individual’s body to identify him/her. As will be
discussed, some people view this as an invasion of privacy13
or worse.
• Injury—Injury, whether temporary or permanent, can
interfere with the scanning process. In some cases
reenrolment is required. For example, bandaging a finger for
a short period of time can impact an individual if fingerprint
scanning is used in a wide variety of situations. Something as
simple as a burn to the identifying finger could prevent use of
an automatic teller machine (ATM).
• Security—As some authors have argued, there is nothing to
suggest that the same technology that is used to store
fingerprints as statistical algorithms cannot also be used or
modified to recreate accurate depiction of the print itself. This
raises serious concerns related to how such data should be
stored, maintained and protected to prevent fraudulent use.14
Issues With the Use of
Fingerprint Identification
Transmission and Storage
The truism that the majority of physiological characteristics
are almost impossible to alter, fingerprints being one of them,
introduces a major drawback of biometric systems.15 When a
user wishes to gain remote access to a device that is controlled
by a biometric system, e.g., an ATM, the terminal must
transmit the biometric measurements to a host database for
comparison. This creates two potential weaknesses in the
system. One relates to the security of the transmission method
used, and the other relates to the security of and access
permissions controlling the database in which the reference
template is stored. If the security of these systems is weak, it is
conceivable that the biometric measurements could in some
way be copied and fraudulently used.
Considering the number of possible applications of this
technology, the implications for such fraudulent use could be
disastrous. Unlike passwords or PINs, which can be changed if
compromise is suspected, fingerprints are unique identifiers
that cannot be altered. Furthermore, due to their unique nature
and the perceptions this creates, the existence of a fingerprint
authorisation for a fraudulent transaction represents a virtual
admission of guilt. Consequently, for such authentication
techniques to be effective and confidently used, the
transmission of biometric data and the storage of biometric
templates must attract tight security.16
The large number of potential applications and the
consequent variety of individuals, companies and agencies that
would require access to stored templates make the physical
storage requirements of biometric templates a major issue
JOURNALONLINE
itself. If the fingerprint scanning example was extended to
include the population of Australia, the overhead costs of
collecting and storing approximately 20 million unique
fingerprints would be enormous. Added to this is the question
of who and what agencies would require access to such
information. In the case of fingerprint templates, there are two
possible storage solutions.
First, biometric templates could be stored in a series of
centralised databases. As noted, the overhead becomes quite
large when considered in reference to a country’s population.
Also, users may be required to interact with a number of
databases depending on their access needs. For example, such
templates could be kept by the Australia Taxation Office
(ATO) for taxation purposes, the Road and Traffic Authority
(RTA) for licensing information, on a server controlling access
to the user’s home, or on specific devices such as personal
digital assistants (PDAs) or even cars. The more places such
information is kept, the greater the possibility of unsavoury
elements of the community stumbling upon a database
with weak security and capturing biometric templates for
fraudulent use.
An alternative to database storage is the use of smartcards.
Smartcards store the biometric template and are carried by the
user. To gain access to a fingerprint-protected system, a user
would insert the smartcard containing the fingerprint template
and then have a fingerprint scan taken. The results of the scan
are then compared with the information on the card to
determine authenticity. This process is conducted at the point
of access and needs no interaction with additional systems.
Consequently, there is no risk of transmission interception and
no requirement to hold such information centrally.17
Ethical Considerations
One of the greatest concerns raised in response to the
increasing use of biometric authentication systems has been
the issue of privacy. Organisations such as Fight the
Fingerprint and the Electronic Privacy Information Centre
argue that there is great scope for abuse of biometric systems
by government agencies and the private sector. Coupled with
this, there are very few directives or standards established by
legislature or adopted by industry regarding the dissemination
of biometric information.
By way of example, an individual is required to provide a
fingerprint template to an employer to gain access to a place of
employment and the devices required to carry out his/her tasks
as an employee. This template is then linked to the employee’s
personal records, which outline employment history, salary
and financial information, dependant details and residential
information. An unscrupulous organisation could then sell this
linked biometric data to direct marketing firms, mail-order
houses and even government agencies, which would then have
access to a ready-made personal profile of each individual. It
has been argued that when such cross-matching occurs, the
fine line between relevant information tracking and an invasion
of privacy is blurred.18
To take a more extreme view, fingerprinting has been
described as a “Big Brother” population control method (e.g.,
by Fight the Fingerprint). Most people readily accept the use
of PINs, signatures and photographs as legitimate methods of
identification and access control. They are impersonal and not
physically connected to the individual. Biometric data, in 12
Op. cit., I/O Software; Op. cit., Java Card Special Interest
contrast, are an intrinsic part of the human body. Therefore, a Group; White, R.; “Face vs. Fingerprint Identification,”
number of organisations and individuals find such methods of 1999, www.zdnet.co.za/pccomp/stories/reviews/
identification repulsive and invasive.19 0,5672,396764,00.html
13
Fight the Fingerprint, www.networkusa.org/fingerprint.shtml
Conclusion
14
Op. cit., I/O Software; Op. cit., Java Card Special Interest
Obviously, the use of biometric systems for identification Group; Op. cit., White
and access control purposes is a contentious issue. It is one
15
Op. cit., Kim
that requires clear and ethical consideration before adoption by
16
Ibid.
any organisation or agency. Furthermore, governments need to
17
Op. cit., I/O Software
develop strict guidelines that restrict the dissemination of
18
Op. cit., Kim
biometric data and the information linked to such data to
19
Schneier, B.; “The Uses and Abuses of Biometrics,”
prevent misuse and erosion of individuals’ rights. Information Communications of the ACM, Association for Computing
system auditors and security personnel require knowledge of Machinery, August 1999, vol. 42, no. 8, p. 136
these biometric techniques, as they may be asked to either
audit or evaluate them for their clients or organisations. Rodger Jamieson, Ph.D., CA
is an associate professor at the School of Information Systems,
Technology and Management at the University of New South
Useful Web Resources Wales (Australia), the director of SEAR (Security, E-business
www.onin.com/fp/afis/html
and Assurance Research) group, and director of the SAFE
www.duke.edu/web/mms190/team3/defining.html
(Security, Assurance and Fraud-prevention for E-business)
www.biometritech.com/features/smallback2.htm
research program for the Securities Industry Research Centre
www.onclickcorp.com/onclicksite/onclick.html
of Asia-Pacific (SIRCA). He serves on international journal
www.networkusa.org/fingerprint.shtml
editorial boards and is engaged in teaching, research and
consulting in the areas of IS assurance and security, risk
Endnotes management, e-crime and identity fraud, computer forensics
1
Lebihan, R.; “New Passport to Store Facial Biological and electronic commerce. His prior experience includes
Information,” The Australian Financial Review, 12 February working as an IS audit manager with Touche Ross & Co. and
2003, p. 52 as a chartered accountant for Coopers & Lybrand. He also has
2
Kim, H.J.; “Biometrics, Is It a Viable Proposition for commercial experience with the AMP Society and Honeywell.
Identity Authentication and Access Control?” Computers &
Security, vol. 14, 1995, p. 205-214 Greg Stephens
3
Java Card Special Interest Group (JC Sig), is a lecturer in the School of Information Systems, Technology
www.javacard.org/others/biometrics_intro.htm and Management at the University of New South Wales. His
4
Ibid. research interests include audit and security concerns,
5
“Biometrics Explained,” I/O Software, computer-mediated communication and its impact on social
www.iosoftware.com/pages/Products/Technologies/ networks within organisations, and knowledge-based/expert
Biometrics/index.asp#Fingerprint systems. He has previously worked as an information systems
6
Op. cit., Kim professional and as an IS auditor.
7
Ibid.
8
Op. cit., Java Card Special Interest Group Santhosh Kumar
9
Op. cit., I/O Software is a researcher with the SEAR group at the University of New
10
Op. cit., Java Card Special Interest Group South Wales and a member of the Institute of Electrical and
11
Automated Fingerprint Identification Systems (AFIS), 2002, Electronics Engineers (IEEE). He has previously worked in
www.onin.com/fp/afis/html networking with Unitafe Networking Co. and TAC-Pacific in
Australia, and as an engineer for three organisations in India.

JournalOnline articles, the online-only counterpart of the Informations Systems Journal, are published by the Information Systems Audit and Control Association, Inc. Membership in the association, a
voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive online access to the JournalOnline as well as an annual subscription to the
Information Systems Control Journal.

Opinions expressed in the JournalOnline and Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the
Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal.
Information Systems Control Journal does not attest to the originality of authors’ content.

© Copyright 2005 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.

www.isaca.org

JOURNALONLINE