Smart Card Biometrics
This article covers dynamic signature verification — analyzing how a signature is produced, not just its appearance — as a behavioral biometric technology.
Signature verification is the process used to recognize an individual's hand-written signature.
Dynamic signature verification technology uses the behavioral biometrics of a hand-written signature to confirm the identity of a computer user. This is done by analyzing the shape, speed, stroke, pen pressure and timing information during the act of signing. Natural and intuitive, the technology is easy to explain and trust.
As a replacement for a password or PIN, dynamic signature verification is a biometric technology used to positively identify a person from their handwritten signature.
There is an important distinction between simple signature comparisons and dynamic signature verification. Both can be computerized, but a simple comparison only takes into account what the signature looks like. Dynamic signature verification takes into account how the signature was made. With dynamic signature verification it is not the shape or look of the signature that matters, it is the changes in speed, pressure and timing that occur during the act of signing. Only the original signer can recreate the changes in timing and X, Y, and Z (pressure).
A pasted bitmap, a copy machine or an expert forger may be able to duplicate what a signature looks like, but it is virtually impossible to duplicate the timing changes in X, Y and Z (pressure). Reproducing the patterns shown would require the practiced, natural motion of the original signer.
There will always be slight variations in a person's handwritten signature, but the consistency created by natural motion and practice over time creates a recognizable pattern, making the handwritten signature well suited to biometric identification.
Signature verification is natural and intuitive. The technology is easy to explain and trust. The primary advantage that signature verification systems have over other biometric technologies is that signatures are already accepted as the common method of identity verification. This history of trust means people are very willing to accept a signature-based verification system.
Dynamic signature verification technology uses the behavioral biometrics of a hand-written signature to confirm the identity of a computer user. Unlike the older technologies of passwords and keycards — which are often shared, easily forgotten, lost or stolen — dynamic signature verification provides a simple and natural method for increased computer security and trusted document authorization.
Signature-scan technology uses the distinctive aspects of the signature to verify the identity of individuals. The technology examines the behavioral components of the signature, such as stroke order, speed and pressure, rather than comparing visual images of signatures. Unlike traditional signature comparison technologies, signature-scan measures the physical activity of signing. While a system may also compare the visual appearance of a signature, or "static signature," the primary components of signature-scan are behavioral.
The signature, along with the variables present during the signing process, is transmitted to a local PC for template generation. Verification can take place against a local PC or a central PC, depending on the application. In employee-facing signature-scan applications such as purchase order authentication, local processing may be preferred; there may be just a single PC used for such authorization. For customer-facing applications, such as retail or banking authentication, centralized authentication is likely necessary because the user may sign at one of many locations.
The results of signature-scan comparisons must be tied into existing authentication schemes or used as the basis of new authentication procedures. For example, in a transactional authentication scenario, the "authorize transaction" message might be sent after a signature is acquired by a central PC. When signature-scan is integrated into this process, an additional routine requires that the signature characteristics be successfully matched against those on file for the "authorize transaction" message to proceed. In other applications, the results of a signature-scan match may simply be noted and appended to a transaction. For example, in document authentication, an unsuccessful comparison may be flagged for future resolution without halting the transaction. The simplest example would be a signature used for handheld device login: the successful authentication message merely needs to be integrated into the login module, similarly to a PIN or password.
Signature-scan has several strengths. Because of the large amount of data present in a signature-scan template, as well as the difficulty of mimicking the behavior of signing, signature-scan technology is highly resistant to imposter attempts. As a result of low False Acceptance Rates (FAR) — a measure of the likelihood that a user claiming a false identity will be accepted — deployers can have a high confidence level that successfully matched users are who they claim to be. Signature-scan also benefits from its ability to leverage existing processes and hardware, such as signature capture tablets and systems based on public key infrastructure (PKI), a popular method for data encryption. Since most people are accustomed to providing their signatures during customer interactions, the technology is considered less invasive than some other biometrics.
However, signature-scan has several weaknesses. It is designed to verify subjects based on the traits of their unique signature. As a result, individuals who do not sign their names consistently may have difficulty enrolling and verifying in signature-scan. During enrollment, subjects must provide a series of signatures similar enough that the system can locate a large percentage of common characteristics between the enrollment signatures. During verification, enough characteristics must remain constant to determine with confidence that the authorized person signed. As a result, individuals with muscular illnesses and people who sometimes sign with only their initials might see a higher False Rejection Rate (FRR), which measures the likelihood that a system will incorrectly reject an authorized user. Since many users are unaccustomed to signing on a tablet, some subjects' signatures may differ from their signatures on ink and paper, increasing the potential for false rejection.
Signature-scan is implemented in situations where signature or written input processes are already in place. These applications include contract execution, formal agreements, acknowledgement of services received, and access to controlled documents.
As the act of signing documents becomes more integrated with electronic capture processes — signing on acquisition tablets, using special styluses, etc. — the opportunity for biometric authentication will increase dramatically. As of today, there are few acquisition devices deployed in operational environments capable of capturing biometric data. Note that signature-scan is not the same as signature capture, currently used in various point-of-sale systems, nor is it the same as digital signatures, an encryption technology.
Though it is one of the least frequently deployed technologies in the biometric market today, signature-scan usage will increase, as a complement to static signature capture, through 2005. Though a handful of vendors sell signature-scan, these firms will need to demonstrate the success of the technology in more high-profile settings. As applications for contract execution, formal agreements and access to controlled documents are demonstrated, signature-scan revenues are projected to grow from $3.0m in 2000 to $101.1m in 2005. Signature-scan revenues are expected to comprise approximately 5% of the entire biometric market.
Handwriting has been around since the beginning of civilization, and the "signature" — the act of signing a document — has long been accepted by nearly every culture as a person's recognition of, and agreement to, the contents and implications of written words.
The increasing recognition of electronic signatures by lawmakers is bringing to the forefront concerns over electronic security for privacy and the protection of individuals.
For the many people now conducting business transactions over private networks or the Internet, some form of official acknowledgement is now essential and legally binding. The security implications of producing or recognizing "original" electronic documents will be more important than ever before. In this respect, it is important to understand the distinction between the terms "biometric" and "digital" signatures.
A digital signature is a term used to describe a long numerical code uniquely assigned to one person, hence the reference to "signature." It has nothing to do with a real signature. Its purpose is to be used in encryption systems. Asymmetric encryption (or PKI) is an example of a popular encryption approach. A digital signature is issued to an individual by what is called a Certificate Authority — a group or organization responsible for the maintenance and safekeeping of digital signatures. Because of their length no one actually remembers or even knows their digital signature.
An individual's digital signature normally resides on their computer, or can be stored on a card (similar to banking cards). When someone wishes to encrypt an electronic document, they use a password or PIN that in turn allows the digital signature to be used. Although secure once encrypted, digital signatures are only as safe as the medium where they reside. Anyone obtaining access to your password, PIN or computer can potentially make unauthorized use of your digital signature. The use of a digital signature does not guarantee the identity of the originator. Handwriting results from a highly complex series of dynamic neuromuscular tasks from brain to fingertips. A naturally developed signature represents the most often reproduced and habitual act of writing.
Although we never sign exactly the same way twice, the signature adheres within certain boundaries unique to each individual. This natural variation is an essential component of handwriting. It also means that each signature is unique, in that no two will be identical in all discrete features. Unlike fingerprints, retinal or DNA patterns, which remain constant over time, the execution of a person's signature will be unique and individual at that particular moment. Handwriting remains one of the most powerful human identifiers that exist today. Identical twins have the same DNA pattern, while their handwriting and signatures remain distinctively different.
Biometric signature is a term used to refer to a signature that has been recorded and captured using a variety of input devices, such as digitizing tablets, personal digital assistants (PDA), computer displays or other contact-sensitive technologies. This method allows real handwritten signatures to be incorporated into e-documents during electronic transactions. Not every technology captures signature information the same way. Some systems take a static approach and only record an image of a signature, and as such do not record the unique behavioral elements associated with executing a signature. In a biometric system such as CIC's SignIt, both the geometric and dynamic characteristics of the signing process are recorded and incorporated into an electronic document. Most of the elements that make a signature unique and identifiable can be derived from the digital signature data. Furthermore, the data incorporated into an electronic document can be used to lock and protect the contents from alteration. Biometric signatures can also be used to provide and control access security to buildings, networks, computers, documents and databases.
For the layperson, the pictorial appearance of a conventional signature can be convincingly imitated. Forensically, when there is a question of whether or not the signature on a document is genuine, expert visual and microscopic examination is required. This involves evaluating and comparing the general and discrete features of the contested signature with known signatures. With biometric signatures, authentication can be done in real time or after the fact. If a biometric signature is contested, the signature data can be extracted from the document and submitted to similar forensic investigation and analysis to verify its authenticity.
In fact, some of the biometric data captured — such as speed, acceleration, deceleration, and the amount of time the pen is on and off the paper — is measured precisely. This data is either unavailable or only qualitatively assessed at best in conventional forensic examinations of signatures. The additional behavioral features recorded from biometric signatures make them even more difficult, if not impossible, to imitate.
Biometric signatures represent an ideal bridge between the long-recognized convention of signing a document and the need for electronic documents to be uniquely recognized by individuals. This application provides individuals with security and control over documents originated, transacted and stored in the digital domain.