9

Over the last five years, India has systematically advanced a biometric identification scheme, which now has an enrollment of over 800 million users. To ensure the accuracy of matching for such a large population, the Biometrics Standards Committee proposed collecting all 10 fingerprints where physically possible, presumably to set a larger threshold for identification (e.g. 80% confidence on 3 or more fingers).

A PoC conducted by the Unique Identification Authority of India found that a suitable technique to use for authentication would be to verify "two separate fingers for upto 3 attempts" (details here). This provides an accuracy of 99% which the committee finds reasonable since authentication is 1:1 and not 1:N (an analogy is that the password is only checked for a single username during login). While this process also has tons of privacy and security problems, these are fairly well studied.

However, the process of enrolling a new user is supposed to perform deduplication, and hence is 1:N (a user should not be enrolled if fingerprints match). Assuming that only "the best two fingers are being matched", is it feasible to assume that this deduplication is not being carried out during enrollment, since beyond a certain number of users collisions are probably inevitable? The last report I've seen indicated 34,015 duplicates when 290 million people were enrolled (~0.01%).

Is such a system truly feasible and scalable? The birthday paradox seems to indicate that most users should have "doppelgangers" (even assuming 0.01% collision over 800m users). Are there any techniques that could be used to reliably and automatically identify "true duplicates" as opposed to "false duplicates" in such a system? Do biometric systems get progressively worse as users are added?

EDIT/TL;DR Do biometric authentication systems have negative network effects, whereby they get progressively worse (less accurate/precise) as the number of users increase? If no, why not?

Jedi
  • It looks like you misspelled [Aadha**a**r](https://eaadhaar.uidai.gov.in/) in the title. – A.L Jul 13 '16 at 11:53
  • Oh...no...now we have to cut 2 fingers... :D – Overmind Jul 13 '16 at 12:57
  • Pardon me while I burn off my fingertips with acetone. – Verbal Kint Aug 04 '16 at 19:33
  • [Relevant article by Hans Verghese Mathews](http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf) that describes how the proportional number of duplicands will increase as the number of users increase. [Screengrab of table](http://i.imgur.com/8VIlgLy.png) – Jedi Mar 30 '17 at 21:50

1 Answer

2

Assuming that only "the best two fingers are being matched" doesn't seem to be a reasonable assumption. Since deduplication is harder, surely evaluating all 10 fingerprints where physically possible would be an obviously more sensible strategy, and likely the one followed.
One of your sources says UIDAI says duplicate enrolments are around 5% and that UIDAI says it detected 34,015 cases (about 0.1%) where one person has been issued two Aadhaar numbers. What's unclear to me is how they detected these cases - what techniques were used to identify "true duplicates" as opposed to "false duplicates" in each of these sets. In other words, once UIDAI cancelled those 34,015 Aadhaar numbers, how many duplicate enrolments were left? None? Not necessarily. How many residents who had valid Aadhaar numbers no longer had one? None? Not necessarily.

We don't know the collision rate among 290 million users is 0.01%. Given the info presented, I think we don't know the number of fingerprints being compared (or what else, if anything, is being compared) to identify the 5%, 0.1%, or (by definition) what % of duplicate enrolments remain undetected.

But can we figure it out / guesstimate? The report on authentication says the System FAR is set to 1 in 10,000 (i.e. 1 in 10,000 authentications will have a false accept error).

If as the report suggests, the FRR – False Reject Rate goes from 6.5% to 2% with one scan and from 3.5% to 0.7% with up to 3 scans when going from 1 best finger to the two best fingers, what would we expect could happen when we go with the maximum # of fingers for 1:1 authentication? for 1:N identification? I don't find enough info to offer specifics. More research needed.

But I can answer the "Do biometric authentication systems have negative network effects, whereby they get progressively worse (less accurate/precise) as the number of users increase?" part of your question. Yes. They do, categorically. You have a correct understanding of the problem. Biometric systems do get progressively more challenged, as users are added, to keep FAR and FRR low.
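The scaling effect discussed above, as an added worked example that is not part of the original answer or of any UIDAI material. It assumes the 1 in 10,000 FAR quoted on the page applies to each single-finger comparison, that comparisons and fingers err independently (optimistic for real fingerprints), and that multi-finger fusion requires every finger to match; the function names are hypothetical.

```python
import math

def fpir(fmr: float, gallery_size: int) -> float:
    """Chance that one enrollee falsely matches at least one of
    gallery_size existing records in a 1:N search."""
    # 1 - (1 - fmr)^N, computed with log1p/expm1 so tiny fmr keeps precision.
    return -math.expm1(gallery_size * math.log1p(-fmr))

def expected_false_pairs(fmr: float, population: int) -> float:
    """Expected false-duplicate pairs once every pair in the
    population has been compared once (the birthday-style count)."""
    return fmr * population * (population - 1) / 2

def fused_fmr(per_finger_fmr: float, fingers: int) -> float:
    """Per-comparison FMR when all `fingers` must match (AND rule).
    Assumes independent errors; the AND rule also raises false rejects."""
    return per_finger_fmr ** fingers

def fingers_needed(per_finger_fmr: float, population: int, max_fpir: float):
    """Smallest finger count (1..10) that keeps the 1:N false-positive
    rate at or below max_fpir, or None if ten fingers are not enough."""
    for k in range(1, 11):
        if fpir(fused_fmr(per_finger_fmr, k), population) <= max_fpir:
            return k
    return None

if __name__ == "__main__":
    FMR = 1e-4  # assumption: the page's 1-in-10,000 FAR, per comparison
    for n in (10_000, 1_000_000, 290_000_000, 800_000_000):
        print(f"N={n:>11,}  single-finger FPIR={fpir(FMR, n):.6f}  "
              f"fingers for FPIR<=1%: {fingers_needed(FMR, n, 0.01)}")
```

At a fixed per-comparison error rate the 1:N false-positive rate climbs toward 1 as the gallery grows, so holding it steady means tightening the threshold or fusing more fingers as enrollment increases.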