Use Case of Palm Vein Authentication

Palm vein authentication is a vein feature authentication technology that uses palm veins as the biometric feature. Palm vein patterns are normally captured using near-infrared light via either the reﬂection or the transmission methods. In the reﬂection method, near-infrared rays are emitted towards the palm to be identiﬁed and the reﬂected light is captured for authentication. Because veins are beneath human skin, it is difﬁcult for someone else to copy or steal them, so the palm vein is more secure compared to some other biometric features. Moreover, because palm vein patterns are diverse and complex, they give sufﬁcient information to identify one individual among a large population. As a result, palm vein authentication is secure and highly accurate. As a contactless type of biometric identiﬁcation, it is suitable for use in applications that require a high level of hygiene or for use in public applications. Several banks in Japan have been using palm vein authentication for ATM security since July 2004. In addition, palm veins have been used in a variety of applications such as door security systems, login management systems for PCs, ﬁnancial services, payment services and patient identiﬁcation systems in hospitals. This chapter introduces the technical outline of palm vein authentication and its use cases.


Fujitsu Lab started to develop Palm Vein Authentication as Contactless Hand
Biometrics in 2000. At the time, we didn't know which accuracy to expect from hand features, so we evaluated hand features by experimental cameras and illumination. We set up four different cameras to capture different parts of the hand. By using these cameras, we collected about 1,400 hands vein images (palm, finger, back of hand and wrist) from 700 persons. As a result of authentication performance evaluation using these images, we chose palm vein for our product. Because a person's palm vein patterns have web-like complex patterns (Fig. 5.1), they give sufficient information to identify one individual from a large population of people. Compared to the back of the hand or the back of a finger, the palm is a good area for authentication because it does not have any hair which can obscure the vein capture process.
Palm vein patterns are believed to be unique to each individual as with fingerprints or other biometrics. To confirm this, we collected 140,000 palm vein images by 70,000 persons for verification in 2005 [1]. Experiments based on large-scale data show that palm vein patterns have the advantages of consistency and accuracy as a method of personal identification. It has also been shown that palm vein patterns are stable for a sufficiently long time period for the purpose of personal identification.
A patent for hand vein authentication was filed in 1985 by Joseph Rice in the United States [2]. The first device for palm vein authentication was presented by Advanced Biometrics, Inc. in the United States in 1997. In 2003, a novel contactless device was released by Fujitsu in Japan. In 2004, Japanese financial institutions, the Bank of Tokyo-Mitsubishi first adopted Fujitsu's technology for confirming the identity of their customers. This was the first major application in Japan in which a private enterprise adopted vein authentication in a service for the general public. Fujitsu's concept and implementation of a contactless sensor was awarded the Wall  [3]. This chapter will provide a broad use case of contactless palm vein authentication.

Palm Vein Sensing
Vein patterns sit within the subcutaneous tissue of a person's palm and are captured using near-infrared rays. This technology is called near-infrared spectroscopy (NIRS) and imaging. This field of research has been investigated as a technology of in vivo "within the living" measurement for over 10 years [4].
Palm vein images can be captured using two different methods: the reflection method and the transmission method. In the reflection method, the palm is illuminated from the front side and the image is captured on the same side. In the transmission method, the palm is illuminated from the backside of the hand and the image is captured from the front side. In the transmission method, the illumination device and the capture device are separated, facing each other across a palm. While in the reflection method, the illumination device and the capture device can be integrated together to create a more compact device because the direction of the illumination is the same as the direction of image capturing.

Sensor Products with Reflection Method
We commercialised reflective type of palm vein sensors ( Fig. 5.2). Users don't need to touch the sensor; they only have to show their palms to the sensor. To obtain a high-quality palm vein image, the imaging process should be adequately controlled due to the movement or position of the hand. In addition, the illumination should be controlled depending on the environmental light conditions around the sensor.
The contactless method eliminates user concerns about hygiene as users don't have to have direct contact with publicly used devices. The method is also suitable for identification in environments where high hygiene standards are required such as in medical facilities or food factories. The intensity of the near-infrared rays emitted from the sensor is deemed safe as it is less than the intensity specified in the "Light and Near-Infrared Radiation" guidelines of the American Conference of Governmental Industrial Hygienists (ACGIH) [5].
The first palm vein authentication systems were introduced in ATM services in 2004. To expand the application of palm vein authentication, miniaturisation of the palm vein sensor is continually being promoted. The lighting component was designed to provide a wide radiation range and very bright luminosity, despite its compact implementation, by carefully positioning the LED and optimising the shape of the waveguide. The authentication algorithm was also upgraded to better match the properties of images captured by the miniature sensor.
For security reasons, the sensor should encrypt the palm image prior to transmission to the host PC; templates should also be encrypted for storage or transmission. These functions protect the palm vein image from any unauthorised access or fraud.
In Fujitsu's implementation [6][7][8], a palm vein authentication sensor is made in the shape of a small box, 25 mm deep × 25 mm wide × 6.0 mm high ( Fig. 5.3). Capturing is executed in a contactless manner. With the advancement of sensor miniaturisation, it became possible to incorporate the sensors into laptop PCs and tablets.
As a result, Fujitsu launched a laptop PC with the world's first built-in vein sensor in 2011. In 2014, a tablet with a built-in palm vein authentication sensor was commercialised.

Matching Performance
At the first stage of palm vein authentication, the palm vein pattern is extracted from the near-infrared image taken by the palm vein sensor. As palm veins exist under human skin, the vein pattern is generally not as clear as other biometric features like fingerprints, so the extraction method is one of the key technological components of palm vein authentication.
The similarity between the captured palm vein to be authenticated and the registered template stored in the database is then calculated. The similarity can be calculated using various methods.
In the verification process (one-to-one matching), the user is authenticated if the similarity score is greater than or equal to the predetermined threshold. In the identification process (one-to-many matching), similarity scores are calculated between the input palm vein image and all of the registered templates in the database. The user's identity is determined to be the user that shows the highest score among these calculated scores and whose score is greater than or equal to the predetermined threshold.
Our latest matching algorithm achieves a false rejection rate of 0.01% (including one retry) and false acceptance rate of 0.00001% or less. This algorithm enables 1:N authentication of up to 10,000 hands (5,000 with both hands registration). Palm vein images of 16,000 hands were collected from 8,000 people for this verification. This authentication performance was calculated based on the ISO/IEC 19795 series.

Usage Situation
Palm vein authentication is used worldwide. Commercial palm vein sensors are shipped in over 1 million units. And in our survey, 86 million people have registered their palm veins. Because palm vein authentication has many public uses, it tends to have more registrants than sensors. This chapter introduces some use cases.

Login Authentication
Palm vein sensors can be embedded in a PC mouse. Using a mouse as a palm vein authentication sensor offers convenience and space-saving advantages. Most companies and government agencies have internal information systems which handle sensitive personal data. Using a mouse with an integrated palm vein authentication sensor enables advanced, high-level security for system logins with the high accu-racy and reliability of palm vein authentication in comparison with the conventional combination of ID and password.
With these laptop PCs equipped with palm vein authentication (Fig. 5.4) [9], it is possible to perform pre-boot authentication at BIOS start-up. Furthermore, tablets with built-in palm vein authentication have been put to practical use (Fig. 5.5) [8]. These are mainly used in PC login and second factor authentication solutions. Hundreds of thousands of employees and staff are using this in technology large companies and governments.
Palm vein authentication is also applied to logins for virtual desktops. In Fujitsu, approximately 40,000 employees access their thin-client terminal by using palm vein authentication [10].

Physical Access Control Systems
Palm vein authentication sensors have been installed in many access control systems (Fig. 5.6). They are used to control entry and exit for rooms or buildings. Palm vein authentication is well suited to access control systems because of the following reasons: • Palm vein authentication works in a contactless manner; this is an optimal feature for public usage. • It is simple and easy to use; users only have to show their palms to the device.
• Palm vein patterns are difficult to counterfeit.
Because of the Personal Information Protection Act that went into full effect in Japan on April 2005, the Department of Planning, Information and Management of the University of Tokyo Hospital began using palm vein authentication in a new security system to control room access. The security levels of the system were divided into three access levels: access to the administrative room, the development room and the server room. An access control unit that uses palm vein authentication has been installed at the entrance to each room. The system has been able to restrict an individual's entry in stages.
Additionally, the smart-card-based authentication installed at the entrances to two offices in Japan (Fujitsu Solution Square and the Tokai Branch Office) will make the switch over to palm vein authentication, and a field trial covering some 5,200 employees working at these locations will take place over the course of approximately 1 year. In both cases, identity authentication and integrated operations and management will be performed on a cloud-based platform. Users can pass the gate by waving their hand over the sensor (Fig. 5.7).

Payment Systems
A payment system using palm vein authentication called "Hand Pay Service" has been introduced by the major Korean credit card company Lotte Card Co., Ltd. Making full use of the palm vein authentication technology proudly provided by Fujitsu, Lotte Card started the first bio-pay service in Korea on May 2016, which allows Lotte Card customers to make lump-sum credit card payments even when they are not carrying their cards, by just using biometrics and phone numbers to authenticate who they are. The encrypted data are divided and stored in the Bio-Information Distributed Data Management Center of the Korea Financial Telecommunications & Clearing Institute (KFTC) and the system environment of Lotte Card, to strengthen security even further. Moreover, it was Fujitsu Korea that established the system that works with the Biometric Information Distributed Data Management Center of the KFTC to which the Lotte Card "Hand Pay Service" is linked (Fig. 5.8).
AEON Credit Service and Fujitsu will begin a field trial of a cardless payment system using Fujitsu's palm vein biometric authentication technology. Starting in September 2018, the trial will take place in selected Ministop convenience stores. Customers use this service by registering in advance, then adding their palm vein pattern to their AEON card information. When paying at a register, customers can pay with their registered AEON card by inputting their date of birth and then scanning the palm of their hand over the reader. Customers can use their AEON card with greater convenience, without the bother of taking the card out of their wallet or purse. AEON Credit Service and Fujitsu will be conducting a field trial for AEON Group employees at a number of Ministop locations beginning in September 2018. Based on the results of the field trial, the companies plan to roll out the technology for use in store locations for the various AEON Group companies.

Financial Services
In 2003, Japan saw a rapid increase in financial damage, caused by fraudulent withdrawals from bank accounts through spoofing with fake bank cards that were made from stolen or skimmed cards. It was a significant social problem. This caused a sharp increase in the number of lawsuits brought forward by victims against financial institutions for their failure to control information used for personal identification. The "Act for the Protection of Personal Information" came into effect on May 2005, and in response, financial institutions in Japan have been focusing on biometric authentication methods together with smart cards, as a way to reinforce the security of personal identification. Palm vein authentication is the form of biometric authentication that was most quickly introduced for customer confirmation at banking facilities; it was first introduced in July 2004, before the act came into effect.
Palm vein authentication in financial services is applied as follows. A user's palm vein pattern is registered at a bank counter and stored on a smart card. This has the advantage of allowing users to carry their own palm vein pattern with them. In the verification process for ATM transactions, the palm vein pattern of the user is captured by a palm vein authentication sensor on the ATM (Fig. 5.9). The captured palm vein pattern is transferred to the user's smart card and compared to the template stored in the smart card. Finally, a matching result score is transmitted back from the smart card, keeping the palm vein template within the smart card.
In addition to Japan, Brazil has also adopted palm vein authentication to identify users in ATM banking transactions. Banco Bradesco S.A., the largest private bank in Latin America, has tested palm vein authentication with various other biometric technologies. Bradesco chose palm vein authentication because of its outstanding features, such as its high level of verification accuracy and the fact that it is noninvasive and hygienic, making it more easily accepted by customers of the bank.
In 2012, Ogaki Kyoritsu Bank Ltd. in Japan started a new cardless biometric ATM system service applying palm vein authentication. With this system, customers are able to use ATM services for withdrawals, deposits and balance inquiries without passbooks or ATM cards. By combining their date of birth, palm vein authentication and PIN, customers have access to financial services that combines both security and convenience. In a huge disaster situation such as an earthquake, people would evacuate their houses immediately, so they wouldn't have any identifying documents like ATM cards or driver's licenses. Even in a situation like this, the new ATM system will provide financial services to customers by applying the high accuracy rate of palm vein authentication [11].

Health Care
Palm vein authentication is being deployed throughout the Carolinas HealthCare System (CHS) in the United States as part of a solution to effectively register patient information and ensure that the proper medical care is given to the right person, while protecting their medical record and privacy from identity theft and insurance fraud. For this system, the CHS team developed a unique hand guide for the sensor. This hand guide is adapted for a hospital environment, since it incorporates a paediatric plate that adapts the guide so it can be used with young children, accommodating all CHS patients.
The Sapporo Hospital of the Keiyu Association in Japan also adopted palm vein authentication for patient authentication in their electronic medical records system. Patients who are to undergo an operation register their palm vein patterns before the operation. On the day of the operation the registered palm vein pattern and the palm vein pattern scanned from the patient are compared, confirming that the patient to be operated on is the correct person. This avoids the wrong patient being operated on, which might occur if two patients have the same name, for example. Other applications for health care, such as secure access to patient medical records, can also be achieved due to the contactless nature of palm vein authentication and its excellence in terms of hygiene.
In Turkey, the Ministry of Health decided to introduce a nationwide biometric patient authentication system with palm vein authentication for the SSI (Social Security Institution) in order to prevent billing fraud in hospitals and pharmacies. In order to apply for insurance from the government through MEDULA, medical institutions (hospitals, clinics, family doctors, pharmacies and opticians) must implement palm vein authentication. The service started in 2012 and more than 10,000 units are being used.
(MEDULA: the social security application system for customers' medical expenses at all medical institutions.)

Airport Security
In South Korea, the Korea Airports Corporation (KAC) has deployed palm vein authentication system at all 14 domestic airports under its jurisdiction, to ameliorate congestion by identifying boarding passengers with biometric authentication (Fig. 5.10). The domestic airports under KAC's jurisdiction are currently used by about 32 million people per year. Korean citizens, over the age of 14, travelling on domestic flights must have their identity checked before passing through boarding security, and this had previously been done on-site by showing a citizen ID card to security personnel. Because visually confirming a passenger's identity takes time, this process could lead to congestion in the airports, and it had become an issue for KAC. In addition, passengers who had not brought their citizen ID cards were not able to board their flights, which compromised the quality of customer service.
KAC has given attention to the high identification accuracy and convenience of palm vein authentication, and therefore decided to deploy a personal identification system using palm vein authentication.
Users can register in advance at registration devices installed in airports, linking their palm vein pattern with their citizen ID number, name and phone number. Then, after scanning a barcode on their ticket, users can confirm their identity by holding out their hand at the newly installed identity confirmation gates before security checkpoints. Users will not have to constantly carry their citizen ID cards, and the system will slash waiting times and enable smoother processing at airports.
This system began operation on 28 December 2018, and it has been used over 1 million times, with 160,000 individuals who have already registered their palm vein patterns.

Government and Municipal
The Japan Agency for Local Authority Information Systems introduced palm vein authentication for user authentication of the Resident Registry Network (JUKI-net), implemented for all local government offices. All municipalities, prefectures and governmental agencies use this system to protect the private information of residents. Operational costs such as issuing ID cards and reissuing forgotten or lost IDs or passwords have been reduced. More than 10,700 terminals are connected to this system. The operator can easily understand that he/she has been identified, which will act as a psychological barrier to the intentional leaking of information.
Naka city in Ibaraki prefecture, Japan, introduced a system utilising palm vein authentication technology for the city's new public library in October 2006. The library system is the first of its kind in the world. Users can check out books from the library by using palm vein authentication. Users of the Naka City Public Library will be given a choice between using an ID card with an embedded IC chip or using the palm vein authentication system for identity verification. Users who select palm vein authentication will be able to check out library materials or use its audiovisual section without using ID cards. First, users input their date of birth, then they simply suspend their hand above the authentication device and their palm vein pattern is compared to their pre-registered pattern for verification. Now, more than 90% of the 20,000 users choose to use palm vein authentication for convenience (Fig. 5.11).

Conclusion
Palm vein authentication has been used in a variety of applications such as door security systems, login management systems for PCs, financial services, payment services and patient identification systems in hospitals. The vein pattern of the palm has a two-dimensional complexity, and because the image exists under the skin, the acquired image is very stable. Based on these advantages, we believe that palm vein authentication will become more widespread.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.