Pattern Recognition 37 (2004) 2245–2255
www.elsevier.com/locate/patcog

Biohashing: two factor authentication featuring fingerprint data and tokenised random number

Andrew Teoh Beng Jin a,∗, David Ngo Chek Ling a, Alwyn Goh b

a Faculty of Information Science and Technology (FIST), Multimedia University, Jalan Ayer Keroh Lama, Bukit Beruang, Melaka 75450, Malaysia
b Distinctive Biometrics Sdn. Bhd. B-S-06, Kelana Jaya 47301, Petaling Jaya, Selangor, Malaysia

∗ Corresponding author. Tel.: +60-6-252-3404; fax: +60-6-231-8840. E-mail addresses: bjteoh@mmu.edu.my (A.T.B. Jin), david.ngo@mmu.edu.my (D.N.C. Ling), alwyn_goh@yahoo.co.uk (A. Goh).

Received 1 August 2003; received in revised form 3 March 2004; accepted 27 April 2004

Abstract

Human authentication is the security task of limiting access to physical locations or computer networks to those with authorisation. This is done by equipping authorised users with passwords or tokens, or by using their biometrics. Unfortunately, the first two suffer from a lack of security, as they are easily forgotten and stolen; biometrics also suffers from some inherent limitations and specific security threats. A more practical approach is to combine two or more authentication factors to reap benefits in security, convenience, or both. This paper proposes a novel two factor authenticator based on iterated inner products between a tokenised pseudo-random number and the user-specific fingerprint feature, which is generated from the integrated wavelet and Fourier–Mellin transform, and hence produces a set of user-specific compact codes, coined BioHashing. BioHashing is highly tolerant of data capture offsets, with fingerprint data from the same user resulting in highly correlated bitstrings. Moreover, there is no deterministic way to get the user-specific code without having both the token with random data and the user fingerprint feature. This protects, for instance, against biometric fabrication, since changing the user-specific credential is as simple as changing the token containing the random data. BioHashing has significant functional advantages over biometrics alone, i.e. a zero equal error rate point and clean separation of the genuine and imposter populations, thereby allowing elimination of false accept rates without suffering from an increased occurrence of false reject rates.

© 2004 Pattern Recognition Society. Published by Elsevier Ltd. All rights reserved.
0031-3203/$30.00. doi:10.1016/j.patcog.2004.04.011

Keywords: BioHashing; Two factor authentication; Biometrics; Fingerprint; Token

1. Introduction

Today's human authentication factors have been placed in three categories, namely What you know, e.g. password, secret, personal identification number (PIN); What you have, such as token, smart card etc.; and What you are, biometrics for example. However, the first two factors can be easily fooled. For instance, passwords and PINs can be shared among users of a system or resource. Moreover, passwords and PINs can be illicitly acquired by direct observation. The main advantage of biometrics is that it bases recognition on an intrinsic aspect of a human being, and the usage of biometrics requires the person being authenticated to be physically present at the point of authentication. These characteristics overcome the problem that passwords and tokens are unable to differentiate between the legitimate user and an attacker. In addition, biometric authentication information cannot be transferred or shared; it is a powerful weapon against repudiation. However, it also suffers from some inherent biometrics-specific threats [1]. The main concern