Biometrics Summit
By John Latta
Miami, FL
February 23 – 24, 2005
The Biometrics Summit is a small conference focused on how to use
biometrics. Many in the audience come from local governments
seeking to understand how to apply the technology. The speakers
have described practical issues of making biometrics work. The
result is a practical conference which attracts a broad cross
section of users or potential users of the technology. Networking
happens throughout the event as learning is an objective of the
Advanced Learning Institute, who manages this conference. This is
one of the few events which focuses on real case studies and as a
result is quite insightful in the practical applications of
biometrics.
Making Biometrics Learn in Large Projects
Joseph Atick, President and CEO of Identix, reviewed the state of
biometrics. He presented a summary of the major on-going efforts
to apply biometrics. There are many success stories and some
failures, but the acceptance of biometrics continues to increase.
He counseled that biometrics is a means and not the end; the
real issue is human identity. To address that issue he proposed
a “Universal Model of Identity Management.”
As lead speaker, Joseph Atick has many years experience in
biometrics. His presentation looked at many projects, mostly
large government ones, to critically assess the state of the
industry. It had many interesting points which go well beyond
just government projects.
US-VISIT was described as a great success story. It uses 2
prints as the biometric, but a photo is also taken at US
entry and exit. (In a subsequent talk Neal Latta stated
that 20m individuals have been processed by US-VISIT.)
Saudi Arabia has begun the CAFIS program which takes 10
prints and will enroll 30m individuals.
Jordan will begin a national ID program which uses face,
finger and IRIS.
The UK has a passport program which will also use face,
finger and IRIS. This was described as what to do wrong. The
Human Factors issues were underestimated, the systems
integrator lacked motivation and experience and as a result
a large number of individuals could not enroll. The effort
is being changed and it was described as back on track.
At the other end of the spectrum is the Swedish Passport
program which is largely self service. It is based on finger
and face biometrics and deployment is underway.
A bad eye was cast on the UAE deportation and visa program –
The pun fits. This relied on IRIS scans and has demonstrated
how difficult this is to accomplish. The problem is a high
failure to enroll rate for IRIS. As a result, the effort is
shifting to finger. Also in the UAE is eGate which is based
on finger and this has worked very well.
Results were presented for facial which imply a new sense of
confidence in the scalability of the technology.
There is a view that tri-biometric enrollment (face, finger
and IRIS) will provide for completeness. But this was
countered with the view that IRIS is only buying insurance
on the expectation that it will improve. In other words, it
may get better in the future.
Considerable emphasis was placed on the quality of the
enrollment biometric and its subsequent collection. This
certainly applies to finger and there is renewed emphasis on
confidence in facial, based in part on image quality
improvements. Along these lines a quality factor is being
defined called “faceness” which is the closeness of the
facial expression to an expressionless frontal view.
Joseph Atick went so far as to state that facial screening
is coming back. Tried in the past, it failed due to the high
level of false positives.
When it comes to systems architecture, a significant case
was made for the end of “proprietary end-to-end systems.”
The elements of this approach include:
The integration of small subsystems to form a larger
system;
The components work to a Standards based API;
The system is not tied to a specific vendor;
Systems integration (SI) is about process, not technology.
In these large systems the biometrics is well down the
systems stack.
This led Joseph to state that biometrics is only a means and
not the end. At the heart of these systems is human
identity. Yet, because this is about identity, the problems
that arise are fake identities, aliases, theft and
mistrust.
From this Joseph outlined a “Universal Model of Identity
Management.” This has four components: Trust, Identity,
Actions and Reputation. All of these interact. Biometrics
fits because this is a way to handle identity problems.
Another factor is knowledge discovery: finding duplicate
entries and uncovering risky identities. The feared outcome
is “identity laundering,” a bad identity getting into an
identity management system and acquiring legitimacy from it.
Many of these issues are first being faced in ePassports.
One of the contributions is that interoperability is a key
requirement. Unfortunately the deadline of October 2005 is
unrealistic and will likely not be met. For example,
something as simple as readers is holding up progress.
Further, there are many challenges such as identity
laundering, compliance and trust across jurisdictional
boundaries to be worked.
Joseph went so far as to suggest a “circle of trust” concept
between countries. This is a difficult concept to accept.
But he suggested that the visa waiver program is similar in
concept.
The bottom line is that Joseph feels we are 5 – 10 years
away from these interoperable identity systems. But the only
way to get there is to begin.
Beyond Physical Access Control
IBM described their Service Delivery Centers (another name for
data centers). They gave a standard presentation on how a data
center installation can be secured with biometrics.
Biometrics is essential to entry and exit. The focus is on
effectively using biometrics and physical controls. In response
to a question from the WAVE, it was stated that, yes, the tools
used for physical access are also being used by some for logical
access. That is, the biometrics for entry will work on both the
physical space and the network log on.
Yet, this did not address logical access to the systems within
the data center. When further asked by the WAVE, IBM stated this
is a real issue. They have taken the same biometrics technology
used for physical access and also use it for access to the
network. However, at the present time its use for network access
is optional, at the individual's discretion.
When seen in the context of an identity management system this
makes sense. That is, the ability to create identity problems
such as a fake identity, aliases, theft and mistrust is severely
limited when the physical controls are in place. Thus, in this IBM
example, logical access uses biometrics with high confidence when
physical access controls are strong. The practical application of
this approach is limited because most will not tolerate such
physical controls.
Making Face Recognition work on the Street - Illinois
Illinois is a pioneer in that it was the first state to use a
biometric in a driver’s license. Beth Langen of the Illinois
Office of the Secretary of State described their efforts to apply
facial recognition in driver license and identity card issuance.
One of the problems is that the DL/ID (driver’s license and ID
document) has become the de facto national identity document. In
spite of the fear of many that this would happen, the process is
already underway. As a result, the issuance of these documents is
a gateway to crime: criminals use fraud to gain one or more such
documents in order to carry out other crimes. The expectation of
society is that these documents are to be trusted since they are
issued by a government agency. What Illinois has done is to seek
to increase the quality of the documents by applying a biometric
and to improve the processes for their issuance.
When it comes to the issuance of the DL/ID the following are
to be addressed:
Minimize traffic safety threats such as underage
drinking;
Identity theft and fraud;
Balancing cardholder privacy with public and business
interests; and
Public safety.
To increase the security of the cards, Illinois began in
1997, with first operational deployment in 1999, the use of
facial biometrics. There has been nearly 100% enrollment.
The implementation has not been static. For example:
2000 – Began to use “binning” to improve performance
2001 – The eye finding and processing algorithms
improved and
2005 – The technology moved from eigenvalue-based (eigenface)
matching to Hierarchical Graph Matching (HGM), delivered
as a web-based application.
The work flow in Illinois is that the DL/ID cards are issued
on the spot, but the fraud detection processing happens after
the card has been issued. Whether this should change is under
consideration.
The system captures 8,000 – 12,000 new images a day, of
these 400 – 500 duplicates are detected. So far, the state
has identified 1,800 fraud cases.
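The Illinois workflow above (issue the card on the spot, run the duplicate search afterward, use “binning” so that each new image is compared only with a subset of the gallery) is shown here as an added example; it is not Illinois’s or its vendor’s code. The templates are constructed 8-dimensional vectors standing in for facial templates, the matcher is cosine similarity, and the bin key (sex and birth decade from the application record), the threshold and the record ids are all assumptions.

```python
"""Added example (not Illinois's or its vendor's code): post-issuance 1:N
duplicate search with "binning".

Templates are constructed fixed-length float vectors standing in for facial
templates, scored with cosine similarity. The bin key (sex, birth decade from
the application record), the threshold and the record ids are assumptions."""
import math
from collections import defaultdict

MATCH_THRESHOLD = 0.97  # assumed; a real threshold is set from FAR/FRR testing


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


class Gallery:
    """Enrolled templates, indexed flat and by coarse bin."""

    def __init__(self):
        self.records = {}              # record_id -> (bin_key, template)
        self.bins = defaultdict(list)  # bin_key -> [record_id, ...]

    def enroll(self, record_id, bin_key, template):
        self.records[record_id] = (bin_key, template)
        self.bins[bin_key].append(record_id)

    def search(self, bin_key, template, use_binning=True):
        """Return (hits, comparisons). With binning only records sharing the
        bin key are scored, which is what makes thousands of probes a day
        feasible; the price is that a probe filed under a wrong bin key (a
        forged application record) is never compared with its true duplicate."""
        ids = self.bins.get(bin_key, []) if use_binning else list(self.records)
        hits = [rid for rid in ids
                if cosine(template, self.records[rid][1]) >= MATCH_THRESHOLD]
        return hits, len(ids)


def issue_then_check(gallery, new_id, bin_key, template):
    """Illinois-style flow: the card is issued (enrolled) first; the duplicate
    search runs afterward and only queues a case for a human examiner."""
    gallery.enroll(new_id, bin_key, template)
    hits, comparisons = gallery.search(bin_key, template)
    return {"issued": new_id,
            "fraud_queue": [h for h in hits if h != new_id],
            "comparisons": comparisons}


def demo():
    """Constructed gallery of three people, then two new applicants."""
    g = Gallery()
    alice = [1.0, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8]
    bob = [0.1, 0.9, 0.3, 0.2, 0.8, 0.1, 0.5, 0.4]
    carol = [0.5] * 8
    g.enroll("DL-0001", ("F", 1970), alice)
    g.enroll("DL-0002", ("M", 1980), bob)
    g.enroll("DL-0003", ("F", 1960), carol)
    # Alice applies again under a new name with her true sex/DOB: caught.
    second_card = issue_then_check(
        g, "DL-0004", ("F", 1970), [x + 0.01 for x in alice])
    # Alice applies a third time with a forged DOB that lands in Bob's bin:
    # the binned search never compares her with DL-0001 or DL-0004.
    third_card = issue_then_check(
        g, "DL-0005", ("M", 1980), [x + 0.02 for x in alice])
    return g, second_card, third_card


if __name__ == "__main__":
    gallery, second, third = demo()
    print("second card:", second)
    print("third card (binned):", third)
    hits, n = gallery.search(("M", 1980), gallery.records["DL-0005"][1],
                             use_binning=False)
    print("third card (exhaustive):", hits, "after", n, "comparisons")
```

The second applicant is caught with two comparisons instead of four; the third is missed by the binned search and found only by the exhaustive one. That is the trade-off behind binning: it buys throughput at the cost of trusting the attributes the applicant supplied, so a binned system needs either a periodic exhaustive sweep or bins keyed on something the applicant cannot choose.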
Some of the most interesting issues came from the description of
future changes. Illinois cannot have a contract with one company
for the same project for more than 10 years. As a result they are
preparing to rebid this project and could well change the
biometric being used. One of the reasons for the facial biometric
was in 1997 this was the only biometric which was readily
accepted by the public. That has now changed.
National Identity
The National Intelligence Reform Act, which was driven by the
recommendation of the 9/11 Commission, set new standards for
identity documents and this includes:
Proof of identity;
Verification of documents; and
Card security.
There is a requirement for compliance within 2 years. Many see this
as setting the de facto DL/ID standard, in that the federal
government can withhold funds for non-compliance.
All of this pales in comparison to the impacts of the REAL ID Act
of 2005, (H.R. 418), if it is passed by the Senate. The bill has
already passed the House and the President has voiced support.
H.R.418
REAL ID Act of 2005
Title: To establish and rapidly implement regulations for
State driver's license and identification document security
standards, to prevent terrorists from abusing the asylum
laws of the United States, to unify terrorism-related
grounds for inadmissibility and removal, and to ensure
expeditious construction of the San Diego border fence.
Sponsor: Rep Sensenbrenner, F. James, Jr.
This, if law, would supersede the requirements of the National
Intelligence Reform Act and be much more stringent. Individuals
would have to have such a card to get access to any federal
facilities – it would become a de facto national ID card. The use
of biometrics has not been decided yet.
Enterprise Biometrics – Are the promises outpacing delivery?
Two case studies were presented which used biometrics to secure
a corporate environment: one inside and the other outside.
Digital Persona, supplier for one of these case studies, is
focused on the “password problem” and claims that “biometrics
allows us to lock down the network.” Yet, we came away troubled:
is this a solution or marketing?
There was little doubt about the value of a “biometrics solution”
as expressed here. The words were appealing:
The password is going out of style.
Biometrics is a virtual smart card
Biometrics resulted in a 90% decrease in support calls; and
Better security is required, by mandates such as Sarbanes-
Oxley, and biometrics provides what is needed.
Yet, when we asked the presenters of one of the case studies
“have you done a risk assessment?” the response was “Testing of
post-deployment risk has started.” It seems obvious that
confidence in risk reduction is not possible without
understanding the risks.
Locking Down ERP with Biometrics
Molded Fiber Glass (MFG) Companies worked with its vendor SAFLINK
to implement a biometric protected access to its ERP application.
At the same time this also implemented the domain log on. The
context is that there was no security, other than a common group
password, to access the corporate wide ERP software. The company
was being hit each year by its outside auditor for the lack of
security. It was felt that biometrics provided:
Easy integration and installation;
User friendliness;
Remote administration;
Strong authentication; and
A standards-based solution.
SAFLINK was chosen because it provided for the necessary network
administration, allowed for different biometrics and had an SDK
which could be integrated into the operations at MFG. The
integration was accomplished in less than 3 days. The net result
was that passwords have been eliminated. The solution was also
used for active directory log on.
The cost per system was estimated to be $350 - $400 per desktop.
No risk assessment was performed.
Making online Banking Secure with Biometrics
United Bankers’ Bank and Digital Persona described how the
latter’s technology was used to secure online access to bank
accounts. Note that United Bankers’ Bank is a commercial bank
that offers services to other banks, similar to the Federal
Reserve but on a smaller, regional scale in the Midwest. The
contrast was striking. The Fed’s access systems were described as
onerous, with multiple passwords and complex logons. However, most
banks that use Bankers’ Bank find that passwords are written
down, shared, easily guessed, inconvenient and stolen. Further, a
Trojan, BankHookA, specifically targets the logging of
passwords used for bank accounts. In spite of the fact that more
secure solutions exist, one must balance cryptographic strength
against the user; that is, how to get the user to participate in
the security process and system. It was the experience of Bankers’
Bank that a fingerprint augments secret-based authentication
(passwords and smart cards) because it does not rely on the user
to keep a secret.
Banker’s Bank selected Digital Persona because of its ease of use
and ability to integrate into their environment. The product
U.are.U online operates like a virtual smartcard which binds a
fingerprint to a key pair. It can be readily integrated into web
applications. A patented architecture ensures separation of
fingerprint data from the user record.
The implementation of the online application used these
additional security features:
TCP/IP Filtering
Sensor digital serial number filtering
Two logons required
Time Limits for access
Transaction amount limits
User Lockouts
Backup dial-up network
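How the “virtual smartcard” and the controls listed above fit together is shown in the following added example, which is not Digital Persona’s or United Bankers’ Bank’s code. A shared HMAC device key stands in for the product’s key pair (an assumption); the address and sensor-serial allowlists, the access window, the transfer limit and the lockout count are made-up values; the “two logons” control is not modelled. The point of the example is the ordering: cheap filters first, then a fresh challenge that the reader signs only after a local fingerprint match, with the bank’s user record holding a verifier and a policy but no biometric data.

```python
"""Added example (not Digital Persona's or United Bankers' Bank's code):
a fingerprint-gated challenge/response wrapped in the layered controls
listed above. Assumptions: the device key is a shared HMAC secret standing
in for the product's key pair; allowlists, access window, transfer limit
and lockout count are made-up values; "two logons" is not modelled."""
import hashlib
import hmac
import secrets
from datetime import datetime, time

FAILURES_BEFORE_LOCKOUT = 3  # assumed


class SensorClient:
    """Customer-side reader. The enrolled template and the device key live
    here; the bank's user record never holds the template."""

    def __init__(self, serial, enrolled_template, device_key):
        self.serial = serial
        self._template = enrolled_template
        self._device_key = device_key

    def respond(self, nonce, live_sample):
        # A local 1:1 match gates use of the key; a failed scan signs nothing.
        # Byte equality stands in for a real matcher with a tuned threshold.
        if not hmac.compare_digest(live_sample, self._template):
            return None
        return hmac.new(self._device_key, nonce + self.serial.encode(),
                        hashlib.sha256).hexdigest()


class BankServer:
    def __init__(self):
        self.users = {}   # user -> policy and verifier; no biometric data here
        self.nonces = {}  # user -> outstanding challenge

    def register(self, user, device_key, serials, allowed_ips, window, limit):
        self.users[user] = {"key": device_key, "serials": set(serials),
                            "ips": set(allowed_ips), "window": window,
                            "limit": limit, "failures": 0, "locked": False}

    def challenge(self, user):
        nonce = secrets.token_bytes(16)  # fresh per logon, so a captured
        self.nonces[user] = nonce        # response cannot be replayed
        return nonce

    def login(self, user, src_ip, serial, response, now):
        u = self.users[user]
        if u["locked"]:
            return "locked"
        # Cheap filters first; they do not count toward lockout, otherwise
        # anyone spraying requests from an unlisted address could lock
        # the customer out.
        if src_ip not in u["ips"]:
            return "ip_filtered"
        if serial not in u["serials"]:
            return "serial_filtered"
        start, end = u["window"]
        if not start <= now.time() <= end:
            return "outside_hours"
        nonce = self.nonces.pop(user, None)
        if nonce is None or response is None:
            return self._fail(u, "no_response")
        expected = hmac.new(u["key"], nonce + serial.encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response):
            return self._fail(u, "bad_response")
        u["failures"] = 0
        return "ok"

    def _fail(self, u, reason):
        u["failures"] += 1
        if u["failures"] >= FAILURES_BEFORE_LOCKOUT:
            u["locked"] = True
        return reason

    def authorize_transfer(self, user, amount):
        return amount <= self.users[user]["limit"]  # per-transfer amount limit


def demo():
    """Constructed walk-through; returns the server and the logon outcomes."""
    key = b"constructed-device-key-0001"
    reader = SensorClient("SN-1234", b"alice-template", key)
    bank = BankServer()
    bank.register("alice", key, ["SN-1234"], ["10.1.2.3"],
                  (time(7, 0), time(18, 0)), limit=50_000)
    at, late = datetime(2005, 2, 23, 10, 30), datetime(2005, 2, 23, 23, 0)
    out = []
    n = bank.challenge("alice")
    out.append(bank.login("alice", "10.1.2.3", "SN-1234",
                          reader.respond(n, b"alice-template"), at))    # ok
    n = bank.challenge("alice")
    out.append(bank.login("alice", "10.1.2.3", "SN-1234",
                          reader.respond(n, b"mallory-template"), at))  # wrong finger
    n = bank.challenge("alice")
    good = reader.respond(n, b"alice-template")
    out.append(bank.login("alice", "203.0.113.9", "SN-1234", good, at))  # unlisted IP
    out.append(bank.login("alice", "10.1.2.3", "SN-9999", good, at))     # unknown reader
    out.append(bank.login("alice", "10.1.2.3", "SN-1234", good, late))   # after hours
    out.append(bank.login("alice", "10.1.2.3", "SN-1234", good, at))     # ok
    for _ in range(4):  # replay `good` against fresh nonces until lockout
        bank.challenge("alice")
        out.append(bank.login("alice", "10.1.2.3", "SN-1234", good, at))
    return bank, out
```

Two design choices are worth noting. A captured response is useless against the next challenge because the nonce changes, which is the property a keylogger-style Trojan such as the one described above cannot defeat. And only cryptographic failures count toward the lockout; if the address and serial filters counted too, a remote attacker could lock a customer out of the bank at will.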
Catalog pricing was quoted as:
Host software - $25,000
User License - $13.33 each
Annual Maintenance
Persona fingerprint devices - $129
The bank gave to the customer one fingerprint reader per account
and the customer bank had to buy any additional units.
Digital Persona quotes a false accept rate of 1 in 100,000.
But the company has not appeared in the NIST test activities,
and it is not clear that this figure has been independently
tested. The company claims that 400,000 to 500,000 sensors have
been deployed. The company has implemented a system within the
Pentagon with 7,000 workstations in the Office of the Secretary
of Defense and they claim a reduction of 90% in support calls.
WAVE Comments
Improvement of the security environment is a long term issue. In
spite of the individual focus on biometrics elements such as an
API, biometric, device, middleware or standards, the real issue
of digital infrastructure security is that it is used by
individuals and organizations to reduce risks from threats and
damaging actions.
The intent of biometrics is the coupling of individuals with
their actions or potential for action. It also recognizes that
single individuals can cause significant harm. Reduced to its
most basic form, biometrics, as it is evolving today, is about
interfacing an aspect of personal identity to a digital
infrastructure. It is assumed that the biometric used is not
easily modified and can be readily reduced to a template which
allows for ready transport and comparison across many biometric
systems anywhere in a network. One’s template, assumed unique to
the individual, ends up as a network directory attribute or a SQL
database entry.
Compared to other components of the digital infrastructure,
biometrics has much higher failure rates. That is, false accept
rates are much higher and the ability to spoof biometric systems
is relatively easy. If any improvements in overall security
system failure rates are to be accomplished, biometrics must be
complemented with other forms of physical and logical security.
There are two different worlds of biometrics: public and private.
Government uses of biometrics include identity documents,
criminal identification, punishment for crimes, security of
government transactions and comparison against established
identity records.
Business uses of biometrics include commerce, internal operations
and network security. The reality is that the public use of
biometrics is way ahead of the private use. For one, the
government is making large investments from research to system
deployment. The private sector has done little which compares.
Yet, there are many forces to increase private use of biometrics
and these relate to cost reduction, improved security and time
saving. Unfortunately these savings have not been assessed. The
impact on overall security has not been addressed.
When looking at the state of biometrics, as a technology, it is
early in the technology life cycle. Consider these measures of
immaturity:
Understanding of the human factors issues, including
enrollment and use, is early in the life cycle;
Interoperability, based on thorough testing, is quite
limited even between sensors of the same biometric;
There is very little multimodal testing;
Error rate assessment has been developed by NIST but not
widely used other than in the government;
Risk assessment processes are poorly developed; and
Systems integration has just begun and again the public
sector is leading.
Relying on a biometric as the sole means of establishing identity
is risky as the primary means of risk reduction. In most cases, a
biometric is combined with other biometrics and with physical and
logical security. It is often assumed, rather than demonstrated,
that these combinations create a more secure environment. In the
public sector the other factors include an officer seeing the
individual along with the fingerprint; it may be a crude
multimodal biometric, but it is better than one biometric alone.
In the private sector it may include restrictions on access to a
computer: physical constraints raise the security bar.
Missing from most private deployments of biometrics is a thorough
assessment of risk vs. gain vs. cost. Unfortunately, the ease of
use of a fingerprint biometric creates a perception that
“security is for free.” That is not the case.
It should be noted that today’s security environment has major
vulnerabilities. Frequent mandated password changes, along with
stringent rules for password use, may make administrators
comfortable, but this is useless if the passwords are written
down and the cleaning staff (the char force) picks them up. Thus,
as others have noticed, security with biometrics has two sides:
before and after biometrics. This is to be considered in the risk
assessment, but what we saw at the Biometrics Summit were only
simple observations. We saw no example of a thorough risk assessment.
The use of standards is critical for interoperability. Further,
everyone but the vendors believes that no one vendor should drive
system implementation. There are many standards efforts and the
ones cited most frequently include INCITS M1 and JTC 1 SC 37.
Finally, privacy issues are everywhere. Even in enterprise use of
biometrics, the question surfaced – will my fingerprint get sent
outside of the company? As the public sector has responded with
privacy plans we expect that this will be the case with private
deployments, even if in-house within an enterprise.
Wave Issue 0511 3/18/05 Article 1-01