Biometric Consortium
Conference 2004
By John.N.Latta
Wave Issue
0439 10/8/04
September 9 - 22, 2004
Crystal City, VA
Biometrics is hot. Yes, much of this is driven by the US Government as a result of 9/11 concerns. There is progress being made in the technology, its application and the public acceptance of biometrics. This conference is similar in many ways to the First International Conf. on Biometric Authentication, ICBA 2004. While the event in Hong Kong had a strong academic orientation this conference has a balance between application of biometrics and research.
There is a line in the technology sand between authentication and identification. While authentication is the validation of a person based on a biometric against a biometric template of that person or only a few persons, identification is the determination of that individual across a very large population. The focus here is very much on identification. This is certainly the more difficult problem. At the same time we are seeing a wide range of technologies on the floor, especially facial biometrics and other biometrics.
Biometrics is focused on creating a means to establish identity which can be stored in a medium or even made portable. The assumption is also made that those who seek harm with not establish their correct identity on a voluntary basis or seek to conceal it. In the PC industry, identity is conveyed via a password or smart card or both. However, the leap to automatic means of biometric identification on a networked PC has serious drawbacks. One of the problems is how to preserve the identity in a secure manner so that when the individual seeks entry the comparison with the stored identity has a very low false accept rate. There is no absolute precision in Biometrics. In spite of these limitations, it is being used in many ways:
US-VISIT Program
Trusted Traveler Pilot
Transportation Worker Identification Credential (TWIC)
ePassports
Part of the discussion here is that we are heading, a biometric step at a time, to a national Biometric identity card. This has not been articulated here, due to the public sensitivity on the issue, but the thrusts of the biometric programs underway today indicate this may happen in stages.
US Banks Big on Biometrics
Asa Hutchinson, Under Secretary for Border and Transportation Security, Department of Homeland Security, gave the closing keynote. One of the most knowledgeable officials on biometrics, he provided a context for why this technology is important to the US Government.
Asa Hutchinson combines experience as a former member of Congress and an administrator and yet, he is unusual in his knowledge of biometrics. He began by citing the recent 9/11 Commission report. It noted the continuing importance of immigration, national security policy and the role of biometrics. In particular, the US-VISIT program plays a key role.
Biometrics plays an important role in DHS and these include:
Biometrics to Guard against threats
Biometrics are being used to check travelers against the watch list of individuals that either should not enter the country or pose threats.
Biometrics for Confirmation of Identity.
This is being implemented in the Trusted Traveler Program. Such travelers will be able to pass without secondary screening with authentication of either a fingerprint or Iris scan.
Biometrics Provides Maximum Efficiency with Minimum Inconvenience
This is at the center or the US-VISIT program for entry and exit from the US.
DHS recently completed a study group on Biometrics within
the organization. They found over 60 initiatives. We will be streamlining
these efforts to make best use of biometrics. It is my intent to make
DHS a leader in the use of biometrics. It is also our intent to have
a single biometric identity for all persons.
NIST Plays a Major Role in Biometrics
Charlie Wilson, Image Group, IAD-ITL, NIST is responsible for the test and evaluation of biometric performance. This is mandated by the Patriot Act. They have completed a major test of both biometric matching technology and SDKs. The largest test set had 48,000 sets of finger prints used which had nearly 400,000 finger print images. Three systems stood out: NEC, SAGAM and Cogent. One of the limitations of the test came from errors in the input data sets. It was found that the errors within a set can vary from .5% to 1.5%. Charlie commented that quoting error rates less that exceed 1X10**-4 is infeasible when the data set errors are at that level. Thus, there are many factors that determine the applicability of fingerprints as a biometric. The other factor most cited is the quality of the fingerprint images. The results of their work are at:
One of the more interesting results came from a test of both facial and fingerprint biometric. Here is a summary:
Most Accurate Face System
.72 True Accept Rate @ 10**-4 false accept rate
.90 True Accept Rate @ 10**-2 false accept rateMost Accurate Finger Print System
.994 True Accept Rate @ 10**-4
.999 True Accept Rate @ 10**-2
Standards
NIST also plays major role in Biometrics standards and a presentation on this topic was given by Michael Hogan. In general, NIST does not set standards but works with standards bodies to foster the development of standards. Currently there are significant standards efforts at ANSI and ISO under the following groups:
ANSI – M1 – Biometrics
ISO – SC37 - Biometrics
Standards that NIST are involved in include:
Common Biometric Exchange Formats Framework (CBEFF), NISTIR 6529-A
BioAPI – ANSI INCITGS 358 – 2002
Biometric Profile – ANSI INCITS 383:2004 – Application to Transportation Workers
Face Recognition Grand Challenge
NIST has launched an effort called the Face Recognition Grand Challenge (FRGC). Given the relatively poor performance of face recognition it describes this challenge to improve the performance of still and 3D facial images by an order of magnitude. With a FAR, false accept rate of .1%, the current error rate is 20% and they seek to lower this to 2%. This implies that out of 50,000 match scores there are 1,000 errors.
The evaluation of the Grand Challenge results is expected in Aug/Sept 2005. The Release of the Grand Challenge problem V2.0 will happen on 27 September, 2004. This will lead to the V3.0 in February 2005.
http://face.nist.gov/FRGC/frgc_v1a.pdf
E-Government - Will Biometrics Make the eGovernment Cut?
Under the direction of the White House and OMB there is an E-Government initiative to put services online. This is focused on remote authentication to establish identity for use of these services. The OMB documents is M-0404.
http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
Four assurance levels have been set:
Level 1: Little or no confidence in asserted identity’s validity
Level 2: Some confidence in the asserted identity’s validity
Level 3: High Confidence in the asserted identity’s validity
Level 4: Very high confidence in asserted identity’s validity
The NIST presentation focused on how to accomplish this and the role that biometrics would play in establishing the identity. The effort to date has resulted in NIST SP800-63 which provides guidance on electronic authentication.
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf
http://www.itl.nist.gov/lab/bulletns/bltnaug04.htm
This guideline is focused on conventional secret token based remote authentication, passwords and smart cards, and does not cover Knowledge Based Authentication. Further, modest use of biometrics is made for registration and to unlock keys. The guidelines also state that when more factors are required; the stronger the authentication, for example, two factors are required to reach Level 3.
Overall confidence was not expressed in biometrics for authentication. The question was asked:
Can we get to Level 2 [rather modest level] with only biometrics?
Further it was also asked:
Can we combine a password and a biometric to get to Level 3?
There are many issues posed by biometrics in such applications. NIST will be holding a conference in the January/February 2005 to discuss these.
Other source materials:
http://csrc.nist.gov/publications/nistbul/Aug-2004.txt
Biometrics Security
Little is being said about security issues in Biometrics from the government side. This is, in part, due to the desire not to let others gain insights on how to exploit weaknesses in biometric systems. Yet, here at Biometric Consortium Conference 2004 some troubling signs surfaced about the weak state of biometric systems.
The most comprehensive assessment of biometric security was provided by CESG, the National Technical Authority for Information Assurance, in England.
http://www.cesg.gov.uk/site/ast/index.cfm?menuSelected=4&displayPage=4
http://www.cesg.gov.uk/site/ast/biometrics/media/BiometricTestReportpt1.pdf
The presentation was on:
CESG: Biometric Security Capabilities Program: Method, Results and Research Challenges
Matthew Lewis spoke about the Biometric Vulnerability Assessment. They have tested 7 fingerprint systems and worked with the vendors to assess security vulnerabilities. Means of attack included:
Zero Effort/Casual Impostor Test
Weak/Easy Template Generation
Access to Template or Data Storage
Spoofing with artificial attempts Mimicry or fakes
Wire Capture or Replay
The biometrics evaluated were fingerprint, facial and Iris. No results were presented other than top level but the impression was given – it is relatively easy to attack these systems. The effort is on-going.
Attacks Make Fingerprint Biometric Easy Target
Umut Uludag, Michigan State University presented a Fingerprint Minutiae Attack System that was based on his research attacking a biometric system. The focus was at the input to the matcher for fingerprints. It was called a hill-climbing attacker for minutiae based fingerprint authentication systems. The template is unknown to the attacker but it is assumed that the attacker has access to the matching score. The results were impressive:
With 160 fingerprint accounts the attacker broke all in less than 1,000 attempts.
The minimum, mean and maximum number of attack attempts were: 128, 195 and 488 respectively.
Hashing of Fingerprint Minutiae for Security
The Center for Unified Biometrics and Sensors at SUNY Buffalo presented a paper on Symmetric Hash Functions for Fingerprint Minutiae. The parallel drawn for this research is the hashing process that takes place with passwords for logon. The objective is to gain a match even with partial or rotated fingerprints. The results showed a error rate of 3% with hashing and a rate of 1.7% without hashing. This was done with 2,800 genuine tests and 4,950 impostors.
On the Exhibit Floor...
Bio-Pen – What is it?
This is a ball point pen which has electronics in the upper 1/3 of the pen. The capabilities of the pen and the computer, related to it, allow one’s signature to be recognized as a reliable biometric. It is claimed that the FRR is in excess of 97%. The WAVE spoke at length with its President, Richard Kim.
The pen does not work at all like Anoto or other stroke devices. There is no need to record or carry stroke data from the pen to the computer. In fact, it is not possible to reconstruct the signature from the data which is sent from the pen to the computer.
The best that we could tell is that the pen records: pen velocity, pressure and pen angle. This is processed in real time in the pen and passed via a wired connection to the computer (USB). What is stored in a server connected to the notebook, as shown in the booth, is the encoded signature from the enrollment process. The new signature which was just made in this example is compared against the signature parameters which are stored in the server.
It is claimed that one only has to enter 2 signatures to enroll.
There are no biometrics on the pen. Thus, nothing is recorded when the fingers come in contact with the pen surface. It is only the pen actions that are transmitted to the pen identification server.
The pen shown in the booth is relatively small, when compared to the early Anoto pens. The next version will be the size of an ordinary ball point pen. Presently the pen costs $150 but the future generation target pricing is $60 - $70.
A wireless pen is in design, using Bluetooth, and will be available early in 2005.
Currently, the pen is being used in vertical markets, including financial markets. No other application segments were described.
DynaSig is seeking funding before it takes a larger profile.
Further information can be obtained at
Geometrix was showing a 3D facial identification system. This includes: stereo camera, enrollment software, verification software and identification software. The matching technique is based on relief matching. It is claimed that it takes ¼ second to acquire the image, 60 seconds to enroll and <7 seconds to identify. The price is a secret. When asked if they have units to sell the response was yes. This inconsistency was passed off.
The International Biometric Group does market assessments and consulting. Their
reports stand out in price per page.
State of Biometric Technology Standards, $995, 30 pages
State of Fingerprint Technology, $2995, 50 pages
Multimodal Biometrics, $4995, 50 pages
Cyberextruder. This product will take one photograph and construct a 3D model
of the face. It is based on learning from many faces. Nearly all the purchases
of this product are bought by systems integrators and the pricing is usage
based. It was not clear how the relief features in the 3D model would be
accurate.
Technoimagia. This Japanese company sells a desktop fingerprint reader and
one that also combines a smart card. The fingerprint sensor costs <$300.
The authentication is server based. The SDK cost, with a TI DSP card is approximately
$500.
http://www.technoimagia.co.jp/e_index.htm
Cherry sells a biometric keyboard for $150 and a mouse, based on the Siemens
design for $90. The smart card keyboards, without biometrics, are selling
well in these vertical markets: financial, insurance and health care (in
part due to HIPAA).
WAVE Comments
NIST is driving the worldwide efforts on Biometric technology evaluation. For example, at the conference individuals from Israel and England were asking questions. The scope of the data sets that NIST is working with provides a level of test credibility that cannot be achieved, to date, in other environments. Thus, the vendors come to NIST to participate in the tests. Certainly one of the best examples of how this is paid off is the equipment for fingerprint matching that Cogent Systems has deployed in the US-VISIT program. It will operate at 1m matches/sec.
Further, the issues with remote authentication for E-Government are very similar to those faced in e-commerce. To date biometrics has yet to establish a position as technology other than at low levels of confidence.
http://www.biometrics.org/bc2004/index.htm