Biometric Consortium Conference 2004
Wave Issue 0439 10/8/04
September 9 - 22, 2004
Biometrics is hot. Yes, much of this is driven by the US Government as a result of 9/11 concerns. There is progress being made in the technology, its application and the public acceptance of biometrics. This conference is similar in many ways to the First International Conf. on Biometric Authentication, ICBA 2004. While the event in Hong Kong had a strong academic orientation this conference has a balance between application of biometrics and research.
There is a line in the technology sand between authentication and identification. While authentication is the validation of a person based on a biometric against a biometric template of that person or only a few persons, identification is the determination of that individual across a very large population. The focus here is very much on identification. This is certainly the more difficult problem. At the same time we are seeing a wide range of technologies on the floor, especially facial biometrics and other biometrics.
Biometrics is focused on creating a means to establish identity which can be stored in a medium or even made portable. The assumption is also made that those who seek harm with not establish their correct identity on a voluntary basis or seek to conceal it. In the PC industry, identity is conveyed via a password or smart card or both. However, the leap to automatic means of biometric identification on a networked PC has serious drawbacks. One of the problems is how to preserve the identity in a secure manner so that when the individual seeks entry the comparison with the stored identity has a very low false accept rate. There is no absolute precision in Biometrics. In spite of these limitations, it is being used in many ways:
Part of the discussion here is that we are heading, a biometric step at a time, to a national Biometric identity card. This has not been articulated here, due to the public sensitivity on the issue, but the thrusts of the biometric programs underway today indicate this may happen in stages.
Asa Hutchinson, Under Secretary for Border and Transportation Security, Department of Homeland Security, gave the closing keynote. One of the most knowledgeable officials on biometrics, he provided a context for why this technology is important to the US Government.
Asa Hutchinson combines experience as a former member of Congress and an administrator and yet, he is unusual in his knowledge of biometrics. He began by citing the recent 9/11 Commission report. It noted the continuing importance of immigration, national security policy and the role of biometrics. In particular, the US-VISIT program plays a key role.
Biometrics plays an important role in DHS and these include:
DHS recently completed a study group on Biometrics within
the organization. They found over 60 initiatives. We will be streamlining
these efforts to make best use of biometrics. It is my intent to make
DHS a leader in the use of biometrics. It is also our intent to have
a single biometric identity for all persons.
NIST Plays a Major Role in Biometrics
Charlie Wilson, Image Group, IAD-ITL, NIST is responsible for the test and evaluation of biometric performance. This is mandated by the Patriot Act. They have completed a major test of both biometric matching technology and SDKs. The largest test set had 48,000 sets of finger prints used which had nearly 400,000 finger print images. Three systems stood out: NEC, SAGAM and Cogent. One of the limitations of the test came from errors in the input data sets. It was found that the errors within a set can vary from .5% to 1.5%. Charlie commented that quoting error rates less that exceed 1X10**-4 is infeasible when the data set errors are at that level. Thus, there are many factors that determine the applicability of fingerprints as a biometric. The other factor most cited is the quality of the fingerprint images. The results of their work are at:
One of the more interesting results came from a test of both facial and fingerprint biometric. Here is a summary:
NIST also plays major role in Biometrics standards and a presentation on this topic was given by Michael Hogan. In general, NIST does not set standards but works with standards bodies to foster the development of standards. Currently there are significant standards efforts at ANSI and ISO under the following groups:
Standards that NIST are involved in include:
NIST has launched an effort called the Face Recognition Grand Challenge (FRGC). Given the relatively poor performance of face recognition it describes this challenge to improve the performance of still and 3D facial images by an order of magnitude. With a FAR, false accept rate of .1%, the current error rate is 20% and they seek to lower this to 2%. This implies that out of 50,000 match scores there are 1,000 errors.
The evaluation of the Grand Challenge results is expected in Aug/Sept 2005. The Release of the Grand Challenge problem V2.0 will happen on 27 September, 2004. This will lead to the V3.0 in February 2005.
Under the direction of the White House and OMB there is an E-Government initiative to put services online. This is focused on remote authentication to establish identity for use of these services. The OMB documents is M-0404.
Four assurance levels have been set:
The NIST presentation focused on how to accomplish this and the role that biometrics would play in establishing the identity. The effort to date has resulted in NIST SP800-63 which provides guidance on electronic authentication.
This guideline is focused on conventional secret token based remote authentication, passwords and smart cards, and does not cover Knowledge Based Authentication. Further, modest use of biometrics is made for registration and to unlock keys. The guidelines also state that when more factors are required; the stronger the authentication, for example, two factors are required to reach Level 3.
Overall confidence was not expressed in biometrics for authentication. The question was asked:
Further it was also asked:
There are many issues posed by biometrics in such applications. NIST will be holding a conference in the January/February 2005 to discuss these.
Other source materials:
Little is being said about security issues in Biometrics from the government side. This is, in part, due to the desire not to let others gain insights on how to exploit weaknesses in biometric systems. Yet, here at Biometric Consortium Conference 2004 some troubling signs surfaced about the weak state of biometric systems.
The most comprehensive assessment of biometric security was provided by CESG, the National Technical Authority for Information Assurance, in England.
The presentation was on:
CESG: Biometric Security Capabilities Program: Method, Results and Research Challenges
Matthew Lewis spoke about the Biometric Vulnerability Assessment. They have tested 7 fingerprint systems and worked with the vendors to assess security vulnerabilities. Means of attack included:
The biometrics evaluated were fingerprint, facial and Iris. No results were presented other than top level but the impression was given – it is relatively easy to attack these systems. The effort is on-going.
Umut Uludag, Michigan State University presented a Fingerprint Minutiae Attack System that was based on his research attacking a biometric system. The focus was at the input to the matcher for fingerprints. It was called a hill-climbing attacker for minutiae based fingerprint authentication systems. The template is unknown to the attacker but it is assumed that the attacker has access to the matching score. The results were impressive:
The Center for Unified Biometrics and Sensors at SUNY Buffalo presented a paper on Symmetric Hash Functions for Fingerprint Minutiae. The parallel drawn for this research is the hashing process that takes place with passwords for logon. The objective is to gain a match even with partial or rotated fingerprints. The results showed a error rate of 3% with hashing and a rate of 1.7% without hashing. This was done with 2,800 genuine tests and 4,950 impostors.
Bio-Pen – What is it?
This is a ball point pen which has electronics in the upper 1/3 of the pen. The capabilities of the pen and the computer, related to it, allow one’s signature to be recognized as a reliable biometric. It is claimed that the FRR is in excess of 97%. The WAVE spoke at length with its President, Richard Kim.
DynaSig is seeking funding before it takes a larger profile.
Further information can be obtained at
Geometrix was showing a 3D facial identification system. This includes: stereo camera, enrollment software, verification software and identification software. The matching technique is based on relief matching. It is claimed that it takes ¼ second to acquire the image, 60 seconds to enroll and <7 seconds to identify. The price is a secret. When asked if they have units to sell the response was yes. This inconsistency was passed off.
NIST is driving the worldwide efforts on Biometric technology evaluation. For example, at the conference individuals from Israel and England were asking questions. The scope of the data sets that NIST is working with provides a level of test credibility that cannot be achieved, to date, in other environments. Thus, the vendors come to NIST to participate in the tests. Certainly one of the best examples of how this is paid off is the equipment for fingerprint matching that Cogent Systems has deployed in the US-VISIT program. It will operate at 1m matches/sec.
Further, the issues with remote authentication for E-Government are very similar to those faced in e-commerce. To date biometrics has yet to establish a position as technology other than at low levels of confidence.